manualshive.com logo in svg

Siemens RUGGEDCOM ROS, User Manual

The Siemens RUGGEDCOM ROS user manual is a comprehensive guide that allows users to seamlessly navigate and operate their RUGGEDCOM network switches. Available for free download at manualshive.com, this manual provides detailed instructions and troubleshooting tips, ensuring optimal performance and enhanced user experience.

Share
Download
background image

Chapter 4

System Administration

RUGGEDCOM ROS

User Guide

110

Authentication Related Security Alarms

Parameter

Description

LED & Relay

Synopsis:   

{ On, Off }

Default:   

Off

Enables LED and fail-safe relay control for this alarm. If latching is not enabled, this field

will remain disabled.

Refresh Time

Synopsis:   

0 s to 60 s

Default:   

60 s

Refreshing time for this alarm.

4. Click 

Apply

.

Section 4.4.4

Authentication Related Security Alarms

The following describes the authentication-related security messages that can be generated by ROS:

Section 4.4.4.1, “Security Alarms for Login Authentication”

Section 4.4.4.2, “Security Messages for Port Authentication”

Section 4.4.4.1

Security Alarms for Login Authentication

ROS provides various logging options related to login authentication. A user can log into a ROS device in three

different ways: Console, SSH or Telnet. ROS can log messages in the syslog, send a trap to notify an SNMP

manager, and/or raise an alarm when a successful and unsuccessful login event occurs. In addition, when a

weak password is configured on a unit or when the primary authentication server for or RADIUS is not

reachable, ROS will raise alarms, send SNMP traps and log messages in the syslog.
The following is a list of log and alarm messages related to user authentication:
• Weak Password Configured
• Login and Logout Information
• Excessive Failed Login Attempts
• RADIUS Server Unreachable
• TACACS Server Unreachable
• TACACS Response Invalid
• SNMP Authentication Failure

NOTE

All alarms and log messages related to login authentication are configurable. For more information

about configuring alarms, refer to 

Section 4.4.3, “Configuring an Alarm”

.

Weak Password Configured

ROS generates this alarm and logs a message in the syslog when a weak password is configured in the

Passwords

 table.

Summary of Contents for RUGGEDCOM ROS

Page 1: ...RUGGEDCOM ROS v4 1 User Guide For RSG2200 M2200 12 2014 Preface Introduction 1 Using ROS 2 Device Management 3 System Administration 4 Setup and Configuration 5 Troubleshooting 6 RC1119 EN 02 ...

Page 2: ...s whose use by third parties for their own purposes would infringe the rights of the owner Third Party Copyrights Siemens recognizes the following third party copyrights Copyright 2004 GoAhead Software Inc All Rights Reserved Security Information Siemens provides products and solutions with industrial security functions that support the secure operation of plants machines equipment and or networks...

Page 3: ...ndations 2 1 2 2 Key Files 3 1 2 2 1 SSL Certificates 4 1 2 2 2 SSH Key Pairs 6 1 3 Port Numbering Scheme 7 1 4 Available Services by Port 7 1 5 SNMP Management Interface Base MIB Support 9 1 5 1 Supported Standard MIBs 9 1 5 2 Supported Proprietary RUGGEDCOM MIBs 10 1 5 3 Supported Agent Capabilities 10 1 6 SNMP Traps 11 1 7 ModBus Management Support 13 1 7 1 ModBus Function Codes 13 1 7 2 ModBus...

Page 4: ... 2 6 4 2 Retrieving Information 37 2 6 4 3 Changing Values in a Table 39 2 6 4 4 Resetting a Table 39 2 6 4 5 Using RSH and SQL 39 2 7 Selecting Ports in ROS 40 2 8 Managing the Flash File System 40 2 8 1 Viewing a List of Flash Files 40 2 8 2 Viewing Flash File Details 41 2 8 3 Defragmenting the Flash File System 42 2 9 Accessing BIST Mode 42 Chapter 3 Device Management 43 3 1 Viewing Product Inf...

Page 5: ...SFP Port 63 3 6 6 2 Monitoring an SFP Port 63 3 6 6 3 Displaying Information for an SFP Port 64 3 6 7 Configuring an Ethernet Port 65 3 6 8 Configuring Port Rate Limiting 68 3 6 9 Configuring Port Mirroring 69 3 6 10 Configuring Link Detection 70 3 6 11 Detecting Cable Faults 72 3 6 11 1 Viewing Cable Diagnostics Results 72 3 6 11 2 Performing Cable Diagnostics 74 3 6 11 3 Clearing Cable Diagnosti...

Page 6: ... 4 1 Configuring the System Information 101 4 2 Customizing the Login Screen 102 4 3 Configuring Passwords 102 4 4 Managing Alarms 105 4 4 1 Viewing a List of Pre Configured Alarms 105 4 4 2 Viewing and Clearing Latched Alarms 106 4 4 3 Configuring an Alarm 107 4 4 4 Authentication Related Security Alarms 110 4 4 4 1 Security Alarms for Login Authentication 110 4 4 4 2 Security Messages for Port A...

Page 7: ... VLANs Globally 130 5 2 4 Configuring VLANs for Specific Ethernet Ports 131 5 2 5 Managing Static VLANs 133 5 2 5 1 Viewing a List of Static VLANs 134 5 2 5 2 Adding a Static VLAN 134 5 2 5 3 Deleting a Static VLAN 136 5 3 Managing Spanning Tree Protocol 137 5 3 1 RSTP Operation 137 5 3 1 1 RSTP States and Roles 138 5 3 1 2 Edge Ports 139 5 3 1 3 Point to Point and Multipoint Links 140 5 3 1 4 Pat...

Page 8: ... Specific Ethernet Ports 168 5 4 3 Configuring Priority to CoS Mapping 170 5 4 4 Configuring DSCP to CoS Mapping 171 5 5 Managing MAC Addresses 172 5 5 1 Viewing a List of MAC Addresses 172 5 5 2 Configuring MAC Address Learning Options 173 5 5 3 Configuring MAC Address Flooding Options 174 5 5 4 Managing Static MAC Addresses 176 5 5 4 1 Viewing a List of Static MAC Addresses 176 5 5 4 2 Adding a ...

Page 9: ...ps 208 5 9 3 Viewing a Summary of Multicast Groups 209 5 9 4 Configuring IGMP 209 5 9 5 Configuring GMRP Globally 211 5 9 6 Configuring GMRP for Specific Ethernet Ports 211 5 9 7 Managing Static Multicast Groups 213 5 9 7 1 Viewing a List of Static Multicast Groups 213 5 9 7 2 Adding a Static Multicast Group 213 5 9 7 3 Deleting a Static Multicast Group 215 5 10 Managing Port Security 215 5 10 1 P...

Page 10: ...5 11 2 Managing Port Trunks 225 5 11 2 1 Viewing a List of Port Trunks 226 5 11 2 2 Adding a Port Trunk 226 5 11 2 3 Deleting a Port Trunk 228 Chapter 6 Troubleshooting 229 6 1 General 229 6 2 Ethernet Ports 230 6 3 Spanning Tree 230 6 4 VLANs 231 ...

Page 11: ...ons available this Guide should be used as a companion to the Help text included in the software Conventions This User Guide uses the following conventions to present information clearly and effectively Alerts The following types of alerts are used when necessary to highlight important information DANGER DANGER alerts describe imminently hazardous situations that if not avoided will result in deat...

Page 12: ...er s command parameter1 parameter2 parameter3 parameter4 All commands and parameters are presented in the order they must be entered Related Documents Other documents that may be of interest include RUGGEDCOM RSG2200 Installation Guide RUGGEDCOM M2200 Installation Guide RUGGEDCOM RSG2200 Data Sheet RUGGEDCOM M2200 Data Sheet RUGGEDCOM Fiber Guide RUGGEDCOM Wireless Guide White Paper Rapid Spanning...

Page 13: ...d industrial markets allows Siemens to provide training specific to the customer s application For more information about training services and course availability visit www siemens com ruggedcom or contact a Siemens sales representative Customer Support Customer support is available 24 hours 7 days a week for all Siemens customers For technical support or general information contact Siemens Custo...

Page 14: ...RUGGEDCOM ROS User Guide Preface Customer Support xiv ...

Page 15: ...rt machines or weapons systems in which the failure of the software could result in death personal injury or severe physical or environmental damage Rugged Operating System ROS Features Simple plug and play operation automatic learning negotiation and crossover detection MSTP 802 1Q 2005 formerly 802 1s RSTP 802 1w and Enhanced Rapid Spanning Tree eRSTP network fault recovery 5ms Quality of Servic...

Page 16: ...nnel SSL and SSH keys are accessible to users who connect to the device via the serial console Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment Replace the SSH and SSL keys with throwaway keys prior to shipping Take the existing SSH and SSL keys out of service When the device returns create and program new keys for the device Restr...

Page 17: ... 1 2 2 Key Files ROS uses security keys to establish secure remote logins SSH and Web access SSL It is strongly recommended that a unique SSL certificate and SSH keys be created and provisioned New ROS based units from Siemens will be shipped with a unique certificate and keys preconfigured in the ssl crt and ssh keys flash files The default and auto generated SSL certificates are self signed It i...

Page 18: ... minutes to generate whereas 2048 bit keys may take significantly longer A typical modern PC system however can generate these keys in seconds The following bash shell script fragment uses the openssl command line utility to generate a self signed X 509 v3 SSL certificate with a 1024 bit RSA key suitable for use in ROS Note that two standard PEM files are required the SSL certificate and the RSA p...

Page 19: ...aEncryption RSA Public Key 1024 bit Modulus 1024 bit 00 83 e8 1f 02 6b cd 34 1f 01 6d 3e b6 d3 45 b0 18 0a 17 ae 3d b0 e9 c6 f2 0c af b1 3e e7 fd f2 0e 75 8d 6a 49 ce 47 1d 70 e1 6b 1b e2 fa 5a 1b 10 ea cc 51 41 aa 4e 85 7c 01 ea c3 1e 9e 98 2a a9 62 48 d5 27 1e d3 18 cc 27 7e a0 94 29 db 02 5a e4 03 51 16 03 3a be 57 7d 3b d1 75 47 84 af b9 81 43 ab 90 fd 6d 08 d3 e8 5b 80 c5 ca 29 d8 45 58 5f e4...

Page 20: ...ke an SSH key pair ssh keygen t dsa b 1024 N f ssh keys The following is an example of an SSH key generated by ROS Private Key 1024 bit priv 00 b2 d3 9d fa 56 99 a5 7a ba 1e 91 c5 e1 35 77 85 e8 c5 28 36 pub 6f f3 9e af e6 d6 fd 51 51 b9 fa d5 f9 0a b7 ef fc d7 7c 14 59 52 48 52 a6 55 65 b7 cb 38 2e 84 76 a3 83 62 d0 83 c5 14 b2 6d 7f cc f4 b0 61 0d 12 6d 0f 5a 38 02 67 a4 b7 36 1d 49 0a d2 58 e2 ...

Page 21: ...n the device 2 1 4 3 6 5 8 7 10 9 12 11 Figure 1 RSG2200 M2200 Port Numbering Typical Use these numbers to configure applicable features on select ports Section 1 4 Available Services by Port The following table lists the services available under ROS This table includes the following information Services The service supported by the device Port Number The port number associated with the service Po...

Page 22: ...ailable through two management interfaces SNMP UDP 161 Open configurable Closed Yes Only available through two management interfaces SNTP UDP 123 Open Always might acts as server Open No Only available through two management interfaces SSH TCP 22 Open Open Yes Only available through two management interfaces ICMP Open Open No TACACS TCP 49 configurable Open configurable Closed Yes RADIUS UDP 1812 ...

Page 23: ...supports the following standard MIBs Standard MIB Name Title RFC 2578 SNMPv2 SMI Structure of Management Information Version 2 RFC 2579 SNMPv2 TC Textual Convention s for SMIv2 SNMPv2 CONF Conformance Statements for SMIv2 RFC 2580 IANAifType Enumerated Values of the ifType Object Defined ifTable defined in IF MIB RFC 1907 SNMPv2 MIB Management Information Base for SNMPv2 RFC 2011 IP MIB SNMPv2 Mna...

Page 24: ...nents RFC 4363 Q BRIDGE MIB Definitions of Managed Objects for Bridges with Traffic Classes Multicast Filtering and Virtual LAN Extensions Section 1 5 2 Supported Proprietary RUGGEDCOM MIBs ROS supports the following proprietary RUGGEDCOM MIBs File Name MIB Name Description ruggedcom mib RUGGEDCOM MIB RUGGEDCOM enterprise SMI ruggedcomtraps mib RUGGEDCOM TRAPS MIB RUGGEDCOM traps definition rcsysi...

Page 25: ...B rclldpmibAC mib RC LLDP MIB AC LLDP MIB rclagmibAC mib RC LAG MIB AC IEEE8023 LAG MIB rcrstpmibAC mib RC_RSTP MIB AC RSTP MIB rcrcdot11AC mib RC RUGGEDCOM DOT11 MIB AC RUGGEDCOM DOT11 MIB rcrcpoeAC mib RC RUGGEDCOM POE MIB AC RUGGEDCOM POE MIB rcrcrstpmibAC mib RC RUGGEDCOM STP AC MIB RUGGEDCOM STP MIB rcrcsysinfomibAC mib RC RUGGEDCOM SYS INFO MIB AC RUGGEDCOM SYS INFO MIB rcrctrapsmibAC mib RC...

Page 26: ... can be retrieved using the CLI command alarms For more information about the alarms command refer to Section 2 6 1 Available CLI Commands Table Generic Traps Trap Severity heap error Alert NTP server failure notification real time clock failure Error failed password Warning MAC address not learned by switch fabric Warning BootP client TFTP transfer failure Error received looped back BPDU Error re...

Page 27: ... ModBus Memory Formats Section 1 7 1 ModBus Function Codes RUGGEDCOM devices support the following ModBus function codes for device management through ModBus NOTE While RUGGEDCOM devices have a variable number of ports not all registers and bits apply to all products Registers that are not applicable to a particular device return a zero 0 value For example registers referring to serial ports are n...

Page 28: ...egisters Description Reference Table in UI R W Format 0000 16 Product Identification R Text 0010 32 Firmware Identification R Text 0040 1 Number of Ethernet Ports R Uint16 0041 1 Number of Serial Ports R Uint16 0042 1 Number of Alarms R Uint16 0043 1 Power Supply Status R PSStatusCmd 0044 1 FailSafe Relay Status R TruthValue 0045 1 ErrorAlarm Status R TruthValue Product Write Register The followin...

Page 29: ...ics Ethernet In Packets R Uinst32 0406 2 Port s1 p4 Statistics Ethernet In Packets R Uinst32 0408 2 Port s2 p1 Statistics Ethernet In Packets R Uinst32 040A 2 Port s2 p2 Statistics Ethernet In Packets R Uinst32 040C 2 Port s2 p3 Statistics Ethernet In Packets R Uinst32 040E 2 Port s2 p4 Statistics Ethernet In Packets R Uinst32 0410 2 Port s3 p1 Statistics Ethernet In Packets R Uinst32 0412 2 Port ...

Page 30: ... Statistics Ethernet Out Packets R Uinst32 044C 2 Port s2 p3 Statistics Ethernet Out Packets R Uinst32 044E 2 Port s2 p4 Statistics Ethernet Out Packets R Uinst32 0450 2 Port s3 p1 Statistics Ethernet Out Packets R Uinst32 0452 2 Port s3 p2 Statistics Ethernet Out Packets R Uinst32 0454 2 Port s3 p3 Statistics Ethernet Out Packets R Uinst32 0456 2 Port s3 p4 Statistics Ethernet Out Packets R Uinst...

Page 31: ...t s3 p4 Statistics Ethernet In Packets R Uinst32 0498 2 Port s4 p1 Statistics Ethernet In Packets R Uinst32 049A 2 Port s4 p2 Statistics Ethernet In Packets R Uinst32 049C 2 Port s4 p3 Statistics Ethernet In Packets R Uinst32 049E 2 Port s4 p4 Statistics Ethernet In Packets R Uinst32 04A0 2 Port s5 p1 Statistics Ethernet In Packets R Uinst32 04A2 2 Port s5 p2 Statistics Ethernet In Packets R Uinst...

Page 32: ...Out Packets R Uinst32 04E2 2 Port s5 p2 Statistics Ethernet Out Packets R Uinst32 04E4 2 Port s5 p3 Statistics Ethernet Out Packets R Uinst32 04E6 2 Port s5 p4 Statistics Ethernet Out Packets R Uinst32 04E8 2 Port s6 p1 Statistics Ethernet Out Packets R Uinst32 04EA 2 Port s6 p2 Statistics Ethernet Out Packets R Uinst32 04EC 2 Port s6 p3 Statistics Ethernet Out Packets R Uinst32 04EE 2 Port s6 p4 ...

Page 33: ...Out Packets R Uint32 06C6 2 Port 4 Statistics Serial Out Packets R Uint32 Section 1 7 3 ModBus Memory Formats The following ModBus memory formats are supported by Siemens Section 1 7 3 1 Text Section 1 7 3 2 Cmd Section 1 7 3 3 Uint16 Section 1 7 3 4 Uint32 Section 1 7 3 5 PortCmd Section 1 7 3 6 Alarm Section 1 7 3 7 PSStatusCmd Section 1 7 3 8 TruthValues Section 1 7 3 1 Text The Text format pro...

Page 34: ... any alarms The response may look like 0x10 0x00 0x80 0x00 0x01 Section 1 7 3 3 Uint16 The Uint16 format describes a Standard ModBus 16 bit register Section 1 7 3 4 Uint32 The Uint32 format describes Standard 2 ModBus 16 bit registers The first register holds the most significant 16 bits of a 32 bit value The second register holds the least significant 16 bits of a 32 bit value Section 1 7 3 5 Por...

Page 35: ...Cmd consider a Write Multiple Register request to clear Ethernet port statistics 0x10 0x00 0x83 0x00 0x01 2 0x55 0x76 0x00 0x50 A bit value of 1 clears Ethernet statistics on the corresponding port A bit value of 0 does not clear the Ethernet statistics 0x10 0x00 0x81 0x00 0x02 Section 1 7 3 6 Alarm The Alarm format is another form of text description Alarm text corresponds to the alarm descriptio...

Page 36: ... 1 indicates the corresponding status for the device to be true 2 indicates the corresponding status for the device to be false Reading the FailSafe Relay Status From a Device Using TruthValue To understand how to use the TruthValue format to read the FailSafe Relay status from a device consider a ModBus request to read multiple registers from location 0x0044 0x04 0x00 0x44 0x00 0x01 The response ...

Page 37: ...bution of public SSH keys to network hosts that need them and more NOTE The RSA key pair must be added to the ssl crt file after the SSL certificate For SSL ROS requires an X 509 certificate in standard PEM format and an RSA key pair The certificate may be self signed or signed by a separate authoriy The RSA key must be between 512 and 2048 bits in length The certificate and keys must be combined ...

Page 38: ...Y END RSA PRIVATE KEY For SSH ROS requires a DSA key pair in PEM format The DSA key must be between 512 and 2048 bits in length for Controlled versions The key file is uploaded to the ssh keys flash file on the device The following is an example of a PEM formatted SSH key BEGIN DSA PRIVATE KEY MIIBuwIBAAKBgQD0gcGbXx rrEMu2913UW4cYo1OlcbnuUz7OZyd2mBLDx GYbD8 X5TnRcMraJ0RuuGK chqQJW5k3zQmZa BS6q9U7w...

Page 39: ...ion 2 1 1 Connecting Directly Section 2 1 2 Connecting via the Network Section 2 1 1 Connecting Directly ROS can be accessed through a direct serial console or Ethernet connection for management and troubleshooting purposes A console connection provides access to the console interface and CLI To establish a serial connection to the device do the following 1 Connect a workstation either a terminal ...

Page 40: ...Ethernet ports assign an IP address to the Ethernet port on the workstation in the range of 192 168 0 3 to 192 168 0 254 2 Open a Web browser For a list of recommended Web browsers refer to the section called System Requirements IMPORTANT Upon connecting to the device some Web browsers may report the Web server s certificate cannot be verified against any known certificates This is expected behavi...

Page 41: ...wing 1 Connect to the device either directly or through a Web browser For more information about how to connect to the device refer to Section 2 1 Connecting to ROS Once the connection is established the login form appears 1 2 Figure 2 SSH Login Screen Console Interface 1 User Name Box 2 Password Box 1 3 2 Figure 3 Login Screen Web Interface 1 Username Box 2 Password Box 3 Submit Button NOTE The f...

Page 42: ...b interface only Section 2 3 Logging Out To log out of the device navigate to the main screen and do the following To log out of the Console or secure shell interfaces press CTRL X To log out of the Web interface click Logout 1 Figure 4 Web Interface Example 1 Logout NOTE If any pending configuration changes have not been committed ROS will request confirmation before discarding the changes and lo...

Page 43: ... and or data related to the selected feature Each screen consists of a title the current user s access level parameters and or data in form or table format and controls e g add delete refresh etc The title provides access to context specific Help for the screen that provides important information about the available parameters and or data Click on the link to open the Help information in a new win...

Page 44: ...face GUI organized as a series of menus It is primarily accessible through a serial console connection but can also be accessed through IP services such as a Telnet RSH Remote Shell or SSH Secure Shell session NOTE IP services can be restricted to control access to the device For more information refer to Section 3 9 Configuring IP Services Each screen consists of a system identifier the name of t...

Page 45: ...this Enter to enter the sub menu or screen beneath Esc Press Esc to return to the previous screen Configuring Parameters Use the following controls to select and configure parameters in the Console interface Up Down Arrow Keys Use the up and down arrow keys to select parameters Enter Select a parameter and press Enter to start editing a parameter Press Enter again to commit the change Esc When edi...

Page 46: ...ions describe how to use the Command Line Interface CLI Section 2 6 1 Available CLI Commands Section 2 6 2 Tracing Events Section 2 6 3 Executing Commands Remotely via RSH Section 2 6 4 Using SQL Commands Section 2 6 1 Available CLI Commands The following commands are available at the command line Command Description alarms all Displays a list of available alarms Optional and or required parameter...

Page 47: ...rom flashing set the timeout period to 0 zero fpgacmd Provides access to the FPGA management tool for troubleshooting time synchronization help command Displays a brief description of the specified command If no command is specified it displays a list of all available commands including a description for each Optional and or required parameters include command is the command ipconfig Displays the ...

Page 48: ...data all displays all diagnostic data sql default delete help info insert save select update Provides an SQL like interface for manipulating all system configuration and status parameters All commands clauses table and column names are case insensitive Optional and or required parameters include default sets all records in a table s to factory defaults delete allows for records to be deleted from ...

Page 49: ...nd provides a means to trace the operation of various protocols supported by the device Trace provides detailed information including STP packet decodes IGMP activity and MAC address displays NOTE Tracing has been designed to provide detailed information to expert users Note that all tracing is disabled upon device startup To trace an event do the following 1 Log in to the device as an admin user ...

Page 50: ...I command to execute NOTE The access level corresponding to the user name selected must support the given command NOTE Any output from the command will be returned to the workstation submitting the command Commands that start interactive dialogs such as trace cannot be used Section 2 6 4 Using SQL Commands ROS provides an SQL like command facility that allows expert users to perform several operat...

Page 51: ...nother way to find a table name is to type the following in the CLI sql info tables This command also displays menu names and their corresponding database table names depending upon the features supported by the device For example Table Description alarms Alarms cpuDiags CPU Diagnostics ethPortCfg Port Parameters ethPortStats Ethernet Statistics ethPortStatus Port Status ipCfg IP Services Section ...

Page 52: ... the Where Clause Use the following command to display specific parameters from a table that have a specific value sql select from table where parameter value Where table is the name of the table parameter is the name of the parameter value is the value of the parameter Example sql select from ethportcfg where media 1000T Port Name ifName Media State AutoN Speed Dupx FlowCtrl LFI Alarm 1 Port 1 1 ...

Page 53: ...nditions can also be included in the command to apply changes only to parameters that meet specific criteria In the following example flow control is enabled on ports that are operating in 100 Mbps full duplex mode with flow control disabled sql update ethportcfg set FlowCtrl Off where Media 100TX and FlowCtrl On 2 records updated Section 2 6 4 4 Resetting a Table Use the following command to rese...

Page 54: ...how to specify a single port a range of ports or all ports Select a single port by specifying the port number 2 Select a range of ports using a dash between the first port and the last port in the list 1 4 Select multiple ports by defining a comma separated list 1 4 6 9 Use the All option to select all ports in the device or if available use the None option to select none of the ports Section 2 8 ...

Page 55: ...og txt 003D0000 010000 61 61 256 config bak 003E0000 010000 62 62 15529 config csv 003F0000 008000 63 63 15529 factory txt 003FC000 004000 66 66 407 Section 2 8 2 Viewing Flash File Details To view the details of a file currently stored in Flash memory do the following 1 Log in to the device as an admin user and access the CLI shell For more information about accessing the CLI shell refer to Secti...

Page 56: ...ction 2 9 Accessing BIST Mode BIST Built In Self Test mode is used by service technicians to test and configure internal functions of the device It should only be accessed for troubleshooting purposes CAUTION Mechanical hazard risk of damage to the device Excessive use of BIST functions may cause increase wear on the device which may void the warranty Avoid using BIST functions unless instructed b...

Page 57: ... Section 3 4 Uploading Downloading Files Section 3 5 Managing Logs Section 3 6 Managing Ethernet Ports Section 3 7 Managing IP Interfaces Section 3 8 Managing IP Gateways Section 3 9 Configuring IP Services Section 3 10 Managing Remote Monitoring Section 3 11 Upgrading Downgrading Firmware Section 3 12 Resetting the Device Section 3 13 Decommissioning the Device Section 3 1 Viewing Product Informa...

Page 58: ...n run on Controlled units but it can not run on Non Controlled units The Non Controlled main firmware can run on both Controlled and Non Controlled units Serial Number Synopsis Any 31 characters Shows the serial number of the device Boot Version Synopsis Any 47 characters Shows the version and the build date of the boot loader software Main Version Synopsis Any 47 characters Shows the version and ...

Page 59: ...otal Box 5 RAM Free Box 6 RAM Low Watermark Box 7 Temperature Box 8 Free Rx Bufs Box 9 Free Tx Bufs Box 10 Reload Button This screen displays the following information Parameter Description Running Time Synopsis DDDD days HH MM SS The amount of time since the device was last powered on Total Powered time Synopsis DDDD days HH MM SS The cumulative powered up time of the device CPU Usage Synopsis 0 ...

Page 60: ...t such as those that affect basic connectivity and SNMP management is useful when communication with the device is still required during the reset The following categories are not affected by a selective configuration reset IP Interfaces IP Gateways SNMP Users SNMP Security to Group Maps SNMP Access RUGGEDCOM Discovery Protocol RCDP In addition the following categories are not affected by a full o...

Page 61: ... a Telnet or RS232 console session TFTP client using the CLI shell in a console session and a remote TFTP server TFTP server from a remote TFTP client SFTP secure FTP over SSH from a remote SFTP client NOTE The contents of the internal file system are fixed New files and directories cannot be created and existing files cannot be deleted Only the files that can be uploaded to the device can be over...

Page 62: ...Section 2 6 Using the Command Line Interface NOTE The send option sends files to the host computer while the receive option pulls files from the host computer 3 At the CLI prompt type xmodem send receive filename Where filename is the name of the file i e main bin NOTE If available in the terminal emulation or Telnet software select the XModem 1K protocol for transmission over the standard XModem ...

Page 63: ...o the host computer address is the IP address of the computer running the TFTP server source filename is the name of the file to be transferred destination filename is the name of the file on the device or the TFTP server that will be replaced during the transfer The following is an example of a successful TFTP client file transfer tftp 10 0 0 1 get ROS CF52_Main_v3 7 0 bin main bin TFTP CMD main ...

Page 64: ...ing NOTE This method requires a host computer that has SFTP client software installed 1 Establish an SFTP connection between the device and the host computer 2 Launch the SFTP transfer The client will indicate when the transfer is complete The following is an example of a successful SFTP server exchange user host sftp admin ros_ip Connecting to ros_ip admin ros_ip s password sftp put ROS CF52_Main...

Page 65: ...in a text editor For more information about downloading log files refer to Section 3 4 Uploading Downloading Files To view the system log through the Web interface navigate to Diagnostics View System Log The syslog txt form appears Figure 11 syslog txt Form Section 3 5 2 Clearing Local Logs To clear both the local crash and system logs log in to the CLI shell and type clearlogs To clear only the l...

Page 66: ...l selected is considered the minimum severity level for the system For example if ERROR is selected the system sends any syslog messages generated by Error Critical Alert and Emergency 3 Click Apply Section 3 5 4 Managing Remote Logging In addition to the local system log maintained on the device a remote system log can be configured as well to collect important event messages The syslog client re...

Page 67: ...log Client The Remote Syslog Client form appears 3 2 1 Figure 14 Remote Syslog Client Form 1 UDP Port 2 Apply Button 3 Reload Button 2 Configure the following parameter s as required Parameter Description UDP Port Synopsis 1025 to 65535 or 514 Default 514 The local UDP port through which the client sends information to the server s 3 Click Apply Section 3 5 4 2 Viewing a List of Remote Syslog Serv...

Page 68: ...rvers or collectors Similar to the local system log a remote system log server can be configured to log information at a specific severity level Only messages of a severity level equal to or greater than the specified severity level are written to the log To add a remote syslog server to the list of known servers do the following 1 Navigate to Administration Configure Syslog Configure Remote Syslo...

Page 69: ...the application or operating system component that generates a log message ROS map all syslog logging information onto a single facility which is configurable by user to facilitate remote syslog server Severity Synopsis EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUGGING Default DEBUGGING The severity level is the severity of the message that has been generated Please note that t...

Page 70: ...n 3 Click Delete Section 3 6 Managing Ethernet Ports The following sections describe how to set up and manage Ethernet ports NOTE For information about configuring remote monitoring for Ethernet ports refer to Section 3 10 Managing Remote Monitoring Section 3 6 1 Controller Protection Through Link Fault Indication LFI Section 3 6 2 Viewing the Status of Ethernet Ports Section 3 6 3 Viewing Statist...

Page 71: ...active Switch B must forward frames to the controller through Switch A 2 1 5 3 4 Figure 20 Example 1 Switch A 2 Switch B 3 Main Transmit Path 4 Backup Transmit Path 5 Controller If the transmit path from the controller to Switch A fails Switch A still generates a link signal to the controller through the receive path The controller still detects the link with Switch A and does not failover to the ...

Page 72: ...FI feature it must not be enabled on both sides of the link If it is enabled on both sides the link will never be established as each link partner will be waiting for the other to transmit a link signal The switch can also be configured to flush the MAC address table for the controller port Frames destined for the controller will be flooded to Switch B where they will be forwarded to the controlle...

Page 73: ...s the following information Parameter Description Port Synopsis 1 to maximum port number The port number as seen on the front plate silkscreen of the switch State Synopsis Down Up InOctets Synopsis 0 to 4294967295 The number of octets in received good packets Unicast Multicast Broadcast and dropped packets OutOctets Synopsis 0 to 4294967295 The number of octets in transmitted good packets InPkts S...

Page 74: ...in transmitted good packets InPkts Synopsis 0 to 18446744073709551615 The number of received good packets Unicast Multicast Broadcast and dropped packets OutPkts Synopsis 0 to 18446744073709551615 The number of transmitted good packets TotalInOctets Synopsis 0 to 18446744073709551615 The total number of octets of all received packets This includes data octets of rejected and local packets which ar...

Page 75: ... which Late Collision Event has been detected Pkt64Octets Synopsis 0 to 4294967295 The number of received and transmitted packets with size of 64 octets This includes received and transmitted packets as well as dropped and local received packets This does not include rejected received packets Pkt65to127Octets Synopsis 0 to 4294967295 The number of received and transmitted packets with size of 65 t...

Page 76: ...ber of transmitted Broadcast packets UndersizePkts Synopsis 0 to 4294967295 The number of received packets which meet all the following conditions Packet data length is less than 64 octets Collision Event has not been detected Late Collision Event has not been detected Packet has valid CRC Section 3 6 5 Clearing Statistics for Specific Ethernet Ports To clear the statistics collected for one or mo...

Page 77: ...onitoring an SFP Port Section 3 6 6 3 Displaying Information for an SFP Port Section 3 6 6 1 Configuring an SFP Port Depending on the required link media type an SFP port may require some explicit configuration For 1000Base X or 1000Base T links the speed of the SFP port must be set to 1 Gbps For 100Base FX or 100Base TX links the speed must be set to 100 Mbps Auto negotiation can be configured to...

Page 78: ...he transceiver is not recognized it is rejected An alarm is also generated and the port is blocked so that no link can be established until the transceiver is replaced The Media parameter shows the rejected SFP transceiver is unidentified For example SFP Unidentified If no transceiver is installed on an SFP port the Media parameter shows the SFP transceiver is unplugged SFP Unplugged Section 3 6 6...

Page 79: ...xx Part number xxxxxxxxxx Revision 0000 Laser wavelength 1310 nm Section 3 6 7 Configuring an Ethernet Port To configure an Ethernet port do the following NOTE Depending on the required link media type an SFP port may require some explicit configuration Before configuring an SFP port refer to Section 3 6 6 1 Configuring an SFP Port 1 Navigate to Ethernet Ports Configure Port Parameters The Port Pa...

Page 80: ...is 100TX 10FL 100FX 1000X 1000T 802 11g EoVDSL 100TX Only 10FL 100SX 10GX Default 100TX The type of the port media State Synopsis Disabled Enabled Default Enabled Disabling a port will prevent all frames from being sent and received on that port Also when disabled link integrity signal is not sent so that the link activity LED will never be lit You may want to disable a port for troubleshooting or...

Page 81: ...nding device to retry transmissions according to the Ethernet backoff algorithm When the port is full duplex it is accomplished using PAUSE frames which causes the sending device to stop transmitting for a certain period of time LFI Synopsis Off On Default Off Enabling Link Fault Indication LFI inhibits transmitting link integrity signal when the receive link has failed This allows the device at f...

Page 82: ...te Limiting Form 1 Port Box 2 Ingress Limit Box 3 Ingress Frames List 4 Egress Limit Box 5 Apply Button 6 Reload Button 3 Configure the following parameter s as required Parameter Description Port Synopsis 1 to maximum port number Default 1 The port number as seen on the front plate silkscreen of the switch Ingress Limit Synopsis 62 to 256000 Kbps or Disabled Default 1000 Kbps The rate after which...

Page 83: ...ble for analysis Select a target port that has a higher speed than the source port Mirroring a 100 Mbps port onto a 10 Mbps port may result in an improperly mirrored stream Frames will be dropped if the full duplex rate of frames on the source port exceeds the transmission speed of the target port Since both transmitted and received frames on the source port are mirrored to the target port frames ...

Page 84: ... s to be transmitted out of the target port Source Port Synopsis Any combination of numbers valid for this parameter The port s being monitored Source Direction Synopsis Egress and Ingress Egress Only Default Egress and Ingress Specifies monitoring whether both egress and ingress traffics or only egress traffic of the source port Target Port Synopsis 1 to maximum port number Default 1 The port whe...

Page 85: ...commended setting With this setting an extended period 2 minutes of excessive link state changes reported by a port will prompt Port Guard feature to disable FAST LINK DETECTION on that port and raise an alarm By disabling FAST LINK DETECTION on the problematic port excessive link state changes can no longer consume substantial amount of system resources However if FAST LINK DETECTION is disabled ...

Page 86: ... cables that are too long ROS includes a built in cable diagnostics utility The following sections describe how to run diagnostics on Ethernet cables Section 3 6 11 1 Viewing Cable Diagnostics Results Section 3 6 11 2 Performing Cable Diagnostics Section 3 6 11 3 Clearing Cable Diagnostics Section 3 6 11 4 Determining the Estimated Distance To Fault DTF Section 3 6 11 1 Viewing Cable Diagnostics R...

