Hirschmann RSP Reference Manual

Hirschmann Automation and Control GmbH
RSP
HiOS-3S
Rel. 08100
Reference Manual
Graphical User Interface
User Manual
Configuration
Reference Manual
Graphical User Interface
Rail Switch Power
HiOS-3S
RM GUI RSP
Release 8.1 12/2019
Technical support
https://hirschmann-support.belden.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that
these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may
be freely used by anyone.
© 2019 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.
The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.
You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).
Hirschmann Automation and Control GmbH
Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany
2019-12-05
Contents
Safety instructions
About this Manual
Key
Notes on the Graphical User Interface
1 Basic Settings
1.1 System
1.2 Network
1.3 Software
1.4 Load/Save
1.5 External Memory
1.6 Port
1.7 Restart
2 Time
2.1 Basic Settings
2.2 SNTP
2.2.1 SNTP Client
2.2.2 SNTP Server
2.3 PTP
2.3.1 PTP Global
2.3.2 PTP Boundary Clock
2.3.2.1 PTP Boundary Clock Global
2.3.2.2 PTP Boundary Clock Port
2.3.3 PTP Transparent Clock
2.3.3.1 PTP Transparent Clock Global
2.3.3.2 PTP Transparent Clock Port
3 Device Security
3.1 User Management
3.2 Authentication List
3.3 LDAP
3.3.1 LDAP Configuration
3.3.2 LDAP Role Mapping
3.4 Management Access
3.4.1 Server
3.4.2 IP Access Restriction
3.4.3 Web
3.4.4 Command Line Interface
3.4.5 SNMPv1/v2 Community
3.5 Pre-login Banner
4 Network Security
4.1 Network Security Overview
4.2 Port Security
4.3 802.1X Port Authentication
4.3.1 802.1X Global
4.3.2 802.1X Port Configuration
4.3.3 802.1X Port Clients
4.3.4 802.1X EAPOL Port Statistics
4.3.5 802.1X Port Authentication History
4.3.6 802.1X Integrated Authentication Server
4.4 RADIUS
4.4.1 RADIUS Global
4.4.2 RADIUS Authentication Server
4.4.3 RADIUS Accounting Server
4.4.4 RADIUS Authentication Statistics
4.4.5 RADIUS Accounting Statistics
4.5 DoS
4.5.1 DoS Global
4.6 DHCP Snooping
4.6.1 DHCP Snooping Global
4.6.2 DHCP Snooping Configuration
4.6.3 DHCP Snooping Statistics
4.6.4 DHCP Snooping Bindings
4.7 Dynamic ARP Inspection
4.7.1 Dynamic ARP Inspection Global
4.7.2 Dynamic ARP Inspection Configuration
4.7.3 Dynamic ARP Inspection ARP Rules
4.7.4 Dynamic ARP Inspection Statistics
4.8 ACL
4.8.1 ACL IPv4 Rule
4.8.2 ACL MAC Rule
4.8.3 ACL Assignment
4.8.4 ACL Time Profile
5 Switching
5.1 Switching Global
5.2 Rate Limiter
5.3 Filter for MAC Addresses
5.4 IGMP Snooping
5.4.1 IGMP Snooping Global
5.4.2 IGMP Snooping Configuration
5.4.3 IGMP Snooping Enhancements
5.4.4 IGMP Snooping Querier
5.4.5 IGMP Snooping Multicasts
5.5 MRP-IEEE
5.5.1 MRP-IEEE Configuration
5.5.2 MRP-IEEE Multiple MAC Registration Protocol
5.5.3 MRP-IEEE Multiple VLAN Registration Protocol
5.6 GARP
5.6.1 GMRP
5.6.2 GVRP
5.7 QoS/Priority
5.7.1 QoS/Priority Global
5.7.2 QoS/Priority Port Configuration
5.7.3 802.1D/p Mapping
5.7.4 IP DSCP Mapping
5.7.5 Queue Management
5.7.6 DiffServ
5.7.6.1 DiffServ Overview
5.7.6.2 DiffServ Global
5.7.6.3 DiffServ Class
5.7.6.4 DiffServ Policy
5.7.6.5 DiffServ Assignment
5.8 VLAN
5.8.1 VLAN Global
5.8.2 VLAN Configuration
5.8.3 VLAN Port
5.8.4 VLAN Voice
5.8.5 MAC Based VLAN
5.8.6 Subnet Based VLAN
5.8.7 Protocol Based VLAN
5.9 L2-Redundancy
5.9.1 MRP
5.9.2 HIPER Ring
5.9.3 DLR (depends on hardware)
5.9.3.1 DLR Configuration (depends on hardware)
5.9.3.2 DLR Statistics (depends on hardware)
5.9.4 PRP (depends on hardware)
5.9.4.1 PRP Configuration (depends on hardware)
5.9.4.2 PRP DAN/VDAN Table (depends on hardware)
5.9.4.3 PRP Proxy Node Table (depends on hardware)
5.9.4.4 PRP Statistics (depends on hardware)
5.9.5 HSR (depends on hardware)
5.9.5.1 HSR Configuration (depends on hardware)
5.9.5.2 HSR DAN/VDAN Table (depends on hardware)
5.9.5.3 HSR Proxy Node Table (depends on hardware)
5.9.5.4 HSR Statistics (depends on hardware)
5.9.6 Spanning Tree
5.9.6.1 Spanning Tree Global
5.9.6.2 Spanning Tree MSTP
5.9.6.3 Spanning Tree Port
5.9.7 Link Aggregation
5.9.8 Link Backup
5.9.9 FuseNet
5.9.9.1 Sub Ring
5.9.9.2 Ring/Network Coupling
5.9.9.3 Redundant Coupling Protocol
6 Routing
6.1 Routing Global
6.2 Routing Interfaces
6.2.1 Routing Interfaces Configuration
6.3 ARP
6.3.1 ARP Global
6.3.2 ARP Current
6.3.3 ARP Static
6.4 Router Discovery
6.5 RIP
6.6 Open Shortest Path First
6.6.1 OSPF Global
6.6.2 OSPF Areas
6.6.3 OSPF Stub Areas
6.6.4 OSPF Not So Stubby Areas
6.6.5 OSPF Interfaces
6.6.6 OSPF Virtual Links
6.6.7 OSPF Ranges
6.6.8 OSPF Diagnostics
6.7 Routing Table
6.8 Tracking
6.8.1 Tracking Configuration
6.8.2 Tracking Applications
6.9 L3 Relay
6.10 Loopback Interface
6.11 Multicast Routing
6.11.1 Multicast Routing Global
6.11.2 Multicast Routing Boundary Configuration
6.11.3 Multicast Routing Static
6.11.4 IGMP
6.11.4.1 IGMP Configuration
6.11.4.2 IGMP Proxy Configuration
6.11.4.3 IGMP Proxy Database
6.12 L3-Redundancy
6.12.1 VRRP
6.12.1.1 VRRP Configuration
6.12.1.2 VRRP Domains
6.12.1.3 VRRP Statistics
6.12.1.4 VRRP Tracking
6.13 NAT
6.13.1 1:1 NAT
6.13.1.1 1:1 NAT Rule
7 Diagnostics
7.1 Status Configuration
7.1.1 Device Status
7.1.2 Security Status
7.1.3
7.1.3.1
7.1.4
7.1.5
7.2
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.3
7.3.1
7.3.2
7.3.3
7.4
7.5
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.6
7.6.1
7.6.2
7.7
7.7.1
7.7.2
7.8
7.8.1
7.8.2
7.8.3
7.8.4
Signal Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Signal Contact 1 / Signal Contact 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
MAC Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alarms (Traps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Check. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IP Address Conflict Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Selftest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Notification Global
Email Notification Recipients
Email Notification Mail Server
Syslog
Ports
SFP
TP cable diagnosis
Port Monitor
Auto-Disable
Port Mirroring
LLDP
LLDP Configuration
LLDP Topology Discovery
SFlow
SFlow Configuration
SFlow Receiver
Report
Report Global
Persistent Logging
System Log
Audit Trail
8 Advanced
8.1 DHCP L2 Relay
8.1.1 DHCP L2 Relay Configuration
8.1.2 DHCP L2 Relay Statistics
8.2 DHCP Server
8.2.1 DHCP Server Global
8.2.2 DHCP Server Pool
8.2.3 DHCP Server Lease Table
8.3 DNS
8.3.1 DNS Client
8.3.1.1 DNS Client Global
8.3.1.2 DNS Client Current
8.3.1.3 DNS Client Static
8.3.1.4 DNS Client Static Hosts
8.4 Industrial Protocols
8.4.1 IEC61850-MMS
8.4.2 Modbus TCP
8.4.3 PROFINET
8.4.4 EtherNet/IP
8.5 Command Line Interface
A Index
B Further support
C Readers’ Comments
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment
damage.
About this Manual
The “Configuration” user manual contains the information you need to start operating the device. It
takes you step by step from the first startup operation through to the basic settings for operation in
your environment.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Graphical User Interface” reference manual contains detailed information on using the
graphical user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the
Command Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for
smooth configuration and monitoring:
• Auto-topology discovery
• Browser interface
• Client/server structure
• Event handling
• Event log
• Simultaneous configuration of multiple devices
• Graphical user interface with network layout
• SNMP/OPC gateway
Key
The designations used in this manual have the following meanings:
• List
• Work step
Link: Cross-reference with link
Note: A note emphasizes a significant fact or draws your attention to a dependency.
Courier: Representation of a CLI command or field contents in the graphical user interface
Execution in the Graphical User Interface
Execution in the Command Line Interface
Notes on the Graphical User Interface
The Graphical User Interface of the device is divided as follows:
• Navigation area
• Dialog area
• Buttons
Navigation area
The Navigation area is located on the left side of the Graphical User Interface.
The Navigation area contains the following elements:
• Toolbar
• Filter
• Menu
You have the option of collapsing the entire Navigation area, for example when displaying the
Graphical User Interface on small screens. To collapse or expand, you click the small arrow at the
top of the navigation area.
Toolbar
The toolbar at the top of the navigation area contains several buttons.
• When you position the mouse pointer over a button, a tooltip displays further information.
• If the connection to the device is lost, then the toolbar is grayed out.
The device automatically refreshes the toolbar information every 5 seconds.
Clicking the button refreshes the toolbar manually.
When you position the mouse pointer over the button, a tooltip displays the following information:
• User: Name of the logged in user
• Device name: Name of the device
Clicking the button opens the Device Security > User Management dialog.
When you position the mouse pointer over the button, a tooltip displays the summary of the
Diagnostics > System > Configuration Check dialog.
Clicking the button opens the Diagnostics > System > Configuration Check dialog.
Clicking the button logs out the current user and displays the login page.
Displays the remaining time in seconds until the device automatically logs out an inactive user.
Clicking the button opens the Device Security > Management Access > Web dialog. There you can
specify the timeout.
When the configuration profile in the volatile memory (RAM) differs from the "Selected" configuration
profile in the non-volatile memory (NVM), this button is visible. Otherwise, the button is hidden.
Clicking the button opens the Basic Settings > Load/Save dialog.
By right-clicking the button you can save the current settings in the non-volatile memory (NVM).
When you position the mouse pointer over the button, a tooltip displays the following information:
• Device Status: This section displays a compressed view of the Device status frame in the Basic
Settings > System dialog. The section displays the alarm that is currently active and whose
occurrence was recorded first.
• Security Status: This section displays a compressed view of the Security status frame in the Basic
Settings > System dialog. The section displays the alarm that is currently active and whose
occurrence was recorded first.
• Boot Parameter: If you permanently save changes to the settings and at least one boot
parameter differs from the configuration profile used during the last restart, then this section
displays a note.
The following settings cause the boot parameters to change:
– Basic Settings > External Memory dialog, Software auto update parameter
– Basic Settings > External Memory dialog, Config priority parameter
– Device Security > Management Access > Server dialog, SNMP tab, UDP port parameter
– Diagnostics > System > Selftest dialog, RAM test parameter
– Diagnostics > System > Selftest dialog, SysMon1 is available parameter
– Diagnostics > System > Selftest dialog, Load default config on error parameter
Clicking the button opens the Diagnostics > Status Configuration > Device Status dialog.
Filter
The filter enables you to reduce the number of menu items in the menu. When filtering, the menu
displays only menu items matching the search string entered in the filter field.
Menu
The menu displays the menu items.
You have the option of filtering the menu items. See section “Filter”.
To display the corresponding dialog in the dialog area, you click the desired menu item. If the
selected menu item is a node containing sub-items, then the node expands or collapses when you
click it. The dialog area keeps the previously displayed dialog.
You have the option of expanding or collapsing every node in the menu at the same time. When
you right-click anywhere in the menu, a context menu displays the following entries:
• Expand
Expands every node in the menu at the same time. The menu displays the menu items for every
level.
• Collapse
Collapses every node in the menu at the same time. The menu displays the top level menu
items.
Dialog area
The Dialog area is located on the right side of the Graphical User Interface. When you click a menu
item in the Navigation area, the Dialog area displays the corresponding dialog.
Updating the display
If a dialog remains open for a longer time, then the values in the device have possibly changed
in the meantime.
• To update the display in the dialog, click the button. Unsaved information in the dialog is lost.
Saving the settings
• To transfer the changed settings to the volatile memory (RAM) of the device, click the button.
• To keep the changed settings, even after restarting the device, proceed as follows:
– Open the Basic Settings > Load/Save dialog.
– In the table, highlight the desired configuration profile.
– When in the Selected column the checkbox is unmarked, click the button and then the
Select item.
– Click the button and then the Save item.
Note: Unintentional changes to the settings can terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function in the
Basic Settings > Load/Save dialog, before changing any settings. Using the function, the device
continuously checks whether it can still be reached from the IP address of the user’s PC. If the
connection is lost, then the device loads the configuration profile saved in the non-volatile memory
(NVM) after the specified time. Afterwards, the device can be accessed again.
Working with tables
The dialogs display numerous settings in table form.
When you modify a table cell, the table cell displays a red mark in its top-left corner. The red mark
indicates that your modifications are not yet transferred to the volatile memory (RAM) of the device.
You have the option of customizing the look of the tables to fit your needs. When you position the
mouse pointer over a column header, the column header displays a drop-down list button. When
you click this button, the drop-down list displays the following entries:
• Sort ascending
Sorts the table entries in ascending order based on the entries of the selected column.
You recognize sorted table entries by an arrow in the column header.
• Sort descending
Sorts the table entries in descending order based on the entries of the selected column.
You recognize sorted table entries by an arrow in the column header.
• Columns
Displays or hides columns.
You recognize hidden columns by an unmarked checkbox in the drop-down list.
• Filters
The table only displays the entries whose content matches the specified filter criteria of the
selected column.
You recognize filtered table entries by an emphasized column header.
You have the option of selecting multiple table entries simultaneously and subsequently applying
an action to them. This is useful when you are going to remove multiple table entries at the same
time.
• Select several consecutive table entries:
– Click the first desired table entry to highlight it.
– Press and hold the <SHIFT> key.
– Click the last desired table entry to highlight every desired table entry.
• Select multiple individual table entries:
– Click the first desired table entry to highlight it.
– Press and hold the <CTRL> key.
– Click the next desired table entry to highlight it.
Repeat until every desired table entry is highlighted.
Buttons
Here you find the description of the standard buttons. The special dialog-specific buttons are
described in the corresponding dialog help text.
Transfers the changes to the volatile memory (RAM) of the device and applies them to the device.
To save the changes in the non-volatile memory, proceed as follows:
• Open the Basic Settings > Load/Save dialog.
• In the table, highlight the desired configuration profile.
• When in the Selected column the checkbox is unmarked, click the button and then the Select
item.
• Click the button to save your current changes.
Updates the fields with the values that are saved in the volatile memory (RAM) of the device.
Transfers the settings from the volatile memory (RAM) into the configuration profile designated as
“Selected” in the non-volatile memory (NVM).
When in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving
column is marked, then the device generates a copy of the configuration profile in the external
memory.
Displays a submenu with menu items corresponding to the respective dialog.
Opens the Wizard dialog.
Adds a new table entry.
Removes the highlighted table entry.
Opens the online help.
1 Basic Settings
The menu contains the following dialogs:
• System
• Network
• Software
• Load/Save
• External Memory
• Port
• Restart
1.1 System
[ Basic Settings > System ]
In this dialog, you monitor individual operating statuses.
Device status
The fields in this frame display the device status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Device
Status dialog.
Note: If you connect only one power supply unit for the supply voltage to a device with a redundant
power supply unit, then the device reports an alarm. To help avoid this alarm, you deactivate the
monitoring of the missing power supply units in the Diagnostics > Status Configuration > Device Status
dialog.
Alarm counter
Displays the number of currently existing alarms.
When there is at least one currently existing alarm, the icon is visible.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
If a monitored parameter differs from the desired status, then the device triggers an alarm. The
Diagnostics > Status Configuration > Device Status dialog, Status tab displays an overview of the alarms.
Security status
The fields in this frame display the security status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration >
Security Status dialog.
Alarm counter
Displays the number of currently existing alarms.
When there is at least one currently existing alarm, the icon is visible.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
If a monitored parameter differs from the desired status, then the device triggers an alarm. The
Diagnostics > Status Configuration > Security Status dialog, Status tab displays an overview of the
alarms.
Signal contact status
The fields in this frame display the signal contact status and inform you about alarms that have
occurred. When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Signal
Contact > Signal Contact 1/Signal Contact 2 dialog.
Alarm counter
Displays the number of currently existing alarms.
When there is at least one currently existing alarm, the icon is visible.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
If a monitored parameter differs from the desired status, then the device triggers an alarm. The
Diagnostics > Status Configuration > Signal Contact > Signal Contact 1/Signal Contact 2 dialog, Status tab
displays an overview of the alarms.
System data
The fields in this frame display operating data and information on the location of the device.
System name
Specifies the name under which the device is known in the network.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
The following characters are allowed:
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\\]^_`{}~
– <device name>-<MAC address> (default setting)
When creating HTTPS X.509 certificates, the application generating the certificate uses the
specified value as the domain name and common name.
The following functions use the specified value as a host name or FQDN (Fully Qualified Domain
Name). For compatibility, it is recommended to use only lowercase letters, since not every system
compares the case in the FQDN. Verify that this name is unique in the whole network.
• DHCP client
• Syslog
• IEC61850-MMS
• PROFINET
Note: For compatibility in PROFINET environments, specify the PROFINET device name. In
PROFINET the name is limited to a maximum of 240 characters. Do not begin the name with a
number. Programs read the device name using SNMP and PROFINET DCP.
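The System name rules above, collected into one check that can run over a naming plan before it is applied. This is an added example, not code from the manual or from Hirschmann; the function name, the finding codes and the other_names inventory list are assumptions made for illustration.

```python
import string

# Character set the manual lists for the System name field.
ALLOWED = set(string.digits + string.ascii_letters + "!#$%&'()*+,-./:;<=>?@[\\]^_`{}~")
MAX_LEN = 255           # field limit stated in the manual
PROFINET_MAX_LEN = 240  # PROFINET limit stated in the manual


def check_system_name(name, profinet=False, other_names=()):
    """Check a proposed System name and return a list of (code, detail) findings.

    An empty list means the name passes every check.
    other_names is a hypothetical inventory of names already used in the network.
    """
    findings = []

    if len(name) > MAX_LEN:
        findings.append(("too-long", f"{len(name)} characters, limit is {MAX_LEN}"))

    # Space, double quote and '|' are examples of characters not in the list.
    illegal = sorted({c for c in name if c not in ALLOWED})
    if illegal:
        findings.append(("illegal-char", " ".join(repr(c) for c in illegal)))

    # Recommendation from the manual: lowercase only, because the name is
    # reused as host name or FQDN by DHCP client, Syslog, IEC61850-MMS, PROFINET.
    if name != name.lower():
        findings.append(("uppercase", "use lowercase letters only"))

    # Uniqueness is compared without case, since not every system
    # distinguishes case in an FQDN.
    if name.lower() in {n.lower() for n in other_names}:
        findings.append(("not-unique", "name is already used in the network"))

    if profinet:
        if len(name) > PROFINET_MAX_LEN:
            findings.append(("profinet-too-long",
                             f"{len(name)} characters, PROFINET limit is {PROFINET_MAX_LEN}"))
        if name[:1].isdigit():
            findings.append(("profinet-leading-digit", "name must not begin with a number"))

    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from a real network.
    inventory = ["rsp-cell3-sw01"]
    for candidate in ["rsp-cell3-sw02", "RSP cell3", "Rsp-Cell3-SW01", "3rd-floor-switch"]:
        print(candidate, check_system_name(candidate, profinet=True, other_names=inventory))
```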
Location
Specifies the location of the device.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
Contact person
Specifies the contact person for this device.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
Device type
Displays the product name of the device.
Power supply 1
Power supply 2
Displays the status of the power supply unit on the relevant voltage supply connection.
Possible values:
• present
• defective
• not installed
• unknown
Uptime
Displays the time that has elapsed since this device was last restarted.
Possible values:
• Time in the format day(s), ...h ...m ...s
Temperature [°C]
Displays the current temperature in the device in °C.
You activate the monitoring of the temperature thresholds in the Diagnostics > Status Configuration >
Device Status dialog.
Upper temp. limit [°C]
Specifies the upper temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
• -99..99 (integer)
If the temperature in the device exceeds this value, then the device generates an alarm.
Lower temp. limit [°C]
Specifies the lower temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
• -99..99 (integer)
If the temperature in the device falls below this value, then the device generates an alarm.
LED status
This frame displays the states of the device status LEDs at the time of the last update. The
“Installation” user manual contains detailed information about the device status LEDs.
Parameters and the meaning of each LED color:
Status
• There is currently no device status alarm. The device status is OK.
• There is currently at least one device status alarm. Therefore, see the
Device status frame above.
Power
• Device variant with 2 power supply units:
Only one supply voltage is active.
• Device variant with 1 power supply unit:
The supply voltage is active.
Device variant with 2 power supply units:
Both supply voltages are active.
RM
• The device is neither operating as a MRP ring manager nor as a DLR
supervisor.
• Loss of redundancy reserve.
The device is operating as a MRP ring manager.
or
The device is operating as a DLR supervisor.
• Redundancy reserve is available.
The device is operating as a MRP ring manager.
or
The device is operating as a DLR supervisor.
ACA
• No external memory connected.
• The external memory is connected, but not ready for operation.
• The external memory is connected and ready for operation.
Port status
This frame displays a simplified view of the ports of the device at the time of the last update.
The icons represent the status of the individual ports. In some situations, the following icons
interfere with one another. When you position the mouse pointer over the appropriate port icon, a
tooltip displays detailed information about the port state.
Parameters: <Port number>
Status and meaning:
• The port is inactive.
The port does not send or receive any data.
• The port is inactive.
The cable is connected. Active link.
• The port is active.
No cable connected or no active link.
• The port is active.
The cable is connected. Connection okay. Active link. Full-duplex mode
• The half-duplex mode is enabled.
Verify the settings in the Basic Settings > Ports dialog, Configuration tab.
• The port is in a blocking state due to a redundancy function.
• The port operates as a router interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
1.2 Network
[ Basic Settings > Network ]
This dialog lets you specify the IP, VLAN and HiDiscovery settings required for the access to the
device management through the network.
Management interface
This frame lets you specify the following settings:
• The source from which the device management receives its IP parameters
• VLAN in which the device management can be accessed
IP address assignment
Specifies the source from which the device management receives its IP parameters.
Possible values:
• Local
The device uses the IP parameters from the internal memory. You specify the settings for this
in the IP parameter frame.
• BOOTP
The device receives its IP parameters from a BOOTP or DHCP server.
The server evaluates the MAC address of the device, then assigns the IP parameters.
• DHCP (default setting)
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
When the server also provides the addresses of DNS servers, the device displays these
addresses in the Advanced > DNS > Cache > Current dialog.
Note: If there is no response from the BOOTP or DHCP server, then the device sets the IP address
to 0.0.0.0 and makes another attempt to obtain a valid IP address.
VLAN ID
Specifies the VLAN in which the device management is accessible through the network. The device
management is accessible through ports that are members of this VLAN.
Possible values:
• 1..4042 (default setting: 1)
The prerequisite is that the VLAN is already configured. See the Switching > VLAN > Configuration
dialog.
Assign a VLAN ID that is not assigned to any router interface.
When you click the button after changing the value, the Information window opens. Select the
port, over which you connect to the device in the future. After clicking the Ok button, the new device
management VLAN settings are assigned to the port.
• After that the port is a member of the VLAN and transmits the data packets without a VLAN tag
(untagged). See the Switching > VLAN > Configuration dialog.
• The device assigns the port VLAN ID of the device management VLAN to the port. See the
Switching > VLAN > Port dialog.
After a short time the device is reachable over the new port in the new device management VLAN.
MAC address
Displays the MAC address of the device. The device management is accessible via the network
using the MAC address.
MAC address conflict detection
Enables/disables the MAC address conflict detection function.
Possible values:
• marked
The MAC address conflict detection function is enabled.
The device verifies that its MAC address is unique in the network.
• unmarked (default setting)
The MAC address conflict detection function is disabled.
BOOTP/DHCP
Client ID
Displays the DHCP client ID that the device sends to the BOOTP or DHCP server. If the server is
configured accordingly, then it reserves an IP address for this DHCP client ID. Therefore, the device
receives the same IP from the server every time it requests it.
The DHCP client ID that the device sends is the device name specified in the System name field in
the Basic Settings > System dialog.
HiDiscovery protocol v1/v2
This frame lets you specify settings for the access to the device using the HiDiscovery protocol.
On a PC, the HiDiscovery software displays the Hirschmann devices that can be accessed in the
network on which the HiDiscovery function is enabled. You can access these devices even if they
have invalid or no IP parameters assigned. The HiDiscovery software lets you assign or change the
IP parameters in the device.
Note: With the HiDiscovery software you access the device only through ports that are members
of the same VLAN as the device management. You specify which VLAN a certain port is assigned
to in the Switching > VLAN > Configuration dialog.
Operation
Enables/disables the HiDiscovery function in the device.
Possible values:
• On (default setting)
HiDiscovery is enabled.
You can use the HiDiscovery software to access the device from your PC.
• Off
HiDiscovery is disabled.
Access
Enables/disables the write access to the device using HiDiscovery.
Possible values:
• readWrite (default setting)
The HiDiscovery software is given write access to the device.
With this setting you can change the IP parameters in the device.
• readOnly
The HiDiscovery software is given read-only access to the device.
With this setting you can view the IP parameters in the device.
Recommendation: Change the setting to the value readOnly only after putting the device into
operation.
Signal
Activates/deactivates the flashing of the port LEDs as does the function of the same name in the
HiDiscovery software. The function lets you identify the device in the field.
Possible values:
• marked
The flashing of the port LEDs is active.
The port LEDs flash until you disable the function again.
• unmarked (default setting)
The flashing of the port LEDs is inactive.
Relay status
Activates/deactivates the HiDiscovery relay function. This function lets the HiDiscovery software
find and display devices located in other subnets.
Possible values:
• marked (default setting)
The HiDiscovery relay function is active.
The device forwards the HiDiscovery request packets sent from the device management into
directly connected subnets. The device also responds to requests with its IP parameters.
• unmarked
The HiDiscovery relay function is inactive.
The HiDiscovery software finds only the devices located in the same subnet as the device
management.
IP parameter
This frame lets you assign the IP parameters manually. If you have selected the Local radio button
in the Management interface frame, IP address assignment option list, then these fields can be edited.
IP address
Specifies the IP address under which the device management can be accessed through the
network.
Possible values:
• Valid IPv4 address
Verify that the IP subnet of the device management is not overlapping with any subnet connected
to another interface of the device:
• router interface
• loopback interface
Netmask
Specifies the netmask.
Possible values:
• Valid IPv4 netmask
Gateway address
Specifies the IP address of a router through which the device accesses other devices outside its
own network.
Possible values:
• Valid IPv4 address
If the device does not use the specified gateway, check whether another default gateway is
specified. The setting in the following dialog has precedence:
• Routing > Routing Table dialog, Next hop IP address column, if the value in the Network address
column and in the Netmask column is 0.0.0.0
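A pre-deployment check of the IP parameter values, covering the subnet overlap rule stated above for router and loopback interfaces. This is an added example, not part of the manual; the function name, the finding codes and the other_interfaces inventory are assumptions, and the host-address and gateway checks are general IPv4 sanity checks added here rather than rules quoted from the manual.

```python
import ipaddress


def check_ip_parameters(ip, netmask, gateway, other_interfaces):
    """Validate management IP settings and return a list of (code, detail) findings.

    ip, netmask, gateway: dotted-decimal strings as typed into the dialog
                          (gateway may be None when no gateway is set).
    other_interfaces:     {name: "address/prefix"} for the router and loopback
                          interfaces of the same device (hypothetical inventory,
                          not read from the device).
    """
    try:
        mgmt = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Covers a malformed address and a non-contiguous netmask.
        return [("invalid", str(exc))]

    findings = []
    net = mgmt.network

    if mgmt.ip == ipaddress.IPv4Address("0.0.0.0"):
        # The manual notes the device falls back to 0.0.0.0 when no
        # BOOTP/DHCP server answers, so this value means "not assigned".
        findings.append(("unassigned", "0.0.0.0 is not a usable management address"))
    elif net.prefixlen < 31 and mgmt.ip in (net.network_address, net.broadcast_address):
        findings.append(("not-a-host-address", f"{mgmt.ip} is the network or broadcast address of {net}"))

    # Rule from the manual: the management subnet must not overlap a subnet
    # connected to a router interface or loopback interface.
    for name, cidr in other_interfaces.items():
        other = ipaddress.IPv4Interface(cidr).network
        if net.overlaps(other):
            findings.append(("overlap", f"management subnet {net} overlaps {name} ({other})"))

    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            findings.append(("gateway-off-subnet", f"{gw} is not inside {net}"))
        elif gw == mgmt.ip:
            findings.append(("gateway-is-self", "gateway equals the management address"))

    return findings


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real device.
    interfaces = {"router 1/3": "10.0.0.1/16", "loopback 1": "10.255.0.1/32"}
    for code, detail in check_ip_parameters("10.0.1.10", "255.255.255.0", "10.0.2.1", interfaces):
        print(code, "-", detail)
```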
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
1.3 Software
[ Basic Settings > Software ]
This dialog lets you update the device software and display information about the device software.
You also have the option to restore a backup of the device software saved in the device.
Note: Before updating the device software, follow the version-specific notes in the Readme text file.
Version
Stored version
Displays the version number and creation date of the device software stored in the flash memory.
The device loads the device software during the next restart.
Running version
Displays the version number and creation date of the device software that the device loaded during
the last restart and is currently running.
Backup version
Displays the version number and creation date of the device software saved as a backup in the
flash memory. The device copied this device software into the backup memory during the last
software update or after you clicked the Restore button.
Restore
Restores the device software saved as a backup. In the process, the device changes the Stored
version and the Backup version of the device software.
Upon restart, the device loads the Stored version.
Bootcode
Displays the version number and creation date of the boot code.
Software update
Alternatively, when the image file is located in the external memory, the device lets you update the
device software by right-clicking in the table.
URL
Specifies the path and the file name of the image file with which you update the device software.
The device gives you the following options for updating the device software:
 Software update from the PC
When the file is located on your PC or on a network drive, drag and drop the file in the
area. Alternatively click in the area to select the file.
 Software update from an FTP server
When the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Software update from a TFTP server
When the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Software update from an SCP or SFTP server
When the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Updates the device software.
The device installs the selected file in the flash memory, replacing the previously saved device
software. Upon restart, the device loads the installed device software.
The device copies the existing software into the backup memory.
To remain logged in to the device during the software update, move the mouse pointer
occasionally. Alternatively, specify a sufficiently high value in the Device Security > Management
Access > Web dialog, field Web interface session timeout [min] before the software update.
Table
File location
Displays the storage location of the device software.
Possible values:
 ram
Volatile memory of the device
 flash
Non-volatile memory (NVM) of the device
 sd-card
External SD memory (ACA31)
Index
Displays the index of the device software.
For the device software in the flash memory, the index has the following meaning:
 1
Upon restart, the device loads this device software.
 2
The device copied this device software into the backup area during the last software update.
File name
Displays the device-internal file name of the device software.
Firmware
Displays the version number and creation date of the device software.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
1.4 Load/Save
[ Basic Settings > Load/Save ]
This dialog lets you save the device settings permanently in a configuration profile.
The device can hold several configuration profiles. When you activate an alternative configuration
profile, you change to other device settings. You have the option of exporting the configuration
profiles to your PC or to a server. You also have the option of importing the configuration profiles
from your PC or from a server to the device.
In the default setting, the device saves the configuration profiles unencrypted. If you enter a
password in the Configuration encryption frame, then the device saves both the current and the future
configuration profiles in an encrypted format.
Unintentional changes to the settings can terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function before
changing any settings. If the connection is lost, then the device loads the configuration profile saved
in the non-volatile memory (NVM) after the specified time.
External memory
Selected external memory
Displays the type of the external memory.
Possible values:
 sd
External SD memory (ACA31)
Status
Displays the operating state of the external memory.
Possible values:
 notPresent
No external memory connected.
 removed
Someone has removed the external memory from the device during operation.
 ok
The external memory is connected and ready for operation.
 outOfMemory
The memory space is occupied in the external memory.
 genericErr
The device has detected an error.
Configuration encryption
Active
Displays whether the configuration encryption is active/inactive in the device.
Possible values:
 marked
The configuration encryption is active.
If the configuration profile is encrypted and the password matches the password stored in the
device, then the device loads a configuration profile from the non-volatile memory (NVM).
 unmarked
The configuration encryption is inactive.
The device loads a configuration profile from the non-volatile memory (NVM) only if the
configuration profile is unencrypted.
If in the Basic Settings > External Memory dialog, the Config priority column has the value first and
the configuration profile is unencrypted, then the Security status frame in the Basic Settings > System
dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify
whether the device monitors the Load unencrypted config from external memory parameter.
Set password
Opens the Set password window that helps you to enter the password needed for the configuration
profile encryption. Encrypting the configuration profiles makes unauthorized access more difficult.
 When you are changing an existing password, enter the existing password in the Old password
field. To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
 In the New password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
 Mark the Save configuration afterwards checkbox to use encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: Use this function only if a maximum of 1 configuration profile is stored in the non-volatile
memory (NVM) of the device. Before creating additional configuration profiles, decide for or
against permanently activated configuration encryption in the device. Save additional configuration
profiles either unencrypted or encrypted with the same password.
If you are replacing a device with an encrypted configuration profile, for example due to a defect,
then you proceed as follows:
 Restart the new device and assign the IP parameters.
 Open the Basic Settings > Load/Save dialog on the new device.
 Encrypt the configuration profile in the new device. See above. Enter the same password you
used in the defective device.
 Install the external memory from the defective device in the new device.
 Restart the new device.
When you restart the device, the device loads the configuration profile with the settings of the
defective device from the external memory. The device copies the settings into the volatile
memory (RAM) and into the non-volatile memory (NVM).
Delete
Opens the Delete window which helps you to cancel the configuration encryption in the device.
 In the Old password field, enter the existing password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
 Mark the Save configuration afterwards checkbox to remove the encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: If you keep additional encrypted configuration profiles in the memory, then the device helps
prevent you from activating or designating these configuration profiles as "Selected".
Information
NVM in sync with running config
Displays whether the configuration profile in the volatile memory (RAM) and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
 marked
The configuration profiles are the same.
 unmarked
The configuration profiles differ.
External memory in sync with NVM
Displays whether the "Selected" configuration profile in the external memory and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
 marked
The configuration profiles are the same.
 unmarked
The configuration profiles differ.
Possible causes:
– No external memory is connected to the device.
– In the Basic Settings > External Memory dialog, the Backup config when saving function is
disabled.
Backup config on a remote server when saving
Operation
Enables/disables the Backup config on a remote server when saving function.
Possible values:
 Enabled
The Backup config on a remote server when saving function is enabled.
When you save the configuration profile in the non-volatile memory (NVM), the device
automatically backs up the configuration profile on the remote server specified in the URL field.
 Disabled (default setting)
The Backup config on a remote server when saving function is disabled.
URL
Specifies path and file name of the backed up configuration profile on the remote server.
Possible values:
 Alphanumeric ASCII character string with 0..128 characters
Example: tftp://192.9.200.1/cfg/config.xml
The device supports the following wildcards:
– %d
System date in the format YYYY-mm-dd
– %t
System time in the format HH_MM_SS
– %i
IP address of the device
– %m
MAC address of the device in the format AA-BB-CC-DD-EE-FF
– %p
Product name of the device
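The wildcards decide whether each device and each save gets its own file on the backup server. The following added example (not part of the manual and not Hirschmann code) expands a URL template the way the list above describes and reports which devices would share one target. The device list, the product name and the function names are constructed for illustration.

```python
import re
from datetime import datetime

MAX_URL_LEN = 128  # the URL field accepts 0..128 ASCII characters


def expand_backup_url(template, now, ip, mac, product):
    """Expand %d %t %i %m %p using the formats given in the manual."""
    if len(template) > MAX_URL_LEN or not template.isascii():
        raise ValueError("URL must be an ASCII string with 0..128 characters")
    values = {
        "%d": now.strftime("%Y-%m-%d"),        # YYYY-mm-dd
        "%t": now.strftime("%H_%M_%S"),        # HH_MM_SS
        "%i": ip,
        "%m": mac.upper().replace(":", "-"),   # AA-BB-CC-DD-EE-FF
        "%p": product,
    }
    # Single pass, so text inserted for one wildcard is never expanded again.
    return re.sub(r"%[dtimp]", lambda m: values[m.group(0)], template)


def shared_targets(template, devices, now):
    """Return {expanded URL: [device names]} for URLs used by more than one device."""
    targets = {}
    for dev in devices:
        url = expand_backup_url(template, now, dev["ip"], dev["mac"], dev["product"])
        targets.setdefault(url, []).append(dev["name"])
    return {url: names for url, names in targets.items() if len(names) > 1}


def same_target_every_save(template):
    """True if the template has no date or time wildcard, so the path never changes."""
    return "%d" not in template and "%t" not in template


# Constructed inventory: two devices of the same product type.
DEVICES = [
    {"name": "switch-a", "ip": "192.0.2.21", "mac": "aa:bb:cc:dd:ee:01", "product": "RSP-EXAMPLE"},
    {"name": "switch-b", "ip": "192.0.2.22", "mac": "aa:bb:cc:dd:ee:02", "product": "RSP-EXAMPLE"},
]

if __name__ == "__main__":
    now = datetime(2019, 12, 5, 14, 3, 9)
    for template in ("tftp://192.9.200.1/cfg/config.xml",
                     "tftp://192.9.200.1/cfg/%p.xml",
                     "tftp://192.9.200.1/cfg/%p_%m_%d_%t.xml"):
        print(template)
        print("  shared by:", shared_targets(template, DEVICES, now) or "no devices")
        print("  same path on every save:", same_target_every_save(template))
```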
Set credentials
Opens the Credentials window which helps you to enter the credentials needed to authenticate on
the remote server.
 In the User name field, enter the user name.
To display the user name in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters
 In the Password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
 Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
a..z
A..Z
0..9
!#$%&'()*+,-./:;<=>?@[\\]^_`{}~
Undo configuration modifications
Operation
Enables/disables the Undo configuration modifications function. Using the function, the device
continuously checks whether it can still be reached from the IP address of the user’s PC. If the
connection is lost, after a specified time period the device loads the “Selected” configuration profile
from the non-volatile memory (NVM). Afterwards, the device can be accessed again.
Possible values:
 On
The function is enabled.
– You specify the time period between the interruption of the connection and the loading of the
configuration profile in the field Timeout [s] to recover after connection loss.
– When the non-volatile memory (NVM) contains multiple configuration profiles, the device
loads the configuration profile designated as “Selected”.
 Off (default setting)
The function is disabled.
Disable the function again before you close the Graphical User Interface. You thus help prevent
the device from restoring the configuration profile designated as “Selected”.
Note: Before you enable the function, save the settings in the configuration profile. Current
changes, that are saved temporarily, are therefore maintained in the device.
Timeout [s] to recover after connection loss
Specifies the time in seconds after which the device loads the “Selected” configuration profile from
the non-volatile memory (NVM) if the connection is lost.
Possible values:
 30..600 (default setting: 600)
Specify a sufficiently large value. Take into account the time when you are viewing the dialogs of
the Graphical User Interface without changing or updating them.
Watchdog IP address
Displays the IP address of the PC on which you have enabled the function.
Possible values:
 IPv4 address
(default setting: 0.0.0.0)
Table
Storage type
Displays the storage location of the configuration profile.
Possible values:
 RAM (volatile memory of the device)
In the volatile memory, the device stores the settings for the current operation.
 NVM (non-volatile memory of the device)
When applying the function Undo configuration modifications or during a restart, the device loads
the “Selected” configuration profile from the non-volatile memory.
The non-volatile memory provides space for multiple configuration profiles, depending on the
number of settings saved in the configuration profile. The device manages a maximum of 20
configuration profiles in the non-volatile memory.
You can load a configuration profile into the volatile memory (RAM):
 In the table, highlight the configuration profile.
 Click the button and then the Activate item.
 ENVM (external memory)
In the external memory, the device saves a backup copy of the “Selected” configuration profile.
The prerequisite is that in the Basic Settings > External Memory dialog you mark the Backup config
when saving checkbox.
Profile name
Displays the name of the configuration profile.
Possible values:
 running-config
Name of the configuration profile in the volatile memory (RAM).
 config
Name of the factory setting configuration profile in the non-volatile memory (NVM).
 User-defined name
The device lets you save a configuration profile with a user-specified name by highlighting an
existing configuration profile in the table, clicking the button and then the Save As.. item.
To export the configuration profile as an XML file on your PC, click the link. Then you select the
storage location and specify the file name.
To save the file on a remote server, click the button and then the Export... item.
Modification date (UTC)
Displays the time (UTC) at which a user last saved the configuration profile.
Selected
Displays whether the configuration profile is designated as “Selected”.
Possible values:
 marked
The configuration profile is designated as “Selected”.
– When applying the function Undo configuration modifications or during a restart, the device
loads the configuration profile into the volatile memory (RAM).
– When you click the button, the device saves the temporarily saved settings in this
configuration profile.
 unmarked
Another configuration profile is designated as “Selected”.
To designate another configuration profile as “Selected”, you highlight the desired configuration
profile in the table, click the button and then the Activate item.
Encrypted
Displays whether the configuration profile is encrypted.
Possible values:
 marked
The configuration profile is encrypted.
 unmarked
The configuration profile is unencrypted.
You activate/deactivate the encryption of the configuration profile in the Configuration encryption
frame.
Encryption verified
Displays whether the password of the encrypted configuration profile matches the password stored
in the device.
Possible values:
 marked
The passwords match. The device is able to unencrypt the configuration profile.
 unmarked
The passwords are different. The device is unable to unencrypt the configuration profile.
Software version
Displays the version number of the device software that the device ran while saving the
configuration profile.
Fingerprint
Displays the checksum saved in the configuration profile.
When saving the settings, the device calculates the checksum and inserts it into the configuration
profile.
Fingerprint verified
Displays whether the checksum saved in the configuration profile is valid.
The device calculates the checksum of the configuration profile marked as “Selected” and
compares it with the checksum saved in this configuration profile.
Possible values:
 marked
The calculated and the saved checksum match.
The saved settings are consistent.
 unmarked
The following applies to the configuration profile marked as “Selected”:
The calculated and the saved checksum are different.
The configuration profile contains modified settings.
Possible causes:
– The file is damaged.
– The file system in the external memory is inconsistent.
– A user has exported the configuration profile and changed the XML file outside the device.
For the other configuration profiles the device has not calculated the checksum.
The device verifies the checksum correctly only if the configuration profile has been saved before
as follows:
• on an identical device
• with the same software version, which the device is running
• with a lower or the same level of the device software
such as HiOS-2A or HiOS-3S on a device which runs HiOS-3S
Note: This function identifies changes to the settings in the configuration profile. The function does
not provide protection against operating the device with modified settings.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Removes the configuration profile highlighted in the table from the non-volatile memory (NVM) or
from the external memory.
If the configuration profile is designated as "Selected", then the device helps prevent you from
removing the configuration profile.
Save As..
Copies the configuration profile highlighted in the table and saves it with a user-specified name in
the non-volatile memory (NVM). The device designates the new configuration profile as “Selected”.
Note: Before creating additional configuration profiles, decide for or against permanently activated
configuration encryption in the device. Save additional configuration profiles either unencrypted or
encrypted with the same password.
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column
is marked, then the device designates the configuration profile of the same name in the external
memory as “Selected”.
Activate
Loads the settings of the configuration profile highlighted in the table to the volatile memory (RAM).
 The device terminates the connection to the Graphical User Interface.
 Reload the Graphical User Interface.
 Login again.
 The device immediately uses the settings of the configuration profile on the fly.
Enable the Undo configuration modifications function before you activate another configuration profile.
If the connection is lost afterwards, then the device loads the last configuration profile designated
as “Selected” from the non-volatile memory (NVM). The device can then be accessed again.
If the configuration encryption is inactive, then the device loads an unencrypted configuration
profile. If the configuration encryption is active and the password matches the password stored in
the device, then the device loads an encrypted configuration profile.
When you activate an older configuration profile, the device takes over the settings of the functions
contained in this software version. The device sets the values of new functions to their default
value.
Select
Designates the configuration profile highlighted in the table as “Selected”. In the Selected column,
the checkbox is then marked.
When applying the function Undo configuration modifications or during a restart, the device loads the
settings of this configuration profile to the volatile memory (RAM).
 If the configuration encryption in the device is disabled, then designate only an unencrypted
configuration profile as “Selected”.
 If the configuration encryption in the device is enabled, then designate only an encrypted
configuration profile whose password matches the password saved in the device as
“Selected”.
Otherwise, the device is unable to load and encrypt the settings in the configuration profile the next
time it restarts. For this case you specify in the Diagnostics > System > Selftest dialog whether the
device starts with the default settings or terminates the restart and stops.
Note: You only mark the configuration profiles saved in the non-volatile memory (NVM).
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column
is marked, then the device designates the configuration profile of the same name in the external
memory as “Selected”.
Import...
Opens the Import... window to import a configuration profile.
The prerequisite is that you have exported the configuration profile using the Export... button or
using the link in the Profile name column.
 In the Select source drop-down list, select from where the device imports the configuration profile.
 PC/URL
The device imports the configuration profile from the local PC or from a remote server.
 External memory
The device imports the configuration profile from the external memory.
 When PC/URL is selected above, in the Import profile from PC/URL frame you specify the
configuration profile file to be imported.
– Import from the PC
When the file is located on your PC or on a network drive, drag and drop the file in the
area. Alternatively click in the area to select the file.
– Import from an FTP server
When the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
– Import from a TFTP server
When the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
– Import from an SCP or SFTP server
When the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
 When External memory is selected above, in the Import profile from external memory frame you
specify the configuration profile file to be imported.
In the Profile name drop-down list, select the name of the configuration profile to be imported.
 In the Destination frame you specify where the device saves the imported configuration profile.
In the Profile name field you specify the name under which the device saves the configuration
profile.
In the Storage type field you specify the storage location for the configuration profile. The
prerequisite is that in the Select source drop-down list you have selected the value PC/URL.
 RAM
The device saves the configuration profile in the volatile memory (RAM) of the device. This
replaces the running-config, and the device uses the settings of the imported configuration
profile immediately. The device terminates the connection to the Graphical User Interface.
Reload the Graphical User Interface. Login again.
 NVM
The device saves the configuration profile in the non-volatile memory (NVM) of the device.
When you import a configuration profile, the device takes over the settings as follows:
• If the configuration profile was exported on the same device or on an identically equipped device
of the same type, then:
The device takes over the settings completely.
• If the configuration profile was exported on another device, then:
The device takes over the settings which it can interpret based on its hardware equipment and
software level.
The remaining settings the device takes over from its running-config configuration profile.
Regarding configuration profile encryption, also read the help text of the Configuration encryption
frame. The device imports a configuration profile under the following conditions:
• The configuration encryption of the device is inactive. The configuration profile is unencrypted.
• The configuration encryption of the device is active. The configuration profile is encrypted with
the same password that the device currently uses.
Export...
Exports the configuration profile highlighted in the table and saves it as an XML file on a remote
server.
To save the file on your PC, click the link in the Profile name column to select the storage location
and specify the file name.
The device gives you the following options for exporting a configuration profile:
 Export to an FTP server
To save the file on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Export to a TFTP server
To save the file on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Export to an SCP or SFTP server
To save the file on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Ok button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Load running-config as script
Imports a script file which modifies the current running config configuration profile.
The device gives you the following options to import a script file:
 Import from the PC
When the file is located on your PC or on a network drive, drag and drop the file in the
area. Alternatively click in the area to select the file.
 Import from an FTP server
When the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Import from a TFTP server
When the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
When the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
scp:// or sftp://<IP address>/<path>/<file name>
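The URL forms accepted for software update, profile import and export, and script import differ in what they expose on the network: FTP and TFTP transfer the file unencrypted, TFTP has no login at all, and the forms with <user>:<password>@ place the password in the URL itself. The following added example (not part of the manual and not Hirschmann code) classifies such a URL and returns a copy with the password masked for use in logs and tickets. The finding labels, the function name and the sample URLs are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# General properties of the four transfer protocols the dialogs accept.
SCHEMES = {
    "ftp":  {"encrypted": False, "login": True},
    "tftp": {"encrypted": False, "login": False},
    "scp":  {"encrypted": True,  "login": True},
    "sftp": {"encrypted": True,  "login": True},
}


@dataclass
class UrlAudit:
    scheme: str
    host: str
    redacted: str                      # URL with the password masked
    findings: list = field(default_factory=list)


def audit_transfer_url(url):
    """Classify one transfer URL and return a UrlAudit.

    Passwords containing '/', '?', '#' or '@' must be percent-encoded for
    urlsplit; how the device itself treats them is not stated in the manual.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no server address")
    props = SCHEMES[scheme]

    # Rebuild the authority part so that the password never reaches a log.
    host = parts.hostname
    netloc = f"[{host}]" if ":" in host else host
    if parts.port is not None:
        netloc += f":{parts.port}"
    if parts.username is not None:
        mask = ":***" if parts.password is not None else ""
        netloc = f"{parts.username}{mask}@{netloc}"
    redacted = f"{scheme}://{netloc}{parts.path}"

    findings = []
    if not props["encrypted"]:
        findings.append("cleartext-transfer")          # image or config readable in transit
    if not props["login"]:
        findings.append("no-login")                    # server does not authenticate the client
    if parts.password is not None:
        findings.append("password-in-url")             # visible in the dialog field and in notes
        if not props["encrypted"]:
            findings.append("password-sent-in-cleartext")
    return UrlAudit(scheme, host, redacted, findings)


# Constructed sample URLs in the forms listed above (documentation addresses).
SAMPLES = [
    "ftp://backup:Example-Pw1@192.0.2.10:21/rsp.bin",
    "tftp://192.0.2.10/fw/rsp.bin",
    "sftp://192.0.2.10/fw/rsp.bin",
    "scp://admin:Example-Pw1@192.0.2.10/cfg/config.xml",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_transfer_url(sample)
        print(result.redacted, "->", ", ".join(result.findings) or "no findings")
```

The scp:// and sftp:// forms without credentials produce no findings, because the device then asks for User name and Password in the Credentials window instead of reading them from the URL.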
Save running-config as script
Saves the running config configuration profile as a script file on the local PC. This lets you
back up your current device settings or use them on various devices.
Back to factory...
Resets the settings in the device to the default values.
 The device deletes the saved configuration profiles from the volatile memory (RAM) and from the
non-volatile memory (NVM).
 The device deletes the HTTPS certificate used by the web server in the device.
 The device deletes the RSA key (Host Key) used by the SSH server in the device.
 When an external memory is connected, the device deletes the configuration profiles saved in
the external memory.
 After a brief period, the device reboots and loads the default values.
Back to default
Deletes the current operating (running config) settings from the volatile memory (RAM).
1.5 External Memory
[ Basic Settings > External Memory ]
This dialog lets you activate functions that the device automatically executes in combination with
the external memory. The dialog also displays the operating state and identifying characteristics of
the external memory.
Table
Type
Displays the type of the external memory.
Possible values:
 sd
External SD memory (ACA31)
Status
Displays the operating state of the external memory.
Possible values:
 notPresent
No external memory connected.
 removed
Someone has removed the external memory from the device during operation.
 ok
The external memory is connected and ready for operation.
 outOfMemory
The memory space is occupied in the external memory.
 genericErr
The device has detected an error.
Writable
Displays whether the device has write access to the external memory.
Possible values:
 marked
The device has write access to the external memory.
 unmarked
The device has read-only access to the external memory. Possibly the write protection is
activated in the external memory.
Software auto update
Activates/deactivates the automatic device software update during the restart.
Possible values:
 marked (default setting)
The automatic device software update during the restart is activated. The device updates the
device software when the following files are located in the external memory:
– the image file of the device software
– a text file "startup.txt" with the content autoUpdate=<image_file_name>.bin
 unmarked
The automatic device software update during the restart is deactivated.
SSH key auto upload
Activates/deactivates the loading of the RSA key from an external memory upon restart.
Possible values:
 marked (default setting)
The loading of the RSA key is activated.
During a restart, the device loads the RSA key from the external memory when the following
files are located in the external memory:
– SSH RSA key file
– a text file “startup.txt” with the content
autoUpdateRSA=<filename_of_the_SSH_RSA_key>
The device displays messages on the system console of the serial interface.
 unmarked
The loading of the RSA key is deactivated.
Note: When loading the RSA key from the external memory (ENVM), the device overwrites the
existing keys in the non-volatile memory (NVM).
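Software auto update and SSH key auto upload are both marked in the default setting, so a startup.txt file on the external memory determines what the device does at its next restart. The following added example (not part of the manual and not Hirschmann code) inspects a mounted external memory before it goes into a device and lists which of the two directives are present and whether the file each one names is on the card. It assumes one key=value pair per line in startup.txt; the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Directive names as given in the manual, mapped to the External Memory
# function (checkbox) that acts on them during a restart.
DIRECTIVES = {
    "autoUpdate": "Software auto update",
    "autoUpdateRSA": "SSH key auto upload",
}


def parse_startup_txt(text):
    """Return {directive: file name}. Assumption: one key=value pair per line."""
    found = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        key = key.strip()
        if sep and key in DIRECTIVES:
            found[key] = value.strip()
    return found


def audit_external_memory(root):
    """List the restart-time actions that the card mounted at `root` requests."""
    startup = os.path.join(root, "startup.txt")
    if not os.path.isfile(startup):
        return []
    with open(startup, encoding="utf-8", errors="replace") as fh:
        directives = parse_startup_txt(fh.read())

    report = []
    for key, name in sorted(directives.items()):
        # Only a plain file name is looked up, so the check stays on the card.
        plain_name = name != "" and name == os.path.basename(name)
        present = plain_name and os.path.isfile(os.path.join(root, name))
        notes = []
        if not plain_name:
            notes.append("file name is empty or contains a path")
        if key == "autoUpdate" and not name.endswith(".bin"):
            notes.append("image file name does not end in .bin")
        report.append({
            "function": DIRECTIVES[key],
            "directive": key,
            "file": name,
            # Directive and file are both on the card; the device acts on
            # them only while the matching checkbox is marked.
            "files_complete": bool(present),
            "notes": notes,
        })
    return report


def build_sample_card(root):
    """Constructed sample card: placeholder names, no real image or key."""
    with open(os.path.join(root, "startup.txt"), "w", encoding="utf-8") as fh:
        fh.write("autoUpdate=example-image.bin\n")
        fh.write("autoUpdateRSA=example-hostkey.pem\n")
    with open(os.path.join(root, "example-image.bin"), "wb") as fh:
        fh.write(b"\x00" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        for entry in audit_external_memory(card):
            print(entry)
```

An entry with files_complete set for autoUpdateRSA deserves particular attention, because loading the key from the external memory overwrites the existing keys in the non-volatile memory (NVM).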
Config priority
Specifies the memory from which the device loads the configuration profile upon reboot.
Possible values:
 disable
The device loads the configuration profile from the non-volatile memory (NVM).
 first
The device loads the configuration profile from the external memory.
When the device does not find a configuration profile in the external memory, it loads the
configuration profile from the non-volatile memory (NVM).
Note: When loading the configuration profile from the external memory (ENVM), the device
overwrites the settings of the Selected configuration profile in the non-volatile memory (NVM).
If the Config priority column has the value first and the configuration profile is unencrypted, then
the Security status frame in the Basic Settings > System dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify
whether the device monitors the Load unencrypted config from external memory parameter.
Backup config when saving
Activates/deactivates creating a copy of the configuration profile in the external memory.
Possible values:
 marked (default setting)
Creating a copy is activated. When you click in the Basic Settings > Load/Save dialog the Save
button, the device generates a copy of the configuration profile on the active external memory.
 unmarked
Creating a copy is deactivated. The device does not generate a copy of the configuration profile.
Manufacturer ID
Displays the name of the memory manufacturer.
Revision
Displays the revision number specified by the memory manufacturer.
Version
Displays the version number specified by the memory manufacturer.
Name
Displays the product name specified by the memory manufacturer.
Serial number
Displays the serial number specified by the memory manufacturer.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
1.6 Port
[ Basic Settings > Port ]
This dialog lets you specify settings for the individual ports. The dialog also displays the operating
mode, connection status, bit rate and duplex mode for every port.
The dialog contains the following tabs:
 [Configuration]
 [Statistics]
 [Utilization]
[Configuration]
Table
Port
Displays the port number.
Name
Name of the port.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
The following characters are allowed:
– <space>
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
Port on
Activates/deactivates the port.
Possible values:
 marked (default setting)
The port is active.
 unmarked
The port is inactive. The port does not send or receive any data.
State
Displays whether the port is currently physically enabled or disabled.
Possible values:
 marked
The port is physically enabled.
 unmarked
The port is physically disabled.
If the port is physically disabled although the Port on function is active, then the Auto-Disable function has disabled the port.
You specify the settings of the Auto-Disable function in the Diagnostics > Ports > Auto-Disable
dialog.
Power state (port off)
Specifies whether the port is physically switched on or off when you deactivate the port with the
Port on function.
Possible values:
 marked
The port remains physically enabled. A connected device receives an active link.
 unmarked (default setting)
The port is physically disabled.
Auto power down
Specifies how the port behaves when no cable is connected.
Possible values:
 no-power-save (default setting)
The port remains activated.
 auto-power-down
The port changes to the energy-saving mode.
 unsupported
The port does not support this function and remains activated.
Automatic configuration
Activates/deactivates the automatic selection of the operating mode for the port.
Possible values:
 marked (default setting)
The automatic selection of the operating mode is active.
The port negotiates the operating mode independently using autonegotiation and detects the
devices connected to the TP port automatically (Auto Cable Crossing). This setting has priority
over the manual setting of the port.
It takes several seconds until the port has set the operating mode.
 unmarked
The automatic selection of the operating mode is inactive.
The port operates with the values you specify in the Manual configuration column and in the
Manual cable crossing (Auto. conf. off) column.
 Grayed-out display
No automatic selection of the operating mode.
Manual configuration
Specifies the operating mode of the ports when the Automatic configuration function is disabled.
Possible values:
 10 Mbit/s HDX
Half duplex connection
 10 Mbit/s FDX
Full duplex connection
 100 Mbit/s HDX
Half duplex connection
 100 Mbit/s FDX
Full duplex connection
 1000 Mbit/s FDX
Full duplex connection
Note: The operating modes of the port actually available depend on the device configuration.
Link/Current settings
Displays the operating mode which the port currently uses.
Possible values:
 –
No cable connected, no link.
 10 Mbit/s HDX
Half duplex connection
 10 Mbit/s FDX
Full duplex connection
 100 Mbit/s HDX
Half duplex connection
 100 Mbit/s FDX
Full duplex connection
 1000 Mbit/s FDX
Full duplex connection
Note: The operating modes of the port actually available depend on the device configuration.
Manual cable crossing (Auto. conf. off)
Specifies the devices connected to a TP port.
The prerequisite is that the Automatic configuration function is disabled.
Possible values:
 mdi
The device interchanges the send- and receive-line pairs on the port.
 mdix (default setting on TP ports)
The device helps prevent the interchange of the send- and receive-line pairs on the port.
 auto-mdix
The device detects the send and receive line pairs of the connected device and automatically
adapts to them.
Example: When you connect an end device with a crossed cable, the device automatically
resets the port from mdix to mdi.
 unsupported (default setting on optical ports or TP-SFP ports)
The port does not support this function.
Flow control
Activates/deactivates the flow control on the port.
Possible values:
 marked (default setting)
The Flow control on the port is active.
The sending and evaluating of pause packets (full-duplex operation) or collisions (half-duplex
operation) is activated on the port.
 To enable the flow control in the device, also activate the Flow control function in the
Switching > Global dialog.
 Activate the flow control also on the port of the device that is connected to this port.
On an uplink port, activating the flow control can possibly cause undesired sending breaks in
the higher-level network segment (“wandering backpressure”).
 unmarked
The Flow control on the port is inactive.
If you are using a redundancy function, then you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, it is possible that
the redundancy function operates differently than intended.
Send trap (Link up/down)
Activates/deactivates the sending of SNMP traps when the device detects changes in the
link up/down status for this port.
Possible values:
 marked (default setting)
The sending of SNMP traps is active.
When the device detects a link up/down status change, the device sends an SNMP trap.
 unmarked
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
MTU
Specifies the maximum allowed size of Ethernet packets on the port in bytes.
Possible values:
 1518..12288 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting lets you increase the size of the Ethernet packets for specific applications. The
following list contains possible applications:
 When you use the PRP redundancy protocol, it is possible that you require an MTU that is larger
by 6 bytes. (depends on hardware)
 When you use the device in the transfer network with double VLAN tagging, it is possible that
you require an MTU that is larger by 4 bytes.
On other interfaces, you specify the maximum permissible size of the Ethernet packets as follows:
• Router interfaces
Routing > Interfaces > Configuration dialog, MTU value column
• HSR interfaces (depends on hardware)
Switching > L2-Redundancy > HSR > Configuration dialog, Configuration frame, MTU field
• PRP interfaces (depends on hardware)
Switching > L2-Redundancy > PRP > Configuration dialog, Configuration frame, MTU field
• Link Aggregation interfaces
Switching > L2-Redundancy > Link Aggregation dialog, MTU column
Signal
Activates/deactivates the port LED flashing. This function lets you identify the port in the field.
Possible values:
 marked
The flashing of the port LED is active.
The port LED flashes until you disable the function again.
 unmarked (default setting)
The flashing of the port LED is inactive.
Link monitoring
Activates/deactivates the Link monitoring function on the interface.
Use the Link monitoring function for end devices that do not support Far End Fault Indication (FEFI)
on optical links.
Possible values:
 marked
The Link monitoring function is active.
If the device recognizes an established link, then the port LED illuminates. If the device
recognizes that a link has been lost, then the port LED extinguishes.
 unmarked (default setting)
The Link monitoring function is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Clear port statistics
Resets the counter for the port statistics to 0.
[Statistics]
This tab displays the following overview per port:
 Number of data packets/bytes received in the device
– Received packets
– Received octets
– Received unicast packets
– Received multicast packets
– Received broadcast packets
 Number of data packets/bytes sent from the device
– Transmitted packets
– Transmitted octets
– Transmitted unicast packets
– Transmitted multicast packets
– Transmitted broadcast packets
 Number of errors detected by the device
– Received fragments
– Detected CRC errors
– Detected collisions
 Number of data packets per size category received on the device
– Packets 64 bytes
– Packets 65 to 127 bytes
– Packets 128 to 255 bytes
– Packets 256 to 511 bytes
– Packets 512 to 1023 bytes
– Packets 1024 to 1518 bytes
 Number of data packets discarded by the device
– Received discards
– Transmitted discards
To sort the table by a specific criterion, click the header of the corresponding column.
For example, to sort the table based on the number of received bytes in ascending order, click the
header of the Received octets column once. To sort in descending order, click the header again.
To reset the counter for the port statistics in the table to 0, proceed as follows:
 In the Basic Settings > Port dialog, click the
button and then the Clear port statistics item.
or
 In the Basic Settings > Restart dialog, click the Clear port statistics button.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Clear port statistics
Resets the counter for the port statistics to 0.
[Utilization]
This tab displays the utilization (network load) for the individual ports.
Table
Port
Displays the port number.
Utilization [%]
Displays the current utilization in percent in relation to the time interval specified in the Control
interval [s] column.
The utilization is the relationship of the received data quantity to the maximum possible data
quantity at the currently configured data rate.
Lower threshold [%]
Specifies a lower threshold for the utilization. If the utilization of the port falls below this value, then
the Alarm column displays an alarm.
Possible values:
 0.00..100.00
(default setting: 0.00)
The value 0 deactivates the lower threshold.
Upper threshold [%]
Specifies an upper threshold for the utilization. If the utilization of the port exceeds this value, then
the Alarm column displays an alarm.
Possible values:
 0.00..100.00
(default setting: 0.00)
The value 0 deactivates the upper threshold.
Control interval [s]
Specifies the interval in seconds.
Possible values:
 1..3600 (default setting: 30)
Alarm
Displays the utilization alarm status.
Possible values:
 marked
The utilization of the port is below the value specified in the Lower threshold [%] column or above
the value specified in the Upper threshold [%] column. The device sends an SNMP trap.
 unmarked
The utilization of the port is above the value specified in the Lower threshold [%] column and below
the value specified in the Upper threshold [%] column.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Clear port statistics
Resets the counter for the port statistics to 0.
1.7 Restart
[ Basic Settings > Restart ]
This dialog lets you restart the device, reset port counters and address tables, and delete log files.
Restart
Restart in
Displays the remaining time until the device restarts.
To update the display of the remaining time, click the
button.
Cancel
Aborts a delayed restart.
Cold start...
Opens the Restart dialog to initiate an immediate or delayed restart of the device.
If the configuration profile in the volatile memory (RAM) and the "Selected" configuration profile in
the non-volatile memory (NVM) differ, then the device displays the Warning dialog.
 To permanently save the changes, click the Yes button in the Warning dialog.
 To discard the changes, click No in the Warning dialog.
 In the Restart in field you specify the delay time for the delayed restart.
Possible values:
– 00:00:00..596:31:23 (default setting: 00:00:00)
When the delay time has elapsed, the device restarts and goes through the following phases:
 If you activate the function in the Diagnostics > System > Selftest dialog, then the device performs
a RAM test.
 The device starts the device software that the Stored version field displays in the Basic Settings >
Software dialog.
 The device loads the settings from the "Selected" configuration profile. See the Basic Settings >
Load/Save dialog.
Note: During the restart, the device does not transfer any data. During this time, the device cannot
be accessed by the Graphical User Interface or other management systems.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset MAC address table
Removes from the forwarding table the MAC addresses that have the value learned in the Status
column of the Switching > Filter for MAC Addresses dialog.
Reset ARP table
Removes the dynamically set up addresses from the ARP table.
See the Diagnostics > System > ARP dialog.
Clear port statistics
Resets the counter for the port statistics to 0.
See the Basic Settings > Port dialog, Statistics tab.
Reset IGMP snooping data
Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
See the Switching > IGMP Snooping > Global dialog.
Delete log file
Removes the logged events from the log file.
See the Diagnostics > Report > System Log dialog.
Delete persistent log file
Removes the log files from the external memory.
See the Diagnostics > Report > Persistent Logging dialog.
Clear email notification statistics
Resets the counters in the Information frame to 0.
See the Diagnostics > Email Notification > Global dialog.
2 Time
The menu contains the following dialogs:
 Basic Settings
 SNTP
 PTP
2.1 Basic Settings
[ Time > Basic Settings ]
The device is equipped with a buffered hardware clock. This clock maintains the correct time if the
power supply fails or you disconnect the device from the power supply. After the device is started,
the current time is available to you, for example for log entries.
The hardware clock bridges a power supply downtime of 3 hours. The prerequisite is that the power
supply of the device has been connected continually for at least 5 minutes beforehand.
In this dialog, you specify time-related settings independently of the time synchronization protocol
specified.
The dialog contains the following tabs:
 [Global]
 [Daylight saving time]
[Global]
In this tab, you specify the system time in the device and the time zone.
Configuration
System time (UTC)
Displays the current date and time with reference to Universal Time Coordinated (UTC).
Set time from PC
The device uses the time on the PC as the system time.
System time
Displays the current date and time with reference to the local time:
System time = System time (UTC) + Local offset [min] + Daylight saving time
Time source
Displays the time source from which the device gets the time information.
The device automatically selects the available time source with the greatest accuracy.
Possible values:
 local
System clock of the device.
 sntp
The SNTP client is activated and the device is synchronized by an SNTP server.
 ptp
PTP is activated and the clock of the device is synchronized with a PTP master clock.
Local offset [min]
Specifies the difference between the local time and System time (UTC) in minutes:
Local offset [min] = System time − System time (UTC)
Possible values:
 -780..840 (default setting: 60)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Daylight saving time]
In this tab, you activate the automatic daylight saving time function. You specify the beginning and
the end of summertime using a pre-defined profile, or you specify these settings individually. During
summertime, the device puts the local time forward by 1 hour.
Operation
Daylight saving time
Enables/disables the Daylight saving time mode.
Possible values:
 On
The Daylight saving time mode is enabled.
The device automatically changes between summertime and wintertime.
 Off (default setting)
The Daylight saving time mode is disabled.
The times at which the device changes between summertime and wintertime are specified in the
Summertime begin and Summertime end frames.
Profile...
Displays the Profile... dialog. There you select a pre-defined profile for the beginning and the end of
summertime. This profile overwrites the settings in the Summertime begin and Summertime end
frames.
Summertime begin
In the first 3 fields you specify the day for the beginning of summertime, and in the last field the time.
When the time in the System time field reaches the value entered here, the device switches to
summertime.
Week
Specifies the week in the current month.
Possible values:
 none (default setting)
 first
 second
 third
 fourth
 last
Day
Specifies the day of the week.
Possible values:
 none (default setting)
 Sunday
 Monday
 Tuesday
 Wednesday
 Thursday
 Friday
 Saturday
Month
Specifies the month.
Possible values:
 none (default setting)
 January
 February
 March
 April
 May
 June
 July
 August
 September
 October
 November
 December
System time
Specifies the time.
Possible values:
 <HH:MM> (default setting: 00:00)
Summertime end
In the first 3 fields you specify the day for the end of summertime, and in the last field the time.
When the time in the System time field reaches the value entered here, the device switches to
wintertime.
Week
Specifies the week in the current month.
Possible values:
 none (default setting)
 first
 second
 third
 fourth
 last
Day
Specifies the day of the week.
Possible values:
 none (default setting)
 Sunday
 Monday
 Tuesday
 Wednesday
 Thursday
 Friday
 Saturday
Month
Specifies the month.
Possible values:
 none (default setting)
 January
 February
 March
 April
 May
 June
 July
 August
 September
 October
 November
 December
System time
Specifies the time.
Possible values:
 <HH:MM> (default setting: 00:00)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
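The System time formula and the Summertime begin/end rules of this dialog, worked through in Python as an added example (not Hirschmann code) for lining device log timestamps up against UTC sources. The function names are hypothetical, and the rule (last Sunday of March 02:00 to last Sunday of October 03:00) with a Local offset of 60 minutes is a constructed sample setting.

```python
import calendar
from datetime import date, datetime, time, timedelta

WEEKS = ["first", "second", "third", "fourth"]            # plus "last"
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]                    # order of date.weekday()
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# Constructed sample settings: (Week, Day, Month, System time)
SAMPLE_BEGIN = ("last", "Sunday", "March", "02:00")
SAMPLE_END = ("last", "Sunday", "October", "03:00")


def rule_date(year, week, day, month):
    """Resolve a Week/Day/Month rule (e.g. last Sunday of March) to a date."""
    month_no = MONTHS.index(month) + 1
    wanted = DAYS.index(day)
    last_day = calendar.monthrange(year, month_no)[1]
    hits = [d for d in range(1, last_day + 1)
            if date(year, month_no, d).weekday() == wanted]
    return date(year, month_no,
                hits[-1] if week == "last" else hits[WEEKS.index(week)])


def switch_instant_utc(year, rule, offset_min, dst_before_switch):
    """UTC instant at which System time reaches the rule's date and time."""
    week, day, month, hhmm = rule
    hour, minute = (int(part) for part in hhmm.split(":"))
    local = datetime.combine(rule_date(year, week, day, month),
                             time(hour, minute))
    # Up to the end switch, System time still contains the summertime hour.
    shift = offset_min + (60 if dst_before_switch else 0)
    return local - timedelta(minutes=shift)


def system_time(utc, offset_min, begin, end):
    """Return (System time, summertime active) for a naive UTC datetime.

    Assumption: both switch instants are evaluated in the calendar year of
    the UTC timestamp, which holds unless a rule falls within hours of
    1 January.
    """
    start = switch_instant_utc(utc.year, begin, offset_min, False)
    stop = switch_instant_utc(utc.year, end, offset_min, True)
    if start < stop:                  # summertime lies inside the calendar year
        dst = start <= utc < stop
    else:                             # summertime spans the turn of the year
        dst = not (stop <= utc < start)
    return utc + timedelta(minutes=offset_min + (60 if dst else 0)), dst
```

With these sample settings, the local hour 02:00 to 02:59 occurs twice on the last Sunday of October, so log entries from that hour are only unambiguous when stored or compared in UTC.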
2.2 SNTP
[ Time > SNTP ]
The Simple Network Time Protocol (SNTP) is a procedure described in RFC 4330 for time
synchronization in the network.
The device lets you synchronize the system time in the device as an SNTP client. As the SNTP
server, the device makes the time information available to other devices.
The menu contains the following dialogs:
 SNTP Client
 SNTP Server
2.2.1 SNTP Client
[ Time > SNTP > Client ]
In this dialog, you specify the settings with which the device operates as an SNTP client.
As an SNTP client the device obtains the time information from both SNTP servers and NTP servers
and synchronizes the local clock with the time of the time server.
Operation
Operation
Enables/disables the SNTP Client function of the device.
Possible values:
 On
The SNTP Client function is enabled.
The device operates as an SNTP client.
 Off (default setting)
The SNTP Client function is disabled.
Configuration
Mode
Specifies whether the device actively requests the time information from an SNTP server known and
configured in the network (Unicast mode) or passively waits for the time information from a random
SNTP server (Broadcast mode).
Possible values:
 unicast (default setting)
The device takes the time information only from the configured SNTP server. The device sends
Unicast requests to the SNTP server and evaluates its responses.
 broadcast
The device obtains the time information from one or more SNTP or NTP servers. The device
evaluates the Broadcasts or Multicasts only from these servers.
Request interval [s]
Specifies the interval in seconds at which the device requests time information from the SNTP
server.
Possible values:
 5..3600 (default setting: 30)
Broadcast recv timeout [s]
Specifies the time in seconds a client in broadcast client mode waits before changing the value in
the field from syncToRemoteServer to notSynchronized when the client receives no broadcast
packets.
Possible values:
 128..2048 (default setting: 320)
Disable client after successful sync
Activates/deactivates the disabling of the SNTP client after the device has successfully
synchronized the time.
Possible values:
 marked
The disabling of the SNTP client is active.
The device deactivates the SNTP client after successful time synchronization.
 unmarked (default setting)
The disabling of the SNTP client is inactive.
The SNTP client remains active after successful time synchronization.
State
State
Displays the status of the SNTP client.
Possible values:
 disabled
The SNTP client is disabled.
 notSynchronized
The SNTP client is not synchronized with any SNTP or NTP server.
 synchronizedToRemoteServer
The SNTP client is synchronized with an SNTP or NTP server.
Table
In the table you specify the settings for up to 4 SNTP servers.
Index
Displays the index number to which the table entry relates.
Possible values:
 1..4
The device automatically assigns this number.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
After starting, the device sends requests to the SNTP server configured in the first table entry. When
the server does not reply, the device sends its requests to the SNTP server configured in the next
table entry.
If none of the configured SNTP servers responds in the meantime, then the SNTP client interrupts
its synchronization. The device cyclically sends requests to each SNTP server until a server delivers
a valid time. The device synchronizes itself with this SNTP server, even if the other servers can be
reached again later.
Name
Specifies the name of the SNTP server.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Address
Specifies the IP address of the SNTP server.
Possible values:
 Valid IPv4 address or Hostname (default setting: 0.0.0.0)
Destination UDP port
Specifies the UDP Port on which the SNTP server expects the time information.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Status
Displays the connection status between the SNTP client and the SNTP server.
Possible values:
 success
The device has successfully synchronized the time with the SNTP server.
 badDateEncoded
The time information received contains protocol errors - synchronization failed.
 other
– The value 0.0.0.0 is entered for the IP address of the SNTP server - synchronization failed.
or
– The SNTP client is using a different SNTP server.
 requestTimedOut
The device has not received a reply from the SNTP server - synchronization failed.
 serverKissOfDeath
The SNTP server is overloaded. The device is requested to synchronize itself with another SNTP
server. When no other SNTP server is available, the device checks at intervals longer than the
setting in the Request interval [s] field, if the server is still overloaded.
 serverUnsychronized
The SNTP server is not synchronized with either a local or an external reference time source -
synchronization failed.
 versionNotSupported
The SNTP versions on the client and the server are incompatible with each other -
synchronization failed.
Active
Activates/deactivates the connection to the SNTP server.
Possible values:
 marked
The connection to the SNTP server is activated.
The SNTP client has access to the SNTP server.
 unmarked (default setting)
The connection to the SNTP server is deactivated.
The SNTP client has no access to the SNTP server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
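The Status values and the server table order described above, as an added Python example (not Hirschmann code): it applies the RFC 4330 sanity checks to a 48-byte reply and walks the table entries in index order. SNTP replies carry no authentication, so these header checks are what a client has to reject a malformed or mismatched reply. The mapping of each check to a Status name is an assumption about how the names are meant, and the function names, addresses and replies are constructed.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800              # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte SNTP header (RFC 4330)


def to_ntp(dt):
    """Encode an aware datetime as a 64-bit NTP timestamp (whole seconds)."""
    return (int(dt.timestamp()) + NTP_UNIX_DELTA) << 32


def build_reply(li=0, vn=4, mode=4, stratum=2, ref_id=b"\0\0\0\0",
                originate=0, transmit=0):
    """Build a constructed server reply for the sample data below."""
    first = (li << 6) | (vn << 3) | mode
    return HEADER.pack(first, stratum, 6, -20, 0, 0, ref_id,
                       0, originate, 0, transmit)


def classify_reply(data, request_transmit, broadcast=False, versions=(3, 4)):
    """Map one reply to a Status value from the table (assumed mapping)."""
    if data is None:
        return "requestTimedOut", None
    if len(data) < HEADER.size:
        return "badDateEncoded", "short packet"
    (first, stratum, _poll, _precision, _delay, _dispersion, ref_id,
     _reference, originate, _receive, transmit) = HEADER.unpack(data[:HEADER.size])
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if vn not in versions:
        return "versionNotSupported", f"VN={vn}"
    if mode != (5 if broadcast else 4):       # 4 = server, 5 = broadcast
        return "badDateEncoded", f"unexpected mode {mode}"
    if stratum == 0:
        # Kiss-o'-Death: the reference ID carries a 4-character ASCII code.
        return "serverKissOfDeath", ref_id.decode("ascii", "replace")
    if li == 3:
        return "serverUnsychronized", "leap indicator 3"
    if transmit == 0:
        return "badDateEncoded", "zero transmit timestamp"
    if not broadcast and originate != request_transmit:
        # A unicast reply must echo the timestamp sent in the request.
        return "badDateEncoded", "originate timestamp mismatch"
    seconds = (transmit >> 32) - NTP_UNIX_DELTA
    fraction = (transmit & 0xFFFFFFFF) / 2**32
    return "success", datetime.fromtimestamp(seconds + fraction, tz=timezone.utc)


def first_usable_server(table, fetch, request_transmit):
    """Try the table entries in index order; stop at the first valid time."""
    statuses = {}
    for index, address in sorted(table):
        status, detail = classify_reply(fetch(address), request_transmit)
        statuses[index] = status
        if status == "success":
            return index, detail, statuses
    return None, None, statuses


# Constructed sample: entry 1 is silent, entry 2 sends a Kiss-o'-Death,
# entries 3 and 4 answer correctly (entry 4 is never asked).
SAMPLE_NONCE = 0x1122334455667788
SAMPLE_TIME = datetime(2019, 12, 5, tzinfo=timezone.utc)
SAMPLE_TABLE = [(1, "192.0.2.1"), (2, "192.0.2.2"),
                (3, "192.0.2.3"), (4, "192.0.2.4")]
SAMPLE_REPLIES = {
    "192.0.2.2": build_reply(li=3, stratum=0, ref_id=b"RATE",
                             originate=SAMPLE_NONCE),
    "192.0.2.3": build_reply(originate=SAMPLE_NONCE,
                             transmit=to_ntp(SAMPLE_TIME)),
    "192.0.2.4": build_reply(originate=SAMPLE_NONCE,
                             transmit=to_ntp(SAMPLE_TIME)),
}
```

In broadcast mode there is no request to echo, so the originate check does not apply and the header checks alone decide whether a reply is accepted.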
2.2.2 SNTP Server
[ Time > SNTP > Server ]
In this dialog, you specify the settings with which the device operates as an SNTP server.
The SNTP server provides the Universal Time Coordinated (UTC) without considering local time
differences.
If the setting is appropriate, then the SNTP server operates in the broadcast mode. In broadcast
mode, the SNTP server automatically sends broadcast messages or multicast messages according
to the broadcast send interval.
Operation
Operation
Enables/disables the SNTP Server function of the device.
Possible values:
 On
The SNTP Server function is enabled.
The device operates as an SNTP server.
 Off (default setting)
The SNTP Server function is disabled.
Note the setting in the Disable server at local time source checkbox in the Configuration frame.
Configuration
UDP port
Specifies the number of the UDP port on which the SNTP server of the device receives requests
from other clients.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast admin mode
Activates/deactivates the Broadcast mode.
 marked
The SNTP server replies to requests from SNTP clients in Unicast mode and also sends SNTP
packets in Broadcast mode as Broadcasts or Multicasts.
 unmarked (default setting)
The SNTP server replies to requests from SNTP clients in the Unicast mode.
Broadcast destination address
Specifies the IP address to which the SNTP server of the device sends the SNTP packets in
Broadcast mode.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Broadcast and Multicast addresses are permitted.
Broadcast UDP port
Specifies the number of the UDP port on which the SNTP server sends the SNTP packets in
Broadcast mode.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast VLAN ID
Specifies the ID of the VLAN in which the SNTP server of the device sends the SNTP packets in
Broadcast mode.
Possible values:
 0
The SNTP server sends the SNTP packets in the same VLAN in which the access to the device
management is possible. See the Basic Settings > Network dialog.
 1..4042 (default setting: 1)
Broadcast send interval [s]
Specifies the time interval at which the SNTP server of the device sends SNTP broadcast packets.
Possible values:
 64..1024 (default setting: 128)
Disable server at local time source
Activates/deactivates the disabling of the SNTP server when the device is synchronized to the local
clock.
Possible values:
 marked
The disabling of the SNTP server is active.
If the device is synchronized to the local clock, then the device disables the SNTP server. The
SNTP server continues to reply to requests from SNTP clients. In the SNTP packet, the SNTP
server informs the clients that it is synchronized locally.
 unmarked (default setting)
The disabling of the SNTP server is inactive.
If the device is synchronized to the local clock, then the SNTP server remains active.
State
State
Displays the state of the SNTP server.
Possible values:
 disabled
The SNTP server is disabled.
 notSynchronized
The SNTP server is not synchronized with either a local or an external reference time source.
 syncToLocal
The SNTP server is synchronized with the hardware clock of the device.
 syncToRefclock
The SNTP server is synchronized with an external reference time source, for example PTP.
 syncToRemoteServer
The SNTP server is synchronized with an SNTP server that is higher than the device in a
cascade.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
2.3 PTP
[ Time > PTP ]
The menu contains the following dialogs:
 PTP Global
 PTP Boundary Clock
 PTP Transparent Clock
2.3.1 PTP Global
[ Time > PTP > Global ]
In this dialog, you specify basic settings for the PTP protocol.
The Precision Time Protocol (PTP) is a procedure described in the IEEE 1588-2008 standard that
supplies the devices in the network with a precise time. The method synchronizes the clocks in the
network with a precision of a few 100 ns. The protocol uses Multicast communication, so the load
on the network due to the PTP synchronization messages is negligible.
PTP is significantly more accurate than SNTP. If the SNTP function and the PTP function are
enabled in the device at the same time, then the PTP function has priority.
With the Best Master Clock Algorithm, the devices in the network determine which device has the
most accurate time. The devices use the device with the most accurate time as the reference time
source (Grandmaster). Subsequently the participating devices synchronize themselves with this
reference time source.
If you want to transport PTP time accurately through your network, then use only devices with PTP
hardware support on the transport paths.
The protocol differentiates between the following clocks:
 Boundary Clock (BC)
This clock has any number of PTP ports and operates as both PTP master and PTP slave. In its
respective network segment, the clock operates as an Ordinary Clock.
– As PTP slave, the clock synchronizes itself with a PTP master that is higher than the device
in the cascade.
– As PTP master, the clock forwards the time information via the network to PTP slaves that are
higher than the device in the cascade.
 Transparent Clock (TC)
This clock has any number of PTP ports. In contrast to the Boundary Clock, this clock corrects
the time information before forwarding it, without synchronizing itself.
Operation IEEE1588/PTP
Operation IEEE1588/PTP
Enables/disables the PTP function.
Possible values:
 On
The PTP function is enabled.
The device synchronizes its clock with PTP.
If the SNTP function and the PTP function are enabled in the device at the same time, then the
PTP function has priority.
 Off (default setting)
The PTP function is disabled.
The device transmits the PTP synchronization messages without any correction on every port.
Configuration IEEE1588/PTP
PTP mode
Specifies the PTP version and mode of the local clock.
Possible values:
 v2-transparent-clock (default setting)
 v2-boundary-clock
Sync lower bound [ns]
Specifies the lower threshold value in nanoseconds for the path difference between the local clock
and the reference time source (Grandmaster). If the path difference falls below this value once, then
the local clock is classed as synchronized.
Possible values:
 0..999999999
(default setting: 30)
Sync upper bound [ns]
Specifies the upper threshold value in nanoseconds for the path difference between the local clock
and the reference time source (Grandmaster). If the path difference exceeds this value once, then
the local clock is classed as unsynchronized.
Possible values:
 31..1000000000
(default setting: 5000)
PTP management
Activates/deactivates the PTP management defined in the PTP standard.
Possible values:
 marked
PTP management is activated.
 unmarked (default setting)
PTP management is deactivated.
Status
Is synchronized
Displays whether the local clock is synchronized with the reference time source (Grandmaster).
If the path difference between the local clock and the reference time source (Grandmaster) falls
below the synchronization lower threshold one time, then the local clock is synchronized. This
status is kept until the path difference exceeds the synchronization upper threshold one time.
You specify the synchronization thresholds in the Configuration IEEE1588/PTP frame.
Max. offset absolute [ns]
Displays the maximum path difference in nanoseconds that has occurred since the local clock was
synchronized with the reference time source (Grandmaster).
PTP time
Displays the date and time for the PTP time scale when the local clock is synchronized with the
reference time source (Grandmaster). Format: Month Day, Year hh:mm:ss AM/PM
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
2.3.2 PTP Boundary Clock
[ Time > PTP > Boundary Clock ]
With this menu you can configure the Boundary Clock mode for the local clock.
The menu contains the following dialogs:
 PTP Boundary Clock Global
 PTP Boundary Clock Port
2.3.2.1 PTP Boundary Clock Global
[ Time > PTP > Boundary Clock > Global ]
In this dialog, you enter general, cross-port settings for the Boundary Clock mode for the local clock.
The Boundary Clock (BC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock.
Operation IEEE1588/PTPv2 BC
Priority 1
Specifies priority 1 for the device.
Possible values:
 0..255 (default setting: 128)
The Best Master Clock Algorithm first evaluates priority 1 among the participating devices in order
to determine the reference time source (Grandmaster).
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Priority 2
Specifies priority 2 for the device.
Possible values:
 0..255 (default setting: 128)
When the previously evaluated criteria are the same for multiple devices, the Best Master Clock
Algorithm evaluates priority 2 of the participating devices.
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Domain number
Assigns the device to a PTP domain.
Possible values:
 0..255 (default setting: 0)
The device transmits time information from and to devices only in the same domain.
Status IEEE1588/PTPv2 BC
Two step
Displays that the clock is operating in Two-Step mode.
Steps removed
Displays the number of communication paths passed through between the local clock of the device
and the reference time source (Grandmaster).
For a PTP slave, the value 1 means that the clock is connected with the reference time source
(Grandmaster) directly through 1 communication path.
Offset to master [ns]
Displays the measured difference (offset) between the local clock and the reference time source
(Grandmaster) in nanoseconds. The PTP slave calculates the difference from the time information
received.
In Two-Step mode the time information consists of 2 PTP synchronization messages each, which
the PTP master sends cyclically:
 The first synchronization message (sync message) contains an estimated value for the exact
sending time of the message.
 The second synchronization message (follow-up message) contains the exact sending time of
the first message.
The PTP slave uses the two PTP synchronization messages to calculate the difference (offset) from
the master and corrects its clock by this difference. Here the PTP slave also considers the Delay to
master [ns] value.
Delay to master [ns]
Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
The PTP slave sends a “Delay Request” packet to the PTP master and thus determines the exact
sending time of the packet. When it receives the packet, the PTP master generates a time stamp
and sends this in a “Delay Response” packet back to the PTP slave. The PTP slave uses the two
packets to calculate the delay, and considers this starting from the next offset measurement.
The prerequisite is that the delay mechanism value of the slave ports is specified as e2e.
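The arithmetic behind the Offset to master [ns] and Delay to master [ns] values, together with the Is synchronized hysteresis from the Time > PTP > Global dialog, as an added Python example that is not part of the Hirschmann manual or the device software. The function and class names are hypothetical, the timestamps are constructed, and comparing the absolute offset against the two bounds is an assumption.

```python
# Added example, not device code. All times are in nanoseconds.

SYNC_LOWER_NS = 30    # manual default for "Sync lower bound [ns]"
SYNC_UPPER_NS = 5000  # manual default for "Sync upper bound [ns]"


def exchange(true_offset, delay_ms, delay_sm, t1=1_000_000, turnaround=10_000):
    """Construct the four timestamps of one Sync / Delay Request exchange.

    true_offset: slave clock minus master clock
    delay_ms:    one-way delay master -> slave
    delay_sm:    one-way delay slave -> master
    """
    t2 = t1 + delay_ms + true_offset   # slave clock when the sync message arrives
    t3 = t2 + turnaround               # slave clock when the Delay Request leaves
    t4 = t3 - true_offset + delay_sm   # master clock when the Delay Request arrives
    return t1, t2, t3, t4


def delay_to_master(t1, t2, t3, t4):
    """Mean path delay. t1 comes from the follow-up message, t4 from the
    Delay Response. The result is exact only for symmetrical paths."""
    return ((t2 - t1) + (t4 - t3)) / 2


def offset_to_master(t1, t2, delay):
    """Offset the slave corrects its clock by, given the measured delay."""
    return (t2 - t1) - delay


class SyncStatus:
    """'Is synchronized' flag: set once the offset falls below the lower
    bound, kept until the offset exceeds the upper bound."""

    def __init__(self, lower=SYNC_LOWER_NS, upper=SYNC_UPPER_NS):
        if not lower < upper:
            raise ValueError("lower bound must be below upper bound")
        self.lower = lower
        self.upper = upper
        self.synchronized = False

    def update(self, offset_ns):
        magnitude = abs(offset_ns)  # assumption: bounds apply to the magnitude
        if magnitude < self.lower:
            self.synchronized = True
        elif magnitude > self.upper:
            self.synchronized = False
        return self.synchronized


def track(offsets):
    """Return the synchronized flag after each offset measurement."""
    status = SyncStatus()
    return [status.update(o) for o in offsets]


if __name__ == "__main__":
    for d_ms, d_sm in ((800, 800), (1000, 600)):
        t = exchange(true_offset=1500, delay_ms=d_ms, delay_sm=d_sm)
        d = delay_to_master(*t)
        print(d_ms, d_sm, "delay", d, "offset", offset_to_master(t[0], t[1], d))
    print(track([1500, 400, 25, 400, 4999, 5001, 400, 10]))
```

With asymmetrical paths the computed offset is wrong by half the difference between the two one-way delays, which is the error the Asymmetry column in the port dialogs is there to correct.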
Grandmaster
This frame displays the criteria that the Best Master Clock Algorithm uses when evaluating the
reference time source (Grandmaster).
The algorithm first evaluates priority 1 of the participating devices. The device with the lowest value
for priority 1 is designated as the reference time source (Grandmaster). When the value is the same
for multiple devices, the algorithm takes the next criterion, and when this is also the same, the
algorithm takes the next criterion after this one. When every value is the same for multiple devices,
the lowest value in the Clock identity field decides which device is designated as the reference time
source (Grandmaster).
The device lets you influence which device in the network is designated as the reference time
source (Grandmaster). To do this, modify the value in the Priority 1 field or the Priority 2 field in the
Operation IEEE1588/PTPv2 BC frame.
Priority 1
Displays priority 1 for the device that is currently the reference time source (Grandmaster).
Clock class
Displays the class of the reference time source (Grandmaster). Parameter for the Best Master
Clock Algorithm.
Clock accuracy
Displays the estimated accuracy of the reference time source (Grandmaster). Parameter for the
Best Master Clock Algorithm.
Clock variance
Displays the variance of the reference time source (Grandmaster), also known as the Offset scaled
log variance. Parameter for the Best Master Clock Algorithm.
Priority 2
Displays priority 2 for the device that is currently the reference time source (Grandmaster).
Local time properties
Time source
Specifies the time source from which the local clock gets its time information.
Possible values:
 atomicClock
 gps
 terrestrialRadio
 ptp
 ntp
 handSet
 other
 internalOscillator (default setting)
UTC offset [s]
Specifies the difference between the PTP time scale and the UTC.
See the PTP timescale checkbox.
Possible values:
 -32768..32767
Note: The default setting is the value valid on the creation date of the device software. You can find
further information in the "Bulletin C" of the Earth Rotation and Reference Systems Service (IERS):
http://www.iers.org/IERS/EN/Publications/Bulletins/bulletins.html
UTC offset valid
Specifies whether the value specified in the UTC offset [s] field is correct.
Possible values:
 marked
 unmarked (default setting)
Time traceable
Displays whether the device gets the time from a primary UTC reference, for example from an NTP
server.
Possible values:
 marked
 unmarked
Frequency traceable
Displays whether the device gets the frequency from a primary UTC reference, for example from
an NTP server.
Possible values:
 marked
 unmarked
PTP timescale
Displays whether the device uses the PTP time scale.
Possible values:
 marked
 unmarked
According to IEEE 1588, the PTP time scale is the TAI atomic time started on 01.01.1970.
In contrast to UTC, TAI does not use leap seconds.
On 01.01.2017, the difference between TAI and UTC was +37 seconds.
Identities
The device displays the identities as byte sequences in hexadecimal notation.
The identification numbers (UUID) are made up as follows:
 The device identification number consists of the MAC address of the device, with the values ff
and fe added between byte 3 and byte 4.
 The port UUID consists of the device identification number followed by a 16-bit port ID.
Clock identity
Displays the device’s own identification number (UUID).
Parent port identity
Displays the port identification number (UUID) of the directly superior master device.
Grandmaster identity
Displays the identification number (UUID) of the reference time source (Grandmaster) device.
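The comparison order described in the Grandmaster frame and the identity construction described in the Identities frame, as an added Python example that is not Hirschmann code. It covers only the criteria comparison the manual describes. The class and function names are hypothetical, the MAC addresses and clock attributes are constructed sample values, and the colon-separated display format is an assumption.

```python
# Added example, not device code: which clock the criteria comparison selects.
from dataclasses import dataclass

# Order in which the manual's Grandmaster frame evaluates the criteria.
CRITERIA = ("priority1", "clock_class", "clock_accuracy", "clock_variance",
            "priority2", "clock_identity")


def clock_identity_from_mac(mac):
    """MAC address with ff and fe added between byte 3 and byte 4."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return (octets[:3] + b"\xff\xfe" + octets[3:]).hex(":")


def port_identity(clock_identity, port_id):
    """Device identification number followed by a 16-bit port ID."""
    if not 0 <= port_id <= 0xFFFF:
        raise ValueError("port ID must fit in 16 bits")
    return f"{clock_identity}:{port_id >> 8:02x}:{port_id & 0xFF:02x}"


@dataclass(frozen=True)
class Clock:
    name: str
    mac: str
    priority1: int = 128          # manual default for Priority 1
    priority2: int = 128          # manual default for Priority 2
    clock_class: int = 248        # constructed sample value
    clock_accuracy: int = 0xFE    # constructed sample value
    clock_variance: int = 0xFFFF  # constructed sample value

    @property
    def clock_identity(self):
        return clock_identity_from_mac(self.mac)

    def key(self):
        # Lower value wins at every step; the clock identity is the tie-breaker.
        return tuple(getattr(self, name) for name in CRITERIA)


def elect_grandmaster(clocks):
    """Return the clock that wins the criteria comparison."""
    return min(clocks, key=Clock.key)


def deciding_criterion(winner, other):
    """Name of the first criterion in which the two clocks differ."""
    for name in CRITERIA:
        if getattr(winner, name) != getattr(other, name):
            return name
    return None


if __name__ == "__main__":
    # Constructed devices using MAC addresses from the documentation range.
    a = Clock("rsp-a", "00:00:5e:00:53:0a")
    b = Clock("rsp-b", "00:00:5e:00:53:02")
    c = Clock("rsp-c", "00:00:5e:00:53:ff", priority2=127)
    gm = elect_grandmaster([a, b, c])
    print(gm.name, gm.clock_identity, deciding_criterion(gm, b))
    print(port_identity(a.clock_identity, 3))
```

Running the comparison over an inventory of the PTP domain shows which device the Priority 1 and Priority 2 settings make the reference time source, so that an unexpected Grandmaster identity value in this dialog stands out.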
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
2.3.2.2 PTP Boundary Clock Port
[ Time > PTP > Boundary Clock > Port ]
In this dialog, you specify the Boundary Clock (BC) settings on each individual port.
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock.
Table
Port
Displays the port number.
PTP enable
Activates/deactivates PTP synchronization message transmission on the port.
Possible values:
 marked (default setting)
The transmission is activated. The port forwards and receives PTP synchronization messages.
 unmarked
The transmission is deactivated. The port blocks PTP synchronization messages.
PTP status
Displays the current status of the port.
Possible values:
 initializing
Initialization phase
 faulty
Faulty mode: error in the PTP protocol.
 disabled
PTP is disabled on the port.
 listening
Device port is waiting for PTP synchronization messages.
 pre-master
PTP pre-master mode
 master
PTP master mode
 passive
PTP passive mode
 uncalibrated
PTP uncalibrated mode
 slave
PTP slave mode
Sync interval
Specifies the interval in seconds at which the port transmits PTP synchronization messages.
Possible values:
 0.25
 0.5
 1 (default setting)
 2
Delay mechanism
Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
 disabled
The measurement of the delay for the PTP synchronization messages for the connected PTP
devices is inactive.
 e2e (default setting)
End-to-End: As the PTP slave, the port measures the delay for the PTP synchronization
messages to the PTP master.
The device displays the measured value in the Time > PTP > Boundary Clock > Global dialog.
 p2p
Peer-to-Peer: The device measures the delay for the PTP synchronization messages for the
connected PTP devices, provided that these devices support P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
P2P delay
Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select the value p2p in the Delay mechanism column.
P2P delay interval [s]
Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you have specified the value p2p on this port and on the port of the remote
device.
Possible values:
 1 (default setting)
 2
 4
 8
 16
 32
Network protocol
Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
 IEEE 802.3 (default setting)
 UDP/IPv4
Announce interval [s]
Specifies the interval in seconds at which the port transmits messages for the PTP topology
discovery.
Assign the same value to every device of a PTP domain.
Possible values:
 1
 2 (default setting)
 4
 8
 16
Announce timeout
Specifies the number of announce intervals.
Example:
For the default setting (Announce interval [s] = 2 and Announce timeout = 3), the timeout is 3 ∙ 2 s = 6 s.
Possible values:
 2..10 (default setting: 3)
Assign the same value to every device of a PTP domain.
E2E delay interval [s]
Displays the interval in seconds at which the port measures the End-to-End delay:
 When the port is operating as the PTP master, the device assigns to the port the value 8.
 When the port is operating as the PTP slave, the value is specified by the PTP master connected
to the port.
V1 hardware compatibility
Specifies whether the port adjusts the length of the PTP synchronization messages when you have
set in the Network protocol column the value udpIpv4.
It is possible that other devices in the network expect the PTP synchronization messages to be the
same length as PTPv1 messages.
Possible values:
 auto (default setting)
The device automatically detects whether other devices in the network expect the PTP
synchronization messages to be the same length as PTPv1 messages. If this is the case, then
the device extends the length of the PTP synchronization messages before transmitting them.
 on
The device extends the length of the PTP synchronization messages before transmitting them.
 off
The device transmits PTP synchronization messages without changing the length.
Asymmetry
Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
 -2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x∙2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite
direction.
VLAN
Specifies the VLAN ID with which the device marks the PTP synchronization messages on this port.
Possible values:
 none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
 0..4042
You specify VLANs that you have already set up in the device from the list.
Verify that the port is a member of the VLAN.
See the Switching > VLAN > Configuration dialog.
VLAN priority
Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
 0..7 (default setting: 4)
If you specified in the VLAN column the value none, then the device ignores the VLAN priority.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
2.3.3 PTP Transparent Clock
[ Time > PTP > Transparent Clock ]
With this menu you can configure the Transparent Clock mode for the local clock.
The menu contains the following dialogs:
 PTP Transparent Clock Global
 PTP Transparent Clock Port
2.3.3.1 PTP Transparent Clock Global
[ Time > PTP > Transparent Clock > Global ]
In this dialog, you enter general, cross-port settings for the Transparent Clock mode for the local
clock. The Transparent Clock (TC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Transparent Clock (TC). For this,
you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock.
Operation IEEE1588/PTPv2 TC
Delay mechanism
Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
 e2e (default setting)
As the PTP slave, the port measures the delay for the PTP synchronization messages to the PTP
master.
The device displays the measured value in the Time > PTP > Transparent Clock > Global dialog.
 p2p
The device measures the delay for the PTP synchronization messages for every connected PTP
device, provided that the device supports P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
If you specify this value, then the value IEEE 802.3 is only available in the Network protocol field.
 e2e-optimized
Like e2e, with the following special characteristics:
– The device transmits the delay requests of the PTP slaves only to the PTP master, even
though these requests are multicast messages. The device thus spares the other devices
from unnecessary multicast requests.
– If the master-slave topology changes, then the device relearns the port for the PTP master
as soon as it receives a synchronization message from another PTP master.
– If the device does not know a PTP master, then the device transmits delay requests to the
ports.
 disabled
The delay measuring is disabled on the port. The device discards messages for the delay
measuring.
Primary domain
Assigns the device to a PTP domain.
Possible values:
 0..255 (default setting: 0)
The device transmits time information from and to devices only in the same domain.
Network protocol
Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
 ieee8023 (default setting)
 udpIpv4
Multi domain mode
Activates/deactivates the PTP synchronization message correction in every PTP domain.
Possible values:
 marked
The device corrects PTP synchronization messages in every PTP domain.
 unmarked (default setting)
The device corrects PTP synchronization messages only in the primary PTP domain. See the
Primary domain field.
VLAN ID
Specifies the VLAN ID with which the device marks the PTP synchronization messages on this port.
Possible values:
 none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
 0..4042
You specify VLANs that you have already set up in the device from the list.
VLAN priority
Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
 0..7 (default setting: 4)
If you specified the value none in the VLAN ID field, then the device ignores the specified value.
Local synchronization
Syntonize
Activates/deactivates the frequency synchronization of the Transparent Clock with the PTP master.
Possible values:
 marked (default setting)
The frequency synchronization is active.
The device synchronizes the frequency.
 unmarked
The frequency synchronization is inactive.
The frequency remains constant.
Synchronize local clock
Activates/deactivates the synchronization of the local system time.
Possible values:
 marked
The synchronization is active.
The device synchronizes the local system time with the time received via PTP. The prerequisite
is that the Syntonize checkbox is marked.
 unmarked (default setting)
The synchronization is inactive.
The local system time remains constant.
Current master
Displays the port identification number (UUID) of the directly superior master device on which the
device synchronizes its frequency.
If the value contains only zeros, this is because:
 The Syntonize function is disabled.
or
 The device cannot find a PTP master.
Offset to master [ns]
Displays the measured difference (offset) between the local clock and the PTP master in
nanoseconds. The device calculates the difference from the time information received.
The prerequisite is that the Synchronize local clock function is enabled.
Delay to master [ns]
Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
Prerequisite:
 The Synchronize local clock function is enabled.
 In the Delay mechanism field, the value e2e is selected.
Status IEEE1588/PTPv2 TC
Clock identity
Displays the device’s own identification number (UUID).
The device displays the identities as byte sequences in hexadecimal notation.
The device identification number consists of the MAC address of the device, with the values ff and
fe added between byte 3 and byte 4.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
2.3.3.2 PTP Transparent Clock Port
[ Time > PTP > Transparent Clock > Port ]
In this dialog, you specify the Transparent Clock (TC) settings on each individual port.
The settings are effective when the local clock operates as the Transparent Clock (TC). For this,
you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock.
Table
Port
Displays the port number.
PTP enable
Activates/deactivates the transmitting of PTP synchronization messages on the port.
Possible values:
 marked (default setting)
The transmitting is active.
The port forwards and receives PTP synchronization messages.
 unmarked
The transmitting is inactive.
The port blocks PTP synchronization messages.
P2P delay interval [s]
Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you specify the value p2p on this port and on the port of the remote terminal.
See the Delay mechanism option list in the Time > PTP > Transparent Clock > Global dialog.
Possible values:
 1 (default setting)
 2
 4
 8
 16
 32
P2P delay
Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select in the Delay mechanism option list the radio button p2p. See the
Delay mechanism field in the Time > PTP > Transparent Clock > Global dialog.
Asymmetry
Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
 -2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x∙2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite
direction.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
3 Device Security
The menu contains the following dialogs:
 User Management
 Authentication List
 LDAP
 Management Access
 Pre-login Banner
3.1 User Management
[ Device Security > User Management ]
If users log in with valid login data, then the device lets them have access to its device
management.
In this dialog you manage the users of the local user management. You also specify the following
settings here:
 Settings for the login
 Settings for saving the passwords
 Specify policy for valid passwords
You specify the methods that the device uses for the authentication in the Device Security >
Authentication List dialog.
Configuration
This frame lets you specify settings for the login.
Login attempts
Number of login attempts possible.
Possible values:
 0..5 (default setting: 0)
If the user makes one more unsuccessful login attempt, then the device locks access for the user.
The device lets only users with the administrator authorization remove the lock.
The value 0 deactivates the lock. The user has unlimited attempts to log in.
Login attempts period
Displays the time period before the device resets the counter in the Login attempts field.
Possible values:
 0..60 (default setting: 0)
Min. password length
The device accepts the password if it contains at least the number of characters specified here.
The device checks the password according to this setting, regardless of the setting for the Policy
check checkbox.
Possible values:
 1..64 (default setting: 6)
Password policy
This frame lets you specify the policy for valid passwords. The device checks every new password
and password change according to this policy.
The settings affect the Password column. The prerequisite is that you mark the checkbox in the
Policy check column.
Upper-case characters (min.)
The device accepts the password if it contains at least as many upper-case letters as specified
here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Lower-case characters (min.)
The device accepts the password if it contains at least as many lower-case letters as specified here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Digits (min.)
The device accepts the password if it contains at least as many numbers as specified here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Special characters (min.)
The device accepts the password if it contains at least as many special characters as specified
here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Table
Every user requires an active user account to gain access to the device management. The table
lets you set up and manage user accounts.
To change settings, click the desired parameter in the table and modify the value.
User name
Displays the name of the user account.
To create a new user account, click the
button.
Active
Activates/deactivates the user account.
Possible values:
 marked
The user account is active. The device accepts the login of a user with this user name.
 unmarked (default setting)
The user account is inactive. The device rejects the login of a user with this user name.
When one user account exists with the administrator access role, this user account is constantly
active.
Password
Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
Possible values:
 Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
– a..z
– A..Z
– 0..9
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
The minimum length of the password is specified in the Configuration frame. The device
differentiates between upper and lower case.
If the checkbox in the Policy check column is marked, then the device checks the password
according to the policy specified in the Password policy frame.
The device constantly checks the minimum length of the password, even if the checkbox in the
Policy check column is unmarked.
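The password rules from the Configuration frame, the Password policy frame and the Password column, combined into one check, as an added Python example that is not Hirschmann code. It lets you test candidate passwords offline against the manual's default values; the class, function and finding names are hypothetical.

```python
# Added example, not device code: the manual's password rules as one check.
import string
from dataclasses import dataclass

# Special characters the manual lists as allowed. The double quote, the pipe
# character and the space are not in this list.
SPECIALS = "!#$%&'()*+,-./:;<=>?@[\\]^_`{}~"
ALLOWED = set(string.ascii_letters + string.digits + SPECIALS)
MAX_LENGTH = 64  # upper end of the 6..64 range in the Password column


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults as given in the manual. A minimum of 0 deactivates a rule."""
    min_length: int = 6
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1


def check_password(password, policy=PasswordPolicy(), policy_check=True):
    """Return the list of rules the password violates (empty list = accepted).

    policy_check mirrors the Policy check column: when it is False only the
    character set and the length are checked, because the device checks the
    minimum length even if the checkbox is unmarked.
    """
    findings = []
    if any(ch not in ALLOWED for ch in password):
        findings.append("charset")
    if not policy.min_length <= len(password) <= MAX_LENGTH:
        findings.append("length")
    if policy_check:
        counts = {
            "upper": sum(ch in string.ascii_uppercase for ch in password),
            "lower": sum(ch in string.ascii_lowercase for ch in password),
            "digits": sum(ch in string.digits for ch in password),
            "special": sum(ch in SPECIALS for ch in password),
        }
        required = {
            "upper": policy.min_upper,
            "lower": policy.min_lower,
            "digits": policy.min_digits,
            "special": policy.min_special,
        }
        findings += [rule for rule in counts if counts[rule] < required[rule]]
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate, checked in (("Rail#Switch7", True), ("railswitch", True),
                               ("railswitch", False), ("Ab1!", False),
                               ('Pass"word1|', True)):
        print(repr(candidate), checked, check_password(candidate, policy_check=checked))
```

The third sample shows what the default setting of the Policy check column (unmarked) permits: a ten-letter lower-case password passes because only the minimum length applies.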
Role
Specifies the user role that regulates the access of the user to the individual functions of the device.
Possible values:
 unauthorized
The user is blocked, and the device rejects the user log on.
Assign this value to temporarily lock the user account. If the device detects an error when
another role is being assigned, then the device assigns this role to the user account.
 guest (default setting)
The user is authorized to monitor the device.
 auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics > Report >
Audit Trail dialog.
 operator
The user is authorized to monitor the device and to change the settings – with the exception of
security settings for device access.
 administrator
The user is authorized to monitor the device and to change the settings.
The device assigns the Service Type transferred in the response of a RADIUS server as follows to
a user role:
• Administrative-User: administrator
• Login-User: operator
• NAS-Prompt-User: guest
User locked
Unlocks the user account.
Possible values:
 marked
The user account is locked. The user has no access to the device management.
If the user makes too many unsuccessful log in attempts, then the device automatically locks
the user.
 unmarked (grayed out) (default setting)
The user account is unlocked. The user has access to the device management.
Policy check
Activates/deactivates the password check.
Possible values:
 marked
The password check is activated.
When you set up or change the password, the device checks the password according to the
policy specified in the Password policy frame.
 unmarked (default setting)
The password check is deactivated.
SNMP auth type
Specifies the authentication protocol that the device applies for user access via SNMPv3.
Possible values:
 hmacmd5 (default value)
For this user account, the device uses protocol HMACMD5.
 hmacsha
For this user account, the device uses protocol HMACSHA.
SNMP encryption type
Specifies the encryption protocol that the device applies for user access via SNMPv3.
Possible values:
 none
No encryption.
 des (default value)
DES encryption
 aesCfb128
AES128 encryption
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the User name field, you specify the name of the user account.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters
3.2 Authentication List
[ Device Security > Authentication List ]
In this dialog you manage the authentication lists. In an authentication list you specify which method
the device uses for the authentication. You also have the option to assign pre-defined applications
to the authentication lists.
If users log in with valid login data, then the device lets them have access to its device
management. The device authenticates the users using the following methods:
 User management of the device
 LDAP
 RADIUS
With the port-based access control according to IEEE 802.1X, if connected end devices log in with
valid login data, then the device lets them have access to the network. The device authenticates
the end devices using the following methods:
 RADIUS
 IAS (Integrated Authentication Server)
In the default setting the following authentication lists are available:
 defaultDot1x8021AuthList
 defaultLoginAuthList
 defaultV24AuthList
Table
Note: If the table does not contain a list, then the access to the device management is only possible
using the Command Line Interface through the serial interface of the device. In this case, the device
authenticates the user by using the local user management. See the Device Security > User
Management dialog.
Name
Displays the name of the list.
To create a new list, click the
button.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Policy 1
Policy 2
Policy 3
Policy 4
Policy 5
Specifies the authentication policy that the device uses for access using the application specified
in the Dedicated applications column.
The device gives you the option of a fall-back solution. For this, you specify another policy in each
of the policy fields. If the authentication with the specified policy is unsuccessful, then the device
can use the next policy, depending on the order of the values entered in each policy.
Possible values:
 local (default setting)
The device authenticates the users by using the local user management. See the Device
Security > User Management dialog.
You cannot assign this value to the authentication list defaultDot1x8021AuthList.
 radius
The device authenticates the users with a RADIUS server in the network. You specify the
RADIUS server in the Network Security > RADIUS > Authentication Server dialog.
 reject
The device accepts or rejects the authentication depending on which policy you try first. The
following list contains authentication scenarios:
– If the first policy in the authentication list is local and the device accepts the credentials of
the user, then it logs the user in without attempting the other policies.
– If the first policy in the authentication list is local and the device denies the credentials of
the user, then it attempts to log the user in using the other policies in the order specified.
– If the first policy in the authentication list is radius or ldap and the device rejects a login, then
the login is immediately rejected without attempting to log in the user using another policy.
If there is no response from the RADIUS or LDAP server, then the device attempts to
authenticate the user with the next policy.
– If the first policy in the authentication list is reject, then the device immediately rejects the
user login without attempting another policy.
– Verify that the authentication list defaultV24AuthList contains at least one policy different
from reject.
 ias
The device authenticates the end devices logging in via 802.1X with the integrated
authentication server (IAS). The integrated authentication server manages the log in data in a
separate database. See the Network Security > 802.1X Port Authentication > Integrated Authentication
Server dialog.
You can only assign this value to the authentication list defaultDot1x8021AuthList.
 ldap
The device authenticates the users with authentication data and access role saved in a central
location. You specify the Active Directory server that the device uses in the Network Security >
LDAP > Configuration dialog.
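The fall-back scenarios above, modelled as an added example (not Hirschmann code) so that a planned policy order can be checked before it is configured. It assumes the rules the manual states for the first policy hold at every position in the list; the function names and the list name exampleList are hypothetical.

```python
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"            # backend confirmed the credentials
    DENY = "deny"                # backend answered and refused them
    NO_RESPONSE = "no_response"  # RADIUS/LDAP server did not answer


REMOTE = {"radius", "ldap"}
KNOWN = {"local", "radius", "ldap", "reject"}  # ias (802.1X only) is not modelled


def evaluate(policies, answers):
    """Walk Policy 1..5 in order and return (decision, trace).

    policies: ordered policy values of one authentication list.
    answers:  constructed map policy -> Outcome, i.e. what each backend
              would answer for the login being simulated.
    Assumption: the rules stated for the first policy apply unchanged
    at every later position.
    """
    trace = []
    for policy in policies:
        if policy not in KNOWN:
            raise ValueError(f"policy not modelled here: {policy}")
        if policy == "reject":
            trace.append("reject")
            return "rejected", trace
        outcome = answers[policy]
        trace.append(f"{policy}:{outcome.value}")
        if outcome is Outcome.ACCEPT:
            return "accepted", trace
        if policy in REMOTE and outcome is Outcome.DENY:
            # A reachable server that refuses the login ends the attempt.
            return "rejected", trace
        # local denied, or remote server silent: try the next policy
    return "rejected", trace


def lint(list_name, policies):
    """Return findings for one list, based on the constraints in the manual."""
    findings = []
    if all(p == "reject" for p in policies):
        findings.append("no policy other than reject: nobody can log in via this list")
    if "reject" in policies:
        dead = policies[policies.index("reject") + 1:]
        if dead:
            findings.append(f"unreachable after reject: {dead}")
    if list_name == "defaultDot1x8021AuthList" and "local" in policies:
        findings.append("local cannot be assigned to defaultDot1x8021AuthList")
    if list_name != "defaultDot1x8021AuthList" and "ias" in policies:
        findings.append("ias can only be assigned to defaultDot1x8021AuthList")
    return findings


if __name__ == "__main__":
    # A local account exists, the RADIUS server does not know the user.
    for radius in (Outcome.DENY, Outcome.NO_RESPONSE):
        answers = {"radius": radius, "local": Outcome.ACCEPT}
        print(radius.value, evaluate(["radius", "local"], answers))
    print(lint("defaultV24AuthList", ["reject"]))
```

With radius ahead of local, the local accounts are only consulted while the RADIUS server is unreachable, so their passwords need the same care as the central ones.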
Dedicated applications
Displays the dedicated applications. When users access the device with the relevant application,
the device uses the specified policies for the authentication.
To allocate another application to the list or remove the allocation, click the
button and then the
Allocate applications item. The device lets you assign each application to exactly one list.
Active
Activates/deactivates the list.
Possible values:
• marked
The list is activated. The device uses the policies in this list when users access the device with
the relevant application.
• unmarked (default setting)
The list is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Allocate applications
Opens the Allocate applications window.
• The left field displays the applications that can be allocated to the highlighted list.
• The right field displays the applications that are allocated to the highlighted list.
• Buttons:
Moves every entry to the right field.
Moves the highlighted entries from the left field to the right field.
Moves the highlighted entries from the right field to the left field.
Moves every entry to the left field.
Note: When you move the entry WebInterface to the left field, the connection to the device is lost
after you click the Ok button.
3.3
LDAP
[ Device Security > LDAP ]
The Lightweight Directory Access Protocol (LDAP) lets you authenticate and authorize the users at
a central point in the network. A widely used directory service accessible through LDAP is Active
Directory®.
The device forwards the login data of the user to the authentication server using the LDAP protocol.
The authentication server decides whether the login data is valid and transfers the user’s
authorizations to the device.
Upon successful logon, the device saves the logon data temporarily in the cache. This speeds up
the logon process when users log on again. In this case, no complex LDAP search operation is
necessary.
The menu contains the following dialogs:
• LDAP Configuration
• LDAP Role Mapping
3.3.1
LDAP Configuration
[ Device Security > LDAP > Configuration ]
This dialog lets you specify up to 4 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the log on data to the first authentication server. When no response comes from
this server, the device contacts the next server in the table.
Operation
Operation
Enables/disables the LDAP client.
If in the Device Security > Authentication List dialog you specify the value ldap in 1 of the rows Policy
1 to Policy 5, then the device uses the LDAP client. Prior to this, specify in the Device Security > LDAP >
Role Mapping dialog at least 1 mapping for the role administrator. This provides you access to
the device as administrator after logging on through LDAP.
Possible values:
• On
The LDAP client is enabled.
• Off (default setting)
The LDAP client is disabled.
Configuration
Client cache timeout [min]
Specifies for how many minutes after a successful logon the logon data of a user remains valid.
When a user logs on again within this time, no complex LDAP search operation is necessary. The
logon process is much faster.
Possible values:
• 1..1440 (default setting: 10)
Bind user
Specifies the user ID in the form of the “Distinguished Name” (DN) with which the device logs on to
the LDAP server.
If the LDAP server requires a user ID in the form of the “Distinguished Name” (DN) for the log on,
then this information is necessary. In Active Directory environments, this information is
unnecessary.
The device logs on to the LDAP server with the user ID to find the “Distinguished Name” (DN) for
the users logging on. The device conducts the search according to the settings in the fields Base
DN and User name attribute.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
Bind user password
Specifies the password which the device uses together with the user ID specified in the Bind user
field when logging on to the LDAP server.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
Base DN
Specifies the starting point for the search in the directory tree in the form of the “Distinguished
Name” (DN).
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
User name attribute
Specifies the LDAP attribute which contains a unique user name. Afterwards, the user uses the
user name contained in this attribute to log on.
Often the LDAP attributes userPrincipalName, mail, sAMAccountName and uid contain a unique
user name.
The device adds the character string specified in the Default domain field to the user name under the
following conditions:
• The user name contained in the attribute does not contain the @ character.
• In the Default domain field, a domain name is specified.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
(default setting: userPrincipalName)
Default domain
Specifies the character string which the device adds to the user name of the users logging on if the
user name does not contain the @ character.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
CA certificate
URL
Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
• X.509 format
• .PEM file name extension
• Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend that you always use a certificate which is signed by a
certification authority.
The device gives you the following options for copying the certificate to the device:
• Import from the PC
When the certificate is located on your PC or on a network drive, drag and drop the certificate
in the area. Alternatively click in the area to select the certificate.
• Import from an FTP server
When the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
• Import from a TFTP server
When the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
• Import from an SCP or SFTP server
When the certificate is on an SCP or SFTP server, specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Copies the certificate specified in the URL field to the device.
Table
Index
Displays the index number to which the table entry relates.
Description
Specifies the description.
You have the option to describe here the authentication server or note additional information.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
Address
Specifies the IP address or the DNS name of the server.
Possible values:
• IPv4 address (default setting: 0.0.0.0)
• DNS name in the format <domain>.<tld> or <host>.<domain>.<tld>
• _ldap._tcp.<domain>.<tld>
Using this DNS name, the device queries the LDAP server list (SRV Resource Record) from the
DNS server.
If in the Connection security row a value other than none is specified and the certificate contains only
DNS names of the server, then use a DNS name. Enable the Client function in the Advanced > DNS >
Client > Global dialog.
Destination TCP port
Specifies the TCP Port on which the server expects the requests.
If you have specified the value _ldap._tcp.domain.tld in the Address column, then the device
ignores this value.
Possible values:
• 0..65535 (default setting: 389)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP ports:
• LDAP: 389
• LDAP over SSL: 636
• Active Directory Global Catalogue: 3268
• Active Directory Global Catalogue SSL: 3269
Connection security
Specifies the protocol which encrypts the communication between the device and the
authentication server.
Possible values:
• none
No encryption.
The device establishes an LDAP connection to the server and transmits the communication
including the passwords in clear text.
• ssl
Encryption with SSL.
The device establishes a TLS connection to the server and tunnels the LDAP communication
over it.
• startTLS (default setting)
Encryption with startTLS extension.
The device establishes an LDAP connection to the server and encrypts the communication.
The prerequisite for encrypted communication is that the device uses the correct time. If the
certificate contains only the DNS names, then you specify the DNS name of the server in the
Address row. Enable the Client function in the Advanced > DNS > Client > Global dialog.
If the certificate contains the IP address of the server in the “Subject Alternative Name” field, then
the device is able to verify the identity of the server without the DNS configuration.
Server status
Displays the connection status and the authentication with the authentication server.
Possible values:
• ok
The server is reachable.
If in the Connection security row a value other than none is specified, then the device has verified
the certificate of the server.
• unreachable
Server is unreachable.
• other
The device has not established a connection to the server yet.
Active
Activates/deactivates the use of the server.
Possible values:
• marked
The device uses the server.
• unmarked (default setting)
The device does not use the server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Flush cache
Removes the cached log on data of the successfully logged on users.
3.3.2
LDAP Role Mapping
[ Device Security > LDAP > Role Mapping ]
This dialog lets you create up to 64 mappings to assign a role to users.
In the table, you specify whether the device assigns a role to the user based on an attribute with a
specific value or based on the group membership.
• The device searches for the attribute and the attribute value within the user object.
• By evaluating the “Distinguished Name” (DN) contained in the member attributes, the device
checks the group membership.
When a user logs on, the device searches for the following information on the LDAP server:
• In the related user object, the device searches for attributes specified in the mappings.
• In the group objects of the groups specified in the mappings, the device searches for the
member attributes.
On this basis, the device checks each mapping.
• Does the user object contain the required attribute?
or
• Is the user member of the group?
If the device does not find a match, then the user does not get access to the device.
If the device finds more than 1 mapping that applies to a user, then the setting in the Matching policy
field decides. The user either obtains the role with the more extensive authorizations or the 1st role
in the table that applies.
Configuration
Matching policy
Specifies which role the device applies if more than 1 mapping applies to a user.
Possible values:
• highest (default setting)
The device applies the role with more extensive authorizations.
• first
The device applies the rule which has the lower value in the Index column to the user.
Table
Index
Displays the index number to which the table entry relates.
Role
Specifies the user role that regulates the access of the user to the individual functions of the device.
Possible values:
• unauthorized
The user is blocked, and the device rejects the user log on.
Assign this value to temporarily lock the user account. If an error occurs when another role is
being assigned, then the device assigns this role to the user account.
• guest (default setting)
The user is authorized to monitor the device.
• auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics > Report >
Audit Trail dialog.
• operator
The user is authorized to monitor the device and to change the settings – with the exception of
security settings for device access.
• administrator
The user is authorized to monitor the device and to change the settings.
Type
Specifies whether a group or an attribute with an attribute value is set in the Parameter column.
Possible values:
• attribute (default setting)
The Parameter column contains an attribute with an attribute value.
• group
The Parameter column contains the “Distinguished Name” (DN) of a group.
Parameter
Specifies a group or an attribute with an attribute value, depending on the setting in the Type
column.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
The device differentiates between upper and lower case.
– If in the Type column the value attribute is specified, then you specify the attribute in the
form of Attribute_name=Attribute_value.
Example: l=Germany
– If in the Type column the value group is specified, then you specify the “Distinguished Name”
(DN) of a group.
Example: CN=admin-users,OU=Groups,DC=example,DC=com
Active
Activates/deactivates the role mapping.
Possible values:
• marked (default setting)
The role mapping is active.
• unmarked
The role mapping is inactive.
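An added sketch of how the mappings and the Matching policy setting combine, not the device's own implementation. It assumes the roles rank in the order the manual lists them (unauthorized lowest) and compares every parameter case-sensitively; the user, attributes, groups and mappings are constructed sample data.

```python
from dataclasses import dataclass

# Assumption: authorizations grow in the order the manual lists the roles.
ROLE_RANK = ["unauthorized", "guest", "auditor", "operator", "administrator"]


@dataclass(frozen=True)
class Mapping:
    index: int          # 1..64, position in the table
    role: str
    type: str           # "attribute" or "group"
    parameter: str      # "Attribute_name=Attribute_value" or a group DN
    active: bool = True


def applies(mapping, user_dn, user_attrs, group_members):
    """True if an active mapping matches; every comparison is case-sensitive."""
    if not mapping.active:
        return False
    if mapping.type == "attribute":
        name, sep, value = mapping.parameter.partition("=")
        return bool(sep) and value in user_attrs.get(name, [])
    if mapping.type == "group":
        # The member attributes of the group object hold the DNs of its members.
        return user_dn in group_members.get(mapping.parameter, [])
    raise ValueError(f"unknown Type value: {mapping.type}")


def resolve_role(mappings, matching_policy, user_dn, user_attrs, group_members):
    """Return the role the user obtains, or None when no mapping applies."""
    hits = sorted(
        (m for m in mappings if applies(m, user_dn, user_attrs, group_members)),
        key=lambda m: m.index,
    )
    if not hits:
        return None
    if matching_policy == "first":
        return hits[0].role
    if matching_policy == "highest":
        return max(hits, key=lambda m: ROLE_RANK.index(m.role)).role
    raise ValueError(f"unknown Matching policy value: {matching_policy}")


def may_log_on(role):
    """No matching mapping and the role unauthorized both end in a rejected logon."""
    return role is not None and role != "unauthorized"


# Constructed sample directory content and mapping table.
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=com"
USER_ATTRS = {"l": ["Germany"], "department": ["Maintenance"]}
ADMIN_GROUP = "CN=admin-users,OU=Groups,DC=example,DC=com"
GROUP_MEMBERS = {ADMIN_GROUP: [USER_DN]}
MAPPINGS = [
    Mapping(1, "unauthorized", "attribute", "department=Maintenance"),
    Mapping(2, "guest", "attribute", "l=Germany"),
    Mapping(3, "administrator", "group", ADMIN_GROUP),
    # Same group with different capitalisation: never matches.
    Mapping(4, "operator", "group", "CN=Admin-Users,OU=Groups,DC=example,DC=com"),
]

if __name__ == "__main__":
    for policy in ("highest", "first"):
        role = resolve_role(MAPPINGS, policy, USER_DN, USER_ATTRS, GROUP_MEMBERS)
        print(policy, role, may_log_on(role))
```

Under the stated ranking assumption, an unauthorized mapping only locks a user out under highest when no other active mapping applies to that user.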
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
• In the Index field, you specify the index number.
Possible values:
– 1..64
3.4
Management Access
[ Device Security > Management Access ]
The menu contains the following dialogs:
• Server
• IP Access Restriction
• Web
• Command Line Interface
• SNMPv1/v2 Community
3.4.1
Server
[ Device Security > Management Access > Server ]
This dialog lets you set up the server services which enable users or applications to access the
management of the device.
The dialog contains the following tabs:
• [Information]
• [SNMP]
• [Telnet]
• [SSH]
• [HTTP]
• [HTTPS]
[Information]
This tab displays as an overview which server services are enabled.
Table
SNMPv1
Displays whether the server service is active or inactive, which authorizes access to the device
using SNMP version 1. See the SNMP tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
SNMPv2
Displays whether the server service is active or inactive, which authorizes access to the device
using SNMP version 2. See the SNMP tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
SNMPv3
Displays whether the server service is active or inactive, which authorizes access to the device
using SNMP version 3. See the SNMP tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
Telnet server
Displays whether the server service is active or inactive, which authorizes access to the device
using Telnet. See the Telnet tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
SSH server
Displays whether the server service is active or inactive, which authorizes access to the device
using Secure Shell. See the SSH tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
HTTP server
Displays whether the server service is active or inactive, which authorizes access to the device
using the Graphical User Interface through HTTP. See the HTTP tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
HTTPS server
Displays whether the server service is active or inactive, which authorizes access to the device
using the Graphical User Interface through HTTPS. See the HTTPS tab.
Possible values:
• marked
Server service is active.
• unmarked
Server service is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[SNMP]
This tab lets you specify settings for the SNMP agent of the device and to enable/disable access
to the device with different SNMP versions.
The SNMP agent enables access to the device management with SNMP-based applications.
Configuration
SNMPv1
Activates/deactivates the access to the device with SNMP version 1.
Possible values:
• marked (default setting)
Access is activated.
• unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/v2
Community dialog.
SNMPv2
Activates/deactivates the access to the device with SNMP version 2.
Possible values:
• marked (default setting)
Access is activated.
• unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/v2
Community dialog.
SNMPv3
Activates/deactivates the access to the device with SNMP version 3.
Possible values:
• marked (default setting)
Access is activated.
• unmarked
Access is deactivated.
Network management systems like Industrial HiVision use this protocol to communicate with the
device.
UDP port
Specifies the number of the UDP port on which the SNMP agent receives requests from clients.
Possible values:
• 1..65535 (default setting: 161)
Exception: Port 2222 is reserved for internal functions.
To enable the SNMP agent to use the new port after a change, you proceed as follows:
• Click the button.
• Select in the Basic Settings > Load/Save dialog the active configuration profile.
• Click the button to save the current changes.
• Restart the device.
SNMPover802
Activates/deactivates the access to the device through SNMP over IEEE-802.
Possible values:
• marked
Access is activated.
• unmarked (default setting)
Access is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Telnet]
This tab lets you enable/disable the Telnet server in the device and specify its settings.
The Telnet server enables access to the device management remotely through the Command Line
Interface. Telnet connections are unencrypted.
Operation
Operation
Enables/disables the Telnet server.
Possible values:
• On (default setting)
The Telnet server is enabled.
The access to the device management is possible through the Command Line Interface using
an unencrypted Telnet connection.
• Off
The Telnet server is disabled.
Note: If the SSH server is disabled and you also disable Telnet, then the access to the Command
Line Interface is only possible through the serial interface of the device.
Configuration
TCP port
Specifies the number of the TCP port on which the device receives Telnet requests from clients.
Possible values:
• 1..65535 (default setting: 23)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Connections
Displays how many Telnet connections are currently established to the device.
Connections (max.)
Specifies the maximum number of Telnet connections to the device that can be set up
simultaneously.
Possible values:
• 1..5 (default setting: 5)
Session timeout [min]
Specifies the timeout in minutes. After the connection has been inactive for this time, the device
ends the session for the user logged on.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
• 0
Deactivates the function. The connection remains established in the case of inactivity.
• 1..160 (default setting: 5)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[SSH]
This tab lets you enable/disable the SSH server in the device and specify its settings required for
SSH. The server works with SSH version 2.
The SSH server enables access to the device management remotely through the Command Line
Interface. SSH connections are encrypted.
The SSH server identifies itself to the clients using its public RSA key. When first setting up the
connection, the client program displays the fingerprint of this key to the user. The fingerprint contains
a Base64-coded character sequence that is easy to check. When you make this character
sequence available to the users via a reliable channel, they have the option to compare both
fingerprints. If the character sequences match, then the client is connected to the correct server.
The device lets you create the private and public keys (host keys) required for RSA directly in the
device. Otherwise you have the option to copy your own keys to the device in PEM format.
As an alternative, the device lets you load the RSA key (host key) from an external memory upon
restart. You activate this function in the Basic Settings > External Memory dialog, SSH key auto upload
column.
Operation
Operation
Enables/disables the SSH server.
Possible values:
• On (default setting)
The SSH server is enabled.
The access to the device management is possible through the Command Line Interface using
an encrypted SSH connection.
You can start the server only if there is an RSA signature in the device.
• Off
The SSH server is disabled.
When you disable the SSH server, the existing connections remain established. However, the
device helps prevent new connections from being set up.
Note: If the Telnet server is disabled and you also disable SSH, then the access to the Command
Line Interface is only possible through the serial interface of the device.
Configuration
TCP port
Specifies the number of the TCP port on which the device receives SSH requests from clients.
Possible values:
• 1..65535 (default setting: 22)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Sessions
Displays how many SSH connections are currently established to the device.
Sessions (max.)
Specifies the maximum number of SSH connections to the device that can be set up
simultaneously.
Possible values:
• 1..5 (default setting: 5)
Session timeout [min]
Specifies the timeout in minutes. After the user logged on has been inactive for this time, the device
ends the connection.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
• 0
Deactivates the function. The connection remains established in the case of inactivity.
• 1..160 (default setting: 5)
Fingerprint
The fingerprint is an easy to verify string that uniquely identifies the host key of the SSH server.
After importing a new host key, the device continues to display the existing fingerprint until you
restart the server.
RSA Fingerprint
Displays the fingerprint of the public host key of the SSH server.
Signature
RSA present
Displays whether an RSA host key is present in the device.
Possible values:
• marked
A key is present.
• unmarked
No key is present.
Create
Generates a host key in the device. The prerequisite is that the SSH server is disabled.
Length of the key created:
• 2048 bit (RSA)
To get the SSH server to use the generated host key, re-enable the SSH server.
Alternatively, you have the option to copy your own host key to the device in PEM format. See the
Key import frame.
Delete
Removes the host key from the device. The prerequisite is that the SSH server is disabled.
Oper status
Displays whether the device currently generates a host key.
It is possible that another user triggered this action.
Possible values:
• rsa
The device currently generates an RSA host key.
• none
The device does not generate a host key.
Key import
URL
Specifies the path and file name of your own RSA host key.
The device accepts the RSA key if it has the following key length:
• 2048 bit (RSA)
The device gives you the following options for copying the key to the device:
• Import from the PC
When the host key is located on your PC or on a network drive, drag and drop the file that
contains the key in the area. Alternatively click in the area to select the file.
• Import from an FTP server
When the key is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
• Import from a TFTP server
When the key is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
• Import from an SCP or SFTP server
When the key is on an SCP or SFTP server, specify the URL for the file in the following form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Copies the key specified in the URL field to the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[HTTP]
This tab lets you enable/disable the HTTP protocol for the web server and specify the settings
required for HTTP.
The web server provides the Graphical User Interface via an unencrypted HTTP connection. For
security reasons, disable the HTTP protocol and use the HTTPS protocol instead.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.
Note: If you change the settings in this tab and click the button, then the device ends the session
and disconnects every opened connection. To continue working with the Graphical User Interface,
log in again.
Operation
Operation
Enables/disables the HTTP protocol for the web server.
Possible values:
• On (default setting)
The HTTP protocol is enabled.
The access to the device management is possible through an unencrypted HTTP connection.
When the HTTPS protocol is also enabled, the device automatically redirects the request for an
HTTP connection to an encrypted HTTPS connection.
• Off
The HTTP protocol is disabled.
When the HTTPS protocol is enabled, the access to the device management is possible through
an encrypted HTTPS connection.
Note: If the HTTP and HTTPS protocols are disabled, then you can enable the HTTP protocol using
the Command Line Interface command http server to get to the Graphical User Interface.
Configuration
TCP port
Specifies the number of the TCP port on which the web server receives HTTP requests from clients.
Possible values:
• 1..65535 (default setting: 80)
Exception: Port 2222 is reserved for internal functions.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[HTTPS]
This tab lets you enable/disable the HTTPS protocol for the web server and specify the settings
required for HTTPS.
The web server provides the Graphical User Interface via an encrypted HTTP connection.
A digital certificate is required for the encryption of the HTTP connection. The device lets you create
this certificate yourself or load an existing certificate onto the device.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.
Note: If you change the settings in this tab and click the button, then the device ends the session
and disconnects every opened connection. To continue working with the Graphical User Interface,
log in again.
Operation
Operation
Enables/disables the HTTPS protocol for the web server.
Possible values:
• On (default setting)
The HTTPS protocol is enabled.
The access to the device management is possible through an encrypted HTTPS connection.
When there is no digital certificate present, the device generates a digital certificate before it
enables the HTTPS protocol.
• Off
The HTTPS protocol is disabled.
When the HTTP protocol is enabled, the access to the device management is possible through
an unencrypted HTTP connection.
Note: If the HTTP and HTTPS protocols are disabled, then you can enable the HTTPS protocol using
the Command Line Interface command https server to get to the Graphical User Interface.
Configuration
TCP port
Specifies the number of the TCP port on which the web server receives HTTPS requests from
clients.
Possible values:
• 1..65535 (default setting: 443)
Exception: Port 2222 is reserved for internal functions.
Fingerprint
The fingerprint is an easily verified hexadecimal number sequence that uniquely identifies the
digital certificate of the HTTPS server.
After importing a new digital certificate, the device displays the current fingerprint until you restart
the server.
Fingerprint type
Specifies which fingerprint the Fingerprint field displays.
Possible values:
• sha1
The Fingerprint field displays the SHA1 fingerprint of the certificate.
• sha256
The Fingerprint field displays the SHA256 fingerprint of the certificate.
Fingerprint
Character sequence of the digital certificate used by the server.
When you change the settings in the Fingerprint type field, click afterwards the button and then
the button to update the display.
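An added example (not part of the manual) for checking the fingerprint shown in the SSH tab and the one shown in this HTTPS tab against a value obtained over a reliable channel. It assumes the SSH fingerprint uses the OpenSSH form SHA256:<Base64> and that the certificate fingerprint is the hash of the DER-encoded certificate; the host key and certificate below are constructed byte strings, not usable credentials.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def ssh_sha256_fingerprint(pubkey_line):
    """'ssh-rsa <base64> [comment]' -> 'SHA256:<Base64 digest without padding>'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key type> <base64 blob>'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as its first length-prefixed field.
    if not blob.startswith(_ssh_string(key_type.encode("ascii"))):
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def cert_fingerprint(pem_text, kind="sha256"):
    """Hex fingerprint (sha1 or sha256) of the first CERTIFICATE block."""
    if kind not in ("sha1", "sha256"):
        raise ValueError("Fingerprint type must be sha1 or sha256")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin) + len(begin)
    body = pem_text[start:pem_text.index(end, start)]
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.new(kind, der).hexdigest()


def ssh_fingerprints_match(displayed, trusted):
    """Base64 is case-sensitive: only surrounding whitespace is ignored."""
    return displayed.strip() == trusted.strip()


def hex_fingerprints_match(displayed, trusted):
    """Ignore colons, whitespace and letter case in hexadecimal fingerprints."""
    def norm(text):
        return "".join(text.split()).replace(":", "").lower()
    return norm(displayed) == norm(trusted)


# Constructed sample inputs: syntactically valid, cryptographically meaningless.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xc1" * 256))
SAMPLE_HOST_KEY = "ssh-rsa " + base64.b64encode(_BLOB).decode("ascii") + " constructed"
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not real DER").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(ssh_sha256_fingerprint(SAMPLE_HOST_KEY))
    for kind in ("sha1", "sha256"):
        print(kind, cert_fingerprint(SAMPLE_CERT_PEM, kind))
```

Compute the trusted value from the key or certificate file before it is imported, then compare it with what the dialog displays after the server restart.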
Certificate
Note: If the device uses a certificate that is not signed by a certification authority, then the web
browser displays a message while loading the Graphical User Interface. To continue, add an
exception rule for the certificate in the web browser.
Present
Displays whether the digital certificate is present in the device.
Possible values:
• marked
The certificate is present.
• unmarked
The certificate has been removed.
Create
Generates a digital certificate in the device.
Until restarting, the web server uses the previous certificate.
To get the web server to use the newly generated certificate, restart the web server. Restarting the
web server is possible only through the Command Line Interface.
Alternatively, you have the option of copying your own certificate to the device. See the Certificate
import frame.
Delete
Deletes the digital certificate.
Until you restart the web server, it uses the previous certificate.
Oper status
Displays whether the device currently generates or deletes a digital certificate.
It is possible that another user has triggered the action.
Possible values:
 none
The device does currently not generate or delete a certificate.
 delete
The device currently deletes a certificate.
 generate
The device currently generates a certificate.
Certificate import
URL
Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
• X.509 format
• .PEM file name extension
• Base64-coded, enclosed by
– -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
as well as
– -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
• RSA key with 2048 bit length
The device gives you the following options for copying the certificate to the device:
 Import from the PC
When the certificate is located on your PC or on a network drive, drag and drop the certificate
in the
area. Alternatively click in the area to select the certificate.
 Import from an FTP server
When the certificate is on a FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
When the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
When the certificate is on an SCP or SFTP server, specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Copies the certificate specified in the URL field to the device.
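The following added example (not part of the Hirschmann manual or firmware) checks a PEM bundle against the import properties listed above and computes the sha1/sha256 fingerprint of its certificate, so that you can compare it with the value in the Fingerprint field after the web server restarts. The function names, the sample bundle and the colon-separated output format are assumptions made for the example; the RSA key length is not checked because that requires an ASN.1 parser.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_block(label, payload):
    """Wrap raw bytes in a PEM block (used only to build the sample below)."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample: the payloads are placeholder bytes, not a real key or
# certificate. A fingerprint is a hash over the decoded certificate bytes,
# so the functions behave the same way on a real PEM file.
SAMPLE_KEY_DER = b"constructed stand-in for private key bytes " * 3
SAMPLE_CERT_DER = b"constructed stand-in for certificate bytes " * 3
SAMPLE_PEM = (pem_block("PRIVATE KEY", SAMPLE_KEY_DER)
              + pem_block("CERTIFICATE", SAMPLE_CERT_DER))


def parse_pem_blocks(text):
    """Return {label: [decoded bytes, ...]} for every PEM block in text."""
    blocks = {}
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.setdefault(label, []).append(der)
    return blocks


def check_import_bundle(filename, text):
    """List the documented import properties that the file does not meet."""
    problems = []
    if not filename.lower().endswith(".pem"):
        problems.append("file name extension is not .PEM")
    try:
        blocks = parse_pem_blocks(text)
    except ValueError:  # binascii.Error is a ValueError
        return problems + ["a PEM block is not valid Base64"]
    # The labels are matched exactly, so "RSA PRIVATE KEY" does not count
    # as the "PRIVATE KEY" delimiter that the manual lists.
    for label in ("PRIVATE KEY", "CERTIFICATE"):
        if not blocks.get(label):
            problems.append(f"missing {label} block")
    return problems


def fingerprint(der, kind):
    """Colon-separated hex fingerprint; kind is 'sha1' or 'sha256'."""
    if kind not in ("sha1", "sha256"):
        raise ValueError("fingerprint type must be sha1 or sha256")
    digest = hashlib.new(kind, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_displayed(der, kind, displayed):
    """Compare with a displayed fingerprint, ignoring case and separators."""
    want = fingerprint(der, kind).replace(":", "").lower()
    got = re.sub(r"[^0-9a-fA-F]", "", displayed).lower()
    return want == got


if __name__ == "__main__":
    print(check_import_bundle("server.pem", SAMPLE_PEM))
    cert = parse_pem_blocks(SAMPLE_PEM)["CERTIFICATE"][0]
    print("sha256", fingerprint(cert, "sha256"))
```

A mismatch after import usually means that the web server has not been restarted yet and still presents the previous certificate.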
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
3.4.2 IP Access Restriction
[ Device Security > Management Access > IP Access Restriction ]
This dialog enables you to restrict the access to the device management to specific IP address
ranges and selected IP-based applications.
 If the function is disabled, then the access to the device management is possible from any IP
address and using every application.
 If the function is enabled, then the access is restricted. You have access to the device
management only under the following conditions:
– At least one table entry is activated.
and
– You are accessing the device with a permitted application from a permitted IP address range.
Operation
Note: Before you enable the function, verify that at least one active entry in the table lets you
access. Otherwise, if you change the settings, then the connection to the device terminates. The
access to the device management is possible only using the Command Line Interface through the
serial interface.
Operation
Enables/disables the IP Access Restriction function.
Possible values:
 On
The IP Access Restriction function is enabled.
The access to the device management is restricted.
 Off (default setting)
The IP Access Restriction function is disabled.
Table
You have the option of defining up to 16 table entries and activating them separately.
Index
Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
 1..16
Address
Specifies the IP address of the network from which you allow the access to the device
management. You specify the network range in the Netmask column.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Netmask
Specifies the range of the network specified in the Address column.
Possible values:
 Valid netmask (default setting: 0.0.0.0)
HTTP
Activates/deactivates the HTTP access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
HTTPS
Activates/deactivates the HTTPS access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
SNMP
Activates/deactivates the SNMP access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Telnet
Activates/deactivates the Telnet access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
SSH
Activates/deactivates the SSH access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
IEC61850-MMS
Activates/deactivates the access to the MMS server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Modbus TCP
Activates/deactivates the access to the Modbus TCP server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
EtherNet/IP
Activates/deactivates the access to the EtherNet/IP server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
PROFINET
Activates/deactivates the access to the PROFINET server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Active
Activates/deactivates the table entry.
Possible values:
 marked (default setting)
Table entry is activated. The device restricts the access to the device management to the
adjacent IP address range and the selected IP-based applications.
 unmarked
Table entry is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
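The note in the Operation frame asks you to verify, before enabling the function, that an active entry still lets you in. The following added example (not Hirschmann code) models the table and lists the management stations that would lose access. The class and function names and the sample addresses are hypothetical, and the example assumes that an entry matches when the source address lies in the network given by Address and Netmask.

```python
import ipaddress
from dataclasses import dataclass

# Application columns of the table as named in this dialog.
APPLICATIONS = frozenset({
    "HTTP", "HTTPS", "SNMP", "Telnet", "SSH",
    "IEC61850-MMS", "Modbus TCP", "EtherNet/IP", "PROFINET",
})
MAX_ENTRIES = 16


@dataclass(frozen=True)
class Entry:
    """One table row; the defaults mirror the documented default settings."""
    index: int
    address: str = "0.0.0.0"
    netmask: str = "0.0.0.0"
    apps: frozenset = APPLICATIONS  # every application checkbox marked
    active: bool = True

    def network(self):
        # strict=False accepts an Address that has host bits set.
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}",
                                     strict=False)


def validate_table(entries):
    """Return a list of problems with the planned table."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"more than {MAX_ENTRIES} entries")
    seen = set()
    for e in entries:
        if not 1 <= e.index <= MAX_ENTRIES or e.index in seen:
            problems.append(f"entry {e.index}: index must be unique in 1..16")
        seen.add(e.index)
        if e.apps - APPLICATIONS:
            problems.append(f"entry {e.index}: unknown application")
        try:
            e.network()
        except ValueError as exc:
            problems.append(f"entry {e.index}: {exc}")
    return problems


def is_permitted(entries, enabled, source_ip, app):
    """Would this source reach the management with this application?"""
    if not enabled:  # function Off: any address, every application
        return True
    src = ipaddress.IPv4Address(source_ip)
    return any(e.active and app in e.apps and src in e.network()
               for e in entries)


def lockout_check(entries, stations):
    """Stations (ip, app) that lose access once the function is On."""
    return [(ip, app) for ip, app in stations
            if not is_permitted(entries, True, ip, app)]


if __name__ == "__main__":
    # Constructed sample table and management stations.
    table = [
        Entry(1, "10.0.1.0", "255.255.255.0", frozenset({"HTTPS", "SSH"})),
        Entry(2, "192.168.7.10", "255.255.255.255", frozenset({"SNMP"}),
              active=False),
    ]
    stations = [("10.0.1.25", "HTTPS"), ("10.0.2.9", "SSH"),
                ("192.168.7.10", "SNMP")]
    print(validate_table(table))
    print(lockout_check(table, stations))
```

An empty result from lockout_check for the station you are working from means that enabling the function does not cut your own session.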
3.4.3 Web
[ Device Security > Management Access > Web ]
In this dialog, you specify settings for the Graphical User Interface.
Configuration
Web interface session timeout [min]
Specifies the timeout in minutes. After the device has been inactive for this time it ends the session
for the user logged on.
Possible values:
 0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
3.4.4 Command Line Interface
[ Device Security > Management Access > CLI ]
In this dialog, you specify settings for the Command Line Interface. You find detailed information
about the Command Line Interface in the “Command Line Interface” reference manual.
The dialog contains the following tabs:
 [Global]
 [Login banner]
[Global]
This tab lets you change the prompt in the Command Line Interface and specify the automatic
closing of sessions through the serial interface when they have been inactive.
The device has the following serial interfaces.
 V.24 interface
Configuration
Login prompt
Specifies the character string that the device displays in the Command Line Interface at the start of
every command line.
Possible values:
 Alphanumeric ASCII character string with 0..128 characters
(0x20..0x7E) including space characters
Wildcards
– %d date
– %i IP address
– %m MAC address
– %p product name
– %t time
Default setting: (RSP)
Changes to this setting are immediately effective in the active Command Line Interface session.
Serial interface timeout [min]
Specifies the time in minutes after which the device automatically closes the session of a logged
on user in the Command Line Interface via the serial interface when it has been inactive.
Possible values:
 0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.
A change in the value takes effect the next time a user logs on to the device.
For Telnet and SSH, you specify the timeout in the Device Security > Management Access > Server
dialog.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Login banner]
In this tab, you replace the start screen of the Command Line Interface with your own text.
In the default setting, the start screen displays information about the device, such as the software
version and the device settings. With the function in this tab, you deactivate this information and
replace it with an individually specified text.
To display your own text in the Command Line Interface and in the Graphical User Interface before
the login, you use the Device Security > Pre-login Banner dialog.
Operation
Operation
Enables/disables the Login banner function.
Possible values:
 On
The Login banner function is enabled.
The device displays the text information specified in the Banner text field to the users that login
to the device using the Command Line Interface.
 Off (default setting)
The Login banner function is disabled.
The start screen displays information about the device. The text information in the Banner text
field is kept.
Banner text
Banner text
Specifies the character string that the device displays in the Command Line Interface at the start of
every session.
Possible values:
 Alphanumeric ASCII character string with 0..1024 characters
(0x20..0x7E) including space characters
 <Tab>
 <Line break>
Remaining characters
Displays how many characters are still remaining in the Banner text field for the text information.
Possible values:
 1024..0
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
3.4.5 SNMPv1/v2 Community
[ Device Security > Management Access > SNMPv1/v2 Community ]
In this dialog, you specify the community name for SNMPv1/v2 applications.
Applications send requests via SNMPv1/v2 with a community name in the SNMP data packet
header. Depending on the community name, the application gets read authorization or read and
write authorization for the device.
You activate the access to the device via SNMPv1/v2 in the Device Security > Management Access >
Server dialog.
Table
Community
Displays the authorization for SNMPv1/v2 applications to the device:
 Write
For requests with the community name entered, the application receives read and write
authorization for the device.
 Read
For requests with the community name entered, the application receives read authorization for
the device.
Name
Specifies the community name for the adjacent authorization.
Possible values:
 Alphanumeric ASCII character string with 0..32 characters
private (default setting for read and write authorizations)
public (default setting for read authorization)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
3.5 Pre-login Banner
[ Device Security > Pre-login Banner ]
This dialog lets you display a greeting or information text to users before they login to the device.
The users see this text in the login dialog of the Graphical User Interface and of the Command Line
Interface. Users logging in with SSH see the text - regardless of the client used - before or during
the login.
To display the text only in the Command Line Interface, use the settings in the Device Security >
Management Access > CLI dialog.
Operation
Operation
Enables/disables the Pre-login Banner function.
Using the Pre-login Banner function, the device displays a greeting or information text in the login
dialog of the Graphical User Interface and of the Command Line Interface.
Possible values:
 On
The Pre-login Banner function is enabled.
The device displays the text specified in the Banner text field in the login dialog.
 Off (default setting)
The Pre-login Banner function is disabled.
The device does not display a text in the login dialog. When you enter a text in the Banner text
field, this text is saved in the device.
Banner text
Banner text
Specifies information text that the device displays in the Login dialog of the Graphical User Interface
and of the Command Line Interface.
Possible values:
 Alphanumeric ASCII character string with 0..512 characters
(0x20..0x7E) including space characters
 <Tab>
 <Line break>
Remaining characters
Displays how many characters are still remaining in the Banner text field.
Possible values:
 512..0
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4 Network Security
The menu contains the following dialogs:
 Network Security Overview
 Port Security
 802.1X Port Authentication
 RADIUS
 DoS
 DHCP Snooping
 Dynamic ARP Inspection
 ACL
4.1 Network Security Overview
[ Network Security > Overview ]
This dialog displays the network security rules used in the device.
Parameter
Port/VLAN
Specifies whether the device displays VLAN- and/or port-based rules.
Possible values:
 All (default setting)
The device displays the VLAN- and port-based rules specified by you.
 Port: <Port Number>
The device displays port-based rules for a specific port. This selection is available, when you
specified one or more rules for this port.
 VLAN: <VLAN ID>
The device displays VLAN-based rules for a specific VLAN. This selection is available, when
you specified one or more rules for this VLAN.
ACL
Displays the ACL rules in the overview.
You edit ACL rules in the Network Security > ACL dialog.
1:1 NAT
Displays the 1:1 NAT rules in the overview.
You edit 1:1 NAT rules in the Routing > NAT > 1:1 NAT dialog.
All
Marks the adjacent checkboxes. The device displays the related rules in the overview.
None
Unmarks the adjacent checkboxes. The device does not display any rules in the overview.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.2 Port Security
[ Network Security > Port Security ]
The device lets you transmit only data packets from desired senders on one port. When this
function is enabled, the device checks the VLAN ID and MAC address of the sender before it
transmits a data packet. The device discards data packets from other senders and logs this event.
If the Auto-Disable function is activated, the device disables the port. This restriction makes MAC
Spoofing attacks more difficult. The Auto-Disable function enables the relevant port again
automatically when the parameters are no longer being exceeded.
In this dialog a Wizard window helps you to connect the ports with one or more desired sources. In
the device these addresses are known as Static entries (/). To view the specified static addresses,
highlight the relevant port and click the
button.
To simplify the setup process, the device lets you record the desired senders automatically. The
device “learns” the senders by evaluating the received data packets. In the device these addresses
are known as Dynamic entries. When a user-defined upper limit has been reached (Dynamic limit), the
device stops the “learning” on the relevant port and transmits only the data packets of the senders
already recorded. When you adjust the upper limit to the number of expected senders, you thus
make MAC Flooding attacks more difficult.
Note: With the automatic recording of the Dynamic entries, the device constantly discards the 1st
data packet from unknown senders. Using this 1st data packet, the device checks whether the
upper limit has been reached. The device records the sender until the upper limit is reached.
Afterwards, the device transmits data packets that it receives on the relevant port from this sender.
Operation
Operation
Enables/disables the Port Security function.
Possible values:
 On
The Port Security function is enabled.
The device checks the VLAN ID and MAC address of the source before it transmits a data
packet.
The device transmits a received data packet only if its source is desired on the relevant port.
Also activate the checking of the source on the relevant ports.
 Off (default setting)
The Port Security function is disabled.
The device transmits every received data packet without checking the source.
Configuration
Auto-disable
Activates/deactivates the Auto-Disable function for Port Security.
Possible values:
 marked
The Auto-Disable function for Port Security is active.
Also mark the checkbox in the Auto-disable column for the relevant ports.
 unmarked (default setting)
The Auto-Disable function for Port Security is inactive.
Table
Port
Displays the port number.
Active
Activates/deactivates the checking of the source on the port.
Possible values:
 marked
The device checks every data packet received on the port and transmits it only if the source of
the data packet is allowed. Also enable the function in the Operation frame.
 unmarked (default setting)
The device transmits every data packet received on the port without checking the source.
Note: When you operate the device as an active subscriber within an MRP ring, we recommend
that you unmark the checkbox.
Auto-disable
Activates/deactivates the Auto-Disable function for the parameters that the Port Security function is
monitoring on the port.
Possible values:
 marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that you mark the checkbox Auto-disable in the Configuration frame.
– If the port registers source MAC addresses that are not allowed or more source MAC
addresses than specified in the Dynamic limit column, then the device disables the port. The
“Link status” LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in
the Reset timer [s] column.
 unmarked
The Auto-Disable function on the port is inactive.
Send trap
Activates/deactivates the sending of SNMP traps when the device discards data packets from an
undesired sender on the port.
Possible values:
 marked
If the device discards data packets from a sender that is not allowed on the port, then the device
sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is deactivated.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Trap interval [s]
Specifies the delay time in seconds that the device waits after sending an SNMP trap before
sending the next SNMP trap.
Possible values:
 0..3600 (default setting: 0)
The value 0 deactivates the delay time.
Dynamic limit
Specifies the upper limit for the number of automatically registered sources (Dynamic entries). When
the upper limit is reached, the device stops “learning” on this port.
Adjust the value to the number of expected sources.
If the port registers more senders than specified here, then the Auto-Disable function disables the port. The prerequisite is that you mark the checkbox in the Auto-disable column and the Auto-disable checkbox in the Configuration frame.
Possible values:
 0
Deactivates the automatic registering of sources on this port.
 1..600 (default setting: 600)
Static limit
Specifies the upper limit for the number of sources connected to the port (Static entries (/)). The
Wizard window helps you to connect the port with one or more desired sources.
Possible values:
 0..64 (default setting: 64)
The value 0 helps prevent you from connecting a source with the port.
Dynamic entries
Displays the number of senders that the device has automatically determined.
See the Wizard window, Dynamic entries field.
Static entries
Displays the number of senders that are linked with the port.
See the Wizard window, Static entries (/) field.
Last violating VLAN ID/MAC
Displays the VLAN ID and MAC address of an undesired sender whose data packets the device
last discarded on this port.
Sent traps
Displays the number of discarded data packets on this port that caused the device to send an
SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
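The interplay of Static entries, Dynamic limit and Auto-disable described in this section can be traced with a small model. This is an added example, not device firmware: the class, the outcome labels and the sample frames are hypothetical, and it assumes that the discarded first packet of a newly learned sender is not treated as a violation and that a disabled port drops every packet until it is reset.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PortSecurityModel:
    """Model of one port with source checking active."""
    static_entries: set = field(default_factory=set)   # {(vlan_id, mac)}
    dynamic_limit: int = 600                           # documented default
    auto_disable: bool = False   # global and per-port checkbox both marked
    dynamic_entries: set = field(default_factory=set)
    disabled: bool = False
    last_violation: tuple = None   # "Last violating VLAN ID/MAC"
    discarded: int = 0

    def __post_init__(self):
        self.static_entries = {(v, m.lower()) for v, m in self.static_entries}

    def receive(self, vlan_id, mac):
        """Classify one received packet by its VLAN ID and source MAC."""
        sender = (vlan_id, mac.lower())
        if self.disabled:
            self.discarded += 1
            return "port-disabled"
        if sender in self.static_entries or sender in self.dynamic_entries:
            return "forward"
        # Unknown sender: the first packet is discarded in every case.
        self.discarded += 1
        if len(self.dynamic_entries) < self.dynamic_limit:
            self.dynamic_entries.add(sender)   # later packets are forwarded
            return "learned-drop"
        # Limit reached (or learning off with limit 0): undesired sender.
        self.last_violation = sender
        if self.auto_disable:
            self.disabled = True
        return "violation-drop"

    def reset(self):
        """Stands in for the Reset timer re-enabling the port."""
        self.disabled = False


def replay(model, frames):
    """Feed (vlan_id, mac) pairs to the model and count the outcomes."""
    return Counter(model.receive(vlan, mac) for vlan, mac in frames)


# Constructed sample traffic: one static sender, one expected dynamic sender,
# the static MAC seen in another VLAN, and one further unknown sender.
SAMPLE_FRAMES = [
    (1, "00:11:22:33:44:55"),
    (1, "02:00:00:00:00:01"),
    (1, "02:00:00:00:00:01"),
    (2, "00:11:22:33:44:55"),
    (1, "02:00:00:00:00:03"),
    (1, "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for auto in (False, True):
        port = PortSecurityModel({(1, "00:11:22:33:44:55")},
                                 dynamic_limit=2, auto_disable=auto)
        print(auto, dict(replay(port, SAMPLE_FRAMES)), port.last_violation)
```

With the limit left at the default of 600, the same traffic produces no violation, which is why the section recommends adjusting Dynamic limit to the number of expected senders.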
[Port security (Wizard)]
The Wizard window helps you to connect the ports with one or more desired sources. After you
specify the settings, click the Finish button.
Note: The device saves the sources connected with the port until you deactivate the checking of
the source on the relevant port or in the Operation frame.
After closing the Wizard window, click the
button to save your settings.
[Port security (Wizard) – Select port]
Port
Specifies the port that you assign to the sender in the next step.
[Port security (Wizard) – Addresses]
VLAN ID
Specifies the VLAN ID of the desired source.
Possible values:
 1..4042
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add button.
MAC address
Specifies the MAC address of the desired source.
Possible values:
 Valid Unicast MAC address
Specify the value with a colon separator, for example 00:11:22:33:44:55.
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add button.
Add
Transfers the values specified in the VLAN ID and MAC address fields to the Static entries (/) field.
Static entries (/)
Displays the VLAN ID and MAC address of desired senders connected to the port.
The device uses this field to display the number of senders connected to the port and the upper
limit. You specify the upper limit for the number of entries in the table, Static limit field.
Note: You cannot assign a MAC address that you assign to this port to any other port.
Remove
Removes the entries highlighted in the Static entries (/) field.
Moves the entries highlighted in the Dynamic entries field to the Static entries (/) field.
Moves every entry from the Dynamic entries field to the Static entries (/) field.
When the Dynamic entries field contains more entries than are allowed in the Static entries (/) field, the
device moves the foremost entries until the upper limit is reached.
Dynamic entries
Displays in ascending order the VLAN ID and MAC address of the senders automatically recorded
on this port. The device transmits data packets from these senders when receiving the data packets
on this port.
You specify the upper limit for the number of entries in the table, Dynamic limit field.
The and buttons allow you to transfer entries from this field into the Static entries (/) field. In this
way, you connect the relevant senders with the port.
4.3 802.1X Port Authentication
[ Network Security > 802.1X Port Authentication ]
With the port-based access control according to IEEE 802.1X, the device monitors the access to
the network from connected end devices. The device (authenticator) lets an end device (supplicant)
have access to the network if it logs in with valid login data. The authenticator and the end devices
communicate via the EAPoL (Extensible Authentication Protocol over LANs) authentication
protocol.
The device supports the following methods to authenticate end devices:
 radius
A RADIUS server in the network authenticates the end devices.
 ias
The Integrated Authentication Server (IAS) implemented in the device authenticates the end
devices. Compared to RADIUS, the IAS provides only basic functions.
The menu contains the following dialogs:
 802.1X Global
 802.1X Port Configuration
 802.1X Port Clients
 802.1X EAPOL Port Statistics
 802.1X Port Authentication History
 802.1X Integrated Authentication Server
4.3.1 802.1X Global
[ Network Security > 802.1X Port Authentication > Global ]
This dialog lets you specify basic settings for the port-based access control.
Operation
Operation
Enables/disables the 802.1X Port Authentication function.
Possible values:
 On
The 802.1X Port Authentication function is enabled.
The device checks the access to the network from connected end devices.
The port-based access control is enabled.
 Off (default setting)
The 802.1X Port Authentication function is disabled.
The port-based access control is disabled.
Configuration
VLAN assignment
Activates/deactivates the assigning of the relevant port to a VLAN. This function lets you provide
selected services to the connected end device in this VLAN.
Possible values:
 marked
The assigning is active.
If the end device successfully authenticates itself, then the device assigns to the relevant port
the VLAN ID transferred by the RADIUS authentication server.
 unmarked (default setting)
The assigning is inactive.
The relevant port is assigned to the VLAN specified in the Network Security > 802.1X Port
Authentication > Port Configuration dialog, Assigned VLAN ID row.
Dynamic VLAN creation
Activates/deactivates the automatic creation of the VLAN assigned by the RADIUS authentication
server if the VLAN does not exist.
Possible values:
 marked
The automatic VLAN creation is active.
The device creates the VLAN if it does not exist.
 unmarked (default setting)
The automatic VLAN creation is inactive.
If the assigned VLAN does not exist, then the port remains assigned to the original VLAN.
Monitor mode
Activates/deactivates the monitor mode.
Possible values:
 marked
The monitor mode is active.
The device monitors the authentication and helps with diagnosing detected errors. If an end
device has not logged in successfully, then the device gives the end device access to the
network.
 unmarked (default setting)
The monitor mode is inactive.
MAC authentication bypass format options
Group size
Specifies the size of the MAC address groups. The device splits the MAC address for
authentication into groups. The size of the groups is specified in half bytes, each of which is
represented as 1 character.
Possible values:
 1
The device splits the MAC address into 12 groups of 1 character.
Example: A:A:B:B:C:C:D:D:E:E:F:F
 2
The device splits the MAC address into 6 groups of 2 characters.
Example: AA:BB:CC:DD:EE:FF
 4
The device splits the MAC address into 3 groups of 4 characters.
Example: AABB:CCDD:EEFF
 12 (default setting)
The device formats the MAC address as 1 group of 12 characters.
Example: AABBCCDDEEFF
Group separator
Specifies the character which separates the groups.
Possible values:
 - (dash)
 : (colon)
 . (dot)
Upper or lower case
Specifies whether the device formats the authentication data in lowercase or uppercase letters.
Possible values:
 lower-case
 upper-case
Password
Specifies the optional password for the clients which use the authentication bypass.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
After you enter the password, the field displays ***** (asterisks) instead of the password.
 <empty>
The device uses the username of the client also as the password.
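The format options above determine the exact user name that the authentication server has to know for each bypass client. The following added example (not Hirschmann code) builds that string from the Group size, Group separator and Upper or lower case settings and reports the clients that have no matching user. The function names and sample addresses are hypothetical, and the example assumes that the server compares user names as exact strings.

```python
import re

# Setting values as listed in the dialog.
GROUP_SIZES = (1, 2, 4, 12)
SEPARATORS = {"dash": "-", "colon": ":", "dot": "."}
CASES = ("lower-case", "upper-case")


def normalize_mac(mac):
    """Accept common MAC notations and return 12 lowercase hex characters."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mab_username(mac, group_size, separator, case):
    """Format a MAC address according to the bypass format options."""
    if group_size not in GROUP_SIZES:
        raise ValueError("group size must be 1, 2, 4 or 12")
    if separator not in SEPARATORS:
        raise ValueError("separator must be dash, colon or dot")
    if case not in CASES:
        raise ValueError("case must be lower-case or upper-case")
    digits = normalize_mac(mac)
    groups = [digits[i:i + group_size] for i in range(0, 12, group_size)]
    name = SEPARATORS[separator].join(groups)  # one group: no separator
    return name.upper() if case == "upper-case" else name


def mab_credentials(mac, group_size, separator, case, password=""):
    """Return (user name, password); an empty Password field means the
    user name is also used as the password, as the dialog describes."""
    user = mab_username(mac, group_size, separator, case)
    return user, (password or user)


def missing_users(macs, known_users, group_size, separator, case):
    """MAC addresses whose formatted user name is not in known_users."""
    return [mac for mac in macs
            if mab_username(mac, group_size, separator, case)
            not in known_users]


if __name__ == "__main__":
    # Constructed sample: two clients and the user names held by the server.
    clients = ["00:11:22:33:44:55", "02-00-00-aa-bb-cc"]
    server_users = {"001122334455", "02:00:00:AA:BB:CC"}
    print(mab_credentials(clients[0], 12, "colon", "upper-case"))
    print(missing_users(clients, server_users, 12, "colon", "upper-case"))
```

A client reported by missing_users fails the bypass only because of notation, so either the format options or the user entry need to change.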
Information
Monitor mode clients
Displays to how many end devices the device gave network access even though they did not login
successfully.
The prerequisite is that you activate the Monitor mode function. See the Configuration frame.
Non monitor mode clients
Displays the number of end devices to which the device gave network access after successful login.
Policy 1
Displays the method that the device currently uses to authenticate the end devices using
IEEE 802.1X.
You specify the method used in the Device Security > Authentication List dialog.
 To authenticate the end devices through a RADIUS server, you assign the radius policy to the
8021x list.
 To authenticate the end devices through the Integrated Authentication Server (IAS) you assign
the ias policy to the 8021x list.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.3.2 802.1X Port Configuration
[ Network Security > 802.1X Port Authentication > Port Configuration ]
This dialog lets you specify the access settings for every port.
When multiple end devices are connected to a port, the device lets you authenticate these
individually (multi-client authentication). In this case, the device lets logged in end devices have
access to the network. In contrast, the device blocks access for unauthenticated end devices, or
for end devices whose authentication has elapsed.
Table
Port
Displays the port number.
Port initialization
Activates/deactivates the port initialization in order to activate the access control on the port or reset
it to its initial state. Use this function only on ports in which the Port control column contains the value
auto or multiClient.
Possible values:
 marked
The port initialization is active.
When the initialization is complete, the device changes the value to unmarked again.
 unmarked (default setting)
The port initialization is inactive.
The device keeps the current port status.
Port reauthentication
Activates/deactivates the one-time reauthentication request.
Use this function only on ports in which the Port control column contains the value auto or
multiClient.
The device also lets you periodically request the end device to login again. See the Periodic
reauthentication column.
Possible values:
 marked
The one-time reauthentication request is active.
The device requests the end device to login again. Afterwards, the device changes the value to
unmarked again.
 unmarked (default setting)
The one-time reauthentication request is inactive.
The device keeps the end device logged in.
Authentication activity
Displays the current status of the Authenticator (Authenticator PAE state).
Possible values:
• initialize
• disconnected
• connecting
• authenticating
• authenticated
• aborting
• held
• forceAuth
• forceUnauth
Backend authentication state
Displays the current status of the connection to the authentication server (Backend
Authentication state).
Possible values:
• request
• response
• success
• fail
• timeout
• idle
• initialize
Authentication state
Displays the current status of the authentication on the port (Controlled Port Status).
Possible values:
• authorized
The end device is logged in successfully.
• unauthorized
The end device is not logged in.
Users (max.)
Specifies the upper limit for the number of end devices that the device authenticates on this port at
the same time. This upper limit applies only to ports in which the Port control column contains the
value multiClient.
Possible values:
 1..16 (default setting: 16)
Port control
Specifies how the device grants access to the network (Port control mode).
Possible values:
• forceUnauthorized
The device blocks the access to the network. You use this setting if an end device is connected
to the port that does not receive access to the network.
• auto
The device grants access to the network if the end device logged in successfully. You use this
setting if an end device is connected to the port that logs in at the authenticator.
Note: If other end devices are connected through the same port, then they get access to the
network without additional authentication.
• forceAuthorized (default setting)
When end devices do not support IEEE 802.1X, the device grants access to the network. You
use this setting if an end device is connected to the port that receives access to the network
without logging in.
• multiClient
The device grants access to the network if the end device logs in successfully.
If the end device does not send any EAPOL data packets, then the device grants or denies
access to the network individually depending on the MAC address of the end device. See the
MAC authorized bypass column.
You use this setting if multiple end devices are connected to the port or if the MAC authorized
bypass function is required.
Quiet period [s]
Specifies the time period in seconds in which the authenticator does not accept any more logins
from the end device after an unsuccessful login attempt (Quiet period [s]).
Possible values:
• 0..65535 (default setting: 60)
Transmit period [s]
Specifies the period in seconds after which the authenticator requests the end device to log in again.
After this waiting period, the device sends an EAP request/identity data packet to the end device.
Possible values:
• 1..65535 (default setting: 30)
Supplicant timeout period [s]
Specifies the period in seconds for which the authenticator waits for the login of the end device.
Possible values:
 1..65535 (default setting: 30)
Server timeout [s]
Specifies the period in seconds for which the authenticator waits for the response from the
authentication server (RADIUS or IAS).
Possible values:
 1..65535 (default setting: 30)
Requests (max.)
Specifies how many times the authenticator requests the end device to log in until the time specified
in the Supplicant timeout period [s] column has elapsed. The device sends an EAP request/identity
data packet to the end device as often as specified here.
Possible values:
• 0..10 (default setting: 2)
Assigned VLAN ID
Displays the ID of the VLAN that the authenticator assigned to the port. This value applies only on
ports in which the Port control column contains the value auto.
Possible values:
 0..4042 (default setting: 0)
You find the VLAN ID that the authenticator assigned to the ports in the Network Security > 802.1X
Port Authentication > Port Clients dialog.
For the ports in which the Port control column contains the value multiClient, the device assigns
the VLAN tag based on the MAC address of the end device when receiving data packets without a
VLAN tag.
Assignment reason
Displays the cause for the assignment of the VLAN ID. This value applies only on ports in which
the Port control column contains the value auto.
Possible values:
• notAssigned (default setting)
• radius
• guestVlan
• unauthenticatedVlan
You find the VLAN ID that the authenticator assigned to the ports for a supplicant in the Network
Security > 802.1X Port Authentication > Port Clients dialog.
Reauthentication period [s]
Specifies the period in seconds after which the authenticator periodically requests the end device
to log in again.
Possible values:
• 1..65535 (default setting: 3600)
Periodic reauthentication
Activates/deactivates periodic reauthentication requests.
Possible values:
• marked
The periodic reauthentication requests are active.
The device periodically requests the end device to log in again. You specify this time period in
the Reauthentication period [s] column.
If the authenticator assigned the ID of a Voice VLAN, Unauthenticated VLAN or Guest VLAN to
the end device, then this setting becomes ineffective.
• unmarked (default setting)
The periodic reauthentication requests are inactive.
The device keeps the end device logged in.
Guest VLAN ID
Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not
log in during the time period specified in the Guest VLAN period column. This value applies only on
ports in which the Port control column contains the value auto or multiClient.
This function lets you grant end devices, without IEEE 802.1X support, access to selected services
in the network.
Possible values:
• 0 (default setting)
The authenticator does not assign a Guest VLAN to the port.
When you enable the MAC-based authentication in the MAC authorized bypass column, the
device automatically sets the value to 0.
• 1..4042
Note: The MAC authorized bypass function and the Guest VLAN ID function cannot be in use
simultaneously.
Guest VLAN period
Specifies the period in seconds for which the authenticator waits for EAPOL data packets after the
end device is connected. If this period elapses, then the authenticator grants the end device access
to the network and assigns the port to the Guest VLAN specified in the Guest VLAN ID column.
Possible values:
 1..300 (default setting: 90)
Unauthenticated VLAN ID
Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not
log in successfully. This value applies only on ports in which the Port control column contains the
value auto.
This function lets you grant end devices without valid login data access to selected services in the
network.
Possible values:
• 0..4042 (default setting: 0)
The effect of the value 0 is that the authenticator does not assign an Unauthenticated VLAN to the
port.
Note: Assign to the port a VLAN set up statically in the device.
MAC authorized bypass
Activates/deactivates the MAC-based authentication.
This function lets you authenticate end devices without IEEE 802.1X support on the basis of their
MAC address.
Possible values:
• marked
The MAC-based authentication is active.
The device sends the MAC address of the end device to the RADIUS authentication server. The
device assigns the supplicant by its MAC address to the corresponding VLAN as if the
authentication was performed through IEEE 802.1X directly.
• unmarked (default setting)
The MAC-based authentication is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.3.3 802.1X Port Clients
[ Network Security > 802.1X Port Authentication > Port Clients ]
This dialog displays information on the connected end devices.
Table
Port
Displays the port number.
User name
Displays the user name with which the end device logged in.
MAC address
Displays the MAC address of the end device.
Filter ID
Displays the name of the filter list that the RADIUS authentication server assigned to the end device
after successful authentication.
The authentication server transfers the filter ID attributes in the Access Accept data packet.
Assigned VLAN ID
Displays the VLAN ID that the authenticator assigned to the port after the successful authentication
of the end device.
If the Port control column in the Network Security > 802.1X Port Authentication > Port Configuration dialog
contains the value multiClient for the port, then the device assigns the VLAN tag based on the
MAC address of the end device when receiving data packets without a VLAN tag.
Assignment reason
Displays the reason for the assignment of the VLAN.
Possible values:
• default
• radius
• unauthenticatedVlan
• guestVlan
• monitorVlan
• invalid
The field only displays a valid value as long as the client is authenticated.
Session timeout
Displays the remaining time in seconds until the login of the end device expires. This value applies
only if the Port control column in the Network Security > 802.1X Port Authentication > Port Configuration
dialog contains the value auto or multiClient for the port.
The authentication server assigns the timeout period to the device through RADIUS. The value 0
means that the authentication server has not assigned a timeout.
Termination action
Displays the action performed by the device when the login has elapsed.
Possible values:
• default
• reauthenticate
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.3.4 802.1X EAPOL Port Statistics
[ Network Security > 802.1X Port Authentication > Statistics ]
This dialog displays which EAPOL data packets the end device has sent and received for the
authentication of the end devices.
Table
Port
Displays the port number.
Received packets
Displays the total number of EAPOL data packets that the device received on the port.
Transmitted packets
Displays the total number of EAPOL data packets that the device sent on the port.
Start packets
Displays the number of EAPOL start data packets that the device received on the port.
Logoff packets
Displays the number of EAPOL logoff data packets that the device received on the port.
Response/ID packets
Displays the number of EAP response/identity data packets that the device received on the port.
Response packets
Displays the number of valid EAP response data packets that the device received on the port
(without EAP response/identity data packets).
Request/ID packets
Displays the number of EAP request/identity data packets that the device received on the port.
Request packets
Displays the number of valid EAP request data packets that the device received on the port (without
EAP request/identity data packets).
Invalid packets
Displays the number of EAPOL data packets with an unknown frame type that the device received
on the port.
Received error packets
Displays the number of EAPOL data packets with an invalid packet body length field that the device
received on the port.
Packet version
Displays the protocol version number of the EAPOL data packet that the device last received on
the port.
Source of last received packet
Displays the sender MAC address of the EAPOL data packet that the device last received on the
port.
The value 00:00:00:00:00:00 means that the port has not received any EAPOL data packets yet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
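The receive-side columns above can be reproduced from raw frames, which helps when you compare the dialog with a packet capture from the same port. The following is an added example, not code from this manual or from the device software. The class name, the sample frames and the MAC address are constructed, and the rule that an EAP length differing from the EAPOL body length counts as a length error is an assumption.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
EAP_PACKET, START, LOGOFF, KEY, ASF_ALERT = range(5)   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


class PortEapolStats:
    """Per-port counters named after the columns of the Statistics dialog."""

    def __init__(self):
        self.counters = Counter()
        self.packet_version = 0
        self.last_source = "00:00:00:00:00:00"   # value shown before any EAPOL frame

    def receive(self, frame: bytes) -> str:
        """Account for one received Ethernet frame; return the column it was counted in."""
        if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_EAPOL:
            return "not EAPOL"
        self.counters["Received packets"] += 1
        self.last_source = ":".join(f"{b:02x}" for b in frame[6:12])
        self.packet_version = frame[14]
        body_length = struct.unpack_from("!H", frame, 16)[0]
        column = self._classify(frame[15], body_length, frame[18:])
        if column:
            self.counters[column] += 1
        return column or "Received packets"

    @staticmethod
    def _classify(packet_type, body_length, rest):
        if packet_type not in (EAP_PACKET, START, LOGOFF, KEY, ASF_ALERT):
            return "Invalid packets"                 # unknown frame type
        if body_length > len(rest):                  # claims more body than was received
            return "Received error packets"
        if packet_type == START:
            return "Start packets"
        if packet_type == LOGOFF:
            return "Logoff packets"
        if packet_type != EAP_PACKET:
            return None                              # Key / ASF alert: no dedicated column
        body = rest[:body_length]                    # Ethernet padding may follow the body
        if len(body) < 4:
            return "Received error packets"
        code, _ident, eap_length = struct.unpack_from("!BBH", body)
        if eap_length != body_length:
            return "Received error packets"          # assumption: lengths must agree
        if code != EAP_RESPONSE or eap_length < 5:
            return None                              # not a valid EAP response
        if body[4] == EAP_TYPE_IDENTITY:
            return "Response/ID packets"
        return "Response packets"


def eapol_frame(src, packet_type, body=b"", version=1, body_length=None):
    """Constructed sample frame addressed to the PAE group address 01:80:C2:00:00:03."""
    length = len(body) if body_length is None else body_length
    return (bytes.fromhex("0180c2000003") + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, packet_type, length) + body)


def eap_response(ident, eap_type, data):
    """Constructed sample EAP response with a correct length field."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data


def demo():
    """Feed six constructed frames from one supplicant into a fresh counter set."""
    stats = PortEapolStats()
    src = "02:00:00:00:00:17"                        # constructed supplicant MAC
    for frame in (
        eapol_frame(src, START),
        eapol_frame(src, EAP_PACKET, eap_response(1, EAP_TYPE_IDENTITY, b"plc-17")),
        eapol_frame(src, EAP_PACKET, eap_response(2, 4, b"\x00" * 17)),  # type 4: MD5-Challenge
        eapol_frame(src, 9),                                             # unknown packet type
        eapol_frame(src, EAP_PACKET, b"\x02\x03", body_length=40),       # truncated body
        eapol_frame(src, LOGOFF, version=2),
    ):
        stats.receive(frame)
    return stats


if __name__ == "__main__":
    result = demo()
    for name, value in result.counters.items():
        print(f"{name:24} {value}")
    print("Packet version", result.packet_version, "from", result.last_source)
```

A rising Invalid packets or Received error packets count on a port whose Source of last received packet is not a known supplicant is worth correlating with the Port Authentication History dialog.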
4.3.5 802.1X Port Authentication History
[ Network Security > 802.1X Port Authentication > Port Authentication History ]
The device registers the authentication process of the end devices that are connected to its ports.
This dialog displays the information recorded during the authentication.
Table
Port
Displays the port number.
Authentification time stamp
Displays the time at which the authenticator authenticated the end device.
Result age
Displays how long ago this entry was entered in the table.
MAC address
Displays the MAC address of the end device.
VLAN ID
Displays the ID of the VLAN that was assigned to the end device before the login.
Authentication status
Displays the status of the authentication on the port.
Possible values:
• success
The authentication was successful.
• failure
The authentication failed.
Access status
Displays whether the device grants the end device access to the network.
Possible values:
• granted
The device grants the end device access to the network.
• denied
The device denies the end device access to the network.
Assigned VLAN ID
Displays the ID of the VLAN that the authenticator assigned to the port.
Assignment type
Displays the type of the VLAN that the authenticator assigned to the port.
Possible values:
• default
• radius
• unauthenticatedVlan
• guestVlan
• monitorVlan
• notAssigned
Assignment reason
Displays the reason for the assignment of the VLAN ID and the VLAN type.
802.1X Port Authentication History
Port
Simplifies the table and displays only the entries relating to the port selected here. This makes it
easier for you to record the table and sort it as you desire.
Possible values:
• all
The table displays the entries for every port.
• <Port number>
The table displays the entries that apply to the port selected here.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.3.6 802.1X Integrated Authentication Server
[ Network Security > 802.1X Port Authentication > Integrated Authentication Server ]
The Integrated Authentication Server (IAS) lets you authenticate end devices using IEEE 802.1X.
Compared to RADIUS, the IAS has a very limited range of functions. The authentication is based
only on the user name and the password.
In this dialog you manage the login data of the end devices. The device lets you set up to 100 sets
of login data.
To authenticate the end devices through the Integrated Authentication Server, you assign the ias
policy to the 8021x list in the Device Security > Authentication List dialog.
Table
User name
Displays the user name of the end device.
To create a new user, click the
button.
Password
Specifies the password with which the user authenticates.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
The device differentiates between upper and lower case.
Active
Activates/deactivates the login data.
Possible values:
• marked
The login data is active. An end device has the option of logging in through IEEE 802.1X using
this login data.
• unmarked (default setting)
The login data is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.4 RADIUS
[ Network Security > RADIUS ]
With its factory settings, the device authenticates users based on the local user management.
However, as the size of a network increases, it becomes more difficult to keep the login data of the
users consistent across the devices.
RADIUS (Remote Authentication Dial-In User Service) lets you authenticate and authorize the
users at a central point in the network. A RADIUS server performs the following tasks here:
• Authentication
The authentication server authenticates the users when the RADIUS client at the access point
forwards the login data of the users to the server.
• Authorization
The authentication server authorizes logged in users for selected services by assigning various
parameters for the relevant end device to the RADIUS client at the access point.
• Accounting
The accounting server records the traffic data that has occurred during the port authentication
according to IEEE 802.1X. This enables you to subsequently determine which services the
users have used, and to what extent.
If you assign the radius policy to an application in the Device Security > Authentication List dialog,
then the device operates in the role of the RADIUS client. The device forwards the users’ login data
to the primary authentication server. The authentication server decides whether the login data is
valid and transfers the user’s authorizations to the device.
The device assigns the Service Type transferred in the response of a RADIUS server as follows to
a user role existing in the device:
• Administrative-User: administrator
• Login-User: operator
• NAS-Prompt-User: guest
The device also lets you authenticate end devices with IEEE 802.1X through an authentication
server. To do this, you assign the radius policy to the 8021x list in the Device Security >
Authentication List dialog.
The menu contains the following dialogs:
• RADIUS Global
• RADIUS Authentication Server
• RADIUS Accounting Server
• RADIUS Authentication Statistics
• RADIUS Accounting Statistics
4.4.1 RADIUS Global
[ Network Security > RADIUS > Global ]
This dialog lets you specify basic settings for RADIUS.
RADIUS configuration
Retransmits (max.)
Specifies how many times the device retransmits an unanswered request to the authentication
server before the device sends the request to an alternative authentication server.
Possible values:
 1..15 (default setting: 4)
Timeout [s]
Specifies how many seconds the device waits for a response after a request to an authentication
server before it retransmits the request.
Possible values:
 1..30 (default setting: 5)
Accounting
Activates/deactivates the accounting.
Possible values:
• marked
Accounting is active.
The device sends the traffic data to an accounting server specified in the Network Security >
RADIUS > Accounting Server dialog.
• unmarked (default setting)
Accounting is inactive.
NAS IP address (attribute 4)
Specifies the IP address that the device transfers to the authentication server as attribute 4. Specify
the IP address of the device or another available address.
Possible values:
• Valid IPv4 address (default setting: 0.0.0.0)
In many cases, there is a firewall between the device and the authentication server. The Network
Address Translation (NAT) in the firewall changes the original IP address, and the authentication
server receives the translated IP address of the device.
The device transfers the IP address in this field unchanged across the Network Address Translation
(NAT).
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Deletes the statistics in the Network Security > RADIUS > Authentication Statistics dialog and in the
Network Security > RADIUS > Accounting Statistics dialog.
4.4.2 RADIUS Authentication Server
[ Network Security > RADIUS > Authentication Server ]
This dialog lets you specify up to 8 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the login data to the specified primary authentication server. When the server
does not respond, the device contacts the specified authentication server that is highest in the
table. When no response comes from this server either, the device contacts the next server in the
table.
Table
Index
Displays the index number to which the table entry relates.
Name
Displays the name of the server.
To change the value, click the relevant field.
Possible values:
• Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
Address
Specifies the IP address of the server.
Possible values:
• Valid IPv4 address
Destination UDP port
Specifies the number of the UDP port on which the server receives requests.
Possible values:
 0..65535 (default setting: 1812)
Exception: Port 2222 is reserved for internal functions.
Secret
Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
• Alphanumeric ASCII character string with 1..64 characters
You get the password from the administrator of the authentication server.
Primary server
Specifies the authentication server as primary or secondary.
Possible values:
• marked
The server is specified as the primary authentication server. The device sends the login data for
authenticating the users to this authentication server.
When you activate multiple servers, the device specifies the last server activated as the primary
authentication server.
• unmarked (default setting)
The server is the secondary authentication server. When the device does not receive a
response from the primary authentication server, the device sends the login data to the
secondary authentication server.
Active
Activates/deactivates the connection to the server.
The device uses the server if you specify the value radius in one of the rows Policy 1 to Policy 5
in the Device Security > Authentication List dialog.
Possible values:
• marked (default setting)
The connection is active. The device sends the login data for authenticating the users to this
server if the preconditions named above are fulfilled.
• unmarked
The connection is inactive. The device does not send any login data to this server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
• In the Index field, you specify the index number.
• In the Address field, you specify the IP address of the server.
4.4.3 RADIUS Accounting Server
[ Network Security > RADIUS > Accounting Server ]
This dialog lets you specify up to 8 accounting servers. An accounting server records the traffic data
that has occurred during the port authentication according to IEEE 802.1X. The prerequisite is that
you activate the Accounting function in the Network Security > RADIUS > Global menu.
The device sends the traffic data to the first accounting server that can be reached. When the
accounting server does not respond, the device contacts the next server in the table.
Table
Index
Displays the index number to which the table entry relates.
Possible values:
 1..8
Name
Displays the name of the server.
To change the value, click the relevant field.
Possible values:
• Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
Address
Specifies the IP address of the server.
Possible values:
• Valid IPv4 address
Destination UDP port
Specifies the number of the UDP port on which the server receives requests.
Possible values:
 0..65535 (default setting: 1813)
Exception: Port 2222 is reserved for internal functions.
Secret
Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
• Alphanumeric ASCII character string with 1..16 characters
You get the password from the administrator of the authentication server.
Active
Activates/deactivates the connection to the server.
Possible values:
• marked (default setting)
The connection is active. The device sends traffic data to this server if the preconditions named
above are fulfilled.
• unmarked
The connection is inactive. The device does not send any traffic data to this server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
• In the Index field, you specify the index number.
• In the Address field, you specify the IP address of the server.
4.4.4 RADIUS Authentication Statistics
[ Network Security > RADIUS > Authentication Statistics ]
This dialog displays information about the communication between the device and the
authentication server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS >
Global dialog.
Table
Name
Displays the name of the server.
Address
Displays the IP address of the server.
Round trip time
Displays the time interval in hundredths of a second between the last response received from the
server (Access Reply/Access Challenge) and the corresponding data packet sent (Access
Request).
Access requests
Displays the number of access data packets that the device sent to the server. This value does not
take repetitions into account.
Retransmitted access-request packets
Displays the number of access data packets that the device retransmitted to the server.
Access accepts
Displays the number of access accept data packets that the device received from the server.
Access rejects
Displays the number of access reject data packets that the device received from the server.
Access challenges
Displays the number of access challenge data packets that the device received from the server.
Malformed access responses
Displays the number of malformed access response data packets that the device received from the
server (including data packets with an invalid length).
Bad authenticators
Displays the number of access response data packets with an invalid authenticator that the device
received from the server.
Pending requests
Displays the number of access request data packets that the device sent to the server and for which
it has not yet received a response.
Timeouts
Displays how many times no response from the server was received before the specified waiting time
elapsed.
Unknown types
Displays the number of data packets with an unknown data type that the device received from the
server on the authentication port.
Packets dropped
Displays the number of data packets that the device received from the server on the authentication
port and then discarded.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
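What separates the Malformed access responses, Unknown types and Bad authenticators columns becomes clearer when a response is validated step by step as RFC 2865 defines it, including the Service-Type mapping to user roles listed in the RADIUS section. The following is an added example, not code from this manual or from the device software. The function names, the shared secret and the sample packets are constructed, and the order of the checks is an assumption about how a client would count.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access accepts", 3: "Access rejects", 11: "Access challenges"}
ROLE_BY_SERVICE_TYPE = {6: "administrator", 1: "operator", 7: "guest"}  # mapping from the manual
SERVICE_TYPE, FILTER_ID, SESSION_TIMEOUT = 6, 11, 27   # RFC 2865 attribute types


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(data):
    """Split the attribute area into {type: value}; None if a length field is wrong."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            return None
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            return None
        attrs.setdefault(atype, data[pos + 2:pos + alen])
        pos += alen
    return attrs


def classify_response(packet, request_auth, secret):
    """Return (statistics column, details) for one datagram received from the server."""
    if len(packet) < 20:
        return "Malformed access responses", {}
    code, ident, length = struct.unpack_from("!BBH", packet)
    if not 20 <= length <= 4096 or length > len(packet):
        return "Malformed access responses", {}
    attr_bytes = packet[20:length]              # octets beyond Length are padding
    attrs = parse_attributes(attr_bytes)
    if attrs is None:
        return "Malformed access responses", {}
    if code not in CODES:
        return "Unknown types", {}
    expected = response_authenticator(code, ident, attr_bytes, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "Bad authenticators", {}         # wrong secret or modified in transit
    details = {}
    if code == 2:
        if len(attrs.get(SERVICE_TYPE, b"")) == 4:
            value = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
            details["role"] = ROLE_BY_SERVICE_TYPE.get(value)
        if len(attrs.get(SESSION_TIMEOUT, b"")) == 4:
            details["session_timeout"] = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
        if FILTER_ID in attrs:
            details["filter_id"] = attrs[FILTER_ID].decode("utf-8", "replace")
    return CODES[code], details


def sample_response(code, ident, attrs, request_auth, secret):
    """Constructed sample: the datagram a server holding the same secret would send."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


# Constructed sample values, not taken from any real installation.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT_ATTRS = (struct.pack("!BBI", SERVICE_TYPE, 6, 7)            # NAS-Prompt-User
                + struct.pack("!BBI", SESSION_TIMEOUT, 6, 3600)
                + bytes([FILTER_ID, 9]) + b"acl-plc")
ACCEPT = sample_response(2, 42, ACCEPT_ATTRS, REQUEST_AUTH, SECRET)
TAMPERED = bytearray(ACCEPT)
TAMPERED[25] = 6                                # Service-Type rewritten to Administrative-User
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for name, pkt in (("accept", ACCEPT), ("tampered", TAMPERED),
                      ("truncated", ACCEPT[:-3]),
                      ("accounting code", sample_response(5, 42, b"", REQUEST_AUTH, SECRET))):
        print(f"{name:16} -> {classify_response(pkt, REQUEST_AUTH, SECRET)}")
```

The tampered sample shows why a non-zero Bad authenticators count matters: the Service-Type decides the user role, and only the authenticator check ties that value to the shared secret.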
4.4.5 RADIUS Accounting Statistics
[ Network Security > RADIUS > Accounting Statistics ]
This dialog displays information about the communication between the device and the accounting
server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS >
Global dialog.
Table
Name
Displays the name of the server.
Address
Displays the IP address of the server.
Round trip time
Displays the time interval in hundredths of a second between the last response received from the
server (Accounting Response) and the corresponding data packet sent (Accounting Request).
Accounting-request packets
Displays the number of accounting request data packets that the device sent to the server. This
value does not take repetitions into account.
Retransmitted accounting-request packets
Displays the number of accounting request data packets that the device retransmitted to the server.
Received packets
Displays the number of accounting response data packets that the device received from the server.
Malformed packets
Displays the number of malformed accounting response data packets that the device received from
the server (including data packets with an invalid length).
Bad authenticators
Displays the number of accounting response data packets with an invalid authenticator that the
device received from the server.
Pending requests
Displays the number of accounting request data packets that the device sent to the server and for
which it has not yet received a response.
Timeouts
Displays how many times no response from the server was received before the specified waiting time
elapsed.
Unknown types
Displays the number of data packets with an unknown data type that the device received from the
server on the accounting port.
Packets dropped
Displays the number of data packets that the device received from the server on the accounting
port and then discarded.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.5 DoS
[ Network Security > DoS ]
Denial of Service (DoS) is a cyber-attack that aims to bring down specific services or devices. In
this dialog you can set up several filters to help protect the device itself and other devices in the
network from DoS attacks.
The menu contains the following dialogs:
• DoS Global
4.5.1 DoS Global
[ Network Security > DoS > Global ]
In this dialog, you specify the DoS settings for the TCP/UDP, IP and ICMP protocols.
TCP/UDP
A scanner uses port scans to prepare network attacks. The scanner uses different techniques to
determine running devices and open ports. This frame lets you activate filters for specific scanning
techniques.
The device supports the detection of the following scan types:
• Null scans
• Xmas scans
• SYN/FIN scans
• TCP Offset attacks
• TCP SYN attacks
• L4 Port attacks
• Minimal Header scans
Null Scan filter
Activates/deactivates the Null Scan filter.
The Null Scan filter detects incoming data packets with no TCP flags set and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
Xmas filter
Activates/deactivates the Xmas filter.
The Xmas filter detects incoming data packets with the TCP flags FIN, URG and PUSH set
simultaneously and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
SYN/FIN filter
Activates/deactivates the SYN/FIN filter.
The SYN/FIN filter detects incoming data packets with the TCP flags SYN and FIN set
simultaneously and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
TCP Offset protection
Activates/deactivates the TCP Offset protection.
The TCP Offset protection detects incoming TCP data packets whose fragment offset field of the
IP header is equal to 1 and discards them.
The TCP Offset protection accepts UDP and ICMP packets whose fragment offset field of the IP
header is equal to 1.
Possible values:
• marked
The protection is active.
• unmarked (default setting)
The protection is inactive.
TCP SYN protection
Activates/deactivates the TCP SYN protection.
The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4 source
port <1024 and discards them.
Possible values:
• marked
The protection is active.
• unmarked (default setting)
The protection is inactive.
L4 Port protection
Activates/deactivates the L4 Port protection.
The L4 Port protection detects incoming TCP and UDP data packets whose source port number
and destination port number are identical and discards them.
Possible values:
• marked
The protection is active.
• unmarked (default setting)
The protection is inactive.
Min. Header Size filter
Activates/deactivates the Minimal Header filter.
The Minimal Header filter detects incoming data packets whose IP payload length in the IP header
less the outer IP header size is smaller than the minimum TCP header size. If this is the first
fragment that the device detects, then the device discards the data packet.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
Min. TCP header size
Displays the minimum size of a valid TCP header.
IP
This frame lets you activate or deactivate the Land Attack filter. With the land attack method, the
attacking station sends data packets whose source and destination addresses are identical to
those of the recipient. When you activate this filter, the device detects data packets with identical
source and destination addresses and discards these data packets.
Land Attack filter
Activates/deactivates the Land Attack filter.
The Land Attack filter detects incoming IP data packets whose source and destination IP address
are identical and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
ICMP
This dialog provides you with filter options for the following ICMP parameters:
• Fragmented data packets
• ICMP packets from a specific size upwards
• Broadcast pings
Filter fragmented packets
Activates/deactivates the filter for fragmented ICMP packets.
The filter detects fragmented ICMP packets and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
Filter by packet size
Activates/deactivates the filter for incoming ICMP packets.
The filter detects ICMP packets whose payload size exceeds the size specified in the Allowed
payload size [byte] field and discards them.
Possible values:
• marked
The filter is active.
• unmarked (default setting)
The filter is inactive.
Allowed payload size [byte]
Specifies the maximum allowed payload size of ICMP packets in bytes.
Mark the Filter by packet size checkbox if you want the device to discard incoming data packets
whose payload size exceeds the maximum allowed size for ICMP packets.
Possible values:
• 0..1472 (default setting: 512)
Drop broadcast ping
Activates/deactivates the filter for Broadcast Pings. Broadcast Pings are a known indicator of
Smurf Attacks.
Possible values:
• marked
The filter is active.
The device detects Broadcast Pings and drops them.
• unmarked (default setting)
The filter is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
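The filter conditions in this dialog, written out as a Python classifier over raw IPv4 packets. This is an added example, not code from the manual or from Hirschmann; the function names, the 20-byte value for Min. TCP header size, the reading of the Xmas condition as "at least FIN, URG and PUSH set" and the broadcast_addrs parameter are assumptions, and the packets are constructed sample input.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
MIN_TCP_HEADER = 20  # assumption: value shown in the "Min. TCP header size" field
ICMP_HEADER = 8      # type, code, checksum, identifier, sequence number


def ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Constructed sample input: 20-byte IPv4 header (checksum left 0) plus payload."""
    frag = (0x2000 if more_fragments else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(sport, dport, flags):
    """Constructed sample input: 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport, data=b""):
    """Constructed sample input: UDP header plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo(data=b""):
    """Constructed sample input: ICMP echo request (type 8) plus data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def matching_filters(packet, icmp_max_payload=512,
                     broadcast_addrs=("255.255.255.255",)):
    """Names of the DoS Global checkboxes whose condition this packet meets."""
    (ver_ihl, _, total_len, _, frag, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset, more = frag & 0x1FFF, bool(frag & 0x2000)
    l4 = packet[ihl:total_len]
    hits = []
    if src == dst:
        hits.append("Land Attack filter")
    if proto == 6:  # TCP
        if offset == 1:
            hits.append("TCP Offset protection")
        elif offset == 0 and total_len - ihl < MIN_TCP_HEADER:
            # IP payload length less the IP header size, first fragment only
            hits.append("Min. Header Size filter")
        elif offset == 0:
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13] & 0x3F
            if flags == 0:
                hits.append("Null Scan filter")
            if flags & (FIN | URG | PSH) == (FIN | URG | PSH):
                hits.append("Xmas filter")
            if flags & (SYN | FIN) == (SYN | FIN):
                hits.append("SYN/FIN filter")
            if flags & SYN and sport < 1024:
                hits.append("TCP SYN protection")
            if sport == dport:
                hits.append("L4 Port protection")
    elif proto == 17 and offset == 0 and len(l4) >= 4:  # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("L4 Port protection")
    elif proto == 1:  # ICMP
        if offset or more:
            hits.append("Filter fragmented packets")
        if offset == 0 and total_len - ihl - ICMP_HEADER > icmp_max_payload:
            hits.append("Filter by packet size")
        if (offset == 0 and l4[:1] == b"\x08"
                and socket.inet_ntoa(dst) in broadcast_addrs):
            hits.append("Drop broadcast ping")
    return hits


def dropped_by(packet, enabled):
    """Filters from the marked set that discard the packet (default: none marked)."""
    return [name for name in matching_filters(packet) if name in enabled]
```

UDP traffic that uses the same port number on both sides, as NTP commonly does with port 123, meets the L4 Port protection condition, so check for such flows before you mark that checkbox.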
4.6 DHCP Snooping
[ Network Security > DHCP Snooping ]
DHCP Snooping is a function that supports the network security. DHCP Snooping monitors DHCP
packets between the DHCP client and the DHCP server and acts like a firewall between the
unsecured hosts and the secured DHCP servers.
In this dialog, you configure and monitor the following device properties:
• Validate DHCP packets from untrusted sources and filter out invalid packets.
• Limit DHCP data traffic from trusted and untrusted sources.
• Set up and update the DHCP Snooping binding database. This database contains the MAC
address, IP address, VLAN and port of DHCP clients at untrusted ports.
• Validate follow-up requests from untrusted hosts on the basis of the DHCP Snooping binding
database.
You can activate DHCP Snooping globally and for a specific VLAN. You specify the security status
(trusted or untrusted) on individual ports. Verify that the DHCP service can be reached via trusted
ports. For DHCP Snooping you typically configure the user/client ports as untrusted and the uplink
ports as trusted.
The menu contains the following dialogs:
• DHCP Snooping Global
• DHCP Snooping Configuration
• DHCP Snooping Statistics
• DHCP Snooping Bindings
4.6.1 DHCP Snooping Global
[ Network Security > DHCP Snooping > Global ]
This dialog lets you configure the global DHCP Snooping parameters for your device:
• Activate/deactivate DHCP Snooping globally.
• Activate/deactivate Auto-Disable globally.
• Enable/disable the checking of the source MAC address.
• Configure the name, storage location and storing interval for the binding database.
Operation
Operation
Enables/disables the DHCP Snooping function globally.
Possible values:
• On
• Off (default setting)
Configuration
Verify MAC
Activates/deactivates the source MAC address verification in the Ethernet packet.
Possible values:
• marked
The source MAC address verification is active.
The device compares the source MAC address with the MAC address of the client in the
received DHCP packet.
• unmarked (default setting)
The source MAC address verification is inactive.
Auto-disable
Activates/deactivates the Auto-Disable function for DHCP Snooping.
Possible values:
• marked
The Auto-Disable function for DHCP Snooping is active.
Also mark the checkbox in the Auto-disable column on the Port tab in the Network Security > DHCP
Snooping > Configuration dialog for the relevant ports.
• unmarked (default setting)
The Auto-Disable function for DHCP Snooping is inactive.
Binding database
Remote file name
Specifies the name of the file in which the device saves the DHCP Snooping binding database.
Note:
The device saves only dynamic bindings in the persistent binding database. The device saves static
bindings in the configuration profile.
Remote IP address
Specifies the remote IP address under which the device saves the persistent DHCP Snooping
binding database. With the value 0.0.0.0 the device saves the binding database locally.
Possible values:
• Valid IPv4 address
• 0.0.0.0 (default setting)
The device saves the DHCP Snooping binding database locally.
Store interval [s]
Specifies the time delay in seconds after which the device saves the DHCP Snooping binding
database when the device identifies a change in the database.
Possible values:
• 15..86400 (default setting: 300)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.6.2 DHCP Snooping Configuration
[ Network Security > DHCP Snooping > Configuration ]
This dialog lets you configure DHCP Snooping for individual ports and for individual VLANs.
The dialog contains the following tabs:
• [Port]
• [VLAN ID]
[Port]
In this tab, you configure the DHCP Snooping function for individual ports.
• Configure a port as trusted/untrusted.
• Activate/deactivate the logging of invalid packets for individual ports.
• Limit the number of DHCP packets.
• Deactivate a port automatically if the DHCP data traffic exceeds the specified limit.
Table
Port
Displays the port number.
Trust
Activates/deactivates the security status (trusted, untrusted) of the port.
When this function is active, the port is configured as trusted. Typically, you have connected the
trusted port to a DHCP server.
When this function is inactive, the port is configured as untrusted.
Possible values:
• marked
The port is specified as trusted. DHCP Snooping forwards permissible client packets through
trusted ports.
• unmarked (default setting)
The port is configured as untrusted. On untrusted ports, the device compares the receiver port
with the client port in the binding database.
Log
Activates/deactivates the logging of invalid packets that the device determines on this port.
Possible values:
• marked
The logging of invalid packets is active.
• unmarked (default setting)
The logging of invalid packets is inactive.
Rate limit
Specifies the maximum number of DHCP packets per burst interval for this port. If the number of
incoming DHCP packets is currently exceeding the specified limit in a burst interval, then the device
discards the additional incoming DHCP packets.
The value -1 deactivates the limitation.
Possible values:
• -1 (default setting)
Deactivates the limitation of the number of DHCP packets per burst interval on this port.
• 0..150 packets per interval
Limits the maximum number of DHCP packets per burst interval on this port.
You specify the burst interval in the Burst interval column.
If you activate the auto-disable function, then the device also disables the port. You find the auto-disable function in the Auto-disable column.
Burst interval
Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of DHCP packets per burst interval in the Rate limit column.
Possible values:
• 1..15 (default setting: 1)
Auto-disable
Activates/deactivates the Auto-Disable function for the parameters that the DHCP Snooping function
is monitoring on the port.
Possible values:
• marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > DHCP Snooping > Global dialog the Auto-disable
checkbox in the Configuration frame is marked.
– If the port receives more DHCP packets than specified in the Rate limit field in the time
specified in the Burst interval column, then the device disables the port. The “Link status” LED
for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in
the Reset timer [s] column.
• unmarked
The Auto-Disable function on the port is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[VLAN ID]
In this tab, you configure the DHCP Snooping function for individual VLANs.
Table
VLAN ID
Displays the VLAN ID to which the table entry relates.
Active
Activates/deactivates the DHCP Snooping function in this VLAN.
The DHCP Snooping function forwards valid DHCP client messages to the trusted ports in VLANs
without the Routing function.
Possible values:
• marked
The DHCP Snooping function is active in this VLAN.
• unmarked (default setting)
The DHCP Snooping function is inactive in this VLAN.
The device forwards DHCP packets according to the switching settings without monitoring the
packets. The binding database remains unchanged.
Note: To enable DHCP Snooping for a port, enable the DHCP Snooping function globally in the
Network Security > DHCP Snooping > Global dialog. Verify that you assigned the port to a VLAN in
which DHCP Snooping is enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.6.3 DHCP Snooping Statistics
[ Network Security > DHCP Snooping > Statistics ]
With DHCP Snooping, the device logs detected errors and generates statistics. In this dialog, you
monitor the DHCP Snooping statistics for each port.
The device logs the following:
• Errors detected when validating the MAC address of the DHCP client
• DHCP client messages with a detected incorrect port
• DHCP server messages to untrusted ports
Table
Port
Displays the port number.
MAC verify failures
Displays the number of discrepancies between the MAC address of the DHCP client in the ‘chaddr’
field of the DHCP data packet and the source address in the Ethernet packet.
Invalid client messages
Displays the number of incoming DHCP client messages received on the port for which the device
expects the client on another port according to the DHCP Snooping binding database.
Invalid server messages
Displays the number of DHCP server messages the device received on the untrusted port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
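How the three counters in this dialog relate to the checks described for DHCP Snooping, as a Python model. This is an added example, not code from the manual or from Hirschmann; the class and method names are hypothetical, applying the port comparison to every client message type and learning a binding from the server's ACK are assumptions, and the MAC addresses, ports and messages are constructed.

```python
from dataclasses import dataclass, field

SERVER_TYPES = {"OFFER", "ACK", "NAK"}
COUNTERS = ("MAC verify failures", "Invalid client messages",
            "Invalid server messages")


@dataclass
class Snooper:
    trusted_ports: set
    verify_mac: bool = False                      # "Verify MAC", default unmarked
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, vlan, port)
    pending: dict = field(default_factory=dict)   # chaddr -> (vlan, port)
    stats: dict = field(default_factory=dict)     # port -> counter row

    def _drop(self, port, counter):
        row = self.stats.setdefault(port, dict.fromkeys(COUNTERS, 0))
        row[counter] += 1
        return "drop"

    def receive(self, port, vlan, eth_src, msg_type, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message received on a port."""
        if port in self.trusted_ports:
            # Assumption: an ACK from the trusted side creates the dynamic
            # binding for the untrusted port that sent the request.
            if msg_type == "ACK" and chaddr in self.pending:
                p_vlan, p_port = self.pending.pop(chaddr)
                self.bindings[chaddr] = (yiaddr, p_vlan, p_port)
            return "forward"
        if msg_type in SERVER_TYPES:
            # DHCP server message received on an untrusted port
            return self._drop(port, "Invalid server messages")
        if self.verify_mac and eth_src != chaddr:
            # 'chaddr' differs from the source address of the Ethernet packet
            return self._drop(port, "MAC verify failures")
        bound = self.bindings.get(chaddr)
        if bound and bound[2] != port:
            # The binding database expects this client on another port
            return self._drop(port, "Invalid client messages")
        if msg_type == "RELEASE":
            self.bindings.pop(chaddr, None)
        else:
            self.pending[chaddr] = (vlan, port)
        return "forward"


def run_scenario(verify_mac):
    """Constructed exchange: 1/1 is the trusted uplink, 1/2 and 1/3 are untrusted."""
    client = "00:11:22:33:44:55"
    other = "00:11:22:33:44:66"
    server = "00:11:22:33:44:01"
    sw = Snooper(trusted_ports={"1/1"}, verify_mac=verify_mac)
    verdicts = [
        sw.receive("1/2", 10, client, "DISCOVER", client),
        sw.receive("1/1", 10, server, "OFFER", client, "192.0.2.10"),
        sw.receive("1/2", 10, client, "REQUEST", client),
        sw.receive("1/1", 10, server, "ACK", client, "192.0.2.10"),
        # Server message arriving on an untrusted port
        sw.receive("1/3", 10, other, "OFFER", client, "192.0.2.99"),
        # Client message whose chaddr differs from the frame's source address
        sw.receive("1/3", 10, other, "RELEASE", client),
        # Client message for a binding that belongs to port 1/2
        sw.receive("1/3", 10, client, "RELEASE", client),
    ]
    return verdicts, sw
```

With Verify MAC unmarked, the sixth message is still discarded, but it is counted under Invalid client messages instead of MAC verify failures.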
4.6.4 DHCP Snooping Bindings
[ Network Security > DHCP Snooping > Bindings ]
DHCP Snooping uses DHCP messages to set up and update the binding database.
• Static bindings
The device lets you enter up to 1024 static DHCP Snooping bindings in the database.
• Dynamic bindings
The dynamic binding database contains data for clients only on untrusted ports.
This menu lets you specify the settings for static and dynamic bindings.
• Set up new static bindings and set them to active/inactive.
• Display, activate/deactivate or delete static bindings that have been set up.
Table
MAC address
Specifies the MAC address in the table entry that you bind to an IP address and VLAN ID.
Possible values:
• Valid Unicast MAC address
Specify the value with a colon separator, for example 00:11:22:33:44:55.
IP address
Specifies the IP address for the static DHCP Snooping binding.
Possible values:
• Valid Unicast IPv4 address smaller than 224.x.x.x and outside the range 127.0.0.0/8
(default setting: 0.0.0.0)
VLAN ID
Specifies the ID of the VLAN to which the table entry applies.
Possible values:
• <ID of the VLANs that are set up>
Port
Specifies the port for the static DHCP Snooping binding.
Possible values:
• Available ports
Remaining binding time
Displays the remaining time for the dynamic DHCP Snooping binding.
Active
Activates/deactivates the specified static DHCP Snooping binding.
Possible values:
• marked
The static DHCP Snooping binding is active.
• unmarked (default setting)
The static DHCP Snooping binding is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
In the MAC address field, you specify the MAC address which you bind to an IP address and a VLAN
ID.
Removes the highlighted table entry.
The prerequisite is that the checkbox in the Active column is unmarked.
Also, the device removes the dynamic bindings of this port created with the IP Source Guard function.
4.7 Dynamic ARP Inspection
[ Network Security > Dynamic ARP Inspection ]
Dynamic ARP Inspection is a function that supports the network security. This function analyzes ARP
packets, logs them, and discards invalid and hostile ARP packets.
The Dynamic ARP Inspection function helps prevent a range of man-in-the-middle attacks. With this
kind of attack, a hostile station listens in on the data traffic from other subscribers by encroaching
on the ARP cache of its unsuspecting neighbors. The hostile station sends ARP requests and ARP
responses and enters the IP address of another subscriber for its own MAC address in the IP-to-MAC address relationship (binding).
Using the following measures, the Dynamic ARP Inspection function helps ensure that the device only
forwards valid ARP requests and ARP responses.
• Listening in on ARP requests and ARP responses on untrusted ports.
• Verifying that the determined packets have a valid IP to MAC address relationship (binding)
before the device updates the local ARP cache and before the device forwards the packets to
the related destination address.
• Discarding invalid ARP packets.
The device lets you specify up to 100 active ARP ACLs (access lists). You can activate up to 20
rules for each ARP ACL.
The menu contains the following dialogs:
• Dynamic ARP Inspection Global
• Dynamic ARP Inspection Configuration
• Dynamic ARP Inspection ARP Rules
• Dynamic ARP Inspection Statistics
4.7.1 Dynamic ARP Inspection Global
[ Network Security > Dynamic ARP Inspection > Global ]
Configuration
Verify source MAC
Activates/deactivates the source MAC address verification. The device executes the check in both
ARP requests and ARP responses.
Possible values:
• marked
The source MAC address verification is active.
The device checks the source MAC address of the received ARP packets.
– The device transmits ARP packets with a valid source MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid source MAC address.
• unmarked (default setting)
The source MAC address verification is inactive.
Verify destination MAC
Activates/deactivates the destination MAC address verification. The device executes the check in
ARP responses.
Possible values:
• marked
The destination MAC address verification is active.
The device checks the destination MAC address of the incoming ARP packets.
– The device transmits ARP packets with a valid destination MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid destination MAC address.
• unmarked (default setting)
The checking of the destination MAC address of the incoming ARP packets is inactive.
Verify IP address
Activates/deactivates the IP address verification.
In ARP requests, the device checks the source IP address. In ARP responses, the device checks
the destination and source IP address.
The device designates the following IP addresses as invalid:
• 0.0.0.0
• Broadcast addresses 255.255.255.255
• Multicast addresses 224.0.0.0/4 (Class D)
• Class E addresses 240.0.0.0/4 (reserved for subsequent purposes)
• Loopback addresses in the range 127.0.0.0/8.
Possible values:
• marked
The IP address verification is active.
The device checks the IP address of the incoming ARP packets. The device transmits ARP
packets with a valid IP address to the related destination address and updates the local ARP
cache. The device discards ARP packets with an invalid IP address.
• unmarked (default setting)
The IP address verification is inactive.
Auto-disable
Activates/deactivates the Auto-Disable function for Dynamic ARP Inspection.
Possible values:
• marked
The Auto-Disable function for Dynamic ARP Inspection is active.
Also mark the checkbox in the Auto-disable column on the Port tab in the Network Security >
Dynamic ARP Inspection > Configuration dialog for the relevant ports.
• unmarked (default setting)
The Auto-Disable function for Dynamic ARP Inspection is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.7.2 Dynamic ARP Inspection Configuration
[ Network Security > Dynamic ARP Inspection > Configuration ]
The dialog contains the following tabs:
• [Port]
• [VLAN ID]
[Port]
Table
Port
Displays the port number.
Trust
Activates/deactivates the monitoring of ARP packets on untrusted ports.
Possible values:
• marked
Monitoring is active.
The device monitors ARP packets on untrusted ports.
The device immediately forwards ARP packets on trusted ports.
• unmarked (default setting)
Monitoring is inactive.
Rate limit
Specifies the maximum number of ARP packets per interval on this port. If the rate of incoming ARP
packets is currently exceeding the specified limit in a burst interval, then the device discards the
additional incoming ARP packets. You specify the burst interval in the Burst interval column.
Optionally, the device also deactivates the port if you activate the auto-disable function. You
enable/disable the Auto-Disable function in the Auto-disable column.
Possible values:
• -1 (default setting)
Deactivates the limitation of the number of ARP packets per burst interval on this port.
• 0..300 packets per interval
Limits the maximum number of ARP packets per burst interval on this port.
Burst interval
Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of ARP packets per burst interval in the Rate limit column.
Possible values:
• 1..15 (default setting: 1)
Auto-disable
Activates/deactivates the Auto-Disable function for the parameters that the Dynamic ARP Inspection
function is monitoring on the port.
Possible values:
• marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > Dynamic ARP Inspection > Global dialog the Auto-disable checkbox in the Configuration frame is marked.
– If the port receives more ARP packets than specified in the Rate limit field in the time specified
in the Burst interval column, then the device disables the port. The “Link status” LED for the
port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in
the Reset timer [s] column.
• unmarked
The Auto-Disable function on the port is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[VLAN ID]
Table
VLAN ID
Displays the VLAN ID to which the table entry relates.
Log
Activates/deactivates the logging of invalid ARP packets that the device determines in this VLAN.
If the device detects an error when checking the IP, source MAC or destination MAC address, or
when checking the IP-to-MAC address relationship (binding), then the device identifies an ARP
packet as invalid.
Possible values:
• marked
The logging of invalid packets is active.
The device registers invalid ARP packets.
• unmarked (default setting)
The logging of invalid packets is inactive.
Binding check
Activates/deactivates the checking of incoming ARP packets that the device receives on untrusted
ports and on VLANs for which the Dynamic ARP Inspection function is active. For these ARP packets
the device checks the ARP ACL and the DHCP Snooping relationship (bindings).
Possible values:
• marked (default setting)
The binding check of ARP packets is active.
• unmarked
The binding check of ARP packets is inactive.
ACL strict
Activates/deactivates the strict checking of incoming ARP packets based on the ARP ACL rules
specified.
Possible values:
• marked
The strict checking is active.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column.
• unmarked (default setting)
The strict checking is inactive.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column and subsequently on the entries in the DHCP Snooping database.
ARP ACL
Specifies the ARP ACL that the device uses.
Possible values:
• <rule name>
You create and edit the rules in the Network Security > Dynamic ARP Inspection > ARP Rules dialog.
Active
Activates/deactivates the Dynamic ARP Inspection function in this VLAN.
Possible values:
• marked
The Dynamic ARP Inspection function is active in this VLAN.
• unmarked (default setting)
The Dynamic ARP Inspection function is inactive in this VLAN.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
4.7.3 Dynamic ARP Inspection ARP Rules
[ Network Security > Dynamic ARP Inspection > ARP Rules ]
This dialog lets you specify rules for checking and filtering ARP packets.
Table
Name
Displays the name of the ARP rule.
Source IP address
Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
• Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
Source MAC address
Specifies the source address of the MAC data packets to which the device applies the rule.
Possible values:
• Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
Active
Activates/deactivates the ARP rule.
Possible values:
• marked (default setting)
The rule is active.
• unmarked
The rule is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
• In the Name field, you specify the name of the ARP rule.
• In the Source IP address field, you specify the source IP address of the ARP rule.
• In the Source MAC address field, you specify the source MAC address of the ARP rule.
4.7.4 Dynamic ARP Inspection Statistics
[ Network Security > Dynamic ARP Inspection > Statistics ]
This window displays the number of discarded and forwarded ARP packets in an overview.
Table
VLAN ID
Displays the VLAN ID to which the table entry relates.
Packets forwarded
Displays the number of ARP packets that the device forwards after checking them using the
Dynamic ARP Inspection function.
Packets dropped
Displays the number of ARP packets that the device discards after checking them using the
Dynamic ARP Inspection function.
DHCP drops
Displays the number of ARP packets that the device discards after checking the DHCP Snooping
relationship (binding).
DHCP permits
Displays the number of ARP packets that the device forwards after checking the DHCP Snooping
relationship (binding).
ACL drops
Displays the number of ARP packets that the device discards after checking them using the ARP
ACL rules.
ACL permits
Displays the number of ARP packets that the device forwards after checking them using the ARP
ACL rules.
Bad source MAC
Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the source MAC address.
Bad destination MAC
Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the destination MAC address.
Invalid IP address
Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
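How the Dynamic ARP Inspection settings map to the counters in this dialog, as a Python model. This is an added example, not code from the manual or from Hirschmann; the function and key names are hypothetical, and the order of the checks, the comparison of Ethernet header addresses with the ARP payload for the two MAC verifications, and the ACL strict handling of packets that match no rule are assumptions. The ARP packets, addresses and bindings are constructed.

```python
import ipaddress
from collections import Counter

# Addresses the "Verify IP address" check designates as invalid.
# 255.255.255.255 lies inside 240.0.0.0/4.
INVALID_NETS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/32", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]


def ip_invalid(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INVALID_NETS)


def inspect(arp, cfg, acl, dhcp_bindings, stats):
    """Verdict for one ARP packet received on an untrusted port."""
    def verdict(counter, forward):
        stats[counter] += 1
        stats["Packets forwarded" if forward else "Packets dropped"] += 1
        return "forward" if forward else "drop"

    reply = arp["op"] == "reply"
    if cfg.get("verify_source_mac") and arp["eth_src"] != arp["sender_mac"]:
        return verdict("Bad source MAC", False)
    if (cfg.get("verify_destination_mac") and reply
            and arp["eth_dst"] != arp["target_mac"]):
        return verdict("Bad destination MAC", False)
    if cfg.get("verify_ip"):
        # Requests: source IP address. Responses: destination and source.
        checked = [arp["sender_ip"]] + ([arp["target_ip"]] if reply else [])
        if any(ip_invalid(a) for a in checked):
            return verdict("Invalid IP address", False)
    if not cfg.get("binding_check", True):   # "Binding check", default marked
        stats["Packets forwarded"] += 1
        return "forward"
    if (arp["sender_ip"], arp["sender_mac"]) in acl:
        return verdict("ACL permits", True)
    if cfg.get("acl_strict"):                # no fallback to DHCP Snooping
        return verdict("ACL drops", False)
    if dhcp_bindings.get(arp["sender_mac"]) == arp["sender_ip"]:
        return verdict("DHCP permits", True)
    return verdict("DHCP drops", False)


def run(cfg):
    """Constructed traffic: gateway covered by an ARP rule, client by a DHCP binding."""
    gw, client, other = ("00:11:22:33:44:01", "00:11:22:33:44:55",
                         "00:11:22:33:44:66")
    acl = {("192.0.2.1", gw)}
    dhcp_bindings = {client: "192.0.2.10"}
    keys = ("op", "eth_src", "eth_dst", "sender_mac", "sender_ip",
            "target_mac", "target_ip")
    packets = [dict(zip(keys, p)) for p in (
        # Client answers the gateway with its DHCP-assigned address
        ("reply", client, gw, client, "192.0.2.10", gw, "192.0.2.1"),
        # Another station claims the gateway's IP address for its own MAC
        ("reply", other, client, other, "192.0.2.1", client, "192.0.2.10"),
        # Same claim, ARP payload carries the gateway's MAC, frame source differs
        ("reply", other, client, gw, "192.0.2.1", client, "192.0.2.10"),
        # Request with the sender IP address 0.0.0.0
        ("request", client, "ff:ff:ff:ff:ff:ff", client, "0.0.0.0",
         "00:00:00:00:00:00", "192.0.2.10"),
    )]
    stats = Counter()
    return [inspect(p, cfg, acl, dhcp_bindings, stats) for p in packets], stats
```

ARP probes used for address conflict detection (RFC 5227) carry the sender IP address 0.0.0.0, so with Verify IP address marked they are counted under Invalid IP address.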
4.8 ACL
[ Network Security > ACL ]
In this menu, you specify the settings for the Access Control Lists (ACL). Access Control Lists
contain rules which the device applies successively to the data stream on its ports or VLANs.
If a data packet complies with the criteria of one or more rules, then the device applies the action
specified in the first rule that applies to the data stream. The device ignores the subsequent rules.
Possible actions include:
• permit: The device transmits the data packet to a port or to a VLAN.
When necessary, the device transmits a copy of the data packets to a further port.
• deny: The device drops the data packet.
In the default setting, the device forwards every data packet. Once you assign an Access Control
List to an interface or VLAN, this behavior changes. The device enters an implicit Deny-All rule at
the end of an Access Control List. Consequently, the device discards data packets that
do not meet any of the rules. If you want a different behavior, then add a "permit" rule at the end of
your Access Control Lists.
Proceed as follows to set up Access Control Lists and rules:
• Make a time profile if necessary. See the Network Security > ACL > Time Profile dialog. The device
applies Access Control Lists with a time profile at specified times instead of permanently.
• Make a rule and specify the rule settings. See the Network Security > ACL > IPv4 Rule dialog, or
the Network Security > ACL > MAC Rule dialog.
• Assign the Access Control List to the Ports and VLANs of the device. See the Network Security >
ACL > Assignment dialog.
The menu contains the following dialogs:
• ACL IPv4 Rule
• ACL MAC Rule
• ACL Assignment
• ACL Time Profile
4.8.1 ACL IPv4 Rule
[ Network Security > ACL > IPv4 Rule ]
In this dialog, you specify the rules that the device applies to the IP data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an
Access Control List successively, beginning with the rule with the lowest value in the Index column.
The device lets you filter according to the following criteria:
• Source or destination IP address of a data packet
• Type of the transmitting protocol
• Source or destination port of a data packet
• Classification according to DSCP
• Classification according to ToS
Table
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Index
Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, then the device processes the rule with the lowest
value first.
Match every packet
Specifies to which IP data packets the device applies the rule.
Possible values:
• marked (default setting)
The device applies the rule to every IP data packet.
• unmarked
The device applies the rule to IP data packets depending on the value in the following fields:
– Source IP address, Destination IP address, Protocol
– DSCP, TOS priority, TOS mask
– ICMP type, ICMP code
– IGMP type
– Established
– Packet fragmented
– TCP flag
Source IP address
Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
• ?.?.?.? (default setting)
The device applies the rule to IP data packets with any source address.
• Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose source address
begins with 192. and ends with .32.
• Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified source address. The inverse
bit mask lets you specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a source
address in the range from 192.168.1.0 to ….127.
Destination IP address
Specifies the destination address of the IP data packets to which the device applies the rule.
Possible values:
 ?.?.?.? (default setting)
The device applies the rule to IP data packets with any destination address.
 Valid IPv4 address
The device applies the rule to IP data packets with the specified destination address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose destination address
begins with 192. and ends with .32.
 Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified destination address. The
inverse bit mask lets you specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a
destination address in the range from 192.168.1.0 to ….127.
Protocol
Specifies the protocol type of the IP data packets to which the device applies the rule.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the protocol type.
 icmp
 igmp
 ip-in-ip
 tcp
 udp
 ip
Source TCP/UDP port
Specifies the source port of the IP data packets to which the device applies the rule. The
prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the source port.
 1..65535
The device applies the rule only to IP data packets containing the specified source port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
Destination TCP/UDP port
Specifies the destination port of the IP data packets to which the device applies the rule. The
prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the destination port.
 1..65535
The device applies the rule only to IP data packets containing the specified destination port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
DSCP
Specifies the Differentiated Service Code Point (DSCP value) in the header of the IP data packets
to which the device applies the rule.
Possible values:
 – (default setting)
The device applies the rule to every IP data packet without considering the DSCP value.
 0..63
The device applies the rule only to IP data packets containing the specified DSCP value.
TOS priority
Specifies the IP precedence (ToS value) in the header of the IP data packets to which the device
applies the rule.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the ToS value.
 0..7
The device applies the rule only to IP data packets containing the specified ToS value.
TOS mask
Specifies the bit mask for the ToS value in the header of the IP data packets to which the device
applies the rule. The prerequisite is that you specify in the TOS priority column a ToS value.
Possible values:
 any (default setting)
The device applies the rule to IP data packets and considers the ToS value completely.
 1..1f
The device applies the rule to IP data packets and considers the bits of the ToS value specified
in the bit mask.
ICMP type
Specifies the ICMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
 -1 (default setting)
ICMP type matching is inactive.
 0..255
The device applies the rule to every IP data packet and considers the specified ICMP type.
ICMP code
Specifies the ICMP code in the TCP header of the IP data packets to which the device applies the
rule. The prerequisite is that, in the ICMP type field, you specify an ICMP value.
Possible values:
 -1 (default setting)
ICMP code matching is inactive.
 0..255
The device applies the rule to every IP data packet and considers the specified ICMP code.
IGMP type
Specifies the IGMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
 0 (default setting)
IGMP type matching is inactive.
 1..255
The device applies the rule to every IP data packet and considers the specified IGMP type.
Established
Activates/deactivates applying the ACL rule to TCP data packets which have either the RST bit, or
the ACK bit set in the TCP header.
Possible values:
 marked
The device applies the rule to every IP data packet in which the RST bit, or the ACK bit is set in
the TCP header.
 unmarked (default setting)
Matching is inactive.
Packet fragmented
Activates/deactivates applying the ACL rule to fragmented packets.
Possible values:
 marked
The device applies the ACL rule to fragmented packets.
 unmarked (default setting)
Matching is inactive.
TCP flag
Specifies the TCP flag and mask value.
The device lets you enter multiple values, by separating the values with a comma.
Specify the flags as either + or -.
Possible values:
 - (default setting)
TCP flag matching is inactive.
 -
When you use this value in combination with the following flags, the device considers packets
in which the flag is not set.
 +
When you use this value in combination with the following flags, the device considers packets
in which the flag is set.
 fin
Indicates that the sending device has finished its transmission.
 syn
Indicates that the Synchronize sequence numbers are significant. Only the first packet sent
from each end device has this flag set.
 rst
Indicates a reset on the link.
 psh
Indicates the push function, in which a device asks to push the buffered data to the receiving
application.
 ack
Indicates that the Acknowledgment field is significant. Every packet, after the initial syn packet
sent by the client, has this flag set.
 urg
Indicates that the Urgent pointer field is significant.
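The Established and TCP flag fields both test bits of the TCP flags byte. The following added example (not Hirschmann code) shows which segments of a connection each setting selects; the function names are hypothetical, the "+syn,-ack" spelling of a flag entry is an assumption, and the sample segments are constructed.

```python
"""Added example: TCP flag and Established matching (not vendor code)."""

# Bit positions of the flags in the TCP header flags byte.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_flag_spec(spec):
    """Turn a comma-separated entry such as '+syn,-ack' into (mask, value).

    mask  = the flags the rule looks at
    value = the required state of those flags (bit set = flag must be set)
    The '+name' / '-name' spelling is an assumption made for this example.
    """
    mask = value = 0
    for item in spec.split(","):
        item = item.strip().lower()
        if len(item) < 2 or item[0] not in "+-" or item[1:] not in FLAG_BITS:
            raise ValueError(f"bad TCP flag entry: {item!r}")
        bit = FLAG_BITS[item[1:]]
        if mask & bit:
            raise ValueError(f"flag listed twice: {item[1:]}")
        mask |= bit
        if item[0] == "+":
            value |= bit
    return mask, value


def flags_match(spec, tcp_flags):
    """True if the flags byte satisfies every +flag and -flag in spec."""
    mask, value = parse_flag_spec(spec)
    return (tcp_flags & mask) == value


def established_match(tcp_flags):
    """Established: the RST bit or the ACK bit is set."""
    return bool(tcp_flags & (FLAG_BITS["rst"] | FLAG_BITS["ack"]))


# Constructed sample segments of one TCP connection: (description, flags byte)
SAMPLES = [
    ("client SYN", 0x02),
    ("server SYN+ACK", 0x12),
    ("client ACK", 0x10),
    ("data PSH+ACK", 0x18),
    ("reset RST", 0x04),
    ("close FIN+ACK", 0x11),
]


def classify(samples=SAMPLES):
    """Map each sample to (matches '+syn,-ack', matches Established)."""
    return {name: (flags_match("+syn,-ack", flags), established_match(flags))
            for name, flags in samples}


if __name__ == "__main__":
    for name, (new_conn, established) in classify().items():
        print(f"{name:16} +syn,-ack={new_conn!s:5} established={established}")
```

Only the initial client SYN satisfies "+syn,-ack"; every later segment of the connection, including a bare RST, satisfies Established.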
Action
Specifies how the device handles received IP data packets when the device applies the rule.
Possible values:
 permit (default setting)
The device transmits the IP data packets.
 deny
The device drops the IP data packets.
Redirection port
Specifies the port on which the device transmits the IP data packets. The prerequisite is that you
specify in the Action column the value permit.
Possible values:
 – (default setting)
The Redirection port function is disabled.
 <Port number>
The device transmits the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries or to
router interfaces.
Mirror port
Specifies the port on which the device transmits a copy of the IP data packets. The prerequisite is
that you specify in the Action column the value permit.
Possible values:
 – (default setting)
The Mirror port function is disabled.
 <Port number>
The device transmits a copy of the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries or to
router interfaces.
Assigned queue ID
Specifies the priority queue to which the device assigns the IP data packets.
Possible values:
 0..7 (default setting: 0)
Log
Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog.
Possible values:
 marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule
to IP data packets.
 unmarked (default setting)
Logging is deactivated.
The device lets you activate this function for up to 128 deny rules.
Time profile
Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
 <empty> (default setting)
The device applies the rule permanently.
 [Time Profile]
The device applies the rule only at the times specified in the time profile. You edit the time profile
in the Network Security > ACL > Time Profile dialog.
Rate limit
Specifies the limit for the data transfer rate for the port specified in the Redirection port column. The
limit applies to the summary of the data sent and received.
This function limits the data stream on the port or in the VLAN:
Possible values:
 0 (default setting)
No limitation of the data transfer rate.
 1..4294967295
If the data transfer rate on the port exceeds the value specified, then the device discards surplus
IP data packets. The prerequisite is that you specify in the Burst size column a value >0. You
specify the measurement unit of the limit in the Unit column.
Unit
Specifies the measurement unit for the data transfer rate specified in the Rate limit column.
Possible values:
 kbps (default setting)
kByte per second
 pps
Data packet per second
Burst size
Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
 0 (default setting)
No limitation of the data volume.
 1..128
If during temporary bursts on the port the data volume exceeds the value specified, then the
device discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
 If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
 If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
 In the Index field, you specify the number of the rule within the Access Control List. If the Access
Control List contains multiple rules, then the device processes the rule with the lowest value first.
4.8.2 ACL MAC Rule
[ Network Security > ACL > MAC Rule ]
In this dialog, you specify the rules that the device applies to the MAC data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an
Access Control List successively, beginning with the rule with the lowest value in the Index column.
The device lets you filter according to the following criteria:
 Source or destination MAC address of a data packet
 Type of the transmitting protocol
 Membership of a specific VLAN
 Service class of a data packet
Table
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Index
Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, then the device processes the rule with the lowest
value first.
Match every packet
Specifies to which MAC data packets the device applies the rule.
Possible values:
 marked (default setting)
The device applies the rule to every MAC data packet.
The device ignores the value in the fields Source MAC address, Destination MAC address, Ethertype,
Ethertype custom value, VLAN ID, and COS.
 unmarked
The device applies the rule to MAC data packets depending on the value in the fields Source
MAC address, Destination MAC address, Ethertype, Ethertype custom value, VLAN ID, and COS.
Source MAC address
Specifies the source address of the MAC data packets to which the device applies the rule.
Possible values:
 ??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any source address.
 Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose source
address begins with 00:11.
 Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified source address. The bit
mask lets you specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a source address in the range from 00:11:22:33:44:54 to …:57.
Destination MAC address
Specifies the destination address of the MAC data packets to which the device applies the rule.
Possible values:
 ??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any destination address.
 Valid MAC address
The device applies the rule to MAC data packets with the specified destination address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose
destination address begins with 00:11.
 Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified destination address. The bit
mask lets you specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a destination address in the range from 00:11:22:33:44:54 to …:57.
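The IPv4 address fields take an inverse bit mask (set bits are ignored), while the MAC address fields take a regular bit mask (set bits are compared). The following added example (not Hirschmann code) models both conventions and the ? wildcard so that the effective range of a rule can be checked before it is entered; the function names are hypothetical, and it assumes that each ? or ?? stands for one whole octet, as in the manual's examples.

```python
"""Added example: address matching for IPv4 and MAC ACL rules (not vendor code)."""

# IPv4 rules use an inverse mask, MAC rules a regular mask.
IPV4 = {"sep": ".", "base": 10, "octets": 4, "inverse": True, "fmt": "{:d}"}
MAC = {"sep": ":", "base": 16, "octets": 6, "inverse": False, "fmt": "{:02X}"}


def _to_int(text, kind):
    """Parse an address or mask into (value, care); care bits are compared."""
    parts = text.split(kind["sep"])
    if len(parts) != kind["octets"]:
        raise ValueError(f"expected {kind['octets']} octets: {text!r}")
    value = care = 0
    for part in parts:
        # Assumption: a run of '?' replaces one whole octet.
        wild = part != "" and set(part) == {"?"}
        octet = 0 if wild else int(part, kind["base"])
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
        care = (care << 8) | (0x00 if wild else 0xFF)
    return value, care


def _fmt(number, kind):
    """Format an integer back into the address notation of its kind."""
    octets = [(number >> (8 * i)) & 0xFF
              for i in reversed(range(kind["octets"]))]
    return kind["sep"].join(kind["fmt"].format(o) for o in octets)


def compile_rule(rule, kind):
    """Return (value, care) for 'address' or 'address/mask'."""
    addr, _, mask = rule.partition("/")
    value, care = _to_int(addr, kind)
    if mask:
        m, _ = _to_int(mask, kind)
        full = (1 << (8 * kind["octets"])) - 1
        # Inverse mask: set bits are "don't care". Regular mask: set bits count.
        care &= (~m & full) if kind["inverse"] else m
    return value & care, care


def matches(rule, address, kind):
    """True if a packet address falls under the rule's address field."""
    value, care = compile_rule(rule, kind)
    addr, _ = _to_int(address, kind)
    return (addr & care) == value


def bounds(rule, kind):
    """Lowest and highest matching address.

    For a contiguous mask every address in between matches too; for
    patterns such as 192.?.?.32 these are only the outer bounds.
    """
    value, care = compile_rule(rule, kind)
    full = (1 << (8 * kind["octets"])) - 1
    return _fmt(value, kind), _fmt(value | (~care & full), kind)


if __name__ == "__main__":
    # The two mask examples given in the manual.
    print(bounds("192.168.1.1/0.0.0.127", IPV4))
    print(bounds("00:11:22:33:44:54/FF:FF:FF:FF:FF:FC", MAC))
    # Constructed packet addresses.
    print(matches("192.?.?.32", "192.10.20.32", IPV4))
    print(matches("00:11:??:??:??:??", "00:11:AB:CD:EF:01", MAC))
```

Entering an IPv4-style inverse mask in a MAC rule, or the reverse, selects nearly the complement of the intended range, so checking the bounds first is worthwhile.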
Ethertype
Specifies the Ethertype keyword of the MAC data packets to which the device applies the rule.
Possible values:
 custom (default setting)
The device applies the value specified in the Ethertype custom value column.
 appletalk
 arp
 ibmsna
 ipv4
 ipv6
 ipxold
 mplsmcast
 mplsucast
 netbios
 novell
 rarp
 pppoe
Ethertype custom value
Specifies the Ethertype value of the MAC data packets to which the device applies the rule. The
prerequisite is that in the Ethertype column the value custom is specified.
Possible values:
 any (default setting)
The device applies the rule to every MAC data packet without considering the Ethertype value.
 600..ffff
The device applies the rule only to MAC data packets containing the Ethertype value specified
here.
VLAN ID
Specifies the VLAN ID of the MAC data packets to which the device applies the rule.
Possible values:
 0 (default setting)
The device applies the rule to every MAC data packet without considering the VLAN ID.
 1..4042
COS
Specifies the Class of Service (COS) value of the MAC data packets to which the device applies
the rule.
Possible values:
 0..7
 any (default setting)
The device applies the rule to every MAC data packet without considering the Class of Service
value.
Note: For data packets without a VLAN tag, the device uses the port priority instead of the COS
value.
Action
Specifies how the device handles received MAC data packets when the device applies the rule.
Possible values:
 permit (default setting)
The device transmits the MAC data packets.
 deny
The device discards the MAC data packets.
Redirection port
Specifies the port on which the device transmits the MAC data packets. The prerequisite is that in
the Action column the value permit is specified.
Possible values:
 – (default setting)
The Redirection port function is disabled.
 <Port number>
The device transmits the MAC data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries or to
router interfaces.
Mirror port
Specifies the port on which the device transmits a copy of the MAC data packets. The prerequisite
is that in the Action column the value permit is specified.
Possible values:
 – (default setting)
The Mirror port function is disabled.
 <Port number>
The device transmits a copy of the MAC data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries or to
router interfaces.
Assigned queue ID
Specifies the ID of the priority queue on which the device transmits the MAC data packets.
Possible values:
 0..7 (default setting: 0)
Log
Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog.
Possible values:
 marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule
to MAC data packets.
 unmarked (default setting)
Logging is deactivated.
The device lets you activate this function for up to 128 deny rules.
Time profile
Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
 <empty> (default setting)
The device applies the rule permanently.
 [Time Profile]
The device applies the rule only at the times specified in the time profile. You edit the time profile
in the Network Security > ACL > Time Profile dialog.
Rate limit
Specifies the limit for the data transfer rate for the port specified in the Redirection port column. The
limit applies to the summary of the data sent and received.
This function limits the data stream on the port or in the VLAN:
Possible values:
 0 (default setting)
No limitation of the data transfer rate.
 1..4294967295
If the data transfer rate on the port exceeds the value specified, then the device discards surplus
MAC data packets. The prerequisite is that you specify in the Burst size column a value >0. You
specify the measurement unit of the limit in the Unit column.
Unit
Specifies the unit of measurement for the data transfer rate specified in the Rate limit column.
Possible values:
 kbps (default setting)
kByte per second
 pps
Data packet per second
Burst size
Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
 0 (default setting)
No limitation of the data volume.
 1..128
If during temporary bursts on the port the data volume exceeds the value specified, then the
device discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
 If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
 If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
 In the Index field, you specify the number of the rule within the Access Control List. If the Access
Control List contains multiple rules, then the device processes the rule with the lowest value first.
4.8.3 ACL Assignment
[ Network Security > ACL > Assignment ]
This dialog lets you assign one or more Access Control Lists to the ports and VLANs of the device.
By assigning a priority you specify the processing sequence, provided you assign one or more
Access Control Lists to a port or VLAN.
The device applies rules successively, namely in the sequence specified by the rule index. You
specify the priority of a group in the Priority column. The lower the number, the higher the priority.
In this process, the device applies the rules with a high priority before the rules with a low priority.
The assignment of Access Control Lists to ports and VLANs results in the following different types
of ACL:
 Port-based IPv4-ACLs
 Port-based MAC ACLs
 VLAN-based IPv4 ACLs
 VLAN-based MAC ACLs
Note: Before you enable the function, verify that at least one active entry in the table grants you
access. Otherwise, the connection to the device terminates when you change the settings. Access to
the device management is then possible only using the CLI through the serial interface of the device.
Table
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Type
Displays whether the Access Control List contains MAC rules or IPv4 rules.
Possible values:
 mac
The Access Control List contains MAC rules.
 ip
The Access Control List contains IPv4 rules.
You edit Access Control Lists with IPv4 rules in the Network Security > ACL > IPv4 Rule dialog. You
edit Access Control Lists with MAC rules in the Network Security > ACL > ACL MAC Rule dialog.
Port
Displays the port to which the Access Control List is assigned. The field remains empty when the
Access Control List is assigned to a VLAN.
VLAN ID
Displays the VLAN to which the Access Control List is assigned. The field remains empty when the
Access Control List is assigned to a port.
Direction
Displays that the device applies the Access Control List to received data packets.
Priority
Displays the priority of the Access Control List.
Using the priority, you specify the sequence in which the device applies the Access Control Lists to
the data stream. The device applies the rules in ascending order starting with priority 1.
Possible values:
 1..4294967295
If an Access Control List is assigned to a port and to a VLAN with the same priority, then the device
applies the rules to the port first.
Active
Activates/deactivates the Access Control List on the port or in the VLAN.
Possible values:
 marked (default setting)
The Access Control List is active.
 unmarked
The Access Control List is inactive.
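The processing order described in this dialog (priority, port before VLAN on a tie, rule index, implied Deny-All) can be modelled to check a planned assignment against your own management traffic before activating it. The following is an added example, not Hirschmann code: all names, the port "1/1" and the addresses are constructed, the source address is written as CIDR for brevity, and it assumes that the first matching rule decides and that traffic is unfiltered when no active ACL is assigned.

```python
"""Added example: ACL processing order and a pre-change lockout check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    index: int
    action: str                     # "permit" or "deny"
    match_every: bool = True
    src: str = "0.0.0.0/0"          # CIDR instead of the GUI notation
    protocol: str = "any"
    dst_port: Optional[int] = None  # None = any

    def matches(self, pkt):
        if self.match_every:
            return True
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.protocol in ("any", pkt["protocol"])
                and self.dst_port in (None, pkt["dst_port"]))


@dataclass
class Assignment:
    group: str
    priority: int
    port: Optional[str] = None      # set for a port-based ACL
    vlan: Optional[int] = None      # set for a VLAN-based ACL
    active: bool = True


def evaluate(pkt, groups, assignments):
    """Return (action, group, rule index) for a received packet."""
    relevant = [a for a in assignments if a.active and
                (a.port == pkt["port"] if a.port is not None
                 else a.vlan == pkt["vlan"])]
    # Lower priority number first; on a tie the port ACL comes first.
    relevant.sort(key=lambda a: (a.priority, a.port is None))
    for a in relevant:
        for rule in sorted(groups[a.group], key=lambda r: r.index):
            if rule.matches(pkt):
                # Assumption: the first matching rule decides.
                return rule.action, a.group, rule.index
    if relevant:
        return "deny", "<implied deny-all>", None
    return "permit", "<no ACL assigned>", None   # assumption: unfiltered


# Constructed configuration: the VLAN ACL permits HTTPS from the
# management subnet, the port ACL ends in an explicit deny.
GROUPS = {
    "mgmt-allow": [Rule(1, "permit", False, "10.0.0.0/24", "tcp", 443)],
    "port-lock": [Rule(10, "permit", False, "0.0.0.0/0", "udp", 161),
                  Rule(20, "deny")],
}
ASSIGNMENTS = [
    Assignment("mgmt-allow", priority=1, vlan=1),
    Assignment("port-lock", priority=1, port="1/1"),
]
# Constructed packet: management station reaching the web interface.
MGMT_PKT = {"src": "10.0.0.10", "protocol": "tcp", "dst_port": 443,
            "port": "1/1", "vlan": 1}


def with_management_permit(groups):
    """Same groups, with a permit for management HTTPS ahead of the deny."""
    fixed = dict(groups)
    fixed["port-lock"] = [Rule(5, "permit", False, "10.0.0.0/24", "tcp", 443),
                          *groups["port-lock"]]
    return fixed


if __name__ == "__main__":
    print(evaluate(MGMT_PKT, GROUPS, ASSIGNMENTS))
    print(evaluate(MGMT_PKT, with_management_permit(GROUPS), ASSIGNMENTS))
```

With both lists at priority 1 the port-based list is processed first, so its rule 20 drops the management session although the VLAN-based list would permit it.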
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create dialog to assign a rule to a port or a VLAN.
 In the Port/VLAN field, you specify the port or the VLAN ID.
 In the Priority field, you specify the source MAC address of the ARP rule.
 In the Direction field, you specify the data packets to which the device applies the rule.
 In the Group name field, you specify which rule the device assigns to the port or VLAN.
4.8.4 ACL Time Profile
[ Network Security > ACL > Time Profile ]
This dialog lets you edit time profiles. If you assign a time profile to a MAC or IPv4 rule, then the
device applies the rule at the times specified in the time profile. If no time profile is assigned, the
device applies the rule permanently.
The device lets you create up to 100 time profiles with up to 10 time periods.
The device applies the MAC and IPv4 rules during the time specified within the time period.
 If you specify the time periods using the Absolute option, then the device applies the rule one
time.
 If you specify the time periods using the Periodic option, then the device applies the rule
recurrently.
The implied Deny-All rule of the ACLs is constantly valid independently of the time control.
Table
Note: If you reconfigure a time period, then first specify the end time and then the start time.
Otherwise, the dialog displays an error message.
Profile name
Displays the name of the time profile. The time profile contains the time periods.
Index
Displays the number of the time period within the time profile. The device automatically assigns this
number.
Absