Hirschmann PowerMICE, MACH 4000, MACH 1040 User Manual

User Manual
PowerMICE, MACH 1040, MACH 4000
UM Basic Configuration L3P
Release 7.1 12/2011
Technical Support
HAC.Support@Belden.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
© 2011 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD applies.
The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.
You can get the latest version of this manual on the Internet at the Hirschmann product site (www.beldensolutions.com).
Printed in Germany Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany Tel.: +49 (0)1805 14-1538
Rel. 2011 12/2011 - 13.12.11

Contents

About this Manual 9
Key 11
Introduction 13
1 Access to the user interfaces 15
1.1 System Monitor 16
1.2 Command Line Interface 18
1.3 Web-based Interface 21
2 Entering the IP Parameters 25
2.1 IP Parameter Basics 27
2.1.1 IP address (version 4) 27
2.1.2 Netmask 28
2.1.3 Classless Inter-Domain Routing 31
2.2 Entering IP parameters via CLI 33
2.3 Entering the IP Parameters via HiDiscovery 36
2.4 Loading the system configuration from the ACA 39
2.5 System configuration via BOOTP 41
2.6 System Configuration via DHCP 46
2.7 System Configuration via DHCP Option 82 49
2.8 Web-based IP Configuration 50
2.9 Faulty Device Replacement 53
3 Loading/saving settings 55
3.1 Loading settings 56
3.1.1 Loading from the local non-volatile memory 57
3.1.2 Loading from a file 58
3.1.3 Resetting the configuration to the state on delivery 60
3.1.4 Loading from the AutoConfiguration Adapter 61
3.1.5 Using the offline configurator 62
3.2 Saving settings 64
3.2.1 Saving locally (and on the ACA) 64
3.2.2 Saving in a binary file or a script file on a URL 66
3.2.3 Saving to a binary file on the PC 67
3.2.4 Saving as a script on the PC 68
3.2.5 Saving as an offline configuration file on the PC 68
4 Loading Software Updates 69
4.1 Loading the Software manually from the ACA 71
4.1.1 Selecting the software to be loaded 72
4.1.2 Starting the software 74
4.1.3 Performing a cold start 74
4.2 Automatic software update by ACA 75
4.3 Loading the software from the tftp server 77
4.4 Loading the Software via File Selection 79
5 Configuring the Ports 81
6 Assistance in the Protection from Unauthorized Access 87
6.1 Protecting the device 88
6.2 Password for SNMP access 89
6.2.1 Description of password for SNMP access 89
6.2.2 Entering the password for SNMP access 90
6.3 Telnet/internet/SSH access 94
6.4 Restricted Management Access 99
6.5 HiDiscovery Access 101
6.5.1 Description of the HiDiscovery Protocol 101
6.5.2 Enabling/disabling the HiDiscovery function 101
6.6 Port access control 102
6.6.1 Description of the port access control 102
6.6.2 Application Example for Port Access Control 103
6.7 Port Authentication IEEE 802.1X 106
6.7.1 Description of Port Authentication according to IEEE 802.1X 106
6.7.2 Authentication Process according to IEEE 802.1X 107
6.7.3 Preparing the Device for the IEEE 802.1X Port Authentication 107
6.7.4 IEEE 802.1X Settings 108
6.8 Access Control Lists (ACL) 109
6.8.1 Description of prioritizing with ACLs 110
6.8.2 Description of IP-based ACLs 111
6.8.3 Description of MAC-based ACLs 112
6.8.4 Configuring IP ACLs 114
6.8.5 Configuring MAC ACLs 116
6.8.6 Configuring Priorities with IP ACLs 117
6.8.7 Specifying the Sequence of the Rules 119
7 Synchronizing the System Time in the Network 121
7.1 Entering the Time 122
7.2 SNTP 125
7.2.1 Description of SNTP 125
7.2.2 Preparing the SNTP Configuration 126
7.2.3 Configuring SNTP 127
7.3 Precision Time Protocol 131
7.3.1 Description of PTP Functions 131
7.3.2 Preparing the PTP Configuration 137
7.3.3 Application Example 139
7.4 Interaction of PTP and SNTP 145
8 Network Load Control 147
8.1 Direct Packet Distribution 148
8.1.1 Store-and-forward 148
8.1.2 Multi-Address Capability 149
8.1.3 Aging of Learned Addresses 149
8.1.4 Entering Static Addresses 150
8.1.5 Disabling the Direct Packet Distribution 152
8.2 Multicast Application 153
8.2.1 Description of the Multicast Application 153
8.2.2 Example of a Multicast Application 154
8.2.3 Description of IGMP Snooping 155
8.2.4 Setting IGMP Snooping 156
8.2.5 Description of GMRP 162
8.2.6 Setting GMRP 163
8.3 Rate Limiter 165
8.3.1 Description of the Rate Limiter 165
8.3.2 Load limiter settings (PowerMICE and MACH 4000) 166
8.3.3 Load limiter settings 166
8.4 QoS/Priority 168
8.4.1 Description of Prioritization 168
8.4.2 VLAN tagging 169
8.4.3 IP ToS / DiffServ 171
8.4.4 Management prioritization 174
8.4.5 Handling of Received Priority Information 175
8.4.6 Handling of Traffic Classes 175
8.4.7 Setting prioritization 178
8.5 Flow Control 184
8.5.1 Description of Flow Control 184
8.5.2 Setting the Flow Control 186
8.6 VLANs 187
8.6.1 VLAN Description 187
8.6.2 Examples of VLANs 188
8.6.3 Double VLAN Tagging 203
9 Operation Diagnosis 209
9.1 Sending Traps 210
9.1.1 List of SNMP traps 211
9.1.2 SNMP Traps during Boot 212
9.1.3 Configuring Traps 213
9.2 Monitoring the Device Status 215
9.2.1 Configuring the Device Status 216
9.2.2 Displaying the Device Status 217
9.3 Out-of-band Signaling 218
9.3.1 Controlling the Signal Contact 219
9.3.2 Monitoring the Device Status via the Signal Contact 219
9.3.3 Monitoring the Device Functions via the Signal Contact 220
9.3.4 Monitoring the Fan 222
9.4 Port Status Indication 224
9.5 Event Counter at Port Level 226
9.5.1 Detecting Non-matching Duplex Modes 228
9.6 Displaying the SFP Status 231
9.7 TP Cable Diagnosis 232
9.8 Topology Discovery 233
9.8.1 Description of Topology-Detection 233
9.8.2 Displaying the Topology Discovery Results 235
9.9 Detecting IP Address Conflicts 236
9.9.1 Description of IP Address Conflicts 236
9.9.2 Configuring ACD 237
9.9.3 Displaying ACD 237
9.10 Detecting Loops 238
9.11 Reports 239
9.12 Monitoring Data Traffic at Ports (Port Mirroring) 241
9.13 Syslog 244
9.14 Event Log 247
10 EtherNet/IP 249
10.1 Integration into a Control System 251
10.2 EtherNet/IP Parameters 255
10.2.1 Identity Object 255
10.2.2 TCP/IP Interface Object 256
10.2.3 Ethernet Link Object 258
10.2.4 Ethernet Switch Agent Object 261
10.2.5 RSTP Bridge Object 264
10.2.6 RSTP Port Object 266
10.2.7 I/O Data 268
10.2.8 Assignment of the Ethernet Link Object Instances 269
10.2.9 Supported Services 270
A Setting up the Configuration Environment 271
A.1 Setting up a DHCP/BOOTP Server 272
A.2 Setting up a DHCP Server with Option 82 278
A.3 TFTP Server for Software Updates 282
A.3.1 Setting up the tftp Process 283
A.3.2 Software Access Rights 286
A.4 Preparing access via SSH 287
A.4.1 Generating a key 287
A.4.2 Uploading the key 289
A.4.3 Access through an SSH 290
B General Information 293
B.1 Management Information Base (MIB) 294
B.2 Abbreviations used 297
B.3 Technical Data 298
B.4 Readers’ Comments 299
C Index 301
D Further Support 305

About this Manual

The “Basic Configuration” user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment.
The following thematic sequence has proven itself in practice:
Set up device access for operation by entering the IP parameters
Check the status of the software and update it if necessary
Load/store any existing configuration
Configure the ports
Set up protection from unauthorized access
Optimize the data transmission with network load control
Synchronize system time in the network
Perform an operation diagnosis
Store the newly created configuration in the non-volatile memory.
The “Installation” user manual contains a device description, safety instructions, a description of the display, and the other information that you need to install the device.
The “Redundancy Configuration User Manual” document contains the information you require to select the suitable redundancy procedure and configure it.
The “Industry Protocols” user manual describes how the device is connected by means of a communication protocol commonly used in the industry, such as EtherNet/IP and PROFINET IO.
The “Routing Configuration User Manual” document contains the information you need to start operating the routing function. It takes you step-by-step from a small router application through to the router configuration of a complex network. The manual enables you to configure your router by following the examples.
The “GUI” reference manual contains detailed information on using the graphical interface to operate the individual functions of the device.
The “Command Line Interface” Reference Manual contains detailed information on using the Command Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management Software provides you with additional options for smooth configuration and monitoring:
Simultaneous configuration of multiple devices
Graphic interface with network layout
Auto-topology discovery
Event log
Event handling
Client/server structure
Browser interface
ActiveX control for SCADA integration
SNMP/OPC gateway.

Maintenance

Hirschmann are continually working on improving and developing their software. You should regularly check whether there is a new version of the software that provides you with additional benefits. You will find software information and downloads on the product pages of the Hirschmann website.

Key

The designations used in this manual have the following meanings:
List
Work step
Link Cross-reference with link
Note: A note emphasizes an important fact or draws your attention to a dependency.
Subheading
Courier ASCII representation in user interface
Execution in the Graphical User Interface (Web-based Interface user interface)
Execution in the Command Line Interface user interface
Symbols used:
WLAN access point
Router with firewall
Switch with firewall
Router
Switch
Bridge
Hub
A random computer
Configuration Computer
Server
PLC: Programmable logic controller
I/O: Robot

Introduction

The device has been developed for use in a harsh industrial environment. Accordingly, the installation process has been kept simple. Thanks to the selected default settings, you only have to enter a few settings before starting to operate the device.
Note: The changes you make in the dialogs are copied into the volatile memory of the device when you click on "Set". To save the changes permanently, select the saving location in the Basic Settings:Load/Save dialog box and click on "Save".

1 Access to the user interfaces

The device has 3 user interfaces, which you can access via different interfaces:
System monitor via the V.24 interface (out-of-band)
Command Line Interface (CLI) via the V.24 connection (out-of-band) as well as Telnet or SSH (in-band)
Web-based interface via Ethernet (in-band).

1.1 System Monitor

The system monitor enables you to
select the software to be loaded
perform a software update
start the selected software
shut down the system monitor
delete the configuration saved and
display the boot code information.

Opening the system monitor

Use the terminal cable (see accessories) to connect the V.24 socket (RJ11) to a terminal or a COM port of a PC with terminal emulation based on VT100 (for the physical connection, see the "Installation" user manual).
Speed: 9,600 Baud
Data: 8 bit
Parity: None
Stop bit: 1 bit
Handshake: Off
Table 1: Data transfer parameters
Start the terminal program on the PC and set up a connection with the device.
When you boot the device, the message "Press <1> to enter System Monitor 1" appears on the terminal.
< Device Name (Boot) Release: 1.00 Build: 2005-09-17 15:36 >
Press <1> to enter System Monitor 1 ... 1
Figure 1: Screen display during the boot process
Press the <1> key within one second to start system monitor 1.
System Monitor
(Selected OS: L3P-06.0.00 (2010-09-09 09:09))
1 Select Boot Operating System
2 Update Operating System
3 Start Selected Operating System
4 End (reset and reboot)
5 Erase main configuration file
sysMon1>
Figure 2: System monitor 1 screen display
Select a menu item by entering the number.
To leave a submenu and return to the main menu of system monitor 1, press the <ESC> key.

1.2 Command Line Interface

The Command Line Interface enables you to use the functions of the device via a local or remote connection. The Command Line Interface provides IT specialists with a familiar environment for configuring IT devices. The script compatibility of the Command Line Interface enables you, among other things, to feed multiple devices with the same configuration data, to create and use partial configurations, or to compare 2 configurations using 2 script files.
You will find a detailed description of the Command Line Interface in the “Command Line Interface” reference manual.
You can access the Command Line Interface via
the V.24 port (out-of-band)
Telnet (in-band)
SSH (in-band)
Note: To facilitate making entries, CLI gives you the option of abbreviating keywords. Type in the beginning of a keyword. When you press the tab key, CLI completes the keyword.

Opening the Command Line Interface

Connect the device to a terminal or to a “COM” port of a PC using terminal emulation based on VT100, and press any key (see on page 16 “Opening the system monitor”) or
call up the Command Line Interface via Telnet.
A window for entering the user name appears on the screen. Up to 5 users can access the Command Line Interface.
Copyright (c) 2004-2010 Hirschmann Automation and Control GmbH
All rights reserved
PowerMICE Release L3P-06.0.00
(Build date 2010-09-09 12:13)
System Name: PowerMICE Mgmt-IP : 10.0.1.105
1.Router-IP: 0.0.0.0
Base-MAC : 00:80:63:51:74:00 System Time: 2010-09-09 13:14:15
User:
Figure 3: Logging in to the Command Line Interface program
Enter a user name. The default setting for the user name is admin.
Press the Enter key.
Enter the password. The default setting for the password is private.
Press the Enter key. You can change the user name and the password later in the Command Line Interface. Please note that these entries are case-sensitive.
The start screen appears.
NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please consult the documentation.
(Hirschmann Product) >
Figure 4: CLI screen after login

1.3 Web-based Interface

The user-friendly Web-based interface gives you the option of operating the device from any location in the network via a standard browser such as Mozilla Firefox or Microsoft Internet Explorer. As a universal access tool, the Web browser uses an applet which communicates with the device via the Simple Network Management Protocol (SNMP). The Web-based interface allows you to graphically configure the device.

Opening the Web-based Interface

To open the Web-based interface, you need a Web browser (a program that can read hypertext), for example Mozilla Firefox version 1 or later, or Microsoft Internet Explorer version 6 or later.
Note: The Web-based interface uses Java software 6 (“Java™ Runtime Environment Version 1.6.x”).
Install the software from the enclosed product CD. To do this, you go to “Additional Software”, select Java Runtime Environment and click on “Installation”.
Figure 5: Installing Java
Start your Web browser.
Make sure that you have activated JavaScript and Java in the security settings of your browser.
Establish the connection by entering the IP address of the device which you want to administer via the Web-based management in the address field of the Web browser. Enter the address in the following form:
http://xxx.xxx.xxx.xxx
The login window appears on the screen.
Figure 6: Login window
Select the desired language.
In the drop-down menu, you select
user, to have read access, or
admin, to have read and write access to the device.
The password “public”, with which you have read access, appears in the password field. If you wish to have write access to the device, then highlight the contents of the password field and overwrite it with the password “private” (default setting).
Click on OK.
The website of the device appears on the screen.
Note: The changes you make in the dialogs are copied to the device when you click on “Write”. Click on “Load” to update the display.
Note: You can block your access to the device by entering an incorrect configuration. Activating the function “Cancel configuration change” in the “Load/Save” dialog enables you to return automatically to the last configuration after a set time period has elapsed. This gives you back your access to the device.

2 Entering the IP Parameters

The IP parameters must be entered when the device is installed for the first time.
The device provides 7 options for entering the IP parameters during the first installation:
Entry using the Command Line Interface (CLI).
You choose this “out of band” method if
you preconfigure your device outside its operating environment
you do not have network access (“in-band”) to the device
(see page 33 “Entering IP parameters via CLI”).
Entry using the HiDiscovery protocol.
You choose this “in-band” method if the device is already installed in the network or if you have another Ethernet connection between your PC and the device
(see page 36 “Entering the IP Parameters via HiDiscovery”).
Configuration using the AutoConfiguration Adapter (ACA).
You choose this method if you are replacing a device with a device of the same type and have already saved the configuration on an ACA (see page 39 “Loading the system configuration from the ACA”).
Using BOOTP.
You choose this “in-band” method if you want to configure the installed device using BOOTP. You need a BOOTP server for this. The BOOTP server assigns the configuration data to the device using its MAC address
(see page 41 “System configuration via BOOTP”). Because the device is delivered with “DHCP mode” as the entry for the configuration data reference, you have to reset this to the BOOTP mode for this method.
Configuration via DHCP.
You choose this “in-band” method if you want to configure the installed device using DHCP. You need a DHCP server for this. The DHCP server assigns the configuration data to the device using its MAC address or its system name (see page 46 “System Configuration via DHCP”).
Configuration via DHCP Option 82.
You choose this “in-band” method if you want to configure the installed device using DHCP Option 82. You need a DHCP server with Option 82 for this. The DHCP server assigns the configuration data to the device using its physical connection (see page 49 “System Configuration via DHCP Option 82”).
Configuration via the Web-based interface.
If the device already has an IP address and can be reached via the network, then the Web-based interface provides you with another option for configuring the IP parameters.

2.1 IP Parameter Basics

2.1.1 IP address (version 4)

An IP address consists of 4 bytes. These 4 bytes are written in decimal notation, separated by dots.
Since 1992, five classes of IP address have been defined in the RFC 1340.
Class   Network address   Host address   Address range
A       1 byte            3 bytes        1.0.0.0 to 126.255.255.255
B       2 bytes           2 bytes        128.0.0.0 to 191.255.255.255
C       3 bytes           1 byte         192.0.0.0 to 223.255.255.255
D       -                 -              224.0.0.0 to 239.255.255.255
E       -                 -              240.0.0.0 to 255.255.255.255
Table 2: IP address classes
The network address is the fixed part of the IP address. The worldwide leading regulatory board for assigning network addresses is the IANA (Internet Assigned Numbers Authority). If you require an IP address block, contact your Internet service provider. Internet service providers should contact their local higher-level organization:
APNIC (Asia Pacific Network Information Center) - Asia/Pacific Region
ARIN (American Registry for Internet Numbers) - Americas and Sub-Sahara Africa
LACNIC (Regional Latin-American and Caribbean IP Address Registry) - Latin America and some Caribbean Islands
RIPE NCC (Réseaux IP Européens) - Europe and Surrounding Regions
Figure 7: Bit representation of the IP address (Class A: Net ID 7 bits, Host ID 24 bits; Class B: Net ID 14 bits, Host ID 16 bits; Class C: Net ID 21 bits, Host ID 8 bits; Class D: Multicast Group ID 28 bits; Class E: reserved for future use, 28 bits)
An IP address belongs to class A if its first bit is a zero, i.e. the first decimal number is less than 128. The IP address belongs to class B if the first bit is a one and the second bit is a zero, i.e. the first decimal number is between 128 and 191. The IP address belongs to class C if the first two bits are a one, i.e. the first decimal number is higher than 191.
Assigning the host address (host id) is the responsibility of the network operator. The network operator alone is responsible for the uniqueness of the IP addresses assigned.

2.1.2 Netmask

Routers and gateways subdivide large networks into subnetworks. The netmask assigns the IP addresses of the individual devices to a particular subnetwork.
The division into subnetworks with the aid of the netmask is performed in much the same way as the division of the network addresses (net id) into classes A to C.
In the netmask, the bits of the host address (host id) that identify the subnetwork are set to one. The remaining bits of the host address in the netmask are set to zero (see the following examples).
Example of a netmask:
Decimal notation: 255.255.192.0
Binary notation: 11111111.11111111.11000000.00000000
(the first 16 one bits cover the class B network address, the following 2 one bits are the subnetwork mask bits)
Example of IP addresses with subnetwork assignment when the above subnet mask is applied:
Decimal notation: 129.218.65.17 (128 ≤ 129 ≤ 191, i.e. class B)
Binary notation: 10000001.11011010.01000001.00010001 (network address 10000001.11011010, subnetwork mask bits 01: subnetwork 1)
Decimal notation: 129.218.129.17 (128 ≤ 129 ≤ 191, i.e. class B)
Binary notation: 10000001.11011010.10000001.00010001 (network address 10000001.11011010, subnetwork mask bits 10: subnetwork 2)
Example of how the network mask is used
In a large network it is possible that gateways and routers separate the management agent from its management station. How does addressing work in such a case?
Figure 8: Management agent that is separated from its management station by a router (management station "Romeo" on LAN 1, router "Lorenzo", management agent "Juliet" on LAN 2)
The management station "Romeo" wants to send data to the management agent "Juliet". Romeo knows Juliet's IP address and also knows that the router "Lorenzo" knows the way to Juliet.
Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination address. For the source address he writes his own IP address on the envelope.
Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination and his own MAC address as the source. This process is comparable to going from layer 3 to layer 2 of the ISO/OSI base reference model.
Finally, Romeo puts the entire data packet into the mailbox. This is comparable to going from layer 2 to layer 1, i.e. to sending the data packet over the Ethernet.
Lorenzo receives the letter and removes the outer envelope. From the inner envelope he recognizes that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list (the ARP table) for Juliet's MAC address. He writes her MAC address on the outer envelope as the destination address and his own MAC address as the source address. He then places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's IP address. Opening the inner envelope and reading its contents corresponds to transferring the message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's IP address as destination and her own IP address as source. But where is she to send the answer? She did not receive Romeo's MAC address; it was lost when Lorenzo replaced the outer envelope.
In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of communicating with Romeo. She therefore puts the envelope with the IP addresses in a further envelope with Lorenzo's MAC destination address.
The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo to Juliet.

2.1.3 Classless Inter-Domain Routing

Class C with a maximum of 254 addresses was too small, and class B with a maximum of 65,534 addresses was too large for most users. This resulted in inefficient usage of the class B addresses available. Class D contains reserved multicast addresses. Class E is reserved for experimental purposes. A gateway not participating in these experiments ignores datagrams with these destination addresses.
Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a solution. CIDR overcomes these class boundaries and supports classless address ranges.
With CIDR, you enter the number of bits that designate the IP address range. You represent the IP address range in binary form and count the mask bits that designate the netmask. The netmask indicates the number of bits that are identical to the network part for the IP addresses in a given address range. Example:
IP address, decimal: 149.218.112.1 to 149.218.112.127
IP address, binary: 10010101 11011010 01110000 00000001 to 10010101 11011010 01110000 01111111 (the first 25 bits are identical: 25 mask bits)
Network mask, decimal: 255.255.255.128
CIDR notation: 149.218.112.0/25
The combination of a number of class C address ranges is known as “supernetting”. This enables you to subdivide class B address ranges to a very fine degree.
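The class, netmask, subnetwork and CIDR rules of sections 2.1.1 to 2.1.3 carried through in code, as an added example that is not part of the manual: it redoes the manual's own figures (129.218.65.17 and 129.218.129.17 under the netmask 255.255.192.0, the range 149.218.112.0/25) with plain bit operations, cross-checks the result against Python's standard ipaddress module, and shows the next-hop decision from the "Romeo and Juliet" example, i.e. whether a frame goes directly to the destination or to the gateway. All function names are the example's own.

```python
"""IPv4 class, netmask, subnetwork and CIDR helpers (added example, not
from the Hirschmann manual); cross-checked against the ipaddress module."""
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}  # network bits per class (Table 2)


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer; rejects malformed input."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_class(ip: str) -> str:
    """Class from the leading bits of the first byte (Figure 7)."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"      # 0xxxxxxx: 0 .. 127
    if first >> 6 == 0b10:
        return "B"      # 10xxxxxx: 128 .. 191
    if first >> 5 == 0b110:
        return "C"      # 110xxxxx: 192 .. 223
    if first >> 4 == 0b1110:
        return "D"      # 1110xxxx: 224 .. 239, multicast
    return "E"          # remaining range 240 .. 255, reserved


def prefix_len(netmask: str) -> int:
    """Number of leading one bits; non-contiguous masks are rejected."""
    mask = ip_to_int(netmask)
    ones = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask {netmask}")
    return ones


def is_contiguous_netmask(netmask: str) -> bool:
    try:
        prefix_len(netmask)
        return True
    except ValueError:
        return False


def netmask_from_prefix(prefix: int) -> str:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def subnet_id(ip: str, netmask: str) -> int:
    """Value of the subnetwork mask bits, i.e. the bits between the classful
    network part and the end of the netmask ('subnetwork 1' / 'subnetwork 2')."""
    cls = ip_class(ip)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError(f"class {cls} addresses have no network/host split")
    plen = prefix_len(netmask)
    width = plen - CLASSFUL_PREFIX[cls]
    if width <= 0:
        return 0        # the mask does not extend into the host part
    return (ip_to_int(ip) >> (32 - plen)) & ((1 << width) - 1)


def cidr(ip: str, netmask: str) -> str:
    """Network address in CIDR notation, e.g. '149.218.112.0/25'."""
    network = ip_to_int(ip) & ip_to_int(netmask)
    return f"{int_to_ip(network)}/{prefix_len(netmask)}"


def same_subnet(a: str, b: str, netmask: str) -> bool:
    return cidr(a, netmask) == cidr(b, netmask)


def next_hop(src: str, dst: str, netmask: str, gateway: str) -> str:
    """Whom the sender addresses the Ethernet frame to: the destination itself
    when it is on the same subnetwork, otherwise the gateway (Romeo -> Lorenzo)."""
    return dst if same_subnet(src, dst, netmask) else gateway


def matches_stdlib(ip: str, netmask: str) -> bool:
    """Cross-check: ipaddress accepts 'ip/dotted-mask' and prints the prefix."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return net.with_prefixlen == cidr(ip, netmask)


if __name__ == "__main__":
    for addr in ("129.218.65.17", "129.218.129.17"):
        print(addr, "class", ip_class(addr), "subnetwork", subnet_id(addr, "255.255.192.0"))
    print(cidr("149.218.112.1", "255.255.255.128"), netmask_from_prefix(25))
```

prefix_len deliberately refuses masks such as 255.0.255.0: a device that accepts a non-contiguous mask silently puts part of the network into the wrong subnetwork, which is the kind of misconfiguration that later shows up as an unreachable management station.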

2.2 Entering IP parameters via CLI

If you do not configure the system via BOOTP/DHCP, DHCP Option 82, the HiDiscovery protocol or the AutoConfiguration Adapter (ACA), then you perform the configuration via the V.24 interface using the CLI.
Figure 9: Flow chart for entering IP addresses (connect the PC with the terminal program started to the RJ11 socket; the Command Line Interface starts after a key press; log in and change to the Privileged EXEC mode; switch off DHCP, enter and save the IP parameters)
Note: If there is no terminal or PC with terminal emulation available in the vicinity of the installation location, you can configure the device at your own workstation, then take it to its final installation location.
Set up a connection to the device (see on page 19 “Opening the Command Line Interface”).
The start screen appears.
NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please consult the documentation.
(Hirschmann PowerMICE) >
Deactivate DHCP.
Enter the IP parameters.
Local IP address
On delivery, the device has the local IP address 0.0.0.0.
Netmask
If your network has been divided up into subnetworks, and if these are identified with a netmask, then the netmask is to be entered here. The default setting of the netmask is 0.0.0.0.
IP address of the gateway
This entry is only required if the device and the management station or tftp server are located in different subnetworks (see page 30 “Example of how the network mask is used”).
Enter the IP address of the gateway between the subnetwork with the device and the path to the management station. The default setting of the IP address is 0.0.0.0.
Save the configuration entered using copy system:running-config nvram:startup-config.
enable                                            Switch to the privileged EXEC mode.
network protocol none                             Deactivate DHCP.
network parms 10.0.1.23 255.255.255.0             Assign the device the IP address 10.0.1.23 and the netmask 255.255.255.0. You have the option of also assigning a gateway address.
copy system:running-config nvram:startup-config   Save the current configuration to the non-volatile memory.
After entering the IP parameters, you can easily configure the device via the Web-based interface (see the “GUI” (Graphical User Interface / Web-based Interface) reference manual).
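The script compatibility mentioned in section 1.2 ("feed multiple devices with the same configuration data") applied to the command sequence above, as an added example that is not part of the manual and not Hirschmann's code: a small Python generator that validates the IP parameters of every device in a list (netmask accepted by the ipaddress module, host address that is neither the network nor the broadcast address, gateway inside the device's own subnetwork, no address assigned twice) and only then emits the manual's four CLI lines per device. The function names and the sample device list are the example's own; the manual only states that a gateway may also be assigned, so passing it as an optional third argument of network parms is an assumption of this example.

```python
"""Generate the manual's CLI IP-configuration sequence for several devices.
Added example (not Hirschmann's own code). Assumption: the gateway is given
as an optional third argument of 'network parms'."""
import ipaddress

SAVE_CMD = "copy system:running-config nvram:startup-config"


def validate_ip_parameters(ip, netmask, gateway=None):
    """Return None if the parameters are usable, otherwise a short reason."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")  # rejects bad masks
    except ValueError as exc:
        return f"invalid address or netmask: {exc}"
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return f"{iface.ip} is the network or broadcast address of {net}"
    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError as exc:
            return f"invalid gateway: {exc}"
        if gw not in net:
            return f"gateway {gw} lies outside {net}"   # would be unreachable
        if gw == iface.ip:
            return "gateway must differ from the device address"
    return None


def build_cli_script(ip, netmask, gateway=None):
    """The command sequence from the manual as a list of CLI lines."""
    problem = validate_ip_parameters(ip, netmask, gateway)
    if problem:
        raise ValueError(problem)
    parms = f"network parms {ip} {netmask}"
    if gateway is not None:
        parms += f" {gateway}"      # assumed optional argument, see lead-in
    return ["enable", "network protocol none", parms, SAVE_CMD]


def fleet_problems(devices):
    """devices: iterable of (name, ip, netmask, gateway). Collects every
    per-device problem plus addresses that are assigned twice."""
    problems, seen = [], {}
    for name, ip, netmask, gateway in devices:
        reason = validate_ip_parameters(ip, netmask, gateway)
        if reason:
            problems.append(f"{name}: {reason}")
            continue
        key = str(ipaddress.IPv4Address(ip))    # normalised for comparison
        if key in seen:
            problems.append(f"{name}: address {key} already assigned to {seen[key]}")
        else:
            seen[key] = name
    return problems


def build_fleet_scripts(devices):
    """Map device name -> script lines; emits nothing if any device fails
    validation, so a half-configured fleet never results."""
    problems = fleet_problems(devices)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: build_cli_script(ip, mask, gw) for name, ip, mask, gw in devices}


# Constructed sample fleet (names and addresses are illustrative only).
SAMPLE_FLEET = [
    ("switch-hall-1", "10.0.1.23", "255.255.255.0", "10.0.1.1"),
    ("switch-hall-2", "10.0.1.24", "255.255.255.0", "10.0.1.1"),
    ("switch-office", "10.0.2.10", "255.255.255.0", None),
]

if __name__ == "__main__":
    for name, lines in build_fleet_scripts(SAMPLE_FLEET).items():
        print(f"! {name}")
        print("\n".join(lines))
```

Each generated script can be fed to the device over the V.24 connection as described above; validating the whole list before emitting the first script keeps a typo in one device's address from being pushed to the network, where it would later show up as an address conflict (section 9.9).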
2.3 Entering the IP Parameters via HiDiscovery
The HiDiscovery protocol enables you to assign IP parameters to the device via the Ethernet. You can easily configure other parameters via the Web-based interface (see the "GUI" (Graphical User Interface / Web-based Interface) reference manual).
Install the HiDiscovery software on your PC. The software is on the CD supplied with the device.
To install it, start the installation program on the CD. Then start the HiDiscovery program.
Figure 10: HiDiscovery
When HiDiscovery is started, HiDiscovery automatically searches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first network interface found for the PC. If your computer has several network cards, you can select the one you desire in the HiDiscovery toolbar.
HiDiscovery displays a line for every device that reacts to the HiDiscovery protocol.
HiDiscovery enables you to identify the devices displayed.
Select a device line. Click on the signal symbol in the tool bar to set the LEDs for the selected device flashing. To switch off the flashing, click on the symbol again.
By double-clicking a line, you open a window in which you can enter the device name and the IP parameters.
Figure 11: HiDiscovery - assigning IP parameters
Note: When the IP address is entered, the device copies the local configuration settings (see on page 55 “Loading/saving settings”).
Note: For security reasons, switch off the HiDiscovery function for the device in the Web-based interface after you have assigned the IP parameters to the device (see on page 50 “Web-based IP Configuration”). As long as HiDiscovery remains active with read-write access (the state on delivery), any host on the same Ethernet segment running the HiDiscovery software can change the device's IP parameters.
Note: Save the settings so that you will still have the entries after a restart (see on page 55 “Loading/saving settings”).
2.4 Loading the system configuration from the ACA
The AutoConfiguration Adapter (ACA) is a device for saving the device configuration data and the device software.
If a device becomes inoperative, the ACA allows the configuration data to be re-applied to a replacement device of the same type.
When the device is started, it checks to see whether an ACA is present. If an ACA is present with a valid password and valid software, the device loads the configuration data from the ACA.
The password is valid if
the password in the device matches the password in the ACA, or
the device still has its preset (default) password.
A device in its delivery state therefore accepts the configuration from any ACA that is plugged in at start-up. This is what makes plug-and-play replacement possible, but it also means that physical access to the ACA slot of an unconfigured device amounts to control of its configuration.
To save the configuration data in the ACA, see “Saving locally (and on the ACA)” on page 64.
Figure 12: Flow chart of loading configuration data from the ACA
1 – Device start-up
2 – ACA plugged-in?
3 – Password in device and ACA identical?
3a – Default password in device?
4 – Load configuration from ACA, ACA LEDs flashing synchronously
4a – Load configuration from local memory, ACA LEDs flashing alternately
5 – Configuration data loaded
2.5 System configuration via BOOTP
When it is started up via BOOTP (bootstrap protocol), a device receives its configuration data in accordance with the “BOOTP process” flow chart (see fig. 13).
Note: In its delivery state, the device gets its configuration data from the DHCP server.
Activate BOOTP to receive the configuration data (see on page 50 “Web-based IP Configuration”), or use the CLI:

    enable                                             Switch to the privileged EXEC mode.
    network protocol bootp                             Activate BOOTP.
    copy system:running-config nvram:startup-config    Save the current configuration to the non-volatile memory.
    y                                                  Confirm save.
Provide the BOOTP server with the following data for a device:
    # /etc/bootptab for BOOTP-daemon bootpd
    #
    # gw -- gateway
    # ha -- hardware address
    # ht -- hardware type
    # ip -- IP address
    # sm -- subnet mask
    # tc -- template
    .global:\
        :gw=0.0.0.0:\
        :sm=255.255.240.0:

    switch_01:ht=ethernet:ha=008063086501:ip=10.1.112.83:tc=.global:
    switch_02:ht=ethernet:ha=008063086502:ip=10.1.112.84:tc=.global:
    .
    .
Lines that start with a ‘#’ character are comment lines.
The lines under “.global:” make the configuration of several devices easier. With the template (tc) you allocate the global configuration data (tc=.global:) to each device. The direct allocation of hardware address and IP address is performed in the device lines (switch_01, switch_02, ...).
Enter one line for each device. After ha= enter the hardware address of the device. After ip= enter the IP address of the device.
In the appendix under “Setting up a DHCP/BOOTP Server” on page 272, you will find an example for the configuration of a BOOTP/DHCP server.
Figure 13: Flow chart for the BOOTP/DHCP process, part 1 (* see fig. 14)
1 Start-up; device in initialization. DHCP or BOOTP? If yes: send DHCP/BOOTP requests; reply from DHCP/BOOTP server? If yes: save IP parameters and config file URL locally, initialize IP stack with IP parameters, continue at 2 (fig. 14). If no*: load default configuration. Otherwise the device runs with settings from local flash. Result: device is manageable.
Figure 14: Flow chart for the BOOTP/DHCP process, part 2
2 Load remote configuration from URL of DHCP? If no*: loading of configuration data is complete. If yes: start tftp process with config file URL of DHCP; tftp successful? If no: loading of configuration data is complete. If yes: load transferred config file, save transferred config file locally and set boot configuration to local; loading of configuration data is complete.
Note: The loading process started by DHCP/BOOTP (see on page 41
“System configuration via BOOTP”) shows the selection of “from URL & save
locally” in the “Load” frame. If you get an error message when saving a configuration, this could be due to an active loading process. DHCP/BOOTP only finishes a loading process when a valid configuration has been loaded. If DHCP/BOOTP does not find a valid configuration, then finish the loading process by loading the local configuration in the “Load” frame.
2.6 System Configuration via DHCP
DHCP (Dynamic Host Configuration Protocol) is a further development of BOOTP, which it has replaced. DHCP additionally allows a DHCP client to be configured via a name instead of via the MAC address. In DHCP, this name is known as the “client identifier” in accordance with RFC 2131. The device uses the name entered under sysName in the system group of the MIB II as the client identifier. You can enter this system name directly via SNMP, the Web-based management (see system dialog), or the Command Line Interface.
During startup operation, a device receives its configuration data according to the “DHCP process” flowchart (see fig. 13).
The device sends its system name to the DHCP server. The DHCP server can then use the system name to allocate an IP address as an alternative to the MAC address. In addition to the IP address, the DHCP server sends – the netmask – the default gateway (if available) – the tftp URL of the configuration file (if available).
The device accepts this data as configuration parameters (see on page 50
“Web-based IP Configuration”).
If an IP address was assigned by a DHCP server, it will be permanently saved locally.
Table 3: DHCP options which the device requests

    Option   Meaning
    1        Subnet Mask
    2        Time Offset
    3        Router
    4        Time server
    12       Host Name
    42       NTP server
    61       Client Identifier
    66       TFTP Server Name
    67       Bootfile Name
The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity of the configuration parameters (“Lease”) to a specific time period (known as dynamic address allocation). Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew this lease. Alternatively, the client can negotiate a new lease. The DHCP server then allocates a random free address. To avoid this, most DHCP servers provide the explicit configuration option of always assigning a specific client the same IP address based on a unique hardware ID (known as static address allocation).
On delivery, DHCP is activated. As long as DHCP is activated, the device attempts to obtain an IP address. If it cannot find a DHCP server after restarting, it will not have an IP address. To activate/deactivate DHCP, see on page 50 “Web-based IP Configuration”.
Note: When using HiVision network management, ensure that DHCP always allocates the original IP address to each device.
The appendix contains an example configuration of the BOOTP/DHCP­server (see on page 272 “Setting up a DHCP/BOOTP Server”).
Example of a DHCP-configuration file:
    # /etc/dhcpd.conf for DHCP Daemon
    #
    subnet 10.1.112.0 netmask 255.255.240.0 {
      option subnet-mask 255.255.240.0;
      option routers 10.1.112.96;
    }
    #
    # Host berta requests IP configuration
    # with her MAC address
    #
    host berta {
      hardware ethernet 00:80:63:08:65:42;
      fixed-address 10.1.112.82;
    }
    #
    # Host hugo requests IP configuration
    # with his client identifier.
    #
    host hugo {
      # option dhcp-client-identifier "hugo";
      option dhcp-client-identifier 00:68:75:67:6f;
      fixed-address 10.1.112.83;
      server-name "10.1.112.11";
      filename "/agent/config.dat";
    }
Lines that begin with the #-character contain comments. The lines that precede the individual devices indicate settings that apply to the following device. The fixed-address line assigns a fixed IP address to the device. Please refer to your DHCP-Server manual for more details.
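The two server files shown above (the bootptab for BOOTP in section 2.5 and the dhcpd.conf here) are easier to generate than to hand-edit once more than a handful of switches are involved. The following Python script is an added example; it is not code from this manual or from Hirschmann. It encodes a device's system name as the DHCP client identifier (option 61: type byte 0x00 followed by the ASCII bytes, which is how the page's “hugo” becomes 00:68:75:67:6f), normalises MAC addresses into the bootptab ha= form and the dhcpd.conf hardware ethernet form, rejects a fixed address that lies outside the declared subnet, and splits a tftp://server/path URL into the server-name and filename options. The host names, MAC addresses, subnet and config path are constructed sample values.

```python
"""Generate bootptab and dhcpd.conf entries for switches identified by MAC
address or by DHCP client identifier (option 61). Added example, not from
the Hirschmann manual; all inventory values below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]?){5}[0-9a-fA-F]{2}$")


def normalise_mac(mac: str) -> str:
    """12 lower-case hex digits, no separators: the bootptab ha= form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return re.sub(r"[:-]", "", mac).lower()


def colon_mac(mac: str) -> str:
    """aa:bb:cc:dd:ee:ff: the dhcpd.conf 'hardware ethernet' form."""
    h = normalise_mac(mac)
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def client_identifier(sys_name: str) -> str:
    """Option 61 value in dhcpd.conf colon-hex form.

    RFC 2132: first byte is the hardware type; 0x00 means "not a hardware
    address" and is followed by the client's own identifier, here the ASCII
    bytes of the device's sysName. "hugo" -> 00:68:75:67:6f."""
    if not sys_name or not sys_name.isascii():
        raise ValueError("system name must be non-empty ASCII")
    return ":".join(f"{b:02x}" for b in b"\x00" + sys_name.encode("ascii"))


def split_tftp_url(url: str) -> Tuple[str, str]:
    """tftp://10.1.112.11/agent/config.dat -> ("10.1.112.11", "/agent/config.dat")"""
    if not url.startswith("tftp://"):
        raise ValueError(f"not a tftp URL: {url!r}")
    server, _, path = url[len("tftp://"):].partition("/")
    if not server or not path:
        raise ValueError(f"tftp URL needs a server and a file path: {url!r}")
    return server, "/" + path


@dataclass
class Device:
    name: str                          # used as sysName / client identifier
    ip: str
    mac: Optional[str] = None          # identify by hardware address
    use_sysname: bool = False          # identify by option 61 instead
    config_url: Optional[str] = None   # tftp URL of the config file (options 66/67)


def check_in_subnet(ip: str, net: ipaddress.IPv4Network) -> None:
    # A fixed-address outside the subnet block is accepted by the server but
    # the switch then ends up with an address its router cannot serve.
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {net}")


def bootptab(devices: Iterable[Device], subnet: str, gateway: str = "0.0.0.0") -> str:
    """bootptab text: .global template plus one ha=/ip= line per device.
    BOOTP only knows hardware addresses, so every device needs a MAC."""
    net = ipaddress.ip_network(subnet, strict=True)
    lines = ["# /etc/bootptab for BOOTP-daemon bootpd",
             f".global:\\\n\t:gw={gateway}:\\\n\t:sm={net.netmask}:"]
    for d in devices:
        if d.mac is None:
            raise ValueError(f"{d.name}: BOOTP requires a hardware address")
        check_in_subnet(d.ip, net)
        lines.append(f"{d.name}:ht=ethernet:ha={normalise_mac(d.mac)}:ip={d.ip}:tc=.global:")
    return "\n".join(lines) + "\n"


def dhcpd_conf(devices: Iterable[Device], subnet: str, router: str) -> str:
    """dhcpd.conf text: one subnet block and one host block per device."""
    net = ipaddress.ip_network(subnet, strict=True)
    out = [f"subnet {net.network_address} netmask {net.netmask} {{",
           f"  option subnet-mask {net.netmask};",
           f"  option routers {router};", "}"]
    for d in devices:
        check_in_subnet(d.ip, net)
        out.append(f"host {d.name} {{")
        if d.use_sysname:
            out.append(f"  option dhcp-client-identifier {client_identifier(d.name)};")
        elif d.mac:
            out.append(f"  hardware ethernet {colon_mac(d.mac)};")
        else:
            raise ValueError(f"{d.name}: needs a MAC address or use_sysname=True")
        out.append(f"  fixed-address {d.ip};")
        if d.config_url:                      # options 66/67: the switch fetches this over tftp
            server, path = split_tftp_url(d.config_url)
            out.append(f'  server-name "{server}";')
            out.append(f'  filename "{path}";')
        out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample inventory (not from the manual).
    inventory = [
        Device("berta", "10.1.112.82", mac="00:80:63:08:65:42"),
        Device("hugo", "10.1.112.83", use_sysname=True,
               config_url="tftp://10.1.112.11/agent/config.dat"),
    ]
    print(bootptab([inventory[0]], "10.1.112.0/20"))
    print(dhcpd_conf(inventory, "10.1.112.0/20", "10.1.112.96"))
```

The subnet check catches the most common silent failure (a device handed an address the subnet block cannot route). Keep in mind what the filename option does: the switch fetches and applies the named file over tftp, which has no authentication, so the DHCP server and the tftp directory deserve the same protection as the device password itself.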
[Figure 15 labels: PLC; Switch (Option 82); IP = 10.0.1.100; MAC Address = 00:80:63:10:9a:d7; DHCP Server IP = 10.0.1.1; Backbone Switch]

2.7 System Configuration via DHCP Option 82
As with the classic DHCP, on startup an agent receives its configuration data according to the “BOOTP/DHCP process” flow chart (see fig. 13).
While the system configuration is based on the classic DHCP protocol on the device being configured (see on page 46 “System Configuration via DHCP”), Option 82 is based on the network topology. This procedure gives you the option of assigning the same IP address to any device which is connected to a particular location (port of a device) on the LAN. The installation of a DHCP server is described in the chapter “Setting up a DHCP Server with Option 82” on page 278.
Figure 15: Application example of using Option 82

2.8 Web-based IP Configuration
Use the Basic Settings:Network dialog to define the source from which the device receives its IP parameters after startup, assign the IP parameters and VLAN ID, and configure the HiDiscovery access.
Figure 16: Network parameters dialog
Under “Mode”, you enter where the device gets its IP parameters:
In the BOOTP mode, the configuration is via a BOOTP or DHCP server on the basis of the MAC address of the device (see page 272 “Setting up a DHCP/BOOTP Server”).
In the DHCP mode, the configuration is via a DHCP server on the basis of the MAC address or the name of the device (see page 278 “Setting up a DHCP Server with Option 82”).
In the “local” mode the net parameters in the device memory are used.
Enter the parameters on the right according to the selected mode.
You enter the name applicable to the DHCP protocol in the “Name” line in the system dialog of the Web-based interface.
The “VLAN” frame enables you to assign a VLAN to the management CPU of the device. If you enter 0 here as the VLAN ID (not included in the VLAN standard version), the management CPU will then be accessible from all VLANs.
The HiDiscovery protocol allows you to allocate an IP address to the device on the basis of its MAC address. Activate the HiDiscovery protocol if you want to allocate an IP address to the device from your PC with the enclosed HiDiscovery software (state on delivery: operation “on”, access “read-write”).
Note: Save the settings so that you will still have the entries after a restart (see on page 55 “Loading/saving settings”).
2.9 Faulty Device Replacement

The device provides 2 plug-and-play solutions for replacing a faulty device with a device of the same type (faulty device replacement):
Configuring the new device using an AutoConfiguration Adapter (see on page 39 “Loading the system configuration from the ACA”) or
configuration via DHCP Option 82 (see on page 278 “Setting up a DHCP Server with Option 82”)
In both cases, when the new device is started, it is given the same configuration data that the replaced device had.
Note: If you are replacing a device with DIP switches, check the DIP switch settings to ensure they are the same.
Note: If you want to access the device via SSH, you also need an SSH key. To transfer the SSH key of the old device to the new one, you have the following options:
- If you have already created the key and saved it outside the device (e.g. on your administration workstation), load the saved key onto the new device (see on page 289 “Uploading the key”).
- Otherwise create a new SSH key and load it onto the new device (see on page 287 “Preparing access via SSH”). Note that the new device then identifies itself by means of a different key, so SSH clients that have stored the old host key will report a host-key mismatch until the new key has been verified and accepted.

3 Loading/saving settings

The device saves settings such as the IP parameters and the port configuration in the temporary memory. These settings are lost when you switch off or reboot the device. The device allows you to do the following:
Load settings from a non-volatile memory into the temporary memory
Save settings from the temporary memory in a non-volatile memory
If you change the current configuration (for example, by switching a port off), the Web-based interface changes the “load/save” symbol in the navigation tree from a disk symbol to a yellow triangle. After saving the configuration, the Web-based interface displays the “load/save” symbol as a disk again.

3.1 Loading settings
When it is restarted, the device loads its configuration data from the local non-volatile memory. The prerequisites for this are:
You have not connected an AutoConfiguration Adapter (ACA), and
the IP configuration is “local”.
During a restart, the device also allows you to load settings from the following sources:
a binary file of the AutoConfiguration Adapter. If an ACA is connected to the device, the device automatically loads its configuration from the ACA during the boot procedure.
a script file of the AutoConfiguration Adapter. If an ACA is connected to the device, the device automatically loads its configuration from the script file of the ACA during the boot procedure (see on page 61 “Loading a script from the ACA”).
Note: Details of times required for a reboot:
The time required for a cold start is the time taken by the device from the moment power is switched on until it is fully connected and its Management-CPU is fully accessible.
Depending on the device type and the extent of the configuration settings, a cold start takes at least about 10 seconds.
Extensive configuration settings will increase the time required for a reboot, especially if they contain a high number of VLANs. In extreme cases, a reboot can take up to about 200 seconds.
A warm start is quicker, since in this case the device skips the software loading from NVRAM.
During operation, the device allows you to load settings from the following sources:
the local non-volatile memory
a file in the connected network (setting on delivery)
a binary file or an editable and readable script on the PC and
the firmware (restoration of the configuration on delivery).
Note: When loading a configuration, hold off any accesses to the device until it has loaded the configuration file and applied the new configuration settings. Depending on the device type and the extent of the configuration settings, this process can take between 10 and 200 seconds.

3.1.1 Loading from the local non-volatile memory

When loading the configuration data locally, the device loads the configuration data from the local non-volatile memory if no ACA is connected to the device.
Select the Basics: Load/Save dialog.
In the “Load” frame, click “from Device”.
Click “Restore”.

    enable                                             Switch to the privileged EXEC mode.
    copy nvram:startup-config system:running-config    The device loads the configuration data from the local non-volatile memory.

3.1.2 Loading from a file

The device allows you to load the configuration data from a file in the connected network if there is no AutoConfiguration Adapter connected to the device.
Select the Basics: Load/Save dialog.
In the “Load” frame, click
“from URL” if you want the device to load the configuration data from a file and retain the locally saved configuration.
“from URL & save to Switch” if you want the device to load the configuration data from a file and save this configuration locally.
“via PC” if you want the device to load the configuration data from a file on the PC and retain the locally saved configuration.
In the “URL” frame, enter the path under which the device will find the configuration file, if you want to load from the URL.
Click “Restore”.
Note: When restoring a configuration using one of the options in the “Load” frame, note the following particulars:
The device can restore the configuration from a binary or script file:
The option “from Device” restores the configuration exclusively from the device-internal binary file.
The 3 options “from URL”, “from URL and save to Device” or “via PC” can restore the configuration both from a binary file and from a script file. The script file can be an offline configuration file (*.ocf) or a CLI script file (*.cli). The device determines the file type automatically.
When restoring the configuration from a script file, first delete the device configuration so that the default settings are overwritten correctly. For further information, see on page 60 “Resetting the configuration to the state on delivery”.
The URL identifies the path to the tftp server from which the device loads the configuration file. The URL is in the format tftp://IP address of the tftp server/path name/file name (e.g. tftp://10.1.112.5/switch/config.dat).
Example of loading from a tftp server
Before downloading a file from the tftp server, you have to save the configuration file in the corresponding path of the tftp server with the file name, e.g. switch/switch_01.cfg (see on page 66 “Saving in a binary file or a script file on a URL”).
In the “URL” line, enter the path of the tftp server, e.g. tftp://10.1.112.214/switch/switch_01.cfg.
Figure 17: Load/Save dialog

    enable                                                             Switch to the privileged EXEC mode.
    copy tftp://10.1.112.159/switch/config.dat nvram:startup-config    The device loads the configuration data from a tftp server in the connected network.
Note: The loading process started by DHCP/BOOTP (see on page 41
“System configuration via BOOTP”) shows the selection of “from URL & save
locally” in the “Load” frame. If you get an error message when saving a configuration, this could be due to an active loading process. DHCP/BOOTP only finishes a loading process when a valid configuration has been loaded. If DHCP/BOOTP does not find a valid configuration, then finish the loading process by loading the local configuration in the “Load” frame.

3.1.3 Resetting the configuration to the state on delivery

The device enables you to
reset the current configuration to the state on delivery. The locally saved configuration is kept.
reset the device to the state on delivery. After the next restart, the IP address is also in the state on delivery.
Select the Basics: Load/Save dialog.
Make your selection in the “Delete” frame.
Click “Delete configuration”. The device will delete its configuration immediately.
Setting in the system monitor
Select 5 “Erase main configuration file”
This menu item allows you to reset the device to its state on delivery. The device saves configurations other than the original one in its Flash memory in the configuration file *.cfg.
Press the Enter key to delete the configuration file.
3.1.4 Loading from the AutoConfiguration Adapter

Loading a configuration during the boot procedure
If you have connected an ACA to the device, the device automatically loads its configuration from the ACA during the boot procedure. After the loading, the device updates its configuration in the local non-volatile memory with the configuration from the ACA.
Note: During the boot procedure, the configuration on the ACA has priority over the configuration in the local non-volatile memory.
The chapter “Saving locally (and on the ACA)” on page 64 describes how you can save a configuration file on an ACA.
Loading a script from the ACA
If the ACA contains a script file, the device automatically loads its configuration from the script file on the ACA during the boot procedure. The prerequisites for this are:
The ACA is connected during the boot procedure.
There is no binary configuration in the main directory of the ACA.
The main directory of the ACA contains a file with the name “autoupdate.txt”.
The file “autoupdate.txt” is a text file and contains a line whose content has the format script=<file_name>. Here <file_name> stands for the name of the script file to be loaded, e.g. custom.cli.
The file specified using script=<file_name>, e.g. custom.cli, is located in the main directory of the ACA and is a valid script file.
If the local non-volatile memory of the device contains a configuration, the device ignores this. After applying the script, the device updates the configuration in the local non-volatile memory with the configuration from the script. In the process, it also writes the current binary configuration to the ACA.
Note: During the boot procedure, a binary configuration on the ACA has priority over a script on the ACA.
The chapter “Saving as a script on the PC” on page 68 describes how you can save a script file on an ACA.
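To make the boot-time precedence described in this subsection and in section 2.4 explicit, here is an added Python model of the decision the device takes when an ACA is plugged in. It is example code, not Hirschmann firmware and not taken from this manual. It applies the rules as the page states them: a binary configuration in the ACA main directory has priority over a script and is loaded only when the password in the device matches the one in the ACA or the device still has its preset password; without a binary configuration, an autoupdate.txt line of the form script=<file_name> names a script that must itself sit in the main directory; and boot skip-aca-on-boot (section 3.2.1) bypasses the ACA altogether. The binary file name config.bin, the sample file contents, the sample passwords and the simple “valid script” check are assumptions; the manual does not specify them.

```python
"""Model of which configuration a device applies at boot when an ACA is
present. Added example, not Hirschmann firmware; file names, passwords and
the validity check below are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed name of the binary configuration in the ACA main directory.
BINARY_CONFIG_NAMES = ("config.bin",)


@dataclass
class Aca:
    files: Dict[str, bytes]   # file name in the ACA main directory -> content
    password: str             # password stored with the ACA configuration


@dataclass
class DeviceState:
    password: str                    # password currently set in the device
    default_password: str            # the preset (delivery-state) password
    skip_aca_on_boot: bool = False   # CLI: boot skip-aca-on-boot enable


def parse_autoupdate(text: str) -> Optional[str]:
    """Return the file name from the first 'script=<file_name>' line, or None.
    Blank lines and '#' comments are skipped; whitespace around '=' is tolerated."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "script":
            return value.strip() or None
    return None


def is_root_file_name(name: str) -> bool:
    """The script must be in the ACA main directory: reject any path component."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


def looks_like_script(data: bytes) -> bool:
    """Stand-in for the device's own validity check (assumption):
    ASCII text with at least one non-comment line."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return any(ln.strip() and not ln.lstrip().startswith("#") for ln in text.splitlines())


def boot_config_source(device: DeviceState, aca: Optional[Aca]) -> Tuple[str, Optional[str]]:
    """Return ("binary", name), ("script", name) or ("local", None)."""
    if aca is None or device.skip_aca_on_boot:
        return ("local", None)

    # Section 2.4: a binary configuration on the ACA is loaded only with a
    # valid password, and it has priority over a script (3.1.4). On a failed
    # password the flow chart falls back to local memory, not to the script.
    for name in BINARY_CONFIG_NAMES:
        if name in aca.files:
            password_ok = (device.password == aca.password
                           or device.password == device.default_password)
            return ("binary", name) if password_ok else ("local", None)

    # Section 3.1.4: no binary configuration, so autoupdate.txt may name a
    # script in the main directory. The manual lists no password prerequisite
    # for this path, so none is applied here.
    autoupdate = aca.files.get("autoupdate.txt")
    if autoupdate is None:
        return ("local", None)
    script = parse_autoupdate(autoupdate.decode("ascii", errors="replace"))
    if script and is_root_file_name(script) and looks_like_script(aca.files.get(script, b"")):
        return ("script", script)
    return ("local", None)


if __name__ == "__main__":
    # Constructed sample: a replacement device still on its preset password,
    # ACA carrying a script but no binary configuration.
    aca = Aca({"autoupdate.txt": b"# boot script\nscript=custom.cli\n",
               "custom.cli": b"network parms 10.0.1.23 255.255.255.0\n"},
              password="old-device-pw")
    print(boot_config_source(DeviceState("default-pw", "default-pw"), aca))
```

The point worth noticing is the script path: as the page describes it, nothing but the presence of autoupdate.txt and the named file is required, and after applying the script the device also overwrites its local non-volatile memory. Physical control over the ACA slot therefore matters, and boot skip-aca-on-boot is the documented way to keep an ACA from being consulted at start-up.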
Reporting configuration differences
The device allows you to trigger the following events when the configuration stored on the ACA does not match the configuration on the device:
send an alarm (trap) (see on page 213 “Configuring Traps”),
update the device status (see on page 216 “Configuring the Device Status”),
update the status of the signal contacts (see on page 219 “Controlling the Signal Contact”).

3.1.5 Using the offline configurator

The offline configurator allows you to create configurations for devices in advance. You create the configuration virtually on your PC and load it onto your device in a 2nd step.
In this way you can prepare and manage the device configuration efficiently, thus saving time and effort both when creating the configuration and loading it to the devices.
For more details on using the offline configurator, see the chapter “Loading a configuration from the offline configurator” in the “GUI Reference Manual” (Graphical User Interface / Web-based Interface) document.
Example of using the offline configurator
An IT employee already creates the configuration files for the devices of a production cell during the planning phase. In doing so, he uses existing configuration files for a similar production cell and modifies these. He makes the offline configuration files available to the field service employee, who mounts the devices on site and then loads the configuration to the devices. All that is required for this is for the devices to be reachable and have received an IP address, e.g. via HiDiscovery.
Data format
The offline configurator reads and writes configuration data in an XML­based format. The file name extension of these files is “.ocf” (Offline Configurator Format).
You can use the Web-based interface of the devices to load these files and thus configure your devices very quickly.
The XML format also allows you to use other tools to create, edit and manage the offline configuration files and thus optimize your administration processes.
Installation and operating requirements
A requirement for the installation is a PC with a Windows™ XP operating system (with Service Pack 3) or higher. You install the offline configurator from the product CD included with the device. To do so, start the “Setup.exe” installation file from the “ocf_setup” folder.
The offline configurator - like the Web-based interface - uses Java software 6 (“Java™ Runtime Environment (JRE) Version 1.6.x”). If required, you can install it from the product CD. To do this, you go to “Additional Software”, select Java Runtime Environment and click on “Installation”.
Using the offline configurator
Start the offline configurator by double-clicking the “Offline Management” desktop symbol.
For more details on using the offline configurator, see the chapter “Loading a configuration from the offline configurator” in the “GUI Reference Manual” (Graphical User Interface / Web-based Interface) document.
3.2 Saving settings
In the “Save” frame, you have the option to
save the current configuration on the device,
save the current configuration in binary form in a file under the specified URL, or as an editable and readable script,
save the current configuration in binary form or as an editable and readable CLI script on the PC,
save the current configuration for the offline configurator on the PC in XML format.

3.2.1 Saving locally (and on the ACA)

The device allows you to save the current configuration data in the local non-volatile memory and in the ACA.
Select the Basics: Load/Save dialog.
In the “Load” options, click on “From device”.
Click on “Save”.
The device saves the current configuration data in the local non-volatile memory and also, if an ACA is connected, in the ACA.

    enable                                             Switch to the privileged EXEC mode.
    copy system:running-config nvram:startup-config    The device saves the current configuration data in the local non-volatile memory and also, if an ACA is connected, in the ACA.
Note: After you have successfully saved the configuration on the device, the device sends an alarm (trap) hmConfigurationSavedTrap together with the information about the AutoConfiguration Adapter (ACA), if one is connected. When you change the configuration for the first time after saving it, the device sends a trap hmConfigurationChangedTrap.
Note: The device allows you to trigger the following events when the configuration stored on the ACA does not match the configuration on the device:
send an alarm (trap) (see on page 213 “Configuring Traps”),
update the device status (see on page 216 “Configuring the Device Status”),
update the status of the signal contacts (see on page 219 “Controlling the Signal Contact”).
Skip ACA21 during the boot phase
The device allows you to skip the ACA21 AutoConfiguration Adapter (if connected) during the boot phase. In this case, the device ignores the ACA21 during the boot phase. This shortens the boot phase of the device by 1 to 4 seconds. If you have enabled this function, ACA21 functionality becomes available as usual after the boot phase. The device simply skips the ACA21 loading procedures during the boot phase.

    enable                           Switch to Privileged EXEC mode.
    configure                        Switch to Global Configure mode.
    boot skip-aca-on-boot enable     Skip ACA21 during the boot phase (disabled in the as-delivered state).
    boot skip-aca-on-boot disable    Include the ACA21 during the boot phase.
    show boot skip-aca-on-boot       Show whether the “Skip ACA21 during boot phase” function is enabled.

3.2.2 Saving in a binary file or a script file on a URL

The device allows you to save the current configuration data in a file in the connected network.
Note: The configuration file includes all configuration data, including the password. Therefore pay attention to the access rights on the tftp server. tftp itself provides neither authentication nor encryption, so anyone who can read the server's directory or observe the transfer on the network can obtain the device password.
Select the Basics: Load/Save dialog.
In the “Save” frame, choose “to URL (binary)” to create a binary file, or “to URL (script)” to create an editable and readable script file.
In the “URL” frame, enter the path under which you want the device to save the configuration file.
The URL identifies the path to the tftp server on which the device saves the configuration file. The URL is in the format tftp://IP address of the tftp server/path name/file name (e.g. tftp://10.1.112.5/switch/config.dat).
Click “Save”.
    enable                                                             Switch to the privileged EXEC mode.
    copy nvram:startup-config tftp://10.1.112.159/switch/config.dat    The device saves the configuration data in a binary file on a tftp server in the connected network.
    copy nvram:script tftp://10.0.1.159/switch/config.txt              The device saves the configuration data in a script file on a tftp server in the connected network.
Note: If you save the configuration in a binary file, the device saves all configuration settings in a binary file. In contrast to this, the device only saves those configuration settings that deviate from the default setting when saving to a script file.
When loading script files, these are only intended for overwriting the default setting of the configuration.

3.2.3 Saving to a binary file on the PC

The device allows you to save the current configuration data in a binary file on your PC.
Select the Basics: Load/Save dialog.
In the "Save" frame, click "on the PC (binary)".
In the save dialog, enter the name of the file in which you want the device to save the configuration file.
Click "Save".

3.2.4 Saving as a script on the PC

The device allows you to save the current configuration data in an editable and readable file on your PC.
Select the Basics: Load/Save dialog.
In the “Save” frame, click “to PC (script)”.
In the save dialog, enter the name of the file in which you want the device to save the configuration file.
Click "Save".

3.2.5 Saving as an offline configuration file on the PC

The device allows you to save the current configuration data for the offline configurator in XML form in a file on your PC.
Select the Basics: Load/Save dialog.
In the “Save” frame, click “to PC (ocf)”.
In the save dialog, enter the name of the file in which you want the device to save the configuration file.
Click "Save".

4 Loading Software Updates

Hirschmann is working constantly to improve the performance of their products. Therefore, on the Hirschmann web page (www.hirschmann-ac.de) you may find a newer release of the device software than the one installed on your device.

Checking the installed Software Release

Open the Basic Settings:Software dialog. This dialog indicates the Release Number of the software installed in the device.
enable
    Switch to Privileged EXEC mode.
show sysinfo
    Show system information.
Alarm...................................... None
System Description......................... Hirschmann Railswitch
System Name................................ RS-1F1054
System Location............................ Hirschmann Railswitch
System Contact............................. Hirschmann Automation and Control GmbH
System Up Time............................. 0 days 0 hrs 45 mins 57 secs
System Date and Time (local time zone)..... 2009-11-12 14:15:16
System IP Address.......................... 10.0.1.13
Boot Software Release...................... L2B-05.2.00
Boot Software Build Date................... 2009-11-12 13:14
OS Software Release........................ L2B-03.1.00
OS Software Build Date..................... 2009-11-12 13:14
Hardware Revision.......................... 1.22 / 4 / 0103
Hardware Description....................... RS20-1600T1T1SDAEHH
Serial Number.............................. 943434023000001191
Base MAC Address........................... 00:80:63:1F:10:54
Number of MAC Addresses.................... 32 (0x20)

Loading the software

The device gives you 4 options for loading the software:
– manually from the ACA (out-of-band),
– automatically from the ACA (out-of-band),
– via TFTP from a tftp server (in-band) and
– via a file selection dialog from your PC.
Note: The existing configuration of the device is still there after the new software is installed.

4.1 Loading the Software manually from the ACA
You can connect the AutoConfiguration Adapter (ACA) to a USB port of your PC like a conventional USB stick and copy the device software into the main directory of the ACA.
Copy the device software from your computer to the ACA.
Now connect the ACA to the device's USB port.
Open the system monitor (see page 16 “Opening the system monitor”).
Select 2 and press the Enter key to copy the software from the ACA into the local memory of the device. At the end of the update, the system monitor asks you to press any key to continue.
Select 3 to start the new software on the device.
The system monitor offers you additional options in connection with the software on your device:
– selecting the software to be loaded
– starting the software
– performing a cold start

4.1.1 Selecting the software to be loaded

In this menu item of the system monitor, you select one of two possible software releases that you want to load. The following window appears on the screen:
Select Operating System Image
(Available OS: Selected: 05.0.00 (2009-08-07 06:05), Backup: 04.2.00 (2009-07-06 06:05 (Locally selected: 05.0.00 (2009-08-07 06:05))
1 Swap OS images
2 Copy image to backup
3 Test stored images in Flash mem.
4 Test stored images in USB mem.
5 Apply and store selection
6 Cancel selection
Figure 18: Update operating system screen display
Swap OS images
The memory of the device provides space for two images of the software. This allows you, for example, to load a new version of the software without deleting the existing version.
Select 1 to load the other software in the next booting process.
Copy image to backup
Select 2 to save a copy of the active software.
Test stored images in flash memory
Select 3 to check whether the images of the software stored in the flash memory contain valid codes.
Test stored images in USB memory
Select 4 to check whether the images of the software stored in the ACA contain valid codes.
Apply and store selection
Select 5 to confirm the software selection and to save it.
Cancel selection
Select 6 to leave this dialog without making any changes.

4.1.2 Starting the software

This menu item (Start Selected Operating System) of the system monitor allows you to start the software selected.

4.1.3 Performing a cold start

This menu item (End (reset and reboot)) of the system monitor allows you to reset the hardware of the device and perform a restart.

4.2 Automatic software update by ACA
For a software update via the ACA, first copy the new device software into the main directory of the AutoConfiguration Adapter. If the version of the software on the ACA is newer or older than the version on the device, the device performs a software update.
Note: Software versions with release 06.0.00 and higher in the non-volatile memory of the device support the software update via the ACA. If the device software is older, you have the option of loading the software manually from the ACA (see page 71).
Give the file the name that matches the device type and the software variant, e.g. rsL2P.bin for device type RS2 with the software variant L2P. Please note the case-sensitivity here. If you have copied the software from a product CD or from a Web server of the manufacturer, the software already has the correct file name.
Also create an empty file with the name “autoupdate.txt” in the main directory of the ACA. Please note the case-sensitivity here.
Connect the AutoConfiguration Adapter to the device and restart the device.
The device automatically performs the following steps:
– During the booting process, it checks whether an ACA is connected.
– It checks whether the ACA has a file with the name “autoupdate.txt” in the main directory.
– It checks whether the ACA has a software file with a name that matches the device type in the main directory.
– It compares the software version stored on the ACA with the one stored on the device.
– If these conditions are fulfilled, the device loads the software from the ACA to its non-volatile memory as the main software.
– The device keeps a backup of the existing software in the non-volatile memory.
– The device then performs a cold start, during which it loads the new software from the non-volatile memory.
One of the following messages in the log file indicates the result of the update process:
S_watson_AUTOMATIC_SWUPDATE_SUCCESSFUL: Update completed successfully.
S_watson_AUTOMATIC_SWUPDATE_FAILED_WRONG_FILE: Update failed. Reason: incorrect file.
S_watson_AUTOMATIC_SWUPDATE_FAILED_SAVING_FILE: Update failed. Reason: error when saving.
In your browser, click on “Reload” so that you can use the Web-based interface to access the device again after it is booted.
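The boot-time checks and result messages of the automatic ACA update, as an added Python model that is not part of the manual or of the device firmware; the Aca, AcaImage and Device structures and the verdict strings are assumptions, while the order of the checks, the case-sensitive file names and the log messages follow the text above.

```python
"""Constructed model of the ACA automatic software update described in
section 4.2 (example code, not Hirschmann firmware). The Aca, AcaImage
and Device structures and the verdict strings are assumptions; the
checks, their order and the log messages follow the manual."""
from dataclasses import dataclass, field
from typing import Optional

# Log messages the manual names for the result of the update.
SWUPDATE_SUCCESSFUL = "S_watson_AUTOMATIC_SWUPDATE_SUCCESSFUL"
SWUPDATE_FAILED_WRONG_FILE = "S_watson_AUTOMATIC_SWUPDATE_FAILED_WRONG_FILE"
SWUPDATE_FAILED_SAVING_FILE = "S_watson_AUTOMATIC_SWUPDATE_FAILED_SAVING_FILE"

# The trigger file must carry exactly this name (case-sensitive).
TRIGGER_FILE = "autoupdate.txt"
# Only releases from 06.0.00 on support the automatic update.
MIN_RELEASE_FOR_AUTOUPDATE = (6, 0, 0)


def parse_release(text: str) -> tuple:
    """'05.2.00' -> (5, 2, 0); releases compare numerically, field by field."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class AcaImage:
    """A software file in the ACA main directory (constructed view)."""
    release: str
    valid: bool = True          # False models "Update failed. Reason: incorrect file."
    save_fails: bool = False    # True models "Update failed. Reason: error when saving."


@dataclass
class Aca:
    """Contents of the ACA main directory: all file names (case preserved)
    and the software files among them."""
    files: set
    images: dict


@dataclass
class Device:
    image_name: str                 # e.g. "rsL2P.bin": device type + variant
    release: str                    # software in non-volatile memory
    backup_release: Optional[str] = None
    log: list = field(default_factory=list)


def aca_autoupdate(device: Device, aca: Optional[Aca]) -> str:
    """Boot-time checks of section 4.2; `aca` is None when no adapter is
    connected. Returns a verdict string and appends the manual's log
    message to device.log when an update was attempted."""
    if aca is None:
        return "no-aca"
    if parse_release(device.release) < MIN_RELEASE_FOR_AUTOUPDATE:
        return "unsupported-release"       # only a manual ACA update remains
    # Exact, case-sensitive name checks: "AutoUpdate.txt" does not count.
    if TRIGGER_FILE not in aca.files:
        return "no-trigger-file"
    if device.image_name not in aca.images:
        return "no-image-for-device-type"
    image = aca.images[device.image_name]
    # A release that is newer *or* older than the installed one triggers the
    # update; only an identical release leaves the device untouched.
    if parse_release(image.release) == parse_release(device.release):
        return "same-release"
    if not image.valid:
        device.log.append(SWUPDATE_FAILED_WRONG_FILE)
        return "failed"
    if image.save_fails:
        device.log.append(SWUPDATE_FAILED_SAVING_FILE)
        return "failed"
    # The existing software stays in non-volatile memory as backup, the new
    # image becomes the main software, and a cold start then loads it.
    device.backup_release = device.release
    device.release = image.release
    device.log.append(SWUPDATE_SUCCESSFUL)
    return "updated"


if __name__ == "__main__":
    # Constructed ACA contents: trigger file plus a matching image.
    dev = Device(image_name="rsL2P.bin", release="06.0.00")
    stick = Aca(files={"autoupdate.txt", "rsL2P.bin"},
                images={"rsL2P.bin": AcaImage(release="07.1.00")})
    print(aca_autoupdate(dev, stick), dev.release, dev.backup_release, dev.log)
```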

4.3 Loading the software from the tftp server
For a tftp update, you need a tftp server on which the software to be loaded is stored (see on page 282 “TFTP Server for Software Updates”).
Select the Basics:Software dialog.
The URL identifies the path to the software stored on the tftp server. The URL is in the format tftp://IP address of the tftp server/path name/file name (e.g. tftp://192.168.1.1/device/device.bin).
Enter the path of the device software.
Click on “tftp Update” to load the software from the tftp server to the device.
Figure 19: Software update dialog
After successfully loading it, you activate the new software:
Select the dialog Basic Settings:Restart and perform a cold start. In a cold start, the device reloads the software from the permanent memory, restarts, and performs a self-test.
After booting the device, click “Reload” in your browser to access the device again.
enable
    Switch to the privileged EXEC mode.
copy tftp://10.0.1.159/product.bin system:image
    Transfer the “product.bin” software file to the device from the tftp server with the IP address 10.0.1.159.

4.4 Loading the Software via File Selection

For an HTTP software update (via a file selection window), the device software must be on a data carrier that you can access from your workstation.
Select the Basics:Software dialog.
In the file selection frame, click on “...”.
In the file selection window, select the device software (name type: *.bin, e.g. device.bin) and click on “Open”.
Click on “Update” to transfer the software to the device.
The end of the update is indicated by one of the following messages:
– Update completed successfully.
– Update failed. Reason: incorrect file.
– Update failed. Reason: error when saving.
– File not found (reason: file name not found or does not exist).
– Connection error (reason: path without file name).
After the update is completed successfully, you activate the new software: Select the Basic settings: Restart dialog and perform a cold start. In a cold start, the device reloads the software from the non-volatile memory, restarts, and performs a self-test.
In your browser, click on “Reload” so that you can access the device again after it is booted.

5 Configuring the Ports

The port configuration consists of:
– Switching the port on and off
– Selecting the operating mode
– Activating the display of connection error messages
– Configuring Power over ETHERNET.

Switching the port on and off

In the state on delivery, all the ports are switched on. For a higher level of access security, switch off the ports at which you are not making any connection.
Select the Basics:Port Configuration dialog.
In the "Port on" column, select the ports that are connected to another device.

Selecting the operating mode

In the state on delivery, the ports are set to the “Automatic configuration” operating mode.
Note: The active automatic configuration has priority over the manual configuration.
Select the Basics:Port Configuration dialog.
If the device connected to this port requires a fixed setting:
– select the operating mode (transmission rate, duplex mode) in the "Manual configuration" column and
– deactivate the port in the "Automatic configuration" column.

Displaying detected connection errors

In the state on delivery, the device displays a detected connection error via the signal contact and the LED display. The device allows you to suppress this display, for example because you do not want a switched-off device to be interpreted as an interrupted connection.
Select the Basics:Port Configuration dialog.
In the "Propagate connection error" column, select the ports for which you want to have link monitoring.

Configure Power over ETHERNET

If the device is equipped with PoE media modules, it will then allow you to supply current to devices such as IP phones via the twisted-pair cable. PoE media modules support Power over ETHERNET according to IEEE 802.3af. On delivery, the Power over ETHERNET function is activated globally and on all PoE-capable ports.
Nominal power for MS20/30, MACH 1000 and PowerMICE: The device provides the nominal power for the sum of all PoE ports plus a surplus. Because the PoE media module gets its PoE voltage externally, the device does not know the possible nominal power. The device therefore assumes a “nominal power” of 60 Watt per PoE media module for now.
Nominal power for MACH 4000: The device provides the nominal power for the sum of all PoE ports plus a surplus. Should the connected devices require more PoE power than is provided, the device then switches PoE off at the ports. Initially, the device switches PoE off at the ports with the lowest PoE priority. If multiple ports have the same priority, the device first switches PoE off at the ports with the higher port number.
Global settings
For devices with PoE select the Basic Settings:Power over Ethernet dialog.
For devices with PoE+ select the Basic Settings:Power over Ethernet Plus:Global dialog.
Frame "Operation":
With “Function On/Off” you turn the PoE on or off.
Frame "Configuration":
With “Send Trap” you can get the device to send a trap in the following cases:
– If a value exceeds/falls below the performance threshold.
– If the PoE supply voltage is switched on/off at at least one port.
Enter the power threshold in “Threshold”. When this value is exceeded/not achieved, the device will send a trap, provided that “Send Trap” is enabled. For the power threshold you enter the power yielded as a percentage of the nominal power.
“Nominal Power” displays the power that the device nominally provides for all PoE ports together.
“Reserved Power” displays the maximum power that the device provides to all the connected PoE devices together on the basis of their classification.
“Delivered Power” shows how large the current power requirement is at all PoE ports.
The difference between the "nominal" and "reserved" power indicates how much power is still available to the free PoE+ ports.
Port settings
For devices with PoE select the Basic Settings:Power over Ethernet dialog.
For devices with PoE+ select the Basic Settings:Power over Ethernet Plus:Port dialog.
The table only shows ports that support PoE.
In the “POE on” column, you can enable/disable PoE at this port.
The “Status” column indicates the PoE status of the port.
In the “Priority” column (MACH 4000), set the PoE priority of the port to “low”, “high” or “critical”.
The "Class" column indicates the class of the connected device:
Class: Maximum delivered power
0: 15.4 W (as-delivered state)
1: 4.0 W
2: 7.0 W
3: 15.4 W
4: reserved, treated as Class 0
The “Consumption [W]” column displays the current power delivered at the respective port.
The “Name” column indicates the name of the port, see Basic settings:Port configuration.
Figure 20: Power over Ethernet dialog
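The PoE budget rules of this chapter (class power table, reserved and delivered power, the MACH 4000 shutdown order by priority and port number, and the power threshold trap), as an added Python model that is not part of the manual or of the device firmware; the PoePort structure and the assumption that the device budgets on the reserved (class) power are mine.

```python
"""Constructed model of the PoE budget rules in chapter 5 (example code,
not device firmware): class-based reserved power, the order in which a
MACH 4000 switches PoE off when the powered devices need more than the
nominal power, and the "Send Trap" power threshold."""
from dataclasses import dataclass

# "Class" column: maximum delivered power per class. Class 4 is reserved
# and treated as class 0.
CLASS_MAX_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 15.4}
# "Priority" column (MACH 4000): PoE is removed from low before high
# before critical.
PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


@dataclass
class PoePort:
    number: int                 # port number
    priority: str = "low"
    pd_class: int = 0           # class of the connected powered device
    consumption_w: float = 0.0  # "Consumption [W]" column
    poe_on: bool = True         # "POE on" column


def reserved_power_w(ports) -> float:
    """'Reserved Power': the class maximums of all ports with PoE on."""
    return round(sum(CLASS_MAX_POWER_W[p.pd_class] for p in ports if p.poe_on), 1)


def delivered_power_w(ports) -> float:
    """'Delivered Power': the current draw of all ports with PoE on."""
    return round(sum(p.consumption_w for p in ports if p.poe_on), 1)


def shutdown_order(ports):
    """MACH 4000 order for switching PoE off: lowest priority first; among
    ports of equal priority, the higher port number first."""
    return sorted((p for p in ports if p.poe_on),
                  key=lambda p: (PRIORITY_RANK[p.priority], -p.number))


def apply_power_budget(ports, nominal_power_w: float) -> list:
    """Switch ports off in shutdown order until the reserved power fits
    into the nominal power; returns the numbers of the ports switched off.
    Assumption: the device budgets on reserved (class) power, which is the
    quantity the dialog compares with the nominal power."""
    switched_off = []
    for port in shutdown_order(ports):
        if reserved_power_w(ports) <= nominal_power_w:
            break
        port.poe_on = False
        switched_off.append(port.number)
    return switched_off


def threshold_exceeded(ports, nominal_power_w: float,
                       threshold_percent: float, send_trap: bool) -> bool:
    """True when the delivered power exceeds the "Threshold", which is
    entered as a percentage of the nominal power, and "Send Trap" is on.
    (The manual also traps on falling below the threshold; only the
    exceeding case is modelled here.)"""
    if not send_trap:
        return False
    return delivered_power_w(ports) > nominal_power_w * threshold_percent / 100


if __name__ == "__main__":
    # Constructed port table: four PoE ports on a 30 W budget.
    ports = [PoePort(1, "critical", 3, 6.0), PoePort(2, "high", 3, 5.0),
             PoePort(3, "low", 3, 5.0), PoePort(4, "low", 2, 3.0)]
    print("reserved before:", reserved_power_w(ports))
    print("switched off:", apply_power_budget(ports, 30.0))
    print("reserved after:", reserved_power_w(ports))
```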

Switch on PoE power supply

OCTOPUS PoE devices let you switch on the PoE power supply before loading and starting the software. This means that the connected PoE devices (powered devices) are supplied with the PoE voltage more quickly and the start phase of the whole network is shorter.
enable
    Switch to Privileged EXEC mode.
configure
    Switch to Global Configure mode.
#inlinepower fast-startup enable
    Switch on Inline Power Fast Startup (disabled in the as-delivered state).
#inlinepower fast-startup disable
    Switch off Inline Power Fast Startup.
#show inlinepower
    Show Power over Ethernet System Information (Fast Startup and other information).

Cold start with detected errors

This function lets you reset the device automatically with a cold start in the following cases:
– if an error is detected (selftest reboot-on-error enable) or
– only if a serious error is detected (selftest reboot-on-error seriousOnly)
If the function selftest reboot-on-error seriousOnly is enabled, the device behaves as follows:
– If an error is detected in a subsystem (for example, if an HDX/FDX mismatch is detected on a port), cold starts of the device are dropped.
– However, if an error affecting the function of the entire device is detected, the device still carries out a cold start.
– The device sends an alarm message (for Trap messages, see page 210).
Note: If the selftest reboot-on-error seriousOnly function is enabled and the device detects an HDX/FDX mismatch, automatic cold starts of the device are dropped. In this case, to return the affected port(s) to a usable condition, open the Basic Settings:Reboot dialog and carry out a cold start of the device.
enable
    Switch to Privileged EXEC mode.
configure
    Switch to Global Configure mode.
#selftest reboot-on-error enable
    Switch on the "Cold start if error detected" function.
#selftest reboot-on-error seriousOnly
    Switch on the "Cold start only if serious error detected" function.
#selftest reboot-on-error disable
    Switch off the "Cold start if error detected" function (enabled in the as-delivered state).
#show selftest
    Show status of the "Cold start if error detected" function (Enabled/Disabled/seriousOnly).
6 Assistance in the Protection from Unauthorized Access
The device provides the following functions to help prevent unauthorized access:
– Password for SNMP access
– Telnet/internet/SSH access can be switched off
– Restricted Management access
– HiDiscovery function can be switched off
– Port access control by IP or MAC address
– IEEE 802.1X standard port authentication
– Access Control Lists (ACL)

6.1 Protecting the device
If you want to maximize the protection of the device against unauthorized access in just a few steps, you can perform some or all of the following steps on the device:
– Deactivate SNMPv1 and SNMPv2 and select a password for SNMPv3 access other than the standard password (see on page 90 “Entering the password for SNMP access”).
– Deactivate Telnet access.
– Deactivate web access after you have downloaded the applet for the web-based interface onto your management station. You can start the web-based interface as an independent program and thus have SNMP access to the device.
– If necessary, deactivate SSH access (see on page 96 “Switching Telnet/Internet/SSH access on/off”).
– Deactivate HiDiscovery access.
Note: Retain at least one option to access the device. V.24 access is always possible, since it cannot be deactivated.

6.2 Password for SNMP access

6.2.1 Description of password for SNMP access

A network management station communicates with the device via the Simple Network Management Protocol (SNMP). Every SNMP packet contains the IP address of the sending computer and the password with which the sender of the packet wants to access the device MIB.
The device receives the SNMP packet and compares the IP address of the sending computer and the password with the entries in the device MIB. If the password has the appropriate access right, and if the IP address of the sending computer has been entered, then the device will allow access.
In the delivery state, the device is accessible via the password "public" (read only) and "private" (read and write) to every computer.
To help protect your device from unwanted access:
– First define a new password with which you can access from your computer with all rights.
– Treat this password as confidential, because everyone who knows the password can access the device MIB with the IP address of your computer.
– Limit the access rights of the known passwords or delete their entries.

6.2.2 Entering the password for SNMP access

Select the Security:Password/SNMP Access dialog. This dialog gives you the option of changing the read and read/write passwords for access to the device via the Web-based interface, via the CLI, and via SNMPv3 (SNMP version 3). Set different passwords for the read password and the read/write password so that a user that only has read access (user name “user”) does not know, or cannot guess, the password for read/write access (user name “admin”). If you set identical passwords, when you attempt to write this data the device reports a general error.
The Web-based interface and the user interface (CLI) use the same passwords as SNMPv3 for the users “admin” and “user”.
Note: Passwords are case-sensitive.
Select “Modify Read-Only Password (User)” to enter the read password.
Enter the new read password in the “New Password” line and repeat your entry in the “Please retype” line.
Select “Modify Read-Write Password (Admin)” to enter the read/write password.
Enter the read/write password and repeat your entry.
"Data encryption" encrypts the data of the Web-based management that is transferred between your PC and the device with SNMPv3. You can set the "Data encryption" differently for access with a read password and access with a read/write password.
Figure 21: Password/SNMP Access dialog
Note: If you do not know a password with “read/write” access, you will not have write access to the device.
Note: For security reasons, the device does not display the passwords. Make a note of every change. You cannot access the device without a valid password.
Note: For security reasons, SNMPv3 encrypts the password. With the “SNMPv1” or “SNMPv2” setting in the dialog Security:SNMPv1/v2 access, the device transfers the password unencrypted, so that this can also be read.
Note: Use between 5 and 32 characters for the password in SNMPv3, since many applications do not accept shorter passwords.
Select the Security:SNMPv1/v2 access dialog.
With this dialog you can select the access via SNMPv1 or SNMPv2. In the state on delivery, both protocols are activated. You can thus manage the device with HiVision and communicate with earlier versions of SNMP.
If you select SNMPv1 or SNMPv2, you can specify in the table via which IP addresses the device may be accessed, and what kinds of passwords are to be used. Up to 8 entries can be made in the table. For security reasons, the read password and the read/write password must not be identical. Please note that passwords are case-sensitive.
Index: Serial number for this table entry
Password: Password with which this computer can access the device. This password is independent of the SNMPv2 password.
IP Address: IP address of the computer that can access the device.
IP Mask: IP mask for the IP address
Access Mode: The access mode determines whether the computer has read-only or read-write access.
Active: Enable/disable this table entry.
Figure 22: SNMPv1/v2 access dialog
To create a new line in the table click “Create”.
To delete an entry, select the line in the table and click “Remove”.
6.3 Telnet/internet/SSH access

6.3.1 Description of Telnet Access

The Telnet server of the device allows you to configure the device using the Command Line Interface (in-band). You can deactivate the Telnet server to inactivate Telnet access to the device. The server is activated in its state on delivery. After the Telnet server has been deactivated, you will no longer be able to access the device via a new Telnet connection. If a Telnet connection already exists, it is retained.
Note: The Command Line Interface (out-of-band) and the Security:Telnet/Web access dialog in the Web-based interface allow you to reactivate the Telnet server.

6.3.2 Description of Web Access

The device's Web server allows you to configure the device by using the Web-based interface. You can deactivate the Web server to prevent Web access to the device. The server is activated in its state on delivery.
After the Web server has been switched off, it is no longer possible to log in via a Web browser. The login in the open browser window remains active.

6.3.3 Description of SSH Access

The device's SSH server allows you to configure the device using the Command Line Interface (in-band). You can deactivate the SSH server to prevent SSH access to the device. The server is deactivated in its state on delivery. After the SSH server has been deactivated, you will no longer be able to access the device via a new SSH connection. If an SSH connection already exists, it is retained.
Note: The Command Line Interface (out-of-band) and the Security:Telnet/Web access dialog in the Web-based interface allow you to reactivate the SSH server.
Note: To be able to access the device via SSH, you require a key that has to be installed on the device (see the "Basic Configuration User Manual”).

6.3.4 Switching Telnet/Internet/SSH access on/off

The web server copies a Java applet for the web-based interface to your computer. The applet then communicates with the device by SNMPv3 (Simple Network Management Protocol). The web-server of the device allows you to configure the device through the web-based interface. You can switch off the web server in order to prevent the applet being copied.
Select the Security:Telnet/Web/SSH access dialog.
Disable the server to which you want to refuse access.
enable
    Switch to the privileged EXEC mode.
configure
    Switch to the Configuration mode.
lineconfig
    Switch to the configuration mode for CLI.
transport input telnet
    Enable Telnet server.
no transport input telnet
    Disable Telnet server.
exit
    Switch to the Configuration mode.
exit
    Switch to the privileged EXEC mode.
ip http server
    Enable Web server.
no ip http server
    Disable Web server.
ip ssh
    Enable SSH function on switch.
no ip ssh
    Disable SSH function on switch.

6.3.5 Web access through HTTPS

The HTTPS communication protocol (HyperText Transfer Protocol Secure) helps protect data transfers from interception. The device uses the HTTPS protocol to encrypt and authenticate the communications between web server and browser.
The web server uses HTTP to load a Java applet for the web-based interface onto your computer. This applet then communicates with the device by SNMP (Simple Network Management Protocol). If you have enabled the Web Server (HTTPS) function, the Java applet establishes an HTTPS connection to the device. The device creates an HTTPS tunnel through the SNMP. It uses DES encoding on 56 bits. You can upload HTTPS certificates to the device.
Certificate
An X.509/PEM Standard certificate (Public Key Infrastructure) is required for the encryption. In the as-delivered state, a self-generated certificate is already present on the device. You can create an X509/PEM certificate using the following CLI command:
# ip https certgen
You can upload a new certificate using the following CLI command:
copy tftp://<server_ip>/<path_to_pem> nvram:httpscert
You can switch the HTTPS server off and on again using the following CLI command sequence:
# no ip https server
# ip https server
Note: If you upload a new certificate, reboot the device or the HTTPS server in order to activate the certificate.
HTTPS connection
Note: The standard port for HTTPS connection is 443. If you change the number of the HTTPS port, reboot the device or the HTTPS server in order to make the change effective. You can change the HTTPS port number using the following CLI command (where <port_no> is the number of the HTTPS port):
#ip https port <port_no>
Note: If you want to use HTTPS, switch on both HTTPS and HTTP. This is required in order to load the applet. In the as-delivered state, HTTPS is switched off.
Open the Security:Telnet/Internet/SSH Access dialog.
Tick the boxes Telnet Server active, Web Server(http) and Web Server(https). In the HTTPS Port Number box, enter the value 443.
To access the device by HTTPS, enter HTTPS instead of HTTP in your browser, followed by the IP address of the device.
enable
    Switch to Privileged EXEC mode.
# ip https server
    Switch on HTTPS server.
# ip https port <port_no>
    Set the HTTPS port number for a secure HTTP connection.
    - As-delivered state: 443.
    - Value range: 1-65535
# no ip https server
# ip https server
    If you change the HTTPS port number, switch the HTTPS server off and then on again in order to make the change effective.
# show ip https
    Optional: Show the status of the HTTPS server and HTTPS port number.
# ip https certgen
    Create X509/PEM certificate.
# copy tftp://<server_ip>/<path_to_pem> nvram:httpscert
    Upload an X509/PEM certificate for HTTPS using TFTP.
# no ip https server
# ip https server
    After uploading the HTTPS certificate, switch the HTTPS server off and then on again in order to activate the certificate.
The device uses HTTPS protocol and establishes a new connection. When the session is ended and the user logs out, the device terminates the connection.
Note: The device allows you to open HTTPS- and HTTP connections at the same time. The maximum number of HTTP(S) connections that can be open at the same time is 16.

6.4 Restricted Management Access
The device allows you to differentiate the management access to the device based on IP address ranges, and to differentiate these based on management services (http, snmp, telnet, ssh). You thus have the option to set finely differentiated management access rights.
If you only want the device, which is located, for example, in a production plant, to be managed from the network of the IT department via the Web interface, but also want the administrator to be able to access it remotely via SSH, you can achieve this with the “Restricted management access” function.
You can configure this function using the Web-based interface or the CLI. The Web-based interface provides you with an easy configuration option. Make sure you do not unintentionally block your access to the device. CLI access via the V.24 interface is always available: it is excluded from the function and cannot be restricted.
In the following example, the IT network has the address range 192.168.1.0/24 and the remote access is from a mobile phone network with the IP address range 109.237.176.0 - 109.237.176.255.
The device is always ready for the SSH access (see on page 287 “Preparing access via SSH”) and the SSH client application already knows the fingerprint of the host key on the device.
Parameter                   IT network      Mobile phone network
Network address             192.168.1.0     109.237.176.0
Netmask                     255.255.255.0   255.255.255.0
Desired management access   http, snmp      ssh
Table 4: Example parameter for the restricted management access
enable                                              Switch to the privileged EXEC mode.
show network mgmt-access                            Display the current configuration.
network mgmt-access add                             Create an entry for the IT network. This is given the smallest free ID - in the example, 2.
network mgmt-access modify 2 ip 192.168.1.0         Set the IP address of the entry for the IT network.
network mgmt-access modify 2 netmask 255.255.255.0  Set the netmask of the entry for the IT network.
network mgmt-access modify 2 telnet disable         Deactivate telnet for the entry of the IT network.
network mgmt-access modify 2 ssh disable            Deactivate SSH for the entry of the IT network.
network mgmt-access add                             Create an entry for the mobile phone network. In the example, this is given the ID 3.
network mgmt-access modify 3 ip 109.237.176.0       Set the IP address of the entry for the mobile phone network.
network mgmt-access modify 3 netmask 255.255.255.0  Set the netmask of the entry for the mobile phone network.
network mgmt-access modify 3 http disable           Deactivate http for the entry of the mobile phone network.
network mgmt-access modify 3 snmp disable           Deactivate snmp for the entry of the mobile phone network.
network mgmt-access modify 3 telnet disable         Deactivate telnet for the entry of the mobile phone network.
network mgmt-access status 1 disable                Deactivate the preset entry.
network mgmt-access operation enable                Activate the function immediately.
show network mgmt-access                            Display the current configuration of the function.
copy system:running-config nvram:startup-config     Save the entire configuration in the non-volatile memory.
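The sequence above is easy to get wrong in a way that locks you out of everything except the V.24 console, which is exactly what the warning earlier in this section is about. The following Python model is an added example, not part of this manual or of the device firmware: it replays the CLI sequence for Table 4 and lets you ask, before issuing network mgmt-access operation enable, whether a given client address would still be allowed to use a given service. The evaluation rules are my assumptions (a session is permitted when at least one active entry covers the address and has the service enabled, otherwise it is denied; the preset entry 1 is assumed to permit every address for every service), and the client addresses in the __main__ block are constructed samples.

```python
import ipaddress

SERVICES = ("http", "snmp", "telnet", "ssh")


class MgmtAccessPolicy:
    """Model of the device's 'network mgmt-access' entries (assumed semantics, not firmware code)."""

    def __init__(self):
        self.operation = False  # set by 'network mgmt-access operation enable'
        # Assumption: the preset entry 1 covers every address and every service.
        self.entries = {1: self._entry("0.0.0.0", "0.0.0.0")}

    @staticmethod
    def _entry(ip, netmask):
        return {"ip": ip, "netmask": netmask, "active": True,
                "services": {s: True for s in SERVICES}}

    def add(self):
        """'network mgmt-access add': the new entry receives the smallest free ID."""
        eid = 1
        while eid in self.entries:
            eid += 1
        # Placeholder host-only address until 'modify <id> ip/netmask' is issued.
        self.entries[eid] = self._entry("0.0.0.0", "255.255.255.255")
        return eid

    def modify(self, eid, key, value):
        """'network mgmt-access modify <id> <key> <value>'."""
        entry = self.entries[eid]
        if key in ("ip", "netmask"):
            entry[key] = value
        elif key in SERVICES:
            entry["services"][key] = (value == "enable")
        else:
            raise ValueError(f"unknown key {key!r}")

    def status(self, eid, value):
        """'network mgmt-access status <id> enable|disable'."""
        self.entries[eid]["active"] = (value == "enable")

    def is_allowed(self, client_ip, service):
        """Would a management session from client_ip for service be accepted?"""
        if not self.operation:
            return True  # function switched off: no restriction at all
        addr = ipaddress.IPv4Address(client_ip)
        for entry in self.entries.values():
            if not entry["active"]:
                continue
            net = ipaddress.IPv4Network((entry["ip"], entry["netmask"]))
            if addr in net and entry["services"][service]:
                return True
        return False  # assumption: no matching active entry means denied

    def lockout_check(self, admin_ip, service):
        """Preflight: evaluate the policy as if it were already enabled, so you see
        before 'operation enable' whether your own session would survive."""
        saved = self.operation
        self.operation = True
        try:
            return self.is_allowed(admin_ip, service)
        finally:
            self.operation = saved


def build_table4_policy():
    """Replays the CLI sequence of the manual's example (Table 4)."""
    policy = MgmtAccessPolicy()
    it_net = policy.add()            # smallest free ID: 2
    policy.modify(it_net, "ip", "192.168.1.0")
    policy.modify(it_net, "netmask", "255.255.255.0")
    policy.modify(it_net, "telnet", "disable")
    policy.modify(it_net, "ssh", "disable")
    mobile = policy.add()            # next free ID: 3
    policy.modify(mobile, "ip", "109.237.176.0")
    policy.modify(mobile, "netmask", "255.255.255.0")
    policy.modify(mobile, "http", "disable")
    policy.modify(mobile, "snmp", "disable")
    policy.modify(mobile, "telnet", "disable")
    policy.status(1, "disable")      # deactivate the preset entry
    policy.operation = True          # 'network mgmt-access operation enable'
    return policy


if __name__ == "__main__":
    p = build_table4_policy()
    # Constructed sample sessions: an IT-department PC, the remote admin's phone, an outsider.
    for ip, svc in [("192.168.1.10", "http"), ("192.168.1.10", "ssh"),
                    ("109.237.176.20", "ssh"), ("10.0.0.5", "http")]:
        print(f"{ip:>16} {svc:<6} -> {'allowed' if p.is_allowed(ip, svc) else 'denied'}")
    # An administrator configuring the device over HTTP from a constructed address
    # outside both ranges would cut off their own session on 'operation enable':
    print("admin 10.0.0.5 http would survive:", p.lockout_check("10.0.0.5", "http"))
```

Run lockout_check with the address and service of the session you are actually configuring from before entering network mgmt-access operation enable; if it returns False, add or widen an entry first, or do the final step from the V.24 console.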