Page 87: ...ference can be used as the calibration value Enter the calibration value and run cable diagnostics a few more times The distance to OPEN fault should now be at similar distance as the cable length Distance to fault for the selected port is now calibrated Good Synopsis 0 to 65535 The number of times GOOD TERMINATION no fault is detected on the cable pairs of the selected port Open Synopsis 0 to 655...

Page 88: ...CAT 5 or better quality Ethernet cable to the selected Ethernet port IMPORTANT Both the selected Ethernet port and its partner port can be configured to run in Enabled mode with auto negotiation or in Disabled mode Other modes are not recommended as they may interfere with the cable diagnostics procedure 2 Connect the other end of the cable to a similar network port For example connect a 100Base T...

Page 89: ...o determine the DTF value refer to Section 3 6 11 4 Determining the Estimated Distance To Fault DTF 7 Select Started IMPORTANT A diagnostic test can be stopped by selecting Stopped and clicking Apply However if the test is stopped in the middle of a diagnostic run the test will run to completion 8 Click Apply The state of the Ethernet port will automatically change to Stopped when the test is comp...

Page 90: ...nd recorded in the system log 3 Review the errors recorded in the system log and determine the average distance of the open faults For more information about the system log refer to Section 3 5 1 Viewing Local Logs 4 Subtract the average distance from the cable length to determine the calibration value 5 Configure the cable diagnostic utility to run a few times with the new calibration value The d...

Page 91: ...the case of the management interface the IP address type can be either static DHCP BOOTP or dynamic For all other interfaces the IP address must be static CAUTION Configuration hazard risk of communication disruption Changing the ID for the management VLAN will break any active Raw Socket TCP connections If this occurs reset all serial ports The following sections describe how to set up and manage...

Page 92: ...P interfaces as needed For more information refer to Section 3 7 2 Adding an IP Interface Section 3 7 2 Adding an IP Interface To add an IP interface do the following 1 Navigate to Administration Configure IP Interfaces The IP Interfaces table appears 1 Figure 37 IP Interfaces Table 1 InsertRecord 2 Click InsertRecord The Switch IP Interfaces form appears ...

Page 93: ...is IP interface is created ID Synopsis 1 to 4094 Default 1 Specifies the ID of the interface for which this IP interface is created If the interface type is VLAN this represents the VLAN ID Mgmt Synopsis No Yes Default No Specifies whether the IP interface is the device management interface IP Address Type Synopsis Static Dynamic DHCP BOOTP Default Static Specifies whether the IP address is static...

Page 94: ... 255 separated by periods Typically subnet mask numbers use either 0 or 255 as values e g 255 255 255 0 but other numbers can appear IMPORTANT Each IP interface must have a unique network address 4 Click Apply Section 3 7 3 Deleting an IP Interface To delete an IP interface configured on the device do the following 1 Navigate to Administration Configure IP Interfaces The IP Interfaces table appear...

Page 95: ...arameters are blank the gateway is considered to be a default gateway NOTE The default gateway configuration will not be changed when resetting all configuration parameters to their factory defaults The following sections describe how to set up and manage IP gateways Section 3 8 1 Viewing a List of IP Gateways Section 3 8 2 Adding an IP Gateway Section 3 8 3 Deleting an IP Gateway Section 3 8 1 Vi...

Page 96: ...red add IP gateways as needed For more information refer to Section 3 8 2 Adding an IP Gateway Section 3 8 2 Adding an IP Gateway To add an IP gateway do the following 1 Navigate to Administration Configure IP Gateways The IP Gateways table appears 1 Figure 42 IP Gateways Table 1 InsertRecord 2 Click InsertRecord The IP Gateways form appears ...

Page 97: ...fault gateway both the destination and subnet are 0 Subnet Synopsis where ranges from 0 to 255 Specifies the destination IP subnet mask For default gateway both the destination and subnet are 0 Gateway Synopsis where ranges from 0 to 255 Specifies the gateway to be used to reach the destination 4 Click Apply Section 3 8 3 Deleting an IP Gateway To delete an IP gateway configured on the device do t...

Page 98: ...ces provided by the device do the following 1 Navigate to Administration Configure IP Services The IP Services form appears 8 9 7 6 5 4 3 2 1 Figure 46 IP Services Form 1 Inactivity Timeout Box 2 Telnet Sessions Allowed Box 3 Web Server Users Allowed Box 4 TFTP Server Box 5 Modbus Address Box 6 SSH Sessions Allowed Box 7 RSH Server Box 8 Apply Button 9 Reload Button 2 Configure the following param...

Page 99: ...FTP Server GET ONLY only allows reading of files via TFTP Server ENABLED allows reading and writing of files via TFTP Server ModBus Address Synopsis 1 to 255 or Disabled Default Disabled Determines the Modbus address to be used for Management through Modbus SSH Sessions Allowed Controlled Version Only Synopsis 1 to 4 Default 4 Limits the number of SSH sessions RSH Server Synopsis Disabled Enabled ...

Page 100: ...story Control Section 3 10 1 3 Deleting an RMON History Control Section 3 10 1 1 Viewing a List of RMON History Controls To view a list of RMON history controls navigate to Ethernet Stats Configure RMON History Controls The RMON History Controls table appears Figure 47 RMON History Controls Table If history controls have not been configured add controls as needed For more information refer to Sect...

Page 101: ...6 Owner Box 7 Apply Button 8 Delete Button 9 Reload Button 3 Configure the following parameter s as required Parameter Description Index Synopsis 1 to 65535 Default 1 The index of this RMON History Contol record Port Synopsis 1 to maximum port number Default 1 The port number as seen on the front plate silkscreen of the switch Requested Buckets Synopsis 1 to 4000 Default 50 The maximum number of b...

Page 102: ...ket The range is 1 to 3600 The default is 1800 Owner Synopsis Any 127 characters Default Monitor The owner of this record It is suggested to start this string withword monitor 4 Click Apply Section 3 10 1 3 Deleting an RMON History Control To delete an RMON history control do the following 1 Navigate to Ethernet Stats Configure RMON History Controls The RMON History Controls table appears Figure 5...

Page 103: ...r RMON event which can generate an SNMP trap an entry in the event log or both The RMON event can also direct alarms towards different users defined for SNMP The alarm can point to a different event for each of the thresholds Therefore combinations such as trap on rising threshold or trap on rising threshold log and trap on falling threshold are possible Each RMON alarm may be configured such that...

Page 104: ...d It may be desirable to alarm when the total or absolute number of events crosses a threshold In this case set the measurement period type to absolute The following sections describe how to configure and manage RMON alarms Section 3 10 2 1 Viewing a List of RMON Alarms Section 3 10 2 2 Adding an RMON Alarm Section 3 10 2 3 Deleting an RMON Alarm Section 3 10 2 1 Viewing a List of RMON Alarms To v...

Page 105: ...s 1 Figure 54 RMON Alarms Table 1 InsertRecord 2 Click InsertRecord The RMON Alarms form appears 14 12 13 1 2 3 4 5 6 7 8 9 10 11 Figure 55 RMON Alarms Form 1 Index Box 2 Variable Box 3 Rising Thr Box 4 Falling Thr Box 5 Value Box 6 Type Options 7 Interval Box 8 Startup Alarm List 9 Rising Event Box 10 Falling Event Box 11 Owner Box 12 Apply Button 13 Delete Button 14 Reload Button 3 Configure the...

Page 106: ... equal to this threshold and the value at the last sampling interval was greater than this threshold a single event will be generated A single event will also be generated if the first sample after this record is created is less than or equal to this threshold and the associated startup alarm ils equal to falling After falling alarm is generated another such event will not be generated until the s...

Page 107: ...icular if this value is zero no associated event will be generated Owner Synopsis Any 127 characters Default Monitor The owner of this record It is suggested to start this string withword monitor 4 Click Apply Section 3 10 2 3 Deleting an RMON Alarm To delete an RMON alarm do the following 1 Navigate to Ethernet Stats Configure RMON Alarms The RMON Alarms table appears Figure 56 RMON Alarms Table ...

Page 108: ...ing RMON events define behavior profiles used in event logging These profiles are used by RMON alarms to send traps and log events Each alarm may specify that a log entry be created on its behalf whenever the event occurs Each entry may also specify that a notification should occur by way of SNMP trap messages In this case the user for the trap message is specified as the Community Two traps are d...

Page 109: ...vents table appears Figure 58 RMON Events Table If events have not been configured add events as needed For more information refer to Section 3 10 3 2 Adding an RMON Event Section 3 10 3 2 Adding an RMON Event To add an RMON alarm do the following 1 Navigate to Ethernet Stats Configure RMON Events The RMON Events table appears 1 Figure 59 RMON Events Table 1 InsertRecord 2 Click InsertRecord The R...

Page 110: ...t this event In the case of log an entry is made in the RMON Log table for each event In the case of snmp_trap an SNMP trap is sent to one or more management stations Community Synopsis Any 31 characters Default public If the SNMP trap is to be sent it will be sent to the SNMP community specified by this string Last Time Sent Synopsis DDDD days HH MM SS The time from last reboot at the time this e...

Page 111: ...ble 2 Select the event from the table The RMON Events form appears 9 7 8 1 2 3 4 5 6 Figure 62 RMON Events Form 1 Index Box 2 Type List 3 Community Box 4 Last Time Sent Box 5 Description Box 6 Owner Box 7 Apply Button 8 Delete Button 9 View Button 10 Reload Button 3 Click Delete Section 3 11 Upgrading Downgrading Firmware The following sections describe how to upgrade and downgrade the firmware Se...

Page 112: ...ore information refer to Section 3 4 Uploading Downloading Files 2 Reset the device to complete the installation For more information refer to Section 3 12 Resetting the Device 3 Access the CLI shell and verify the new software version has been installed by typing version The currently installed versions of the main and boot firmware are displayed version Current ROS CF52 Boot Software v2 20 0 Jan...

Page 113: ...ng the same methods used to install newer firmware versions For more information refer to Section 3 11 1 Upgrading Firmware 6 Press Ctrl S to access the CLI 7 Clear all logs by typing clearlogs 8 Clear all alarms by typing clearalarms IMPORTANT After downgrading the firmware and FPGA files be aware that some settings from the previous configuration may be lost or reverted back to the factory defau...

Page 114: ...nd Line Interface 5 Upload a blank version of the banner txt file to the device to replace the existing file For more information about uploading a file refer to Section 3 4 Uploading Downloading Files 6 Confirm the upload was successful by typing type banner txt 7 Clear the system and crash logs by typing clearlog 8 Generate a random SSL certificate by typing sslkeygen This may take several minut...

Page 115: ...sic information that can be used to identify the device its location and or its owner do the following 1 Navigate to Administration Configure System Identification The System Identification form appears 5 4 3 2 1 Figure 64 System Identification Form 1 System Name Box 2 Location Box 3 Contact Box 4 Apply Button 5 Reload Button 2 Configure the following parameter s as required Parameter Description ...

Page 116: ...s appear on the login screen To update the banner txt file download the file from the device modify it and then load it back on to the device For information about uploading and downloading files refer to Section 3 4 Uploading Downloading Files Section 4 3 Configuring Passwords ROS allows for up to three user profiles to be configured locally on the device Each profile corresponds to one of the fo...

Page 117: ... Form 1 Auth Type Box 2 Guest Username Box 3 Guest Password Box 4 Confirm Guest Password Box 5 Operator Username Box 6 Operator Password Box 7 Confirm Operator Password Box 8 Admin Username Box 9 Admin Password Box 10 Confirm Admin Password Box 11 Apply Button 12 Reload Button NOTE ROS requires that all user passwords meet strict guidelines to prevent the use of weak passwords When creating a new ...

Page 118: ... regardless of the device configuration If server authentication is required requests to the server will be sent only if local authentication fails Guest Username Synopsis Any 15 characters Default guest Related password is in field Guest Password view only cannot change settings or run any commands Guest Password Synopsis 15 character ASCII string Related username is in field Guest Username view ...

Page 119: ...on state of the device Examples include authentication failures Remote Network MONitoring RMON MIB generated alarms or error states that temporarily exceeded a certain threshold These alarms can be cleared from the list of alarms NOTE For more information about RMON alarms refer to Section 3 10 2 Managing RMON Alarms When either type of alarm occurs a message appears in the top right corner of the...

Page 120: ...ough the Command Line Interface CLI using the alarms For more information refer to Section 2 6 1 Available CLI Commands For information about modifying a pre configured alarm refer toSection 4 4 3 Configuring an Alarm Section 4 4 2 Viewing and Clearing Latched Alarms To view a list of alarms that are configured to latch navigate to Diagnostics View Latched Alarms The Latched Alarms table appears ...

Page 121: ... Clear Latched Alarms Form 1 Confirm Button 2 Click Confirm Section 4 4 3 Configuring an Alarm While all alarms are pre configured on the device some alarms can be modified to suit the application This includes enabling disabling certain features and changing the refresh time To configuring an alarm do the following IMPORTANT Critical and Alert level alarms are not configurable and cannot be disab...

Page 122: ...Chapter 4 System Administration RUGGEDCOM ROS User Guide 108 Configuring an Alarm Figure 69 Alarms Table 2 Select an alarm The Alarms form appears ...

Page 123: ...system reboot ALERT The device has had a serious failure that did not cause a system reboot CRITICAL The device has a serious unrecoverable problem ERROR The device has a recoverable problem that does not seriously affect operation WARNING Possibly serious problem affecting overall system operation NOTIFY Condition detected that is not expected or not allowed INFO Event which is a part of normal o...

Page 124: ...ice in three different ways Console SSH or Telnet ROS can log messages in the syslog send a trap to notify an SNMP manager and or raise an alarm when a successful and unsuccessful login event occurs In addition when a weak password is configured on a unit or when the primary authentication server for TACACS or RADIUS is not reachable ROS will raise alarms send SNMP traps and log messages in the sy...

Page 125: ...ses the device i e SSH Web Console Telnet or RSH However when a user logs out a message is only logged when the user is accessing the device through SSH Telnet or Console Message Name Alarm SNMP Trap Syslog Successful Login Yes Yes Yes Failed Login Yes Yes Yes User Logout No No Yes Excessive Failed Login Attempts ROS generates this alarm and logs a message in the syslog after 10 failed login attem...

Page 126: ...rates this alarm and logs a message in the syslog when a host connected to a secure port on the device is communicating using a source MAC address which has not been authorized by ROS or the dynamically learned MAC address has exceeded the total number of MAC addresses configured to be learned dynamically on the secured port This message is only applicable when the port security mode is set to Sta...

Page 127: ...5 2 Updating the Configuration File Section 4 5 1 Configuring Data Encryption To encrypt the configuration file and protect it with a password passphrase do the following NOTE Data encryption is not available in Non Controlled NC versions of ROS When switching between Controlled and Non Controlled NC versions of ROS make sure data encryption is disabled Otherwise the NC version of ROS will ignore ...

Page 128: ...d with the same passphrase Confirm Passphrase Synopsis 31 character ascii string This passphrase is used as a secret key to encrypt the configuration data Encrypted data can be decrypted by any device configured with the same passphrase 3 Click Apply Section 4 5 2 Updating the Configuration File Once downloaded from the device the configuration file can be updated using a variety of different tool...

Page 129: ...ization RADIUS is a UDP based protocol used for carrying authentication authorization and configuration information between a Network Access Server NAS that desires to authenticate its links and a shared authentication server It provides centralized authentication and authorization for network access RADIUS is also widely used in conjunction with the IEEE 802 1X standard for port security using th...

Page 130: ...ections describe how to configure RADIUS authentication Section 4 6 1 1 Configuring the RADIUS Server Section 4 6 1 2 Configuring the RADIUS Client Section 4 6 1 1 Configuring the RADIUS Server The Vendor Specific attribute or VSA sent to the RADIUS server as part of the RADIUS request is used to determine the access level from the RADIUS server This attribute may be configured within the RADIUS s...

Page 131: ...from the table The RADIUS Server form appears 7 6 5 4 3 2 1 Figure 73 RADIUS Server Form 1 Server Box 2 IP Address Box 3 Auth UDP Port Box 4 Auth Key Box 5 Confirm Auth Key Box 6 Apply Button 7 Reload Button 3 Configure the following parameter s as required Parameter Description Server Synopsis Any 8 characters Default Primary This field tells whether this configuration is for a Primary or a Backu...

Page 132: ...ized servers The following sections describe how to configure TACACs authentication Section 4 6 2 1 Configuring TACACS Section 4 6 2 2 Configuring User Priviliges Section 4 6 2 1 Configuring TACACS ROS can be configured to use two TACACS servers a primary server and a backup server If the primary server is unavailable the device will automatically attempt to connect with the backup server To confi...

Page 133: ... Auth TCP Port Synopsis 1 to 65535 Default 49 The IP Port on server Auth Key Synopsis 31 character ascii string Default mySecret The authentication key to be shared with server Confirm Auth Key Synopsis 31 character ascii string The authentication key to be shared with server 4 Set the privilege levels for each user type i e admin operator and guest For more information refer to Section 4 6 2 2 Co...

Page 134: ... Serv Privilege Config form appears 5 4 3 2 1 Figure 76 TACPLUS Serv Privilege Config Form 1 Server Box 2 IP Address Box 3 Auth TCP Port Box 4 Apply Button 5 Reload Button 2 Configure the following parameter s as required Parameter Description Admin Priv Synopsis 0 to 15 0 to 15 Default 15 Privilege level to be assigned to the user Oper Priv Synopsis 0 to 15 0 to 15 Default 2 14 Privilege level to...

Page 135: ...the network Information about the client s location can be sent along with the DHCP request to the server Based on this information the DHCP server makes a decision about an IP Address to be assigned DHCP Relay Agent takes the broadcast DHCP requests from clients received on the configured access port and inserts the relay agent information option Option 82 into the packet Option 82 contains the V...

Page 136: ...ts 2 4 5 6 and 8 can have DHCP clients connected 3 Click Apply Section 5 2 Managing Virtual LANs A Virtual Local Area Network VLAN is a group of devices on one or more LAN segments that communicate as if they were attached to the same physical LAN segment VLANs are extremely flexible because they are based on logical connections rather than physical connections When VLANs are introduced all traffi...

Page 137: ...AN Section 5 2 1 3 The Management VLAN Section 5 2 1 4 Edge and Trunk Port Types Section 5 2 1 5 Ingress and Egress Rules Section 5 2 1 6 Forbidden Ports List Section 5 2 1 7 VLAN Aware and VLAN Unaware Modes Section 5 2 1 8 GARP VLAN Registration Protocol GVRP Section 5 2 1 9 PVLAN Edge Section 5 2 1 10 QinQ Section 5 2 1 11 VLAN Advantages Section 5 2 1 1 Tagged vs Untagged Frames VLAN tags iden...

Page 138: ...t out of another trunk port The trunk ports must be members of all VLANs that the pass through traffic is part of even if none of those VLANs are used on edge ports Frames transmitted out of the port on all VLANs other than the port s native VLAN are always sent tagged NOTE It may be desirable to manually restrict the traffic on the trunk to a specific group of VLANs For example when the trunk con...

Page 139: ...re Modes The native operation mode for an IEEE 802 1Q compliant switch is VLAN aware Even if a specific network architecture does not use VLANs ROS s default VLAN settings allow the switch to still operate in a VLAN aware mode while providing functionality required for almost any network application However the IEEE 802 1Q standard defines a set of rules that must be followed by all VLAN aware swi...

Page 140: ...witch sends GVRP bridge protocol data units BPDUs out of all GVRP enabled ports GVRP BPDUs advertise all the VLANs known to that switch configured manually or learned dynamically through GVRP to the rest of the network When a GVRP enabled switch receives a GVRP BPDU advertising a set of VLANs the receiving port becomes a member of those advertised VLANs and the switch begins advertising those VLAN...

Page 141: ...thin the same VLAN This protection extends to all traffic on the VLAN including unicast multicast and broadcast traffic For more information about how to configure a port as protected refer to Section 5 2 4 Configuring VLANs for Specific Ethernet Ports NOTE This feature is strictly local to the switch PVLAN Edge ports are not prevented from communicating with ports outside of the switch whether pr...

Page 142: ...nother switch The switch strips the outer tag while associating the frames with the VID extracted from it before stripping Thus the frames are switched to appropriate edge ports i e customers 1 3 2 1 2 4 4 5 5 Figure 79 Using QinQ 1 Customer 1 PVID is X 2 Customer 2 PVID is Y 3 Network Service Provider Infrastructure 4 Switch 5 QinQ NOTE QinQ can only be enabled on one switch port at a time NOTE S...

Page 143: ...s 1 VLAN 2 Switch Administrative Convenience VLANs enable equipment moves to be handled by software reconfiguration instead of by physical cable management When a host s physical location is changed its connection point is often changed as well With VLANs the host s VLAN membership and priority are simply copied to the new port Reduced Hardware Without VLANs traffic domain isolation requires the u...

Page 144: ...list of all VLANs whether they were created statically implicitly or dynamically navigate to Virtual LANs View VLAN Summary The VLAN Summary table appears Figure 82 VLAN Summary Table If a VLANs are not listed add static VLANs as needed For more information refer to Section 5 2 5 2 Adding a Static VLAN Section 5 2 3 Configuring VLANs Globally To configure global settings for all VLANs do the follo...

Page 145: ...l ports When enabled any tagged packet arriving at a port which is not a member of a VLAN with which that packet is associated is dropped When disabled packets are not dropped NOTE Ingress filtering has no effect when ports are in either VLAN unaware mode or Q in Q mode 3 Click Apply Section 5 2 4 Configuring VLANs for Specific Ethernet Ports When a VLAN ID is assigned to an Ethernet port the VLAN...

Page 146: ...ombination of numbers valid for this parameter The port number as seen on the front plate silkscreen of the switch or a list of ports if aggregated in a port trunk Type Synopsis Edge Trunk PVLANEdge QinQ Default Edge This parameter specifies how the port determines its membership in VLANs There are few types of ports Edge the port is only a member of one VLAN its native VLAN specified by the PVID ...

Page 147: ...h is programmed to use VLAN 1 If you modify a switch port to use a VLAN other than the management VLAN devices on that port will not be able to manage the switch PVID Format Synopsis Untagged Tagged Default Untagged Specifies whether frames transmitted out of the port on its native VLAN specified by the PVID parameter will be tagged or untagged If Type is set to QinQ set the PVID format to Tagged ...

Page 148: ...he Static VLANs table appears Figure 86 Static VLANs Table If a static VLAN is not listed add the VLAN For more information refer to Section 5 2 5 2 Adding a Static VLAN Section 5 2 5 2 Adding a Static VLAN To add a static VLAN do the following 1 Navigate to Virtual LANs Configure Static VLANs The Static VLANs table appears 1 Figure 87 Static VLANs Table 1 InsertRecord 2 Click InsertRecord The Sta...

Page 149: ...he multicast traffic Parameter Description VID Synopsis 1 to 4094 Synopsis 1 to 4094 Default 1 The VLAN Identifier is used to identify the VLAN in tagged Ethernet frames according to IEEE 802 1Q VLAN Name Synopsis Any 19 characters The VLAN name provides a description of the VLAN purpose for example Engineering VLAN Forbidden Ports Synopsis Any combination of numbers valid for this parameter These...

Page 150: ...which the VLAN should be mapped 4 Click Apply Section 5 2 5 3 Deleting a Static VLAN To delete a static VLAN do the following 1 Navigate to Virtual LANs Configure Static VLANs The Static VLANs table appears Figure 89 Static VLANs Table 2 Select the static VLAN from the table The Static VLANs form appears 6 7 8 1 2 3 4 5 Figure 90 Static VLANs Form 1 VID Box 2 VLAN Name Box 3 Forbidden Ports Box 4 ...

Page 151: ...formation throughout the network RSTP also offers a number of other significant innovations including Topology changes in RSTP can originate from and be acted upon by any designated bridges leading to more rapid propagation of address information unlike topology changes in STP which must be passed to the root bridge before they can be propagated to the network RSTP explicitly recognizes two blocki...

Page 152: ... determined that the port will play an active part in the network the state will change to learning The learning state is entered when the port is preparing to play an active part in the network The port learns addresses in this state but does not participate in frame transfer In a network of RSTP bridges the time spent in this state is usually quite short RSTP bridges operating in STP compatibili...

