Hirschmann Power MICE, MACH 4002-24G, MACH 4002-48G, MACH 4000 User Manual

User Manual
Basic - L3P
Release 3.1 06/07
Technical Support
HAC-Support@hirschmann.de
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
© 2007 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD applies.
The performance features described here are binding only if they have been expressly guaranteed in the contract. This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.
Printed in Germany (9.7.07)
Hirschmann Automation and Control GmbH Stuttgarter Straße 45-51 72654 Neckartenzlingen Tel. +49 1805 141538 -01-0607
Contents
Contents 3
About this Manual 9
Key 11
Introduction 13
1 Access to the user interfaces 15
1.1 System monitor 16
1.2 Command Line Interface 19
1.3 Web based Interface 22
2 Entering the IP parameters 25
2.1 Basics IP parameter 27
2.1.1 IP address (version 4) 27
2.1.2 Network mask 28
2.1.3 Example of how the network mask is used 30
2.2 Entering the IP parameters via CLI 32
2.3 Entering the IP parameters via HiDiscovery 35
2.4 Loading the system configuration from the ACA 37
2.5 System configuration via BOOTP 39
2.6 System configuration via DHCP 43
2.7 System Configuration via DHCP Option 82 46
2.8 System configuration via the Web-based Interface 47
2.9 Faulty Device Replacement 49
3 Loading/saving settings 51
3.1 Loading settings 52
3.1.1 Loading from the local non-volatile memory 53
3.1.2 Loading from the AutoConfiguration Adapter 53
3.1.3 Loading from a file 54
3.1.4 Resetting the configuration to the state on delivery 56
3.2 Saving settings 57
3.2.1 Saving Locally (and on the ACA) 57
3.2.2 Saving into a file on URL 58
3.2.3 Saving into a binary file on the PC 59
3.2.4 Saving as script on the PC 59
4 Loading Software Updates 61
4.1 Loading the Software from the ACA 63
4.1.1 Swapping the software available 63
4.1.2 Starting the software 65
4.1.3 Performing a cold start 65
4.2 Loading the Software from the tftp Server 66
4.3 Loading Software via file selector 68
5 Configuring ports 69
6 Protection from unauthorized access 73
6.1 Password for SNMP access 74
6.1.1 Description Password for SNMP access 74
6.1.2 Entering password for SNMP access 75
6.2 Setting Telnet/Web/SSH access 79
6.2.1 Description Telnet/Web access 79
6.2.2 Description Web access 79
6.2.3 Description of SSH access 80
6.2.4 Enabling/disabling Telnet/Web/SSH access 81
6.3 Disabling HiDiscovery function 82
6.3.1 Description HiDiscovery protocol 82
6.3.2 Disabling HiDiscovery function 83
6.4 Port access control 84
6.4.1 Description port access control 84
6.4.2 Defining port access control 85
6.5 Port Authentication 87
6.5.1 Description Port-Based Network Access Control (802.1X) 87
6.5.2 Authentication process 88
6.5.3 Preparing the switch for the 802.1X port authentication 88
6.5.4 Setting 802.1X 89
6.6 Access Control Lists (ACL) 90
6.6.1 Description of IP-based ACLs 91
6.6.2 Description of MAC-based ACLs 92
6.6.3 Configuring IP ACLs 94
6.6.4 Configuring MAC ACLs 95
6.6.5 Configuring priorities with IP ACLs 97
6.6.6 Specifying the sequence of the rules 100
7 Synchronizing the System Time of the Network 103
7.1 Entering the Time 104
7.2 SNTP 106
7.2.1 Description SNTP 106
7.2.2 Preparing the SNTP configuration 107
7.2.3 Configuring SNTP 108
7.3 Precision Time Protocol 111
7.3.1 Function description PTP 111
7.3.2 Preparing the PTP configuration 114
7.3.3 Configuring PTP 115
7.4 Interaction PTP and SNTP 118
8 Traffic control 121
8.1 Directed frame forwarding 122
8.1.1 Store-and-forward 122
8.1.2 Multi-address capability 122
8.1.3 Aging of learned addresses 123
8.1.4 Entering static address entries 124
8.1.5 Disabling the specific packet distribution 125
8.2 Multicast application 126
8.2.1 Description multicast application 126
8.2.2 Example of a multicast application 127
8.2.3 Description IGMP snooping 128
8.2.4 Description GMRP 129
8.2.5 Setting multicast applications 129
8.3 Rate Limiter 133
8.3.1 Description Rate Limiter 133
8.3.2 Setting Rate Limiter for MACH 4000 and Power MICE 133
8.4 Prioritization 135
8.4.1 Description Prioritization 135
8.4.2 Tagging 136
8.4.3 IP ToS / DiffServ 139
8.4.4 Handling of received priority information 142
8.4.5 Handling of priority classes 142
8.4.6 Setting Prioritization 144
8.5 Flow control 149
8.5.1 Description Flow control 149
8.5.2 Setting flow control 150
8.6 VLANs 151
8.6.1 Description VLANs 151
8.6.2 Configuring VLANs 154
8.6.3 Setting up VLANs 156
8.6.4 Displaying the VLAN configuration 157
8.6.5 Deleting the VLAN settings 157
8.6.6 Example of a simple VLAN 158
9 Operation Diagnostics 165
9.1 Sending traps 166
9.1.1 SNMP trap listing 167
9.1.2 SNMP traps when booting 168
9.1.3 Configuring traps 168
9.2 Monitoring Device Status 171
9.3 Out-of-band signaling 174
9.3.1 Manual setting the signal contact 175
9.3.2 Monitoring correct operation via the signal contact 176
9.3.3 Monitoring the Device Status with a signal contact 177
9.4 Port status indication 178
9.5 Event counter on port level 180
9.6 Displaying the SFP Status 182
9.7 TP cable diagnosis 183
9.8 Topology discovery 184
9.8.1 Description Topology discovery 184
9.8.2 Displaying the topology discovery 186
9.9 IP Address Conflict Detection 188
9.9.1 Description of IP address conflicts 188
9.9.2 Configuring ACD 189
9.9.3 Displaying ACD 189
9.10 Reports 191
9.11 Monitoring port traffic (port mirroring) 193
Appendix A: Setting up the configuration environment 195
A.1 Setting up DHCP/BOOTP Server 196
A.2 Setting up DHCP Server Option 82 202
A.3 tftp server for software updates 207
A.3.1 Setting up the tftp process 208
A.3.2 Software access rights 211
A.4 Preparing for access via SSH 212
A.4.1 Creating a key 212
A.4.2 Uploading the key 214
A.4.3 Access via SSH 215
Appendix B: General Information 217
B.1 Hirschmann Competence 218
B.2 FAQ 219
B.3 Management Information BASE MIB 220
B.4 Used abbreviations 223
B.5 List of RFCs 224
B.6 Based IEEE standards 226
B.7 Technical Data 227
B.8 Copyright of integrated software 228
B.8.1 Bouncy Castle Crypto APIs (Java) 228
B.8.2 LVL7 Systems, Inc. 228
B.9 Reader's comments 229
Appendix C:Index 231
About this Manual
The “Basic Configuration” user manual contains all the information you need to start operating the switch. It takes you step by step from the first startup operation through to the basic settings for operation in your environment.
The following thematic sequence has proven itself in practice:
D Set up device access for operation by entering the IP parameters
D Check the status of the software and update it if necessary
D Load/Save the configuration
D Configure the ports
D Set up protection from unauthorized access
D Optimize the data transmission with network load control
D Synchronize system time in the network
D Function diagnosis
The “Installation” user manual contains a device description, safety instructions, a description of the display, and all the other information that you need to install the device before you begin with the configuration of the device.
The “Redundancy Configuration” user manual contains all the information you need to select a suitable redundancy procedure and configure it.
The “Industrial Protocols” user manual describes how the Switch is connected by means of a communication protocol commonly used in the industry, such as EtherNet/IP or PROFINET.
The “Routing Configuration” user manual contains all the information you need to start operating the routing function. It takes you step by step from a small router application through to the router configuration of a complex network. The manual enables you to configure your router by following the examples.
You will find detailed descriptions of how to operate the individual functions in the “Web-based Interface” and “Command Line Interface” reference manuals.
If you use the HiVision network management software, you can additionally:
D keep an event logbook,
D configure the „System Location“ and „System Name“,
D configure the network address range and SNMP parameters,
D save the configuration on the Switch,
D configure several Switches simultaneously,
D configure the relevant ports to be displayed in red if there is no link state.
Key
The designations used in this manual have the following meanings:
D List
V Work step
U Subheading
Indicates a cross-reference with a stored link.
Note: A note emphasizes an important fact or draws your attention to a dependency.
Courier font ASCII representation in user interface
Execution in the Web-based Interface user interface
Execution in the Command Line Interface user interface
Symbols used:
Router
Switch
Bridge
Hub
A random computer
Configuration computer
Server
Introduction
The Switch has been developed for practical application in a harsh industrial environment. Accordingly, the installation process has been kept simple. Thanks to the selected default settings, you only have to enter a few settings before starting to operate the Switch.
1 Access to the user interfaces
The Switch has three user interfaces, which you can reach via different connections:
D System monitor via the V.24 interface (out-of-band)
D Command Line Interface (CLI) via the V.24 connection (out-of-band) and Telnet (in-band)
D Web-based interface via Ethernet (in-band)
1.1 System monitor
The system monitor enables you to
D select the boot operating software,
D update the operating software,
D start the selected operating software,
D end the system monitor,
D erase the saved configuration and
D show the bootcode information.
U Opening the system monitor
V Using a terminal cable (see accessories), connect the V.24 RJ11 socket to either a terminal or a COM port of a PC with terminal emulation according to VT 100 (for the physical connection, refer to the “Installation” user manual).
Speed 9600 Baud
Data 8 bit
Parity none
Stop bit 1 bit
Handshake off
Table 1: Data transfer parameters
V Start the terminal program on the PC and establish a connection with the Switch.
While the Switch is booting, the message „Press <1> to enter System Monitor 1“ appears on the terminal.
< PowerMICE MS4128-5 (Boot) Release: 1.00 Build: 2005-09-17 15:36 >
Press <1> to enter System Monitor 1 ... 1
Fig. 1: Screenshot during the boot process
V Press the <1> key within one second to start system monitor 1.
Note: The system monitor is reached via the V.24 port, and its menu includes erasing the saved configuration (see Fig. 2), so protect physical access to this port.
System Monitor
(Selected OS: L3P-01.0.00-K16 (2005-10-31 19:32))
1 Select Boot Operating System
2 Update Operating System
3 Start Selected Operating System
4 End (reset and reboot)
5 Erase main configuration file
sysMon1>
Fig. 2: System monitor 1 screen display
V Select the desired menu by entering its number.
V To leave a sub menu and return to the main menu of system monitor 1, press <ESC>.
1.2 Command Line Interface
The Command Line Interface allows you to use all device functions via a local or a remote connection. It provides IT specialists with a familiar environment for configuring IT devices. Because the Command Line Interface can be scripted, identical configuration data can be fed to several devices.
For a detailed description of the Command Line Interface, see the Reference Guide „Command Line Interface“.
The Command Line Interface can be accessed via
D the V.24 (out-of-band) port,
D Telnet (in-band) or
D SSH (in-band).
Note: To facilitate making entries, the CLI offers the option of abbreviating keywords. Type in the first letters of the keyword and press the Tab key; the CLI then completes the keyword by adding the remaining letters for you.
U Opening the Command Line Interface
V Connect the Switch via the V.24 interface to a terminal or to a COM port of a PC with terminal emulation according to VT 100 and press any key (see “Opening the system monitor” on page 16), or start the Command Line Interface via Telnet. A window in which you are asked to enter your username appears on the screen. A maximum of five users are permitted to access the Command Line Interface.
Copyright (c) 2004-2005 Hirschmann Automation and Control GmbH
All rights reserved
PowerMICE Release L3P-01.0.00-K16
(Build date 2005-10-31 19:32)
System Name: PowerMICE
Mgmt-IP    : 149.218.112.105
1.Router-IP: 0.0.0.0
Base-MAC   : 00:80:63:51:74:00
System Time: 2005-11-01 16:00:59
User:
Fig. 3: Logging in to the Command Line Interface program
V Enter a username. The state on delivery value for the username is admin. Press the Enter key.
V Enter the password. The state on delivery value for the password is private. Press the Enter key. You can change the username and the password later in the Command Line Interface. Note that these entries are case-sensitive.
The start screen then appears.
NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please consult the documentation.
(Hirschmann PowerMICE) >
Fig. 4: CLI screen after login
1.3 Web based Interface
The user-friendly Web-based interface gives you the option of operating the Switch from any location in the network via a standard browser such as Mozilla Firefox or Microsoft Internet Explorer. As a universal access tool, the Web browser loads an applet which communicates with the Switch via the Simple Network Management Protocol (SNMP). The Web-based interface allows you to configure the Switch graphically.
U Opening the Web-based Interface
To open the Web-based interface, you will need a Web browser (a program that can read hypertext), for example Mozilla Firefox version 1 or higher or Microsoft Internet Explorer version 6 or higher.
Note: The Web-based interface uses the “Java™ Runtime Environment Version 1.4.2.x, 1.5.x or 6.x” plug-in. If it is not yet installed on your computer, it will be installed automatically via the Internet when you start the Web-based interface. This installation is very time-consuming.
For Windows NT users: cancel the installation. Install the plug-in from the enclosed CD-ROM by double-clicking the program file jre-6-windows-i586.exe in the Java directory on the CD-ROM.
Fig. 5: Install Java
V Start your Web browser.
V Make sure that you have activated JavaScript and Java in the security settings of your browser.
V Establish the connection by entering the IP address of the Switch that you want to administer via the Web-based network management in the address field of the Web browser. Enter the address in the following form:
http://xxx.xxx.xxx.xxx
The login window will appear on the screen.
Fig. 6: Login window
V Select the desired language.
V In the login fold-down menu, select
– user, for read access or
– admin, for read and write access to the Switch.
V The password “public”, with which you have read permission, appears in the password field. If you wish to access the Switch with write permission, highlight the contents of the password field and overwrite it with the password “private” (state on delivery). Changing the passwords protects the Switch against unauthorized access: the state-on-delivery values are printed in this manual, so change them before the Switch is put into operation on a production network.
V Click on OK.
The Website of the Switch appears on the screen.
Note: The changes you make in the dialogs are taken over by the Switch when you click on “Write”. Click on “Load” to update the display.
Note: You can block your access to the Switch by entering an incorrect configuration. Activating the function “Cancel configuration change” in the “Load/Save” dialog enables you to return automatically to the last configuration after a set time period has elapsed. This gives you back your access to the Switch.
2 Entering the IP parameters
IP address(es) must be entered when the Switch is installed for the first time.
The Switch provides 6 options for entering the IP parameters during the first installation:
D Using the Command Line Interface (CLI).
Choose this “out-of-band” method if
– you preconfigure your Switch outside its operating environment, or
– you have no network access (“in-band”) to the Switch
(see “Entering the IP parameters via CLI” on page 32).
D Using the HiDiscovery protocol.
Choose this “in-band” method if
– the Switch is already installed on your network, or
– there is another Ethernet connection between your PC and the Switch available
(see “Entering the IP parameters via HiDiscovery” on page 35).
D Using the AutoConfiguration Adapter (ACA).
Choose this method if you are replacing the Switch with a Switch of the same type and have already saved the configuration on an ACA (see “Loading from the AutoConfiguration Adapter” on page 53).
D Using BOOTP.
Choose this “in-band” method if you want to configure the installed Switch using BOOTP. You need a BOOTP server for this. The BOOTP server assigns the configuration data to the Switch using its MAC address (see “System configuration via BOOTP” on page 39). Because the Switch is delivered with “DHCP mode” as the entry for the configuration data reference, you have to change this to BOOTP mode for this method.
D Using DHCP.
Choose this “in-band” method if you want to configure the installed Switch using DHCP. You need a DHCP server for this. The DHCP server assigns the configuration data to the Switch using its MAC address or its system name (see “System configuration via DHCP” on page 43).
D Using DHCP Option 82.
Choose this “in-band” method if you want to configure the installed Switch using DHCP Option 82. You need a DHCP server with Option 82 for this. The DHCP server assigns the configuration data to the Switch using its physical connection (see “System Configuration via DHCP Option 82” on page 46).
If the Switch already has an IP address and can be reached via the network, then the Web-based interface provides you with another option for configuring the IP parameters.
2.1 Basics IP parameter

2.1.1 IP address (version 4)
An IP address consists of 4 bytes. These 4 bytes are written in decimal notation, separated by dots.
IP addresses are divided into five classes; RFC 1340 (1992) lists them:
Class  Network address  Host address  Address range
A      1 byte           3 bytes       1.0.0.0 to 126.255.255.255
B      2 bytes          2 bytes       128.0.0.0 to 191.255.255.255
C      3 bytes          1 byte        192.0.0.0 to 223.255.255.255
D      -                -             224.0.0.0 to 239.255.255.255
E      -                -             240.0.0.0 to 255.255.255.255
Table 2: IP address classification
The network address represents the fixed part of the IP address. The worldwide leading regulatory board for assigning Internet addresses is the IANA (Internet Assigned Numbers Authority). If you need an IP address block, contact your Internet Service Provider. Internet Service Providers should contact their regional higher-level organization:
D APNIC (Asia Pacific Network Information Centre) - Asia/Pacific Region
D ARIN (American Registry for Internet Numbers) - Americas and Sub-Saharan Africa
D LACNIC (Regional Latin-American and Caribbean IP Address Registry) - Latin America and some Caribbean Islands
D RIPE NCC (Réseaux IP Européens) - Europe and Surrounding Regions
Fig. 7: Bit representation of the IP address
Class A: 0 | Net ID (7 bits) | Host ID (24 bits)
Class B: 1 0 | Net ID (14 bits) | Host ID (16 bits)
Class C: 1 1 0 | Net ID (21 bits) | Host ID (8 bits)
Class D: 1 1 1 0 | Multicast Group ID (28 bits)
Class E: 1 1 1 1 | reserved for future use (28 bits)
An IP address belongs to class A when its first bit is a zero, i.e. the first decimal number is less than 128. It belongs to class B if the first two bits are 10, i.e. the first decimal number is between 128 and 191. It belongs to class C if the first three bits are 110, i.e. the first decimal number is between 192 and 223.
Assigning the host address (host id) is the responsibility of the network operator, who alone is responsible for the uniqueness of the IP addresses assigned.

2.1.2 Network mask

Routers and gateways subdivide large networks into subnetworks. The network mask assigns the IP addresses of the individual devices to a particular subnetwork.
The division into subnetworks with the aid of the network mask is performed in much the same way as the division of the network addresses into classes A to C (net id).
In the network mask, the bits that belong to the network address (net id) and to the subnetwork part of the host address are set to one; the remaining bits, which identify the host within its subnetwork, are set to zero (see the following examples).
Example of a network mask:
Decimal notation: 255.255.192.0
Binary notation: 11111111.11111111.11000000.00000000 (class B; the two leading one-bits of the third byte are the subnetwork mask bits)
Example of IP addresses with subnetwork assignment when the above subnet mask is applied:
Decimal notation: 129.218.65.17 (128 <= 129 <= 191, so class B)
Binary notation: 10000001.11011010.01000001.00010001, subnetwork 1 (network address 129.218.64.0)
Decimal notation: 129.218.129.17 (128 <= 129 <= 191, so class B)
Binary notation: 10000001.11011010.10000001.00010001, subnetwork 2 (network address 129.218.128.0)
2.1.3 Example of how the network mask is used
In a large network it is possible that gateways and routers separate the management agent from its management station. How does addressing work in such a case?
Fig. 8: Management agent (Juliet) that is separated from its management station (Romeo) by a router (Lorenzo) between LAN 1 and LAN 2
The management station “Romeo” wants to send data to the management agent “Juliet”. Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet.
Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination address. For the source address he writes his own IP address on the envelope.
Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination and his own MAC address as the source. This process is comparable to going from layer 3 to layer 2 of the ISO/OSI base reference model.
Finally, Romeo puts the entire data packet into the mailbox. This is comparable to going from layer 2 to layer 1, i.e. to sending the data packet over the Ethernet.
Lorenzo receives the letter and removes the outer envelope. From the inner envelope he recognizes that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list (the ARP table) for Juliet's MAC address. He writes her MAC address on the outer envelope as the destination address and his own MAC address as the source address. He then places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's IP address. Opening the inner envelope and reading its contents corresponds to transferring the message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's IP address as destination and her own IP address as source. But where is she to send the answer? For she did not receive Romeo's MAC address. It was lost when Lorenzo replaced the outer envelope.
In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as the gateway to use for reaching Romeo. She therefore puts the envelope with the IP addresses in a further envelope with Lorenzo's MAC address as the destination address.
The letter then travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo to Juliet.
2.2 Entering the IP parameters via CLI
If you do not configure the system via BOOTP/DHCP, DHCP Option 82, the HiDiscovery protocol or the AutoConfiguration Adapter (ACA), then perform the configuration via the V.24 interface using the Command Line Interface:
Fig. 9: Flow chart for entering IP addresses: connect the PC with the terminal program started to the RJ11 socket; the Command Line Interface starts after a key press; log in and change to the Privileged EXEC mode; switch off DHCP, then enter and save the IP parameters.
If there is no terminal or PC with terminal emulation available in the vicinity of the installation location, the IP parameters can also be entered in your working environment prior to final installation.
V Set up a connection with the Switch in accordance with “Opening the Command Line Interface” on page 19.
The start screen then appears
NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please consult the documentation.
(Hirschmann PowerMICE) >
V Change to privileged EXEC mode by entering enable and then press the Enter key.
V Disable DHCP by entering network protocol none and then press the Enter key.
V Enter the IP parameters with network parms <IP address> <network mask> [<gateway>] and press the Enter key.
D Local IP address
On delivery, the local IP address of the Switch is 0.0.0.0.
D Network mask
If your network has been divided up into subnetworks, and if these are identified with a network mask, then the network mask is to be entered here. The default setting of the network mask is 0.0.0.0.
D IP address of the gateway
This entry is only needed if the Switch and the management station/tftp server are located in different subnetworks (see “Example of how the network mask is used” on page 30). Enter the IP address of the gateway between the subnetwork with the Switch and the path to the management station. The default setting of the IP address is 0.0.0.0.
V Save the configuration entered with copy system:running-config nvram:startup-config and then press the Enter key. Confirm that you want to save the configuration by pressing y.
NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please consult the documentation.
(Hirschmann PowerMICE) >en
(Hirschmann PowerMICE) #network protocol none
(Hirschmann PowerMICE) #network parms 149.218.112.105 255.255.255.0
(Hirschmann PowerMICE) #copy system:running-config nvram:startup-config
Are you sure you want to save? (y/n) y
Copy OK: 15811 bytes copied
Configuration Saved!
(Hirschmann PowerMICE) #
After entering the IP parameters, you can easily configure the Switch via the Web-based Interface (see Reference manual „Web-based Interface“).
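The sections “Network mask” and “Example of how the network mask is used” above explain how the mask selects the subnetwork and why a gateway is needed when the management station sits in another subnetwork; the CLI steps in this section then ask you to type those values in, and the Web-based interface note on page 24 warns that a wrong entry can lock you out. The following script, an added example that is not part of this manual, does the subnet arithmetic with Python's ipaddress module, checks the parameters the way an operator should before issuing network parms (contiguous mask, address is not the network or broadcast address, gateway inside the subnetwork, gateway present when the station is elsewhere) and prints the exact CLI sequence of this section. The addresses used for the management station and the router are assumed for illustration.

```python
"""Subnet arithmetic and a pre-flight check for the 'network parms' step.
Added example, not Hirschmann code.  Uses only the standard library."""
import ipaddress

SAVE_CMD = "copy system:running-config nvram:startup-config"


def subnet_of(address, mask):
    """Network the address falls into: address AND mask, as in section 2.1.2."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def needs_gateway(switch_ip, mask, station_ip):
    """True if the management station lies outside the Switch's subnetwork, i.e.
    replies must go via the router the Switch knows as hmNetGatewayIPAddr."""
    return ipaddress.ip_address(station_ip) not in subnet_of(switch_ip, mask)


def validate_ip_parms(ip, mask, gateway=None, station=None):
    """Return a list of problems; an empty list means the parameters are usable.
    gateway None or 0.0.0.0 (the delivery default) means 'no gateway'."""
    if gateway == "0.0.0.0":
        gateway = None
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:                  # non-contiguous mask, bad octet, ...
        return [f"invalid address/mask: {exc}"]
    net = iface.network
    problems = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gateway is not None:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError as exc:
            problems.append(f"invalid gateway: {exc}")
        else:
            if gw not in net:
                problems.append(f"gateway {gw} is not inside {net}; the Switch could not reach it")
            elif gw == iface.ip:
                problems.append("gateway equals the Switch's own address")
    if station is not None and gateway is None and needs_gateway(ip, mask, station):
        problems.append(f"management station {station} is outside {net} but no gateway "
                        "is given: in-band access would be lost after saving")
    return problems


def cli_commands(ip, mask, gateway=None):
    """The command sequence of section 2.2 with the parameters filled in."""
    parms = f"network parms {ip} {mask}" + (f" {gateway}" if gateway else "")
    return ["enable", "network protocol none", parms, SAVE_CMD]


if __name__ == "__main__":
    # The manual's own mask example: both hosts are class B, but the
    # 255.255.192.0 mask puts them in different subnetworks.
    for host in ("129.218.65.17", "129.218.129.17"):
        print(host, "->", subnet_of(host, "255.255.192.0"))

    # Romeo (station), Juliet (Switch) and Lorenzo (router) from section 2.1.3;
    # the addresses are assumed, the manual gives none.
    juliet, mask = "129.218.129.17", "255.255.192.0"
    romeo, lorenzo = "129.218.65.17", "129.218.128.1"
    print("gateway needed:", needs_gateway(juliet, mask, romeo))
    print("problems without gateway:", validate_ip_parms(juliet, mask, station=romeo))
    print("problems with gateway:", validate_ip_parms(juliet, mask, lorenzo, romeo))
    for line in cli_commands(juliet, mask, lorenzo):
        print("  ", line)
```

Run the checks before typing the commands into the V.24 session: the case that bites most often is the third one, a management station in another subnetwork combined with the default gateway 0.0.0.0, which leaves the Switch reachable only via the serial port once the configuration is saved.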
2.3 Entering the IP parameters via HiDiscovery
The HiDiscovery protocol enables you to assign IP parameters to the Switch via the Ethernet. You can easily configure additional parameters with the Web-based management (see Reference manual „Web-based Interface“).
Install the HiDiscovery software on your PC. The software is on the CD supplied with the Switch.
V To install it, you start the installation program on the CD.
Note: The installation of HiDiscovery involves installing the WinPcap Version 3.0 software package. If an earlier version of WinPcap is already installed on the PC, you must first uninstall it. A newer version remains intact when you install HiDiscovery. However, this cannot be guaranteed for all future versions of WinPcap. In the event that the installation of HiDiscovery has overwritten a newer version of WinPcap, uninstall WinPcap 3.0 and then re-install the newer version.
V Start the HiDiscovery program.
Fig. 10: HiDiscovery
When HiDiscovery is started, it automatically searches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first PC network card found. If your computer has several network cards, you can select these in HiDiscovery on the toolbar.
HiDiscovery displays a line for every device which reacts to the HiDiscovery protocol.
HiDiscovery enables you to identify the devices displayed.
V Select a device line.
V Click on the symbol with the two green dots in the tool bar to set the LEDs for the selected device flashing. To switch off the flashing, click on the symbol again.
By double-clicking a line, you open a window in which you can enter the device name and the IP parameters.
Fig. 11: HiDiscovery - assigning IP parameters
Note: After the IP address has been entered, the Switch loads the local configuration settings (see “Loading/saving settings” on page 51).
Note: For security reasons, switch off the HiDiscovery function for the device in the Web-based interface after you have assigned the IP parameters to the device (see “System configuration via the Web-based Interface” on page 47). While the function is enabled, any host that can reach the Switch with HiDiscovery can change its IP parameters in the same way.
Note: Save the settings you have made so they will still be available after a restart (see “Loading/saving settings” on page 51).
2.4 Loading the system configuration from the ACA
The ACA is a device for
D storing the configuration data of a Switch,
D storing the Switch software.
In the case of a Switch failure, the ACA enables a very simple configuration data transfer by means of a substitute Switch of the same type.
When you start the switch, it checks for an ACA. If it detects an ACA with a valid password and valid software, the Switch loads the configuration data from the ACA.
The password is valid if
D the password on the Switch matches the password on the ACA, or
D the preset password is entered on the Switch.
To save the configuration data in the ACA see “Saving Locally (and on the ACA)” on page 57.
Fig. 12: Flow chart loading configuration data from ACA (flow chart text, translated from German):
Start Switch → ACA present? No: load configuration from local memory. Yes: password in Switch and ACA identical?
Yes: load configuration from ACA; ACA LEDs flash synchronously.
No: preset password in Switch? Yes: load configuration from ACA. No: load configuration from local memory; ACA LEDs flash alternately.
→ Configuration data loaded.
2.5 System configuration via BOOTP
During startup operation via BOOTP (bootstrap protocol) the Switch receives its configuration data according to the “BOOTP process” flowchart (see Fig. 13).
Note: In its state on delivery, the Switch gets its configuration data from the BOOTP server.
V Activate BOOTP to receive the configuration data, see “System configuration via the Web-based Interface” on page 47, or see in the CLI:
V Change to the Privileged EXEC mode by entering enable and then press the enter key.
V Enable BOOTP by entering configure protocol bootp and then press the enter key.
V Save the configuration entered with copy system:running-config nvram:startup-config and then press the Enter key. Confirm that you want to save the configuration by pressing y.
V Make the following data for the Switch available to the BOOTP server:
# /etc/bootptab for BOOTP-daemon bootpd
#
# gw -- gateways
# ha -- hardware address
# ht -- hardware type
# ip -- IP address
# sm -- subnet mask
# tc -- template
.global:\
  :gw=0.0.0.0:\
  :sm=255.255.240.0:
switch_01:ht=ethernet:ha=008063086501:ip=149.218.17.83:tc=.global:
switch_02:ht=ethernet:ha=008063086502:ip=149.218.17.84:tc=.global:
.
.
Lines that start with a '#' character are comment lines.
The lines under “.global:” make the configuration of several devices easier. With the template (tc) you allocate the global configuration data (tc=.global:). The direct allocation of hardware address and IP address occurs in the device lines (switch-0...).
V Enter one line for each device.
V After ha= enter the hardware address of the device.
V After ip= enter the IP address of the device.
Refer to “Setting up DHCP/BOOTP Server” on page 196 for a BOOTP/DHCP server configuration example.
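To show how the template mechanism in the bootptab listing above resolves, here is an added Python example (not Hirschmann code and not part of bootpd): it parses a bootptab file, applies the tc template to each device line, and flags entries an administrator would want to catch before the daemon hands them out, such as a malformed or duplicated hardware address or a gateway outside the device subnet. The sample file embedded in the block is constructed from the entries shown in the manual.

```python
"""Parse a bootpd /etc/bootptab and resolve each device through its tc
template.  Added example, not Hirschmann or bootpd code."""
import ipaddress
import re

# Constructed sample: the same entries the manual's listing shows.
SAMPLE_BOOTPTAB = """\
# /etc/bootptab for BOOTP-daemon bootpd
.global:\\
  :gw=0.0.0.0:\\
  :sm=255.255.240.0:
switch_01:ht=ethernet:ha=008063086501:ip=149.218.17.83:tc=.global:
switch_02:ht=ethernet:ha=008063086502:ip=149.218.17.84:tc=.global:
"""

HA_RE = re.compile(r'^[0-9a-fA-F]{12}$')   # ha= is 12 hex digits, no separators


def parse_bootptab(text):
    """Return {entry name: {tag: value}}.  Backslash continuation lines are
    joined, '#' comment lines dropped and the colon-separated tags split."""
    entries, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        pending.append(line.rstrip('\\'))
        if line.endswith('\\'):
            continue                      # entry continues on the next line
        joined, pending = ''.join(pending), []
        name, _, rest = joined.partition(':')
        tags = {}
        for field in rest.split(':'):
            if '=' in field:
                tag, value = field.split('=', 1)
                tags[tag] = value
        entries[name] = tags
    return entries


def resolve(entries, name, _seen=None):
    """Effective tags for one entry: the template named by tc is applied
    first, then the entry's own tags override it (templates may chain)."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f'tc loop at {name}')
    _seen.add(name)
    own = entries[name]
    effective = {}
    if 'tc' in own:
        effective.update(resolve(entries, own['tc'], _seen))
    effective.update({k: v for k, v in own.items() if k != 'tc'})
    return effective


def check_device(tags):
    """Problems in one resolved device entry (empty list = fine)."""
    problems = []
    if not HA_RE.match(tags.get('ha', '')):
        problems.append('ha must be 12 hex digits')
    try:
        ip = ipaddress.IPv4Address(tags['ip'])
    except (KeyError, ValueError):
        return problems + ['ip missing or invalid']
    if 'sm' in tags:
        net = ipaddress.IPv4Network(f"{ip}/{tags['sm']}", strict=False)
        gw = tags.get('gw')
        if gw and gw != '0.0.0.0' and ipaddress.IPv4Address(gw) not in net:
            problems.append('gw is outside the device subnet')
    return problems


def resolved_devices(text=SAMPLE_BOOTPTAB):
    """{device: (effective tags, problems)} for every non-template entry;
    a hardware address used by two devices is reported on the second."""
    entries = parse_bootptab(text)
    out, seen_ha = {}, {}
    for name in entries:
        if name.startswith('.'):          # bootptab templates start with a dot
            continue
        tags = resolve(entries, name)
        problems = check_device(tags)
        ha = tags.get('ha', '').lower()
        if ha in seen_ha:
            problems.append(f'ha duplicates {seen_ha[ha]}')
        else:
            seen_ha[ha] = name
        out[name] = (tags, problems)
    return out
```

Running `resolved_devices()` on the sample yields both switches with gw and sm inherited from .global and no problems; feeding it an extra line with a short or reused hardware address produces the corresponding finding.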
Fig. 13: Flow chart for the BOOTP/DHCP process, part 1 (flow chart text):
Start-up → Switch in initialization → Load default configuration → Switch runs with settings from local flash → DHCP or BOOTP?
No: initialize IP stack with IP parameters → Switch is manageable.
Yes: Send DHCP/BOOTP requests → Reply from DHCP/BOOTP server? No*: back to sending DHCP/BOOTP requests. Yes: Save IP parameter and config file URL locally → Switch is manageable → continue at (2) in Fig. 14.
* see note on page 54
Fig. 14: Flow chart for the BOOTP/DHCP process, part 2 (flow chart text):
(2) → Load remote configuration from URL of DHCP?
No: Loading of configuration data is complete.
Yes: Start tftp process with config file URL of DHCP → tftp successful? No*: back to starting the tftp process. Yes: Load transferred config file → Save transferred config file locally and set boot configuration to local → Loading of configuration data is complete.
* see note on page 54
2.6 System configuration via DHCP
The DHCP (dynamic host configuration protocol) behaves similarly to BOOTP and in addition offers the configuration of a DHCP client by a name instead of the MAC address. For DHCP, this name is known as the “client identifier” in accordance with RFC 2131. The Switch uses the name entered under sysName in the system group of the MIB II as the client identifier. You can enter this system name directly via SNMP, the Web-based management (see system dialog), or the Command Line Interface.
On startup, a Switch receives its configuration data according to the “BOOTP/DHCP process” flow chart (see Fig. 13).
The Switch sends its system name to the DHCP server. The DHCP server can then assign an IP address as an alternative to the MAC address by using the system name. In addition to the IP address, the DHCP server sends
– the tftp server name (if present),
– the name of the configuration file (if present).
The Switch accepts this data as configuration parameters (see “System configuration via the Web-based Interface” on page 47).
If an IP address was assigned by a DHCP server, it will be permanently saved locally.
Option  Meaning
1       Subnet Mask
2       Time Offset
3       Router
4       Time server
12      Host Name
61      Client Identifier
66      TFTP Server Name
67      Bootfile name
Table 3: DHCP options which the Switch requests
The special feature of DHCP in contrast to BOOTP is that the server can only provide the configuration parameters for a certain period of time (“lease”). When this time period (“lease duration”) expires, the DHCP client must attempt to renew the lease or negotiate a new one. A response similar to BOOTP can be set on the server (i.e. the same IP address is always assigned to a particular client using the MAC address), but this requires the explicit configuration of a DHCP server in the network. If this configuration was not performed, a random IP address – whichever one happens to be available – is assigned.
On delivery DHCP is enabled.
As long as DHCP is activated, the Switch attempts to obtain an IP address. If it cannot find a DHCP server after restarting, it will not have an IP address. To activate/deactivate DHCP, see “System configuration via the Web-based Interface” on page 47.
Note: When using HiVision network management, ensure that DHCP always assigns the original IP address to each Switch.
Refer to “Setting up DHCP/BOOTP Server” on page 196 for a BOOTP/DHCP server configuration example.
Example of a DHCP configuration file:
# /etc/dhcpd.conf for DHCP Daemon
#
subnet 149.218.112.0 netmask 255.255.240.0 {
  option subnet-mask 255.255.240.0;
  option routers 149.218.112.96;
}
#
# Host berta requests IP configuration
# with her MAC address
#
host berta {
  hardware ethernet 00:80:63:08:65:42;
  fixed-address 149.218.112.82;
}
#
# Host hugo requests IP configuration
# with his client identifier.
#
host hugo {
  # option dhcp-client-identifier "hugo";
  option dhcp-client-identifier 00:68:75:67:6f;
  fixed-address 149.218.112.83;
  server-name "149.218.112.11";
  filename "/agent/config.dat";
}
Lines that start with a '#' character are comment lines. The lines preceding the individually listed devices refer to settings that apply to all the following devices. The fixed-address line assigns a permanent IP address to the device. For further information, please refer to the DHCP server manual.
2.7 System Configuration via DHCP Option 82
As with the classic DHCP, on startup an agent receives its configuration data according to the “BOOTP/DHCP process” flow chart (see Fig. 13).
While the system configuration based on the classic DHCP protocol depends on the device being configured (see “System configuration via DHCP” on page 43), Option 82 is based on the network topology. This procedure gives you the option of always assigning the same IP address to any device which is connected to a particular location (port of a Switch) on the LAN.
The installation of a DHCP server is described in the chapter “Setting up DHCP Server Option 82” on page 202.
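The client identifier of section 2.6 and the relay agent information of this section, as an added Python example (not Hirschmann or ISC dhcpd code): it encodes a sysName the way the dhcpd.conf line `option dhcp-client-identifier 00:68:75:67:6f` shows for host hugo (RFC 2132 type byte 0x00, meaning "not a hardware address", followed by the name), and it parses a constructed DHCP options field that carries the options of Table 3 and an Option 82 with its RFC 3046 sub-options 1 (agent circuit ID) and 2 (agent remote ID). The option values in the sample, including the port number in the circuit ID and the MAC address taken from Fig. 15, are constructed and not captured from a device.

```python
"""Decode the DHCP options the Switch requests (Table 3) plus the relay
agent information option 82.  Added example, not Hirschmann code."""
import struct

# Option codes from Table 3 of the manual, plus 82 (RFC 3046).
OPTION_NAMES = {1: 'Subnet Mask', 2: 'Time Offset', 3: 'Router', 4: 'Time server',
                12: 'Host Name', 61: 'Client Identifier', 66: 'TFTP Server Name',
                67: 'Bootfile name', 82: 'Relay Agent Information'}


def sysname_to_client_id(name):
    """Option 61 value for a sysName: type byte 0x00 (not a hardware
    address, RFC 2132) + the name bytes, in dhcpd.conf colon notation."""
    return ':'.join(f'{b:02x}' for b in b'\x00' + name.encode('ascii'))


def client_id_to_sysname(value):
    """Inverse of sysname_to_client_id; refuses a hardware-type identifier."""
    data = bytes.fromhex(value.replace(':', ''))
    if not data or data[0] != 0:
        raise ValueError('client identifier is not a name (type byte != 0)')
    return data[1:].decode('ascii')


def decode(code, value):
    """Decode one option value by code; unknown codes stay raw bytes."""
    if code in (1, 3, 4):                # one or more IPv4 addresses
        return ['.'.join(str(b) for b in value[j:j + 4])
                for j in range(0, len(value), 4)]
    if code == 2:                        # signed seconds east of UTC
        return struct.unpack('!i', value)[0]
    if code in (12, 66, 67):             # text options
        return value.decode('ascii')
    if code == 61:
        return ':'.join(f'{b:02x}' for b in value)
    if code == 82:                       # sub-option TLVs: 1 circuit id, 2 remote id
        subs, j = {}, 0
        while j + 2 <= len(value):
            sub, slen = value[j], value[j + 1]
            subs[sub] = value[j + 2:j + 2 + slen]
            j += 2 + slen
        return subs
    return value


def parse_options(blob):
    """Walk the (code, length, value) list; 0 is padding, 255 ends it.
    A length that runs past the buffer is rejected rather than truncated."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f'option {code} has no length byte')
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f'option {code} truncated')
        out[code] = decode(code, value)
        i += 2 + length
    return out


def build_sample():
    """Constructed options field: what a server could send to host hugo,
    with the Option 82 data a relay would have inserted on the way in."""
    def opt(code, data):
        return bytes([code, len(data)]) + data
    return (opt(1, bytes([255, 255, 240, 0]))
            + opt(3, bytes([149, 218, 112, 96]))
            + opt(12, b'hugo')
            + opt(61, b'\x00hugo')
            + opt(66, b'149.218.112.11')
            + opt(67, b'/agent/config.dat')
            + opt(82, opt(1, b'\x00\x04')                        # constructed circuit id: port 4
                      + opt(2, bytes.fromhex('008063109ad7')))   # remote id: MAC from Fig. 15
            + b'\xff')
```

`sysname_to_client_id('hugo')` reproduces the hex form in the dhcpd.conf listing, and `parse_options(build_sample())` returns the decoded options keyed by code, which a server-side check can compare against the expected circuit and remote IDs before handing out a topology-bound address.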
Fig. 15: Application example of using Option 82 (figure labels: PLC, IP = 149.218.112.100; Switch (Option 82), MACH 3002 / MICE, MAC address = 00:80:63:10:9a:d7; DHCP server IP = 149.218.112.1; IP = 149.218.112.100)
2.8 System configuration via the Web-based Interface
With the dialog Basics:Network you define the source from which the Switch gets its network parameters after starting, assign IP parameters and VLAN ID and configure the HiDiscovery access.
Fig. 16: Dialog network parameter
V Under “Modus” you enter where the Switch is to obtain its IP parameters:
D In the BOOTP mode, the configuration comes from a BOOTP or DHCP server on the basis of the MAC address of the Switch (see page 39).
D In the DHCP mode, the configuration comes from a DHCP server on the basis of the MAC address or the name of the Switch (see page 43).
D In the local mode the net parameters in the Switch memory are used.
V Enter the parameters according to the selected mode on the right.
V You enter the system name applicable to the DHCP protocol in the System dialog of the Web-based Interface, in the “Name” line.
V In the “Local” frame assign
– an IP address,
– a Netmask and
– a Gateway Address to the Switch.
V With the “VLAN ID” frame you can assign a VLAN to the Switch. If you enter the illegal VLAN ID “0” here, the agent can be accessed by all VLANs.
V The HiDiscovery protocol (see “Entering the IP parameters via HiDiscovery” on page 35) allows you to assign an IP address to the Switch on the basis of its MAC address. Activate the HiDiscovery protocol if you want to assign an IP address to the Switch from your PC with the HiDiscovery software delivered (setting on delivery: active).
Note: Save the settings you have made to ensure they are still available after restart (see “Loading/saving settings” on page 51).
2.9 Faulty Device Replacement
There are two plug-and-play solutions available for replacing a faulty Switch with a Switch of the same type (Faulty Device Replacement):
D First, you can configure the new switch using an AutoConfiguration Adapter (see “Loading the system configuration from the ACA” on page 37) or
D Second, you can configure the new switch using DHCP Option 82 (see “System Configuration via DHCP Option 82” on page 46).
In both cases, the same configuration data which the faulty Switch had are transferred to the new Switch during booting.
3 Loading/saving settings
The Switch saves settings such as the IP parameters and the port configuration in the temporary memory. These settings are lost when you switch off or reboot the device.
The Switch enables you to
D save settings from the temporary memory in a permanent memory,
D load settings from a permanent memory into the temporary memory.
3.1 Loading settings
During restart, the Switch automatically loads its configuration data from the local non-volatile memory, provided that you have not activated BOOTP/ DHCP and that no ACA is connected to the Switch.
During operation, the Switch enables you to load settings from the following sources:
D the local non-volatile memory,
D the AutoConfiguration Adapter. If an ACA is connected to the Switch, the Switch always loads its configuration from the ACA.
D a file in the connected network (= state on delivery),
D a binary file or an editable and readable script on the PC and
D the state on delivery.
Note: When loading a configuration, do not access the Switch until it has loaded the configuration file and has made the new configuration settings. Depending on the complexity of the configuration settings, this procedure can last between 10-200 seconds.
3.1.1 Loading from the local non-volatile memory
When loading the configuration data locally, the Switch loads the configuration data from the local permanent memory if no ACA is connected to the Switch.
V Select the Basics:Load/Save dialog.
V Click “Local” in the “Load” frame.
V Click “Load configuration”.
V Enter the command enable to change to the Privileged EXEC mode.
V Enter the command copy nvram:startup-config system:running-config to load the configuration data from the local non-volatile memory.

3.1.2 Loading from the AutoConfiguration Adapter

If an ACA is connected to the Switch, the Switch always loads its configuration from the ACA. For information on how to save a configuration file onto an ACA, refer to “Saving Locally (and on the ACA)” on page 57.
3.1.3 Loading from a file
The Switch allows you to load the configuration data from a file in the connected network if there is no AutoConfiguration Adapter connected to the Switch.
V Select the Basics:Load/Save dialog.
V Click “from URL” in the “Load” frame if you want the Switch to load the configuration data from a file and to retain the locally saved configuration. Click “from URL & save local” in the “Load” frame if you want the Switch to load the configuration data from a file and to save this configuration locally. Click “via PC (script/binary)” when you want the Switch to load the configuration data from a file from the PC and retain the locally saved configuration.
V In the “URL” edit box, type the path under which the Switch finds the configuration file if you want to load from URL.
V Click “Load configuration”.
The URL identifies the path to the tftp server from which the Switch loads the configuration file. The URL is in the form tftp://IP address of the tftp server/path name/file name (e.g. tftp://149.218.112.5/switch/config.dat).
Example of loading a file from the tftp server
V To enable yourself to download a file from the tftp server, save the configuration file into the corresponding path of the tftp server with the file name, e.g. switch/switch_01.cfg (see “Saving into a file on URL” on page 58).
V Enter the path to the tftp server into the line “URL”, e.g. tftp://149.218.112.214/switch/switch_01.cfg.
Note: The status of the load started by DHCP/BOOTP (see “System configuration via BOOTP” on page 39) is displayed in the selected option “from URL & save local” in the “Load” frame. If you get an error message while saving the configuration, one reason may be that loading is not completed. DHCP/BOOTP does not finish loading until a valid configuration is loaded. If DHCP/BOOTP does not find any valid configuration you can stop the active loading by loading the local configuration in the “Load” frame.
Fig. 17: Dialog Load/Save
V Enter the enable command to change to the Privileged EXEC mode.
V Enter the command copy tftp://149.218.112.159/switch/config.dat nvram:startup-config if you want the switch to load the configuration data from a tftp server in the connected network.
3.1.4 Resetting the configuration to the state on delivery
The Switch gives you the option to
D reset the current configuration to the state on delivery. The locally saved configuration remains.
D reset the Switch to the state on delivery. After restarting, the IP address is also in the original delivery state.
V Select the Basics:Load/Save dialog.
V Make your choice in the “Delete” frame.
V Click “Delete configuration”.
Setting in the System Monitor:
V Select 5 “Erase main configuration file”
This menu offers you the possibility to set the Switch to its state of delivery. Configurations being different from the state of delivery are saved in the flash memory in the switch.cfg file by the Switch.
V Press the enter key to erase the switch.cfg file.
3.2 Saving settings
The Switch enables you to save the settings you have made
D locally,
D locally and on the ACA, or
D into a file.

3.2.1 Saving Locally (and on the ACA)

The Switch allows you to save the current configuration data in the local permanent memory and the ACA.
V Select the Basics:Load/Save dialog.
V Click “to Switch” in the “Save” frame.
V Click “Save configuration”.
As a result, the Switch saves the current configuration data into the local nonvolatile memory and, provided that an ACA is connected, also into the ACA.
V Enter the enable command to change to the Privileged EXEC mode.
V Enter the command
copy system:running-config nvram:startup-config to save the current configuration data into both the local non-volatile memory and into the ACA if an ACA is connected.
3.2.2 Saving into a file on URL
The Switch allows you to save the current configuration data in a file in the connected network.
V Select the Basics:Load/Save dialog.
V In the “Save” frame, click on “in URL (binary)” to receive a binary file, or “in URL (script)” to receive an editable and readable script.
V Type in the “URL” edit field the path under which you want the Switch to save the configuration file.
V Click “Save configuration”.
The URL marks the path to the tftp server on which the Switch saves the configuration file. The URL is written as follows: tftp://IP address of the tftp server/path name/file name, (e.g. tftp://149.218.112.5/switch/config.dat).
Note: The configuration file contains all configuration data, including the password. Thus, check the access rights on the tftp server.
V Enter the enable command to change to the Privileged EXEC mode.
V Enter the command copy nvram:startup-config tftp://149.218.112.159/switch/config.dat if you want the Switch to save the current configuration data into a binary file on a tftp server in the connected network.
V Enter the command copy nvram:startup-config tftp://149.218.112.159/switch/config.txt if you want the Switch to save the current configuration data into a script file on a tftp server in the connected network.
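The note above says the saved file contains the password and that the access rights on the tftp server must be watched. As an added example (not Hirschmann code and not part of any tftp daemon), the Python block below walks a tftp root directory and reports configuration files that users other than the owner can read (password disclosure) or write (a tampered file would be loaded by the Switch on the next copy). The directory layout, file names and modes in `demo()` are constructed in a temporary directory so the check runs offline; the suffixes treated as configuration files and the expectation that the files are owned by the tftp daemon's own user are assumptions.

```python
"""Report configuration files on a tftp root whose mode bits let other
users read or write them.  Added example, not Hirschmann code."""
import os
import stat
import tempfile

# Assumed suffixes of saved Switch configuration files (config.dat,
# config.txt and *.cfg appear in this chapter's examples).
CONFIG_SUFFIXES = ('.dat', '.cfg', '.txt')


def audit_tftp_root(root):
    """{path relative to root: [problems]} for every configuration file
    that group or others may read or write.  An empty dict means the
    files are reachable only by their owner, which should be the user
    the tftp daemon runs as."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            problems = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append('readable by group/others')
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append('writable by group/others')
            if problems:
                rel = os.path.relpath(path, root).replace(os.sep, '/')
                findings[rel] = problems
    return findings


def demo():
    """Constructed tftp root: one file with owner-only rights and one
    saved with a default mode that anybody on the server can read and
    write.  Returns the audit result for that tree."""
    root = tempfile.mkdtemp(prefix='tftp-audit-')
    switch_dir = os.path.join(root, 'switch')
    os.makedirs(switch_dir)
    good = os.path.join(switch_dir, 'config.dat')
    bad = os.path.join(switch_dir, 'switch_01.cfg')
    unrelated = os.path.join(root, 'mice.bin')      # software image, not audited here
    for path in (good, bad, unrelated):
        with open(path, 'wb'):
            pass
    os.chmod(good, 0o600)        # owner read/write only
    os.chmod(bad, 0o666)         # world read/write: both problems
    os.chmod(unrelated, 0o644)
    return audit_tftp_root(root)
```

The same function applied to the real tftp root (for instance the directory that holds `switch/config.dat`) gives a list a change-control script can fail on; the fix for any finding is to tighten the file mode and make sure the tftp daemon's own user owns the file.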
3.2.3 Saving into a binary file on the PC
The Switch allows you to save the current configuration data in a binary file on your PC.
V Select the Basics:Load/Save dialog.
V Click “to PC (binary)” in the “Save” frame.
V Enter in the “Save” window the file name under which you want the Switch to save the configuration file.
V Click “Save configuration”.

3.2.4 Saving as script on the PC

The Switch allows you to save the current configuration data in an editable and readable file on your PC.
V Select the Basics:Load/Save dialog.
V Click “to PC (script)” in the “Save” frame.
V Enter in the “Save” window the file name under which you want the Switch to save the configuration file.
V Click “Save configuration”.
4 Loading Software Updates
Hirschmann is continuously working on improving the performance of its products. So it is possible that you may find a more up-to-date release of the Switch software on the Hirschmann Internet site than the release you have on your Switch.
U Checking the software release installed
V Select the Basics:Software dialog.
This dialog shows the release number of the software installed on your ACA.
enable          Switch to Privileged EXEC mode.
show sysinfo    Display the system information.
Alarm.......................................... None
System Description............................. Hirschmann Railswitch
System Name.................................... RS-1F1054
System Location................................ Hirschmann Railswitch
System Contact................................. Hirschmann Automation and Control GmbH
System Up Time................................. 0 days 0 hrs 45 mins 57 secs
System Date and Time (local time zone)......... 2007-04-21 08:00:06
System IP Address.............................. 10.0.1.13
Boot Software Release.......................... L2E-01.0.00
Boot Software Build Date....................... 2005-11-03 13:50
OS Software Release............................ L2E-03.1.00
OS Software Build Date......................... 2007-06-21 06:14
Hardware Revision.............................. 1.22 / 4 / 0103
Hardware Description........................... RS20-1600T1T1SDAEHH
Serial Number.................................. 943434023000001191
Base MAC Address............................... 00:80:63:1f:10:54
Number of MAC Addresses........................ 32 (0x20)
U Loading the software
The Switch gives you three options for loading the software:
D From the ACA 21-USB (out-of-band)
D Via tftp from a tftp server (in-band)
D Via a file selector window from your PC
Note: The existing configuration of the Switch is still there after the new software is installed.
4.1 Loading the Software from the ACA
Like a usual USB stick, you can also connect the ACA 21-USB to a USB port of your PC and copy the Switch software to the main directory of the ACA 21-USB.
V Connect the ACA 21-USB, to which you have copied the Switch software, to the USB port of the Switch.
V Open the system monitor (see “Opening the system monitor” on page 16).
V Select 2, and press the ENTER key to copy the software from the ACA 21-USB into the local memory of the Switch. On concluding the update, the System Monitor prompts you to press any key to continue.
V Select 3 to start the new software on the Switch.
In addition, the system monitor features further options in connection with your Switch software:
D Swapping the software images available,
D Starting the software,
D Performing a cold start.

4.1.1 Swapping the software available

In this menu item of the system monitor you select one of two possible software releases that you want to load. The following window appears on the screen:
Select Operating System Image
(Available OS: Selected: 1.00 (2004-08-26 07:15), Backup: 1.00 (2004-08-26 07:15) (Locally selected: 1.00 (2004-08-26 07:15))
1 Swap OS images
2 Copy image to backup
3 Test stored images in Flash mem.
4 Test stored images in USB mem.
5 Apply and store selection
6 Cancel selection
sysMon1>
Fig. 18: Update operating system screen display
U Swap OS images
The memory of the Switch offers space for two images of the software. This offers you e.g. the possibility to load a new version of the software without erasing the existing version. Select 1 to load the other software with the next reboot.
U Copy image to backup
Select 2 to save a copy of the active software.
U Test stored images in flash memory
Select 3 to test whether the stored images of the software in flash memory contain valid code.
U Test stored images in USB memory
Select 4 to test whether the stored images of the software in the ACA 21-USB contain valid code.
U Apply and store selection
Select 5 to apply and store the selection of the software.
U Cancel selection
Select 6 to cancel the selection and leave this dialogue without changes.

4.1.2 Starting the software

This menu of the System monitor offers you the possibility to start the selected software.

4.1.3 Performing a cold start

This menu of the system monitor offers you the possibility to reset the hardware of the Switch and to reboot.
4.2 Loading the Software from the tftp Server
For a tftp update you need a tftp server on which the software to be loaded is stored (see “tftp server for software updates” on page 207).
V Select the Basics:Software dialog.
The URL identifies the path to the software stored on the tftp server. The URL is in the format tftp://IP address of the tftp server/path name/file name (e.g. tftp://149.218.112.5/mice/mice.bin).
V Enter the path of the Switch software.
V Click “tftp Update” to load the software from the tftp server to the Switch.
Fig. 19: Software update dialog
V After the loading procedure has been completed successfully, activate the new software as follows: select the Basics:Restart dialog and perform a cold start.
V After booting the switch, click “Reload” in your browser to re-enable your access to the Switch.
enable                                          Switch to the Privileged EXEC mode.
copy tftp://10.0.1.159/rsL2E.bin system:image   Transfer the software file “rsL2E.bin” from the tftp server with the IP address 10.0.1.159 to the Switch.
4.3 Loading Software via file selector
For an update via a file selector window you need the Switch software on a drive which you can reach via your PC.
V Select the Basics:Software dialog.
V In the file selection frame, click on “...”.
V In the file selection window, select the Switch software (switch.bin) and click on “Open”.
V Click “Update”, to transfer the software to the Switch.
The end of the update is indicated by one of the following messages:
D Update completed successfully.
D Update failed. Reason: incorrect file.
D Update failed. Reason: file damaged.
D Update failed. Reason: flash error.
V After the software procedure has been completed successfully, go to Basics:Restart, and perform a cold start (“Restart Switch”).
V Click “Reload” in your browser to re-enable Switch access after booting.
5 Configuring ports
The port configuration consists of:
D Switching the port on and off,
D Selecting the operation mode,
D Displaying connection error messages,
D Configuring Power over Ethernet.
U Switching the port on and off
In the state on delivery, all ports are switched on. To enhance access security, switch off the ports which you do not wish to connect.
V Select the Basics:Port Configuration dialog.
V Select in the “Port on” column the ports which are connected to a device.
U Selecting the Operation Mode
In the state on delivery, all ports are switched to the “Automatic Configu­ration” mode.
V Select the Basics:Port Configuration Table dialog.
V If the device connected to this port requires a fixed setting
– select the operation mode (transmission rate, duplex operation) in the “Manual Configuration” column, and
– deactivate the port in the “Autonegotiation” column.
Note: The active automatic configuration has priority over the manual configuration.
U Displaying connection error messages
In the state on delivery the Switch displays a connection error via the signal contact and the LED display. The Switch allows you to disable the displaying of connection error messages, for instance to prevent a device that has been turned off from being interpreted as an interrupted line.
V Select the Basics:Port Configuration dialog.
V In the “Signal Contact mask” column, select the ports whose connections you want to have monitored.
U Configuring Power over ETHERNET
If the Switch is equipped with PoE media modules, it offers you the option of supplying current to devices such as IP phones via the twisted-pair cable. PoE media modules support Power over Ethernet according to IEEE 802.3af. The Power over Ethernet function is activated globally and on all ports by default.
U System power for MS20/MS30 and Power MICE
The Switch provides the rated system performance for the sum of all PoE ports plus a surplus. Because the PoE media module gets its operating voltage externally, the Switch does not know the possible system power. The Switch therefore assumes a “nominal system power” of 60 Watt per PoE media module for now.
U System power for MACH 4000
The Switch provides the rated system performance for the sum of all PoE ports plus a surplus. Should the connected devices require more power than is provided by the system, the Switch will then disable the ports. Initially, the Switch disables the ports with the lowest PoE priority. If several ports have the same priority, the switch will first disable the ports with the higher port number.
V Select the dialog Basics: Power over Ethernet.
V With “Function On/Off” you turn PoE either on or off.
V “Send trap” allows the switch to send a trap in the following cases:
– Whenever a value exceeds or falls below the performance threshold.
– When switching the PoE supply voltage on or off on at least one port.
V Enter the power threshold in “Threshold”. When this value is exceeded/not achieved, the switch will send a trap, provided that “Send trap” is enabled. You enter the power threshold as a percentage of the nominal power in relation to the power yielded.
V “Nominal Power” displays the performance that the switch nominally provides for all PoE ports together.
V “Reserved Power” displays the maximum power that the Switch provides to all the connected PoE devices together on the basis of their classification.
V “Delivered Power” indicates how large the current power requirement is at all PoE ports. The difference between the “nominal” and “reserved” power indicates how much power is still available to the free PoE ports.
V In the “Port on” column, you can enable/disable the port.
V The “Status” column indicates the PoE status of the port.
V In the “Priority” column (MACH 4000), set the PoE priority of the port to either low, high or critical.
V The class of the connected device is indicated in the “Class” column:
Class  Maximum power provided
0      15.4 W (state on delivery)
1      4.0 W
2      7.0 W
3      15.4 W
4      reserved, treat as class 0
V The “Name” column indicates the name of the port, see Basic settings:Port configuration.
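The power budgeting rules in this section (reserved power per device class from the table above, ports disabled lowest priority first and, within a priority, higher port number first, the threshold trap as a percentage of nominal power) as an added Python example. It is not the firmware's own algorithm, only a model of the rules the manual states, useful for predicting which ports a MACH 4000 would drop when a PoE module is oversubscribed; the port list and the 60 W nominal value in the sample are constructed (60 W is the nominal figure the manual assumes per PoE media module on MS20/MS30 and Power MICE).

```python
"""Model of the PoE power budgeting rules in this chapter.  Added
example, not Hirschmann firmware code."""

# Maximum power reserved per device class (table in this section);
# class 4 is reserved by IEEE 802.3af and treated as class 0.
CLASS_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 15.4}

# Order in which priorities are sacrificed: lowest first.
PRIORITY_RANK = {'low': 0, 'high': 1, 'critical': 2}

# Constructed sample: (port number, PoE priority, class of connected device).
SAMPLE_PORTS = [
    (1, 'critical', 3),   # 15.4 W, e.g. a safety-relevant controller
    (2, 'low', 0),        # 15.4 W, unclassified device
    (3, 'high', 2),       # 7.0 W, IP phone
    (4, 'low', 3),        # 15.4 W
    (5, 'low', 1),        # 4.0 W
    (6, 'high', 0),       # 15.4 W
]


def reserved_power(ports):
    """Sum of the class-based reservations of all enabled ports."""
    return round(sum(CLASS_POWER_W[cls] for _, _, cls in ports), 1)


def plan_power(ports, nominal_w):
    """Return (enabled ports, disabled ports, reserved W) after applying
    the rule: while reserved > nominal, disable the port with the lowest
    priority and, among equal priority, the highest port number."""
    reserved = reserved_power(ports)
    drop_order = sorted(ports, key=lambda p: (PRIORITY_RANK[p[1]], -p[0]))
    disabled = []
    for number, _, cls in drop_order:
        if reserved <= nominal_w:
            break
        disabled.append(number)
        reserved = round(reserved - CLASS_POWER_W[cls], 1)
    enabled = [p[0] for p in ports if p[0] not in disabled]
    return enabled, disabled, reserved


def free_power(ports, nominal_w):
    """Power still available to unused PoE ports: nominal minus reserved."""
    return round(nominal_w - reserved_power(ports), 1)


def threshold_trap(delivered_w, nominal_w, threshold_pct):
    """True when delivered power, as a percentage of nominal power,
    reaches the configured threshold (the 'Send trap' condition)."""
    return delivered_w / nominal_w * 100 >= threshold_pct


def sample_plan():
    """Run the model on the constructed ports with 60 W nominal power."""
    return plan_power(SAMPLE_PORTS, 60.0)
```

With the sample, the six ports reserve 72.6 W against 60 W. The model first drops port 5 (low priority, highest port number among the low ones) even though it only frees 4.0 W, then port 4, after which 53.2 W is reserved and ports 1, 2, 3 and 6 stay powered; this ordering is why the manual's priority column matters more than the device class for deciding what survives an overload.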
6 Protection from unauthorized access
Protect your network from unauthorized access. The Switch provides you with the following functions for protecting against unauthorized access.
D Password for SNMP access,
D Setting the SSH/Telnet/Web-Based access,
D Disabling the HiDiscovery function,
D Port access control via IP- or MAC-address,
D Authentication according to 802.1X,
D Access Control Lists.
6.1 Password for SNMP access
6.1.1 Description Password for SNMP access
A network management station communicates with the Switch via the Simple Network Management Protocol. Every SNMP packet contains the IP address of the sending computer and the password under which the sender of the packet wants to access the Switch MIB.
The Switch receives the SNMP packet and compares the IP address of the sending computer and the password with the entries in the MIB of the Switch (see “Management Information BASE MIB” on page 220). If the password has the appropriate access right, and if the IP address of the sending computer has been entered, then the Switch will allow access.
In the delivery state, the Switch is accessible via the “public” password (read only) and the “private” one (read and write) from every computer.
To protect your Switch from unwanted access:
V First define a new password which you can access from your computer
with all rights.
V Treat this community with discretion, because everyone who knows the password can access the Switch MIB with the IP address of your computer.
V Limit the access rights of the known passwords or delete their entries.

6.1.2 Entering password for SNMP access

V Select the Security:Password / SNMPv3 access dialog.
This dialog gives you the option of changing the read and read/write passwords for access to the Switch via Web-based Interface/CLI/SNMP.
For security reasons, the read password and the read/write password must not be identical.
V The Web-based Interface and the User Interface communicate via SNMP version 3.
V Select "Modify read-only password" to enter the read-only password.
V Enter the new read-only password in the line "New password" and repeat the entry in the line "Please retype".
Please note that passwords are case-sensitive.
V Select "Modify read-write password" to enter the read-write password.
V Enter the new read-write password in the line "New password" and repeat the entry in the line "Please retype".
V "Data encryption" encrypts the data of the Web-based management which is transferred between your PC and the switch with SNMP V3. You can set "Data encryption" differently for the access with read password and read/write password.
Fig. 21: Password dialog
Important: If you do not know a password with read/write access, you will not have write access to the Switch!
Note: After changing the password for write access, restart the Web interface in order to access the Switch.
Note: For security reasons, the passwords are not displayed. Make a note of every change! You cannot access the Switch without a valid password!
Note: For security reasons, SNMP version 3 encrypts the password. With the setting SNMPv1 or SNMPv2 in the Security:SNMPv1/v2 Access dialog, the password becomes readable again.
Note: In SNMP version 3, use 5 up to 32 characters for the password, because many applications do not accept shorter passwords.
V Select the Security:SNMPv1/v2 Access dialog. This dialog gives you the option to select the access via SNMPv1 or SNMPv2. In the state on delivery both protocols are enabled. Thus you can manage the Switch via HiVision and communicate with earlier versions of SNMP.
Select “SNMPv1/2c on” to be able to communicate with earlier versions of SNMP. If you select SNMPv1 or SNMPv2, in the table you can determine which IP addresses are allowed to access the Switch and which kind of passwords are to be used. The table allows up to 8 entries. For security reasons, the read password and the read/write password must not be identical. Please note that passwords are case-sensitive.
Index          Current number for this table entry.
Password       Password the computer has to use to have access to the Switch. This password is independent of the SNMPv3 password.
IP address     IP address of the computer that is allowed to access the Switch.
IP mask        IP mask to the IP address.
Access Mode    Access Mode determines if the computer has read-only or read-write access.
Active         Enabling/Disabling this table entry.
Fig. 22: Dialog SNMPv1/v2 access
V To create a new line in the table click "Create entry".
V To delete an entry select the line in the table and click "Delete".
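The access decision that this table describes (sender IP address matched against entry address and mask, case-sensitive community string, access mode, active flag, at most 8 entries), as an added example in Python. This is not Hirschmann code and not part of the manual: the table entries, community strings and sender addresses are constructed sample values, and the check that one community string must not appear with both access modes is this example's reading of the rule that the read and read/write passwords must not be identical.

```python
"""Access decision of the SNMPv1/v2 access table (Security:SNMPv1/v2 Access
dialog). Added illustration in Python, not Hirschmann code; the table entries,
community strings and sender addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ENTRIES = 8                        # the table allows up to 8 entries
READ_ONLY, READ_WRITE = "read-only", "read-write"


@dataclass(frozen=True)
class Entry:
    index: int
    password: str        # community string, independent of the SNMPv3 password
    ip_address: str
    ip_mask: str         # network mask belonging to the IP address
    access_mode: str     # READ_ONLY or READ_WRITE
    active: bool = True


def validate(entries: List[Entry]) -> None:
    """Reject tables the dialog would not accept (raises ValueError)."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("at most %d entries" % MAX_ENTRIES)
    read = {e.password for e in entries if e.access_mode == READ_ONLY}
    write = {e.password for e in entries if e.access_mode == READ_WRITE}
    if read & write:
        # read password and read/write password must not be identical
        raise ValueError("read and read/write passwords must differ")


def in_network(sender: str, address: str, mask: str) -> bool:
    """True when the sender lies inside address/mask (normal, non-inverse mask)."""
    s, a, m = (int(ipaddress.IPv4Address(x)) for x in (sender, address, mask))
    return s & m == a & m


def check_access(entries: List[Entry], sender_ip: str, community: str,
                 write: bool) -> Tuple[str, Optional[int]]:
    """Return ("permit", index) for the first active entry that grants the
    requested access, otherwise ("deny", None). Community strings are
    compared case-sensitively, as the dialog notes."""
    for e in entries:
        if not e.active or e.password != community:
            continue
        if not in_network(sender_ip, e.ip_address, e.ip_mask):
            continue
        if write and e.access_mode != READ_WRITE:
            continue
        return "permit", e.index
    return "deny", None


# constructed sample table: read access for one subnet, write access for one
# management station, and a disabled (inactive) subnet-wide write entry
SAMPLE_TABLE = [
    Entry(1, "public", "10.0.1.0", "255.255.255.0", READ_ONLY),
    Entry(2, "private", "10.0.1.100", "255.255.255.255", READ_WRITE),
    Entry(3, "private", "10.0.1.0", "255.255.255.0", READ_WRITE, active=False),
]

if __name__ == "__main__":
    validate(SAMPLE_TABLE)
    for sender, comm, wr in [("10.0.1.55", "public", False),
                             ("10.0.1.55", "public", True),
                             ("10.0.1.100", "private", True),
                             ("10.0.1.55", "private", True)]:
        print(sender, comm, "write" if wr else "read", check_access(SAMPLE_TABLE, sender, comm, wr))
```

Entry 3 shows why the "Active" column matters: a subnet-wide read/write entry that is present but inactive grants nothing, so a write attempt with the "private" community from 10.0.1.55 is denied while the same attempt from the single station 10.0.1.100 is permitted.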

6.2 Setting Telnet/Web/SSH access

6.2.1 Description Telnet/Web access

The Telnet server of the Switch allows you to configure the Switch using the Command Line Interface (in-band). You can switch off the Telnet server to prevent Telnet access to the Switch. In the state of delivery, the server is switched on.
After the Telnet server has been switched off, a new access to the Switch with a Telnet connection is not possible. An existing Telnet connection remains.
Note: The command line interface (out-of-band) and the Security:Telnet/Web Access dialog in the Web-based Interface allow you to activate the Telnet server again.

6.2.2 Description Web access

The Web server of the Switch allows you to configure the Switch using the Web-based interface. You can switch off the Web server to prevent Web access to the Switch. In the state of delivery, the server is switched on.
After the Web server has been switched off, a new logon with a Web browser is not possible. The logon in the browser window that is already open remains active.
Note: The command line interface allows you to activate the Web server again.

6.2.3 Description of SSH access

The SSH server of the Switch allows you to configure the Switch by using the Command Line Interface (in-band) (see “Preparing for access via SSH” on page 212). You can deactivate the SSH server to prevent SSH access to the Switch. The server is deactivated by default.
After the SSH server has been deactivated, you will no longer be able to access the switch via a new SSH connection. An existing SSH connection will be preserved.
Note: The command-line interface (out-of-band) and the dialog Security:Telnet/Web Access in the web-based interface offer the option of reactivating the SSH server.

6.2.4 Enabling/disabling Telnet/Web/SSH access

V Select the Security:Telnet/Web/SSH Access dialog.
V Switch off the server to which you wish to disable access.
V Enter the command enable to switch to the privileged EXEC mode.
V Enter the command transport input telnet to switch on the Telnet server.
V Enter the command no transport input telnet to switch off the Telnet server.
V Enter the command ip http server to switch on the Web server.
V Enter the command no ip http server to switch off the Web server.

6.3 Disabling HiDiscovery function

6.3.1 Description HiDiscovery protocol

The HiDiscovery protocol (see “Entering the IP parameters via HiDiscovery” on page 35) allows you to assign an IP address to the Switch on the basis of its MAC address. HiDiscovery is a layer 2 protocol.
Note: For security reasons, either limit or switch off completely the HiDiscovery function of the Switch after assigning the IP parameters.

6.3.2 Disabling HiDiscovery function

V Select the Basics:Network dialog.
V Switch off the HiDiscovery function in the “HiDiscovery Protocol” frame, or limit access to “read-only”.
V Enter the command enable to switch to the privileged EXEC mode.
V Enter the command network protocol hidiscovery off to switch off the HiDiscovery function.
V Enter the command network protocol hidiscovery read-only to switch on the HiDiscovery function with the read-only access right.
V Enter the command network protocol hidiscovery read-write to switch on the HiDiscovery function with the read-write access right.

6.4 Port access control

6.4.1 Description port access control

The Switch protects every port from unauthorized access. Depending on your choice, the Switch checks the MAC address or the IP address of the connected device. The following functions are available for monitoring every individual port:
D Who has access to this port?
The Switch recognizes 2 classes of access control:
– All: no access restriction (MAC address 00:00:00:00:00:00 or IP address 0.0.0.0).
– User: only an assigned user has access. You define the user by his MAC address or his IP address.
D What should happen after an unauthorized access attempt?
The Switch can respond in three selectable ways to an unauthorized access attempt:
– none: no response
– trapOnly: message by sending a trap
– portDisable: message by sending a trap and disabling the port
Note: Since the Switch is a layer 2 device, it translates the stored IP addresses into MAC addresses. This requires that a MAC address be assigned to exactly one IP address. Please keep in mind that when using a router, several IP addresses can be assigned to one MAC address, namely that of the router. This means that all packets of the router will pass the port unchecked if the permitted IP address is that of the router. If a connected device sends packets with other MAC addresses and a permitted IP address, the Switch will disable the port.

6.4.2 Defining port access control

V Select the Security:Port Security dialog.
V First select whether you wish the MAC based or the IP based port security.
V If you have selected MAC based, enter in the “Allowed MAC addresses” column the MAC addresses of the devices with which a data exchange at this port is permitted. You can enter up to 10 MAC addresses, each of these separated with a space character. Without entry, reception from all devices is allowed.
D The “Current MAC address” column shows the MAC address of the device from which data was last received. By pressing the left mouse button, you can copy an entry from the “Current MAC address” column into the “Allowed MAC address” column.
V If you selected IP based, enter in the column “Allowed IP addresses” the IP addresses of the devices with which data exchange at this port is allowed. You can enter up to 10 IP addresses, each of these separated with a space character. Without entry, reception from all devices is allowed.
V In the “Action” column you select whether an unauthorized access attempt should be followed by
– no action (none) or
– the sending of an alarm (trapOnly) or
– switching off the port by making a corresponding entry in the port configuration table (see “Configuring ports” on page 69) and sending an alarm (trap) (portDisable).
Fig. 23: Port Security dialog
Note: This entry in the port configuration table is part of the configuration (see “Loading/saving settings” on page 51) and is saved together with the configuration.
Note: An alarm (trap) can only be sent if at least one recipient is entered under “Configuring traps” on page 168 and both the appropriate status and “Port Security” are marked.

6.5 Port Authentication

6.5.1 Description Port-Based Network Access Control (802.1X)

The Port-Based Network Access Control is a method described in the standard IEEE 802.1X for the authentication and authorization of devices in IEEE 802 networks which are connected to a port of the Switch, and which want to access the Switch and/or the network connected to the Switch.
The authentication and authorization is carried out by the Authenticator, in this case the Switch. This authenticates (or does not authenticate) the supplicant (the querying device, e.g. a PC), which means that it permits the access to the services it provides, or else refuses it. In the process, the Switch accesses an external authentication server (RADIUS server), which checks the authentication data of the supplicant. The supplicant and the Switch exchange the authentication data via the Extensible Authentication Protocol (EAP), while the Switch and the server exchange the authentication data via the RADIUS protocol.
Fig. 24: Radius server connection (802.1X Supplicant, Switch/Authenticator (Power MICE), Radius Server)

6.5.2 Authentication process

A supplicant tries to communicate via a Switch port.
D The Switch requests authentication from the supplicant. At that time only EAPOL traffic is permitted between the supplicant and the Switch.
D The supplicant replies with its identification data.
D The Switch forwards the identification data to the authentication server.
D The authentication server replies concerning the authorization.
D The Switch evaluates the reply and allows access to the supplicant at this port (or leaves the port in the blocked state).

6.5.3 Preparing the switch for the 802.1X port authentication

V Configure your own IP parameters (for the Switch).
V Globally switch on the function of the 802.1X port authentication.
V Set the 802.1X port control to “auto”. The default setting is “force-authorized”.
V Enter the “shared secret” between the Authenticator and the Radius server. The shared secret is a text string specified by the Radius server administrator.
V Enter the IP address and the port of the Radius server. The default UDP port of the Radius server is the port 1812.

6.5.4 Setting 802.1X

U Configuring the Radius server
V Select the Security:802.1x Port Authentication:RADIUS-Server dialog.
This dialog allows you to enter the data for one, two or three Radius servers.
V Click on “Create entry” to open the dialog window for entering the IP address of a Radius server.
V Confirm the IP address entered using “OK”. You thus create a new row in the table for this Radius server.
V In the “UDP port” column you enter the UDP port for the Radius server.
V In the “Shared secret” column you enter the character string which you get as a key from the administrator of your Radius server.
V With “Primary server” you name this server as the first server which the Switch should contact for port authentication queries. If this server is not available, then the Switch contacts the next server in the table.
V “Selected server” shows which server the Switch actually sends its queries to.
V With “Delete entry” you delete the selected row in the table.
U Selecting ports
V Select the Security:802.1x Port Authentication:Port Configuration dialog.
V In the column “Port Control” select “auto” for the Switches at which you want port-based network control to be active.
U Port-Based Network Access Control
V Select the Security:802.1x Port Authentication:Global dialog.
V With “Function” you enable the function.
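The authentication process of 6.5.2 together with the Radius server table of 6.5.4 (primary server first, next server in the table if it is not available, "Selected server", port control "auto" versus the default "force-authorized"), as an added example in Python. This is not Hirschmann code and not part of the manual: the RADIUS exchange is simulated in-process rather than sent over UDP, and the server addresses, shared secrets, reachability flags and the user database are constructed sample values. One assumption of the model: a request signed with a shared secret the server does not know is treated as "no answer", as a real RADIUS server silently discards it.

```python
"""802.1X authentication flow (6.5.2) with the Radius server table of 6.5.4,
modelled in Python. Added illustration, not Hirschmann code; the RADIUS
exchange is simulated in-process, and server addresses, shared secrets,
reachability flags and the user database are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EAPOL_ETHERTYPE = 0x888E          # the only traffic allowed before authentication
DEFAULT_RADIUS_PORT = 1812        # default UDP port of the Radius server


@dataclass
class RadiusEntry:
    """One row of the Security:802.1x Port Authentication:RADIUS-Server table."""
    ip: str
    udp_port: int = DEFAULT_RADIUS_PORT
    shared_secret: str = ""
    primary: bool = False


@dataclass
class SimulatedRadius:
    """Constructed stand-in for a real Radius server (assumption: in-process)."""
    shared_secret: str
    users: Dict[str, str]         # identity -> credential
    reachable: bool = True

    def access_request(self, secret: str, identity: str,
                       credential: str) -> Optional[bool]:
        """None = no answer (server not available, or wrong shared secret,
        which a real server silently discards); True/False = Accept/Reject."""
        if not self.reachable or secret != self.shared_secret:
            return None
        return self.users.get(identity) == credential


@dataclass
class Port:
    name: str
    port_control: str = "force-authorized"   # default; "auto" enables 802.1X
    authorized: bool = False


@dataclass
class Authenticator:
    """The Switch in its role as 802.1X authenticator."""
    servers: List[RadiusEntry]
    backends: Dict[str, SimulatedRadius]
    function_enabled: bool = False           # "Function" in the Global dialog
    selected_server: Optional[str] = None    # "Selected server" column

    def server_order(self) -> List[RadiusEntry]:
        # the primary server is contacted first, then the table order
        return sorted(self.servers, key=lambda s: not s.primary)

    def frame_permitted(self, port: Port, ethertype: int) -> bool:
        # before authentication only EAPOL traffic passes the port
        return ethertype == EAPOL_ETHERTYPE or port.authorized

    def authenticate(self, port: Port, identity: str, credential: str) -> bool:
        if not self.function_enabled or port.port_control != "auto":
            port.authorized = True           # no 802.1X check on this port
            return True
        # port control "auto": forward the supplicant's identification data
        # to the authentication server and evaluate its reply
        for entry in self.server_order():
            verdict = self.backends[entry.ip].access_request(
                entry.shared_secret, identity, credential)
            if verdict is None:
                continue                     # not available: try the next server
            self.selected_server = entry.ip
            port.authorized = verdict
            return verdict
        port.authorized = False              # no server answered: port stays blocked
        return False


# constructed sample data: the primary server is down, the second one answers
BACKENDS = {
    "10.0.1.200": SimulatedRadius("s3cret", {"alice": "pw"}, reachable=False),
    "10.0.1.201": SimulatedRadius("s3cret", {"alice": "pw"}),
}
SERVER_TABLE = [RadiusEntry("10.0.1.201", shared_secret="s3cret"),
                RadiusEntry("10.0.1.200", shared_secret="s3cret", primary=True)]

if __name__ == "__main__":
    auth = Authenticator(SERVER_TABLE, BACKENDS, function_enabled=True)
    port = Port("2/1", port_control="auto")
    print("IP frame before auth:", auth.frame_permitted(port, 0x0800))
    print("authenticated:", auth.authenticate(port, "alice", "pw"),
          "via", auth.selected_server)
    print("IP frame after auth:", auth.frame_permitted(port, 0x0800))
```

With the primary server unreachable, "Selected server" ends up as 10.0.1.201 even though it is listed second; a port left at the default "force-authorized" is authorized without any RADIUS exchange, which is why step 6.5.3 requires setting the port control to "auto".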

6.6 Access Control Lists (ACL)
Access Control Lists (ACL) provide you with the option of filtering, forwarding, redirecting or prioritising data packets on receipt. The Switch offers
D MAC-based ACLs
D IP-based ACLs
The switch considers the ACLs when it receives a packet. This is why the lists are called Ingress ACLs.
The Switch offers the following ACL capabilities:
D Up to 100 ACLs
D 10 rules per ACL
D Up to 100 rules per interface
D Up to 1000 rules on all interfaces together
D Possible actions:
– permit and deny
– in combination with permit: assign-queue and redirect
D “Deny everything” is always the (invisible) final rule. It comes into effect if no other rules apply to this interface.
Note: In the prioritizing with “assign queue”, the Switch overwrites any priority entered in the VLAN tag (see page 137) of a data packet.
The configuration of ACLs includes the following steps:
D First of all define the ACL and then
D attach the ACL to one or all interfaces.
You can connect ACLs to all physical ports and to all link aggregation interfaces.
The sequence used in defining the rules of a list, and the sequence in which these lists are attached to an interface, determines the sequence in which the rules and lists are used (see “Specifying the sequence of the rules” on page 100).
Note: With Power MICE and MACH 4000, you can use either MAC-based or IP-based ACLs for each interface. With MACH 4002-24G/48G, you can use both MAC-based and IP-based ACLs for each interface.

6.6.1 Description of IP-based ACLs

The switch distinguishes between standard and extended IP-based ACLs. ACLs with an ID number (ACL ID)
D 1 to 99 are standard IP-based ACLs and
D 100 to 199 are extended IP-based ACLs.
Standard IP-based ACLs provide the following criteria for filtering:
D IP source address with network mask
D All data packets (match every)
Extended IP-based ACLs provide the following criteria for filtering:
D All data packets (every)
D Protocol number or protocol (IP, ICMP, IGMP, TCP, UDP)
D IP source address with network mask or all IP source addresses (any)
D Layer 4 protocol number of the source (UDP port, TCP port)
D IP destination address with network mask or all IP destination addresses (any)
D Layer 4 protocol number of the destination (UDP port, TCP port)
D TOS field with mask
D DSCP field
D IP precedence field
Note: If you use IP ACLs at ports which belong to a HIPER-Ring or which are part of a Ring/Network Coupling, add the following rule to the ACLs:
PERMIT
Protocol: UDP
Source IP: ANY
Destination IP: 0.0.0.0/32
Source Port: 0
Destination Port: 0
CLI Command:
access-list 1xx permit udp any eq 0 0.0.0.0 0.0.0.0 eq 0
Note: IP address masks in the rules for ACLs are inverse. This means that if you want to mask an individual IP address, you select the network mask 0.0.0.0.

6.6.2 Description of MAC-based ACLs

While you identify IP-based ACLs using an ID number, you identify MAC-based ACLs using a unique name of your choice.
MAC-based ACLs provide the following criteria for filtering:
D Source MAC addresses or all sources (any)
D Destination MAC addresses or all destinations (any)
D Ethernet types, also areas
D VLAN ID
D VLAN priority (COS)
D Secondary VLAN ID
D Secondary VLAN priority
Note: If you use ACLs at ports which belong to a HIPER-Ring or which are part of a Ring/Network Coupling, add the following rule to the ACLs:
PERMIT
Source MAC: ANY
Destination MAC: 00:80:63:00:00:00
Destination MAC mask: 01:00:00:ff:ff:ff
CLI Command, in Config-mac-access mode:
permit any 00:80:63:00:00:00 01:00:00:ff:ff:ff
Note: If you are using MAC ACLs at ports located in the MRP-Ring, you add the following rule to the ACLs:
PERMIT
Source MAC: ANY
Destination MAC: 01:15:4E:00:00:00
Destination MAC mask: 00:00:00:00:00:03
CLI command in the Config-mac-access mode:
permit any 01:15:4E:00:00:00 00:00:00:00:00:03
Note: MAC address masks in the rules of ACLs are inverse. This means that if you want to mask a single MAC address, you select the network mask 00:00:00:00:00:00. If you want to mask MAC addresses in the range from 00:80:63:00:00:00 to 00:80:63:FF:FF:FF, you select the network mask 00:00:00:FF:FF:FF.
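The inverse masks of the two notes above (the IP note in 6.6.1 and the MAC note here) are easy to get backwards, so here is the matching rule worked through in Python as an added example. This is not Hirschmann code and not part of the manual; the rule values come from the notes (the HIPER-Ring and MRP-Ring rules, the 00:80:63 range), while the addresses tested against them are constructed. A set bit in an inverse mask means "do not care", which is why a single address is matched with an all-zero mask and a /24 network with 0.0.0.255.

```python
"""Inverse (wildcard) masks in IP and MAC ACL rules. Added illustration in
Python, not Hirschmann code; rule values are taken from the notes above, the
sample addresses tested against them are constructed."""
import ipaddress


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def mac_to_int(text: str) -> int:
    return int(text.replace(":", "").replace("-", ""), 16)


def matches(value: int, rule_value: int, inverse_mask: int) -> bool:
    """A bit set in the inverse mask means 'do not care'. The rule matches when
    every bit that is NOT masked out is equal in value and rule_value."""
    return (value ^ rule_value) & ~inverse_mask == 0


def ip_rule_matches(addr: str, rule_ip: str, rule_inverse_mask: str) -> bool:
    return matches(ip_to_int(addr), ip_to_int(rule_ip),
                   ip_to_int(rule_inverse_mask))


def mac_rule_matches(addr: str, rule_mac: str, rule_inverse_mask: str) -> bool:
    return matches(mac_to_int(addr), mac_to_int(rule_mac),
                   mac_to_int(rule_inverse_mask))


def inverse_mask_from_netmask(netmask: str) -> str:
    """Convert a normal network mask (255.255.255.0, as used in the other
    dialogs) into the inverse mask an ACL rule expects (0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(netmask)))


if __name__ == "__main__":
    # HIPER-Ring rule from the note: bit 0 of the first octet and the last
    # three octets are "don't care", so both 00:80:63:xx:xx:xx and
    # 01:80:63:xx:xx:xx frames are permitted
    for mac in ("00:80:63:12:34:56", "01:80:63:ab:cd:ef", "00:80:64:00:00:00"):
        print(mac, mac_rule_matches(mac, "00:80:63:00:00:00", "01:00:00:ff:ff:ff"))
    print("/24 as inverse mask:", inverse_mask_from_netmask("255.255.255.0"))
```

The same `matches` function serves IP and MAC rules because the ACL engine compares integers of different width; the only difference is how the text form is parsed.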

6.6.3 Configuring IP ACLs

Example: Extended ACL
Fig. (network for this example): devices A, B, C and D with the IP addresses 10.0.1.11/24, 10.0.1.13/24, 10.0.1.158/24 and 10.0.1.159/24, connected to the Switch interfaces 2.3, 3.1, 2.1 and 1.3.
B and C are not allowed to communicate with A.
enable                                  Switch to the privileged EXEC mode.
configure                               Switch to the configuration mode.
access-list 100 deny ip 10.0.1.11 0.0.0.0 10.0.1.158 0.0.0.0
                                        Create the extended ACL 100 with the first rule. This denies data traffic from the IP source address 10.0.1.11 to the IP destination address 10.0.1.158.
access-list 100 permit any any          Add to ACL 100 a further rule. This permits data traffic from any IP source address to any IP destination address.
access-list 110 deny ip 10.0.1.13 0.0.0.0 10.0.1.158 0.0.0.0
                                        Create the extended ACL 110 with the first rule. This denies data traffic from the IP source address 10.0.1.13 to the IP destination address 10.0.1.158.
access-list 110 permit any any          Add to ACL 110 a further rule. This permits data traffic from any IP source address to any IP destination address.
exit                                    Switch to the privileged EXEC mode.
show ip access-lists 100                Display the rules of ACL 100.
show ip access-lists 100
ACL ID: 100
Rule Number: 1
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. 10.0.1.11
Source IP Mask................................. 0.0.0.0
Destination IP Address......................... 10.0.1.158
Destination IP Mask............................ 0.0.0.0
Rule Number: 2
Action......................................... permit
Match All...................................... TRUE
configure                               Switch to the configuration mode.
interface 2/3                           Switch to the interface configuration mode for Interface 2/3.
ip access-group 100 in                  Attach ACL 100 to interface 2/3 for received data.
exit                                    Switch to the configuration mode.
interface 3/1                           Switch to the interface configuration mode for Interface 3/1.
ip access-group 110 in                  Attach ACL 110 to interface 3/1 for received data.
exit                                    Switch to the configuration mode.
exit                                    Switch to the privileged EXEC mode.
show access-lists interface 2/3 in
ACL Type ACL ID                          Sequence Number
-------- ------------------------------- ---------------
IP       100                             1

6.6.4 Configuring MAC ACLs

Example: MAC ACL Filtering AppleTalk and IPX from the entire network.
enable                                  Switch to the privileged EXEC mode.
configure                               Switch to the configuration mode.
mac access-list extended ipx-apple      Create the extended ACL “ipx-apple”.
deny any any ipx                        Add the rule “deny IPX” to the list.
deny any any appletalk                  Add the rule “deny AppleTalk” to the list.
permit any any                          Add the rule “permit all other data” to the list.
exit                                    Switch to the configuration mode.
mac access-group ipx-apple in           Attach ACL “ipx-apple” to all interfaces.
exit                                    Switch to the privileged EXEC mode.
show mac access-lists                   Display MAC ACLs.
MAC ACL Name                    Rules Direction Interface(s)
------------------------------- ----- --------- ------------------
ipx-apple                       3     inbound   1/1,1/2,1/3,1/4,2/1,2/2,2/3,2/4,3/1,3/2
show access-lists interface 1/1 in
ACL Type ACL ID                          Sequence Number
-------- ------------------------------- ---------------
MAC      ipx-apple                       1

6.6.5 Configuring priorities with IP ACLs

Example: Extended ACL with prioritizing using IP precedence (Layer 3), see “IP ToS / DiffServ” on page 139.
enable                                  Switch to the privileged EXEC mode.
configure                               Switch to the configuration mode.
access-list 102 permit ip any any precedence 0 assign-queue 2
                                        Create the extended ACL 102 with the first rule. This rule assigns the priority 2 to Precedence 0.
access-list 102 permit ip any any precedence 1 assign-queue 0
                                        Add to ACL 102 a further rule. This rule assigns the priority 0 to Precedence 1.
access-list 102 permit ip any any precedence 2 assign-queue 1
                                        Add to ACL 102 a further rule. This rule assigns the priority 1 to Precedence 2.
access-list 102 permit ip any any precedence 3 assign-queue 3
                                        Add to ACL 102 a further rule. This rule assigns the priority 3 to Precedence 3.
access-list 102 permit ip any any precedence 4 assign-queue 4
                                        Add to ACL 102 a further rule. This rule assigns the priority 4 to Precedence 4.
. . .
access-list 102 permit ip any any precedence 7 assign-queue 7
                                        Add to ACL 102 a further rule. This rule assigns the priority 7 to Precedence 7.
exit                                    Switch to the privileged EXEC mode.
show ip access-lists 102                Display the rules of ACL 102.
show access-lists 102
ACL ID: 102
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 0
Assign Queue................................... 2
Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 1
Assign Queue................................... 0
Rule Number: 3
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 2
--More-- or (q)uit
Assign Queue................................... 1
Rule Number: 4
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 3
Assign Queue................................... 3
Rule Number: 5
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 4
Assign Queue................................... 4
. .
Rule Number: 8
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
IP Precedence.................................. 7
Assign Queue................................... 7
configure                               Switch to the configuration mode.
interface 2/1                           Switch to the interface configuration mode for Interface 2/1.
ip access-group 102 in                  Attach ACL 102 to interface 2/1.
exit                                    Switch to the configuration mode.
exit                                    Switch to the privileged EXEC mode.
show access-lists interface 2/1 in      Display the ACLs attached to interface 2/1 for incoming data.
ACL Type ACL ID                          Sequence Number
-------- ------------------------------- ---------------
IP       100                             1
IP       102                             3
Example: Extended ACL with prioritizing using the Simple Network Management Protocol (Layer 4)
enable                                  Switch to the privileged EXEC mode.
configure                               Switch to the configuration mode.
access-list 104 permit udp any any eq snmp assign-queue 5
                                        Create the extended ACL 104 with the first rule. This rule assigns the priority 5 to all SNMP frames (UDP destination port 161). This rule overwrites any priority contained in a VLAN tag with the value 5.
exit                                    Switch to the privileged EXEC mode.
show ip access-lists 104                Display the rules of ACL 104.
show ip access-lists 104
ACL ID: 104
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 17(udp)
Destination L4 Port Keyword.................... 161(snmp)
Assign Queue................................... 5
configure                               Switch to the configuration mode.
interface 2/1                           Switch to the interface configuration mode for Interface 2/1.
ip access-group 104 in                  Attach ACL 104 to interface 2/1.
exit                                    Switch to the configuration mode.
exit                                    Switch to the privileged EXEC mode.
show access-lists interface 2/1 in      Display the ACLs attached to interface 2/1 for incoming data.
ACL Type ACL ID                          Sequence Number
-------- ------------------------------- ---------------
IP       100                             1
IP       102                             3
IP       104                             4

6.6.6 Specifying the sequence of the rules

The usage of the ACLs depends on their sequence. The first list that applies is used. You can influence the sequence by assigning the sequence number. A small sequence number has priority over a higher one.
enable                                  Switch to the privileged EXEC mode.
configure                               Switch to the configuration mode.
ip access-group 100 in 10               Assign the “Sequence Number” 10 to ACL 100.
ip access-group 102 in 30               Assign the “Sequence Number” 30 to ACL 102.
ip access-group 104 in 20               Assign the “Sequence Number” 20 to ACL 104.
exit                                    Switch to the privileged EXEC mode.
show access-lists interface 2/1 in      Display the ACLs attached to interface 2/1 for incoming data.
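How the sequence numbers change the result for one interface, worked through as an added example in Python (not Hirschmann code, not part of the manual). It evaluates ingress ACLs the way 6.6 and 6.6.6 describe them: lists are walked in ascending sequence number, the first matching rule decides, and the invisible final rule "deny everything" applies when no rule in any list matches. The rules of ACL 100 and ACL 104 are taken from the examples in 6.6.3 and 6.6.5; ACL 102 is left out because its precedence match adds nothing to the ordering point, and the packets at the bottom are constructed sample values.

```python
"""Ingress ACL evaluation with sequence numbers (6.6, 6.6.6). Added
illustration in Python, not Hirschmann code; ACLs 100 and 104 are taken from
the examples above, the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_NUMBERS = {"ip": 255, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
SNMP_PORT = 161


def wildcard_match(addr: str, rule_addr: str, inverse_mask: str) -> bool:
    # inverse mask: set bits are "don't care" (see the notes on masks)
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, inverse_mask))
    return (a ^ r) & ~m == 0


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    match_every: bool = False            # "match every": matches all packets
    protocol: str = "ip"                 # "ip" matches any IP protocol
    src: str = "0.0.0.0"                 # "any" == 0.0.0.0 with all-ones inverse mask
    src_mask: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    dst_port: Optional[int] = None       # layer 4 destination port, None = any
    assign_queue: Optional[int] = None   # only meaningful with permit

    def matches(self, pkt: Dict) -> bool:
        if self.match_every:
            return True
        if self.protocol != "ip" and pkt["protocol"] != PROTO_NUMBERS[self.protocol]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_mask):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Binding:
    """One 'ip access-group <id> in <sequence>' line on an interface."""
    acl_id: int
    sequence: int


ACLS: Dict[int, List[Rule]] = {
    # ACL 100 from 6.6.3: deny B -> A, then permit everything else
    100: [Rule("deny", src="10.0.1.11", src_mask="0.0.0.0",
               dst="10.0.1.158", dst_mask="0.0.0.0"),
          Rule("permit", match_every=True)],
    # ACL 104 from 6.6.5: SNMP into queue 5
    104: [Rule("permit", protocol="udp", dst_port=SNMP_PORT, assign_queue=5)],
}


def evaluate(bindings: List[Binding], pkt: Dict, acls=ACLS) -> Dict:
    """Walk the lists attached to an interface in ascending sequence number;
    the first rule that matches decides. If no rule in any list matches, the
    invisible final rule 'deny everything' applies."""
    for binding in sorted(bindings, key=lambda b: b.sequence):
        for number, rule in enumerate(acls[binding.acl_id], start=1):
            if rule.matches(pkt):
                return {"action": rule.action, "acl": binding.acl_id,
                        "rule": number, "queue": rule.assign_queue}
    return {"action": "deny", "acl": None, "rule": None, "queue": None}


if __name__ == "__main__":
    snmp = {"protocol": 17, "src": "10.0.1.13", "dst": "10.0.1.158", "dst_port": 161}
    print(evaluate([Binding(100, 10), Binding(104, 20)], snmp))   # ACL 100 wins, no queue
    print(evaluate([Binding(104, 5), Binding(100, 10)], snmp))    # ACL 104 wins, queue 5
```

With the sequence numbers of the example above (ACL 100 at 10, ACL 104 at 20), the "permit any any" rule of ACL 100 already matches every SNMP packet, so ACL 104 is never consulted and no queue is assigned; only a lower sequence number for ACL 104 makes its assign-queue take effect.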