Page 153: ...network A port is a Backup Port when it receives a better message from the LAN segment it is connected to originating from another port on the same bridge The port is a backup for another port on the bridge and will become active if that port fails The Backup Port does not participate in the network Section 5 3 1 2 Edge Ports A port may be designated as an Edge Port if it is directly connected to ...

Page 154: ...OTE In actuality the primary determinant for root port selection is the root bridge ID Bridge ID is important mainly at network startup when the bridge with the lowest ID is elected as the root bridge After startup when all bridges agree on the root bridge s ID the path cost is used to select root ports If the path costs of candidates for the root port are the same the ID of the peer bridge is use...

Page 155: ...er is thus four times the configured maximum age parameter NOTE The RSTP algorithm is as follows STP configuration messages contain age information Messages transmitted by the root bridge have an age of 0 As each subsequent designated bridge transmits the configuration message it must increase the age by at least 1 second When the age exceeds the value of the maximum age parameter the next bridge ...

Page 156: ...ilover algorithms RSTP Fast Root Failover will not function properly and root bridge failure will result in an unpredictable failover time Fast Root Failover and RSTP Performance Running RSTP with Fast Root Failover disabled has no impact on RSTP performance Fast Root Failover has no effect on RSTP performance in the case of failures that do not involve the root bridge or one of its links The extr...

Page 157: ... 3 2 1 444 C K H 2 E 4 4 3 5 6 5 6 4 3 I G M J N L Figure 92 Example Structured Wiring Configuration To design a structured wiring configuration do the following 1 Select the design parameters for the network What are the requirements for robustness and network failover recovery times Are there any special requirements for diverse routing to a central host computer Are there any special port redun...

Page 158: ...selected links taking into account network loading and the quality of alternate links 6 Decide upon a port cost calculation strategy Select whether fixed or auto negotiated costs should be used It is recommended to use the auto negotiated cost style unless it is necessary for the network design to change the auto negotiated cost style Select whether the STP or RSTP cost style should be used Make s...

Page 159: ... and ports with half duplex shared media restrictions These bridges should not be used if network fail over recovery times are to be minimized 3 Identify edge ports Ports that connect to host computers Intelligent Electronic Devices IEDs and controllers may be set to edge ports in order to guarantee rapid transitioning to forwarding as well as to reduce the number of topology change notifications ...

Page 160: ...STP allows more than one bridge port to service a LAN In the following example if port 3 is designated to carry the network traffic of LAN A port 4 will block traffic Should an interface failure occur on port 3 port 4 will assume control of the LAN A 1 2 3 4 Figure 94 Example Port Redundancy Section 5 3 3 MSTP Operation The Multiple Spanning Tree MST algorithm and protocol provide greater control ...

Page 161: ...pport of this MSTP maintains separate hop counters for spanning tree information exchanged at the MST region boundary versus that propagated inside the region For information received at the MST region boundary the R STP Message Age is incremented only once Inside the region a separate Remaining Hop Count is maintained one for each spanning tree instance The external Message Age parameter is refer...

Page 162: ... also that it is possible for the CIST Regional Root to be the CIST Root MSTI Regional Root The root bridge for an MSTI within an MSTP region A root bridge is independently elected for each MSTI in an MSTP region Port Roles Each port on an MSTP bridge may have more than one CIST role depending on the number and topology of spanning tree instances defined on the port Role Description CIST Port Role...

Page 163: ...ssible to control the topology of each MSTI within a region Load Balancing MSTP can be used to balance data traffic load among sets of VLANs enabling more complete utilization of a multiply interconnected bridged network A bridged network controlled by a single spanning tree will block redundant links by design in order to avoid harmful loops Using MSTP however any given link may have a different ...

Page 164: ... 5 Configuring STP for Specific Ethernet Ports NOTE Static VLANs must be used in an MSTP configuration GVRP is not supported 2 Add static VLANs and map them to MSTIs For more information refer to Section 5 2 5 2 Adding a Static VLAN NOTE The Region Identifier and Revision Level must be the same for each bridge in the MST region 3 Configure the revision level for the MST Region Identifier For more ...

Page 165: ...dge Priority Synopsis 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default 32768 Bridge Priority provides a way to control the topology of the STP connected network The desired Root and Designated bridges can be configured for a particular topology The bridge with the lowest priority will become root In the event of a failure of the root bridge the brid...

Page 166: ...beginning to forward traffic Lower values allow the port to reach the forwarding state more quickly but at the expense of flooding unlearned addresses to all ports Max Hops Synopsis 6 to 40 Default 20 Only applicable to MSTP The maximum possible bridge diameter inside an MST region MSTP BPDUs propagating inside an MST region specify a time to live that is decremented by every switch that propagate...

Page 167: ...etwork A better alternative to disabling the port is to leave STP enabled but to configure the port as an edge port A good candidate for disabling STP would be a port that services only a single host computer Priority Synopsis 0 16 32 48 64 80 96 112 128 144 160 176 194 208 224 240 Default 128 Selects the STP port priority Ports of the same cost that attach to a common LAN will select the port to ...

Page 168: ...un the link in full duplex mode Force the parameter false when the port operates the link in full duplex mode but is still not point to point e g a full duplex link to an unmanaged bridge that concentrates two other STP bridges Restricted Role Synopsis True or False Default False A boolean value set by management If TRUE causes the Port not to be selected as the Root Port for the CIST or any MSTI ...

Page 169: ... standard does not address network security RSTP must process every received BPDU and take an appropriate action This opens a way for an attacker to influence RSTP topology by injecting RSTP BPDUs into the network BPDU Guard is a feature that protects the network from BPDUs received by a port where RSTP capable devices are not expected to be attached If a BPDU is received by a port for which Edge ...

Page 170: ...fined in the IEEE 802 1w standard has minor differences from more recent enhanced standard s Those differences cause interoperability issues which although they do not completely break RSTP operation can lead to a longer recovery time from failures in the network eRSTP offers some enhancements to the protocol which make the switch fully interoperable with other vendors switches which may be runnin...

Page 171: ...at provides connectivity towards the root bridge of the network Root Path Cost Synopsis 0 to 4294967295 Total cost of the path to the root bridge composed of the sum of the costs of each link in the path If custom costs have not been configured 1Gbps ports will contribute 4 100 Mbps ports will contribute 19 and 10 Mbps ports will contribute a cost of 100 to this figure For the CIST instance of MST...

Page 172: ...lures or as signaled from other bridges Excessively high or rapidly increasing counts signal network problems Section 5 3 8 Viewing STP Statistics for Ethernet Ports To view STP statistics for Ethernet ports navigate to Spanning Tree View Port RSTP Statistics The Port RSTP Statistics table appears Figure 100 Port RSTP Statistics Table This table displays the following information Parameter Descrip...

Page 173: ...ibute 4 100 Mbps ports will contribute 19 and 10 Mbps ports contribute a cost of 100 If the Cost Style is set to RSTP 1Gbps will contribute 20 000 100 Mbps ports will contribute a cost of 200 000 and 10 Mbps ports contribute a cost of 2 000 000 Note that even if the Cost style is set to RSTP a port that migrates to STP will have its cost limited to a maximum of 65535 RX RSTs Synopsis 0 to 42949672...

Page 174: ...ce Box 2 Get Button 3 Bridge Status Box 4 Bridge ID Box 5 Root ID Box 6 Root Port Box 7 Root Path Cost Box 8 Total Topology Changes Box This table displays the following information Parameter Description Bridge Status Synopsis Designated Bridge Not Designated For Any LAN Root Bridge Spanning Tree status of the bridge The status may be root or designated This field may show text saying not designat...

Page 175: ...of topology changes in the network as detected on this bridge through link failures or as signaled from other bridges Excessively high or rapidly increasing counts signal network problems Section 5 3 9 2 Viewing Statistics for Port MSTIs To view statistics for port MSTIs navigate to Spanning Tree View Port MSTI Statistics The Port MSTI Statistics form appears 2 1 Figure 102 Port MSTI Statistics Fo...

Page 176: ...or the Multiple Spanning Tree Instance towards the Common Spanning Tree root bridge i e this port is the root port for the Common Spanning Tree Instance Cost Synopsis 0 to 4294967295 Cost offered by this port If the Bridge RSTP Parameters Cost Style is set to STP 1Gbps ports will contribute 4 100 Mbps ports will contribute 19 and 10 Mbps ports contribute a cost of 100 If the Cost Style is set to R...

Page 177: ...psis Any 32 characters Default 0 This is a read only parameter and should be only used for network troubleshooting In order to ensure consistent VLAN to instance mapping it is necessary for the protocol to be able to exactly identify the boundaries of the MST regions For that pupose the characteristics of the region are included in BPDUs There is no need to propagate the exact VLAN to instance map...

Page 178: ...Default 32768 Bridge Priority provides a way to control the topology of the STP connected network The desired Root and Designated bridges can be configured for a particular topology The bridge with the lowest priority will become root In the event of a failure of the root bridge the bridge with the next lowest priority will then become root Designated bridges that for redundancy purposes service a...

Page 179: ... Box 6 RSTP Cost Box 7 Apply Button 8 Reload Button 3 Under Instance ID type an ID number for a Multiple Spanning Tree Instance MSTI and click GET The settings for the MSTI are displayed Any changes made to the configuration will be applied specifically to this instance ID 4 Configure the following parameter s as required Parameter Description Port s Synopsis Any combination of numbers valid for t...

Page 180: ... links and 100 for 10 Mbps links For MSTP this parameter applies to both external and internal path cost RSTP Cost Synopsis 0 to 2147483647 or Auto Default Auto Selects the cost to use in cost calculations when the Cost Style parameter is set to RSTP in the Bridge RSTP Parameters configuration Setting the cost manually provides the ability to preferentially select specific ports to carry traffic o...

Page 181: ... to configure the Inspect TOS parameter refer to Section 5 4 2 Configuring Classes of Service for Specific Ethernet Ports Received frames are first examined to determine if their destination or source MAC address is found in the Static MAC Address Table If they are the CoS configured for the static MAC address is used If neither destination or source MAC address is in the Static MAC Address Table ...

Page 182: ...n a port may have different CoS priorities This parameter specifies weighting algorithm for transmitting different priority CoS frames Examples 8 4 2 1 8 Critical 4 High 2 Medium and 1 Normal priority CoS frame Strict lower priority CoS frames will be only transmitted after all higher priority CoS frames have been transmitted 3 Click Apply 4 If necessary configure CoS mapping based on either the I...

Page 183: ...rameter The port number as seen on the front plate silkscreen of the switch or a list of ports if aggregated in a port trunk Default Pri Synopsis 0 to 7 Default 0 This parameter allows to prioritize frames received on this port that are not prioritized based on the frames contents e g priority field in the VLAN tag DiffServ field in the IP header prioritized MAC address Inspect TOS Synopsis No Yes...

Page 184: ...rity to CoS Mapping The Priority to CoS Mapping table appears Figure 111 Priority to CoS Mapping Table 2 Select a priority level The Priority to CoS Mapping form appears 4 3 2 1 Figure 112 Priority to CoS Mapping Form 1 Priority Box 2 CoS List 3 Apply Button 4 Reload Button 3 Configure the following parameter s as required Parameter Description Priority Synopsis 0 to 7 Default 0 Value of the IEEE ...

Page 185: ...ss of Service do the following 1 Navigate to Classes of Service Configure DSCP to CoS Mapping The DSCP to CoS Mapping table appears Figure 113 DSCP to CoS Mapping Table 2 Select a DSCP level The DSCP to CoS Mapping form appears 1 3 4 2 Figure 114 DSCP to CoS Mapping Form 1 DSCP Box 2 CoS List 3 Apply Button 4 Reload Button 3 Configure the following parameter s as required Parameter Description DSC...

Page 186: ...Service for Specific Ethernet Ports Section 5 5 Managing MAC Addresses The following sections describe how to configure and manage MAC addresses Section 5 5 1 Viewing a List of MAC Addresses Section 5 5 2 Configuring MAC Address Learning Options Section 5 5 3 Configuring MAC Address Flooding Options Section 5 5 4 Managing Static MAC Addresses Section 5 5 5 Purging All Dynamic MAC Addresses Section...

Page 187: ...address on the device as a static MAC address For more information refer to Section 5 5 4 2 Adding a Static MAC Address Section 5 5 2 Configuring MAC Address Learning Options The MAC address learning options control how and when MAC addresses are removed automatically from the MAC address table Individual addressees are removed when the aging timer is exceeded Addresses can also be removed when a ...

Page 188: ...pon link failure detection When link failure occurs the switch may have some MAC addresses previously learned on the failed port As long as those addresses are not aged out the switch will still be forwarding traffic to that port thus preventing that traffic from reaching its destination via the new network topology Note that when a network redundancy protocol e g RSTP MSTP is enabled on the switc...

Page 189: ...onfigure the following parameter s as required Parameter Description Port s Synopsis Comma separated list of ports The port number as seen on the front plate silkscreen of the switch or a list of ports if aggregated in a port trunk Flood Unknown Unicast Synopsis On Off Default On Normally unicast traffic with an unknown destination address is flooded out of all ports When a port is configured to t...

Page 190: ...tion and ROS will generate a port security alarm The following sections describe how to configure and manage static MAC addresses Section 5 5 4 1 Viewing a List of Static MAC Addresses Section 5 5 4 2 Adding a Static MAC Address Section 5 5 4 3 Deleting a Static MAC Address Section 5 5 4 1 Viewing a List of Static MAC Addresses To view a list of static MAC addresses configured on the device naviga...

Page 191: ...ere ranges 0 to FF A MAC address learned by the switch Maximum of 6 wildcard characters may be used to specify a range of MAC addresses allowed to be learned by the Port Security module when Port Security is set to Static MAC mode Wildcard must start from the right hand end and continuous Examples 00 0A DC means the entire MAC address space of RuggedCom 00 0A DC 12 3 means the range 00 0A DC 12 30...

Page 192: ...option Learn is applicable for Port Security in Static MAC mode CoS Synopsis N A Normal Medium High Crit Default N A Prioritizes traffic for the specified MAC address To not prioritize traffic based on the address select N A 4 Click Apply Section 5 5 4 3 Deleting a Static MAC Address To delete a static MAC address from the Static MAC Address Table do the following 1 Navigate to MAC Address Tables ...

Page 193: ...mic MAC Addresses To purge the dynamic MAC address list of all entries do the following 1 Navigate to MAC Address Tables Purge MAC Address Table The Purge MAC Address Table form appears 1 Figure 124 Purge MAC Address Table Form 1 Confirm Button 2 Click Confirm Section 5 6 Managing Time Services The System Time Manager offers the following time keeping and time synchronization features Local hardwa...

Page 194: ...e the following parameter s as required Parameter Description Time Synopsis HH MM SS This parameter allows for both the viewing and setting of the local time Date Synopsis MMM DD YYYY This parameter allows for both the viewing and setting of the local date Time Zone Synopsis UTC 12 00 Eniwetok Kwajalein UTC 11 00 Midway Island Samoa UTC 10 00 Hawaii UTC 9 00 Alaska UTC 8 00 Los Angeles Vancouver U...

Page 195: ...lies in most part of USA and Canada 03 2 0 02 00 00 11 1 0 02 00 00 DST begins on March s 2nd Sunday at 2 00am DST ends on November s 1st Sunday at 2 00am Section 5 6 2 Configuring NTP ROS may be configured to refer periodically to a specified NTP server to correct any accumulated drift in the on board clock ROS will also serve time via the Simple Network Time Protocol SNTP to hosts that request i...

Page 196: ...NMP ROS supports versions 1 2 and 3 of the Simple Network Management Protocol SNMP otherwise referred to as SNMPv1 SNMPv2c and SNMPv3 respectively SNMPv3 provides secure access to the devices through a combination of authentication and packet encryption over the network Security features for this protocol include Feature Description Message Integrity Makes sure that a packet has not been tampered ...

Page 197: ...configured as User Name The following sections describe how to setup and manage SNMP on the device Section 5 7 1 Managing SNMP Users Section 5 7 2 Managing Security to Group Mapping Section 5 7 3 Managing SNMP Groups Section 5 7 1 Managing SNMP Users The following sections describe how to configure and manage SNMP users refer to the following Section 5 7 1 1 Viewing a List of SNMP Users Section 5 ...

Page 198: ...l as SNMPv1 and SNMPv2c communities NOTE When employing the SNMPv1 or SNMPv2c security level the User Name parameter maps the community name with the security group and access level To add a new SNMP user do the following 1 Navigate to Administration Configure SNMP Configure SNMP Users The SNMP Users table appears 1 Figure 129 SNMP Users Table 1 InsertRecord 2 Click InsertRecord The SNMP Users for...

Page 199: ...admin or Sub25admin is permitted Must have at least one alphabetic character and one number Special characters are permitted Must not have more than 3 continuously incrementing or decrementing numbers For example Sub123 and Sub19826 are permitted but Sub12345 is not An alarm will generate if a weak password is configured The weak password alarm can be disabled by the user For more information abou...

Page 200: ...rom SNMP engine can be protected from disclosure and if so the type of privacy protocol which is used Auth Key Synopsis 31 character ASCII string The secret authentication key password that must be shared with SNMP client If the key is not an emtpy string it must be at least 6 characters long Confirm Auth Key Synopsis 31 character ASCII string The secret authentication key password that must be sh...

Page 201: ...Box 3 v1 v2c Community Box 4 Auth Protocol Box 5 Priv Protocol Box 6 Auth Key Box 7 Confirm Auth Key Box 8 Priv Key Box 9 Confirm Priv Key Box 10 Apply Button 11 Delete Button 12 Reload Button 3 Click Delete Section 5 7 2 Managing Security to Group Mapping The following sections describe how to configure and manage security to group maps refer to the following Section 5 7 2 1 Viewing a List of Sec...

Page 202: ...curity to Group Maps Table If security to group maps have not been configured add maps as needed For more information refer to Section 5 7 2 2 Adding a Security to Group Map Section 5 7 2 2 Adding a Security to Group Map Multiple combinations of security models and groups can be mapped up to a maximum of 32 for SNMP To add a security to group map do the following 1 Navigate to Administration Confi...

Page 203: ...mpV3 The Security Model that provides the name referenced in this table Name Synopsis Any 32 characters The user name which is mapped by this entry to the specified group name Group Synopsis Any 32 characters The group name to which the security model and name belong This name is used as an index to the SNMPv3 VACM Access Table 4 Click Apply Section 5 7 2 3 Deleting a Security to Group Map To dele...

Page 204: ...Group Maps Form 1 Security Model Box 2 Name Box 3 Group Box 4 Apply Button 5 Delete Button 6 Reload Button 3 Click Delete Section 5 7 3 Managing SNMP Groups Multiple SNMP groups up to a maximum of 32 can be configured to have access to SNMP The following sections describe how to configure and manage SNMP groups on the device Section 5 7 3 1 Viewing a List of SNMP Groups Section 5 7 3 2 Adding an S...

Page 205: ...ss The SNMP Access table appears Figure 138 SNMP Access Table If SNMP groups have not been configured add groups as needed For more information refer to Section 5 7 3 2 Adding an SNMP Group Section 5 7 3 2 Adding an SNMP Group To add an SNMP group do the following 1 Navigate to Administration Configure SNMP Configure SNMP Access The SNMP Access table appears 1 Figure 139 SNMP Access Table 1 Insert...

Page 206: ...evel Synopsis noAuthNoPriv authNoPriv authPriv Default noAuthNoPriv The minimum level of security reqwuired in order to gain the access rights allowed by this entry A security level of noAuthNoPriv is less than authNoPriv which is less than authPriv ReadViewName Synopsis noView V1Mib allOfMib Default noView This parameter identifies the MIB tree s to which this entry authorizes read access If the ...

Page 207: ...ars 9 7 8 6 5 4 3 2 1 Figure 142 SNMP Access Form 1 Group Box 2 Security Model Box 3 Security Level Box 4 ReadViewName Box 5 WriteViewName Box 6 NotifyViewName Box 7 Apply Button 8 Delete Button 9 Reload Button 3 Click Delete Section 5 8 Managing Network Discovery ROS supports the Link Layer Discovery Protocol LLDP and RUGGEDCOM Discovery Protocol RCDP both Layer 2 protocols for automated network ...

Page 208: ...ule The LLDP transmit module when enabled sends the local device s information at regular intervals in IEEE 802 1AB standard format Whenever the transmit module is disabled it transmits an LLDPDU LLDP data unit with a time to live TTL type length value TLV containing 0 in the information field This enables remote devices to remove the information associated with the local device in their databases...

Page 209: ...mber Control of device LEDs for easy physical identification Configuration of basic identification networking and authentication parameters For security reasons RUGGEDCOM Explorer will attempt to disable RCDP on all devices when Explorer is shut down If RUGGEDCOM Explorer is unable to disable RCDP on a device ROS will automatically disable RCDP after approximately one hour of inactivity NOTE RCDP ...

Page 210: ...s Default 30 s The interval at which LLDP frames are transmitted on behalf of this LLDP agent Tx Hold Synopsis 2 to 10 Default 4 The multiplier of the Tx Interval parameter that determines the actual time to live TTL value used in a LLDPDU The actual TTL value can be expressed by the following formula TTL MIN 65535 Tx Interval Tx Hold Reinit Delay Synopsis 1 to 10 s Default 2 s The delay in second...

Page 211: ...ble 2 Select a port The Port LLDP Parameters form appears 5 4 3 2 1 Figure 145 Port LLDP Parameters Form 1 Port Box 2 Admin Status List 3 Notifications Options 4 Apply Button 5 Reload Button 3 Configure the following parameter s as required Parameter Description Port Synopsis 1 to maximum port number Default 1 The port number as seen on the front plate silkscreen of the switch Admin Status Synopsi...

Page 212: ... may share the same IP configuration Siemens s RUGGEDCOM Explorer is a lightweight standalone Windows application that supports RCDP It is capable of discovering identifying and performing basic configuration of ROS based devices via RCDP The features supported by RCDP include Discovery of ROS based devices over a Layer 2 network Retrieval of basic network configuration ROS version order code and ...

Page 213: ...nformation that is advertised to neighbors navigate to Network Discovery Link Layer Discovery Protocol View LLDP Global Remote Statistics The LLDP Global Remote Statistics form appears 1 5 2 3 4 Figure 147 LLDP Global Remote Statistics Form 1 Inserts Box 2 Deletes Box 3 Drops Box 4 Ageouts Box 5 Reload Button This form displays the following information Parameter Description Inserts Synopsis 0 to ...

Page 214: ...on The LLDP Neighbor Information table appears 1 6 2 3 4 5 Figure 148 LLDP Neighbor Information Table 1 Port Box 2 ChassisId Box 3 PortId Box 4 SysName Box 5 SysDesc Box 6 Reload Button This form displays the following information Parameter Description Port Synopsis 1 to maximum port number The local port associated with this entry ChassisId Synopsis Any 45 characters Chassis Id information receiv...

Page 215: ...creen of the switch FrmDrop Synopsis 0 to 4294967295 A counter of all LLDP frames discarded ErrFrm Synopsis 0 to 4294967295 A counter of all LLDPDUs received with detectable errors FrmIn Synopsis 0 to 4294967295 A counter of all LLDPDUs received FrmOut Synopsis 0 to 4294967295 A counter of all LLDPDUs transmitted Ageouts Synopsis 0 to 4294967295 A counter of the times that a neighbor s information...

Page 216: ...t Filtering Concepts The following sections describe some of the concepts important to the implementation of multicast filtering in ROS Section 5 9 1 1 IGMP Section 5 9 1 2 GMRP GARP Multicast Registration Protocol Section 5 9 1 1 IGMP IGMP is used by IP hosts to report their host group memberships with multicast routers As hosts join and leave specific multicast groups streams of traffic are dire...

Page 217: ...ay the IGMP protocol guarantees the segment will issue only one membership report for each group The router periodically queries each of its segments in order to determine whether at least one consumer still subscribes to a given stream If it receives no responses within a given time period usually two query intervals the router will prune the multicast stream from the given segment A more common ...

Page 218: ...hed as sending membership reports to hosts could result in unintentionally preventing a host from joining a specific group Multicast routers use IGMP to elect a master router known as the querier The querier is the router with the lowest IP address All other routers become non queriers participating only in forwarding multicast traffic Switches running in active mode participate in the querier ele...

Page 219: ... 2 and C3 are on VLAN 2 P2 and C2 are on VLAN 3 C1 is on both VLAN 2 and 3 Assuming that router 1 is the querier for VLAN 2 and router 2 is simply a non querier the switch will periodically receive queries from router 1 and maintain the information concerning which port links to the multicast router However the switch port that links to router 2 must be manually configured as a router port Otherwi...

Page 220: ... Multicast Group In order to join a multicast group an end station transmits a GMRP join message The switch that receives the join message adds the port through which the message was received to the multicast group specified in the message It then propagates the join message to all other hosts in the VLAN one of which is expected to be the multicast source When a switch transmits GMRP updates from...

Page 221: ...ve switches including one core switch B connects the sources to two hosts H1 and H2 which receive the multicast streams from S1 and S2 respectively A1 A2 A E C D S1 S2 H2 H1 E1 E2 C1 C2 B3 B4 B1 B2 B D1 D2 1 1 2 3 Figure 152 Example Establishing Membership with GMRP 1 Multicast Source 2 Switch 3 Multicast Host The hosts and switches establish membership with the Multicast Group 1 and 2 as follows ...

Page 222: ...ly become a member of Group 2 Ultimately Host H2 connected to Port C2 receives the Group 2 multicast Section 5 9 2 Viewing a List of IP Multicast Groups To view a list of IP multicast groups navigate to Multicast Filtering View IP Multicast Groups The IP Multicast Groups table appears Figure 153 IP Multicast Groups Table This table provides the following information Parameter Description VID Synop...

Page 223: ...ast group operates MAC Address Synopsis where ranges 0 to FF Multicast group MAC address Static Ports Synopsis Any combination of numbers valid for this parameter Ports that joined this group statically through static configuration in Static MAC Table and to which the multicast group traffic is forwarded GMRP Dynamic Ports Synopsis Any combination of numbers valid for this parameter Ports that joi...

Page 224: ...ueries generated by the switch NOTE This parameter also affects the Group Membership Interval i e the group subscriber aging time therefore it takes effect even in PASSIVE mode Router Ports Synopsis Any combination of numbers valid for this parameter Default None This parameter specifies ports that connect to multicast routers If you do not configure known router ports the switch may be able to de...

Page 225: ...lobally enabled each port can be individually configured RSTP Flooding Synopsis On Off Default Off This parameter specifies whether multicast streams will be flooded out of all RSTP non edge ports upon topology change detection Such flooding is desirable if guaranteed multicast stream delivery after topology change is most important Leave Timer Synopsis 600 to 300000 ms Default 4000 ms Time millis...

Page 226: ...Any combination of numbers valid for this parameter The port number as seen on the front plate silkscreen of the switch or a list of ports if aggregated in a port trunk GMRP Synopsis Disabled Adv Only Adv Learn Default Default Disabled Configures GMRP GARP Multicast Registration Protocol operation on the port There are several GMRP operation modes DISABLED the port is not capable of any GMRP proce...

Page 227: ...oup Section 5 9 7 1 Viewing a List of Static Multicast Groups To view a list of static multicast groups navigate to Multicast Filtering Configure Static Multicast Groups The Static Multicast Groups table appears Figure 159 Static Multicast Groups Table If a static multicast group is not listed add the group For more information refer to Section 5 9 7 2 Adding a Static Multicast Group Section 5 9 7...

Page 228: ...n 3 Configure the following parameter s as required Parameter Description MAC Address Synopsis where ranges 0 to FF Default 00 00 00 00 00 00 Multicast group MAC address VID Synopsis 1 to 4094 Default 1 VLAN Identifier of the VLAN upon which the multicast group operates CoS Synopsis N A Normal Medium High Crit Default N A Prioritizes traffic for the specified MAC address To not prioritize traffic ...

Page 229: ...om the table The Static Multicast Groups form appears 7 5 6 3 2 1 4 Figure 163 Static Multicast Groups Form 1 MAC Address Box 2 VID Box 3 Priority Box 4 Ports Box 5 Apply Button 6 Delete Button 7 Reload Button 3 Click Delete Section 5 10 Managing Port Security Port security or port access control provides the ability to filter or accept traffic from specific MAC addresses Port security works by in...

Page 230: ...s a highly flexible Port Security configuration which provides a convenient means for network administrators to use the feature in various network scenarios A Static MAC address can be configured without a port number being explicitly specified In this case the configured MAC address will be automatically authorized on the port where it is detected This allows devices to be connected to any secure...

Page 231: ...f the host authentication is rejected by the authentication server Section 5 10 1 3 IEEE 802 1X Authentication with MAC Address Based Authentication This method also referred to as MAB MAC Authentication Bypass is commonly used for devices such as VoIP phones and Ethernet printers that do not support the 802 1x protocol This method allows such devices to be authenticated using the same database in...

Page 232: ...el attributes in the Access Accept message The RADIUS server uses the following tunnel attributes for VLAN assignment Tunnel Type VLAN 13 Tunnel Medium Type 802 Tunnel Private Group ID VLANID Note that VLANID is 12 bits and takes a value between 1 and 4094 inclusive The Tunnel Private Group ID is a string as defined in RFC 2868 http tools ietf org html rfc2868 so the VLANID integer value is encode...

Page 233: ...not move to a different switch port NO authorized MAC address Device may move to another switch port If a MAC address is not listed do the following Configure port security For more information refer to Section 5 10 3 Configuring Port Security Configure IEEE 802 1X For more information refer to Section 5 10 4 Configuring IEEE 802 1X Section 5 10 3 Configuring Port Security To configure port securi...

Page 234: ...ed they do not age out until the unit is reset or the link goes down IEEE 802 1X standard authentication IEEE 802 1X with MAC Authentication also known as MAC Authentication Bypass With this option the device can authenticate clients based on the client s MAC address if IEEE 802 1X authentication times out Autolearn Synopsis 1 to 16 or None Default None Only applicable when the Security field has ...

Page 235: ...hen the link is up down on a non sticky secured port When traffic switches from or to a non sticky secured port NOTE Traffic is lost until the source MAC Address of the incoming traffic is authorized against the static MAC address table 4 Click Apply Section 5 10 4 Configuring IEEE 802 1X To configure IEEE 802 1X port based authentication do the following 1 Navigate to Port Security Configure 802 ...

Page 236: ... 65535 Default 30 s The time to wait for the Supplicant s EAP Response Identity packet before retransmitting an EAP Request Identity packet quietPeriod Synopsis 0 to 65535 Default 60 s The period of time not to attempt to acquire a Supplicant after the authorization session failed reAuthEnabled Synopsis No Yes Default No Enables or disables periodic re authentication reAuthPeriod Synopsis 60 to 86...

Page 237: ...gation Link aggregation also referred to as port trunking or port bundling provides the ability to aggregate or gather several Ethernet ports into one logical link port trunk with higher bandwidth This allows for highly randomized load balancing between the aggregated links based on both the source and destination MAC addresses of the forwarded frames Link Aggregation can be used for two purposes ...

Page 238: ...to the following rules and limitations Each port can belong to only one port trunk at a time A port mirroring target port can not be member of a port trunk However a port mirroring source port can be member of a port trunk A port working in QinQ mode cannot be a member of a port trunk DHCP Relay Agent Client port cannot be a member of a port trunk Load balancing between the links of a bundle is ra...

Page 239: ... primary port number in the appropriate configuration status UI sessions When a secondary port is added to a port trunk it inherits all the configuration settings of the primary port When this secondary port is removed from the port trunk the settings it had previous to the aggregation are restored Section 5 11 1 3 Link Aggregation and Physical Layer Features Physical layer features e g physical l...

Page 240: ...des of the aggregated link In switch to switch connections if the configuration of both sides does not match i e some ports are mistakenly not included in the port trunk it will result in a loop Therefore the following procedure is strongly recommended to configure a port trunk a Disconnect or disable all the ports involved in the configuration i e either being added to or removed from the port tr...

Page 241: ...utton 5 Delete Button 6 Reload Button 3 Configure the following parameter s as required Parameter Description Trunk ID Synopsis 1 to 2 Default 1 Trunk number It doesn t affect port trunk operation in any way and is only used for identification Trunk Name Synopsis Any 19 characters Provides a description of the aggregated link purpose Ports Synopsis Any combination of numbers valid for this paramet...

Page 242: ...nk do the following 1 Navigate to Link Aggregation Configure Port Trunks The Port Trunks table appears Figure 174 Port Trunks Table 2 Select the port trunk from the table The Port Trunks form appears 6 4 5 2 1 3 Figure 175 Port Trunks Form 1 Trunk ID Box 2 Trunk Name Box 3 Ports Box 4 Apply Button 5 Delete Button 6 Reload Button 3 Click Delete ...

Page 243: ...and the device statistics are logging the pings What is going on Is the switch being pinged through a router If so the switch gateway address must be configured as well The following figure illustrates the problem 192 168 0 1 10 10 0 1 10 10 0 2 192 168 0 2 1 2 3 Figure 176 Using a Router As a Gateway 1 Work Station 2 Router 3 Switch The router is configured with the appropriate IP subnets and wil...

Page 244: ... another switch If this has occurred then a traffic loop has been formed If the problem appears to be transient in nature it is possible that ports that are part of the spanning tree have been configured as edge ports After the link layers have come up on edge ports STP will directly transition them perhaps improperly to the forwarding state If an RSTP configuration message is then received the po...

Page 245: ...es through the unmanaged bridge part of the ring as if it is non existent When a link in the unmanaged part of the ring fails however the managed bridges will only be able to detect the failure through timing out of hello messages Full connectivity will require three hello times plus two forwarding times to be restored The network becomes unstable when a specific application is started The network...

Page 246: ...associated IP address space On a network of 30 switches management traffic needs to be restricted to a separate domain What is the best method for doing this while staying in contact with these switches At the switch where the management station is located configure a port to use the new management VLAN as its native VLAN Configure a host computer to act as a temporary management station At each s...

Reviews:

No comments

Related manuals for RUGGEDCOM ROS

IBM ServeRAID M5014 User Manual preview
ServeRAID M5014
Brand: IBM Pages: 106
Accel 300+ Installation Instructions Manual preview
300+
Brand: Accel Pages: 8
Cabletron Systems SmartSwitch 6000 Installation & User Manual preview
SmartSwitch 6000
Brand: Cabletron Systems Pages: 76
Harpo BraillePen 12 Quick Start Manual preview
BraillePen 12
Brand: Harpo Pages: 35
Hardi HC 6500 Quick Manual preview
HC 6500
Brand: Hardi Pages: 2
Van Air SENTINEL Installation, Operation & Maintenance Instructions preview
SENTINEL
Brand: Van Air Pages: 4
Rain Bird Image Series Quick Start Manual preview
Image Series
Brand: Rain Bird Pages: 4
Rain Bird ESP-ME3 Quick Reference Manual preview
ESP-ME3
Brand: Rain Bird Pages: 2
Rain Bird ESP-Me User Manual preview
ESP-Me
Brand: Rain Bird Pages: 140
Raindrip WeatherSmart RSC600i Installation & Programming preview
WeatherSmart RSC600i
Brand: Raindrip Pages: 36
X Rocker 2.1 Wireless Manual preview
2.1 Wireless
Brand: X Rocker Pages: 38
Keba Kemro K2 Project Engineering Manual preview
Kemro K2
Brand: Keba Pages: 16
KEB COMBIVERT F5 Safety Manual preview
COMBIVERT F5
Brand: KEB Pages: 16
Omron SYSMAC C500-NC222-E Operation Manual preview
SYSMAC C500-NC222-E
Brand: Omron Pages: 164
Taconova NOVASTAT EL DIGITAL Manual preview
NOVASTAT EL DIGITAL
Brand: Taconova Pages: 7
Climatisation RC4 Operating Manual preview
RC4
Brand: Climatisation Pages: 52
TECOM Challenger v8 Quick Reference User Manual preview
Challenger v8
Brand: TECOM Pages: 8
Aruba S3500 Series Uplink Module Installation Manual preview
S3500 Series Uplink Module
Brand: Aruba Pages: 8

Brands by name

Popular brands

Load more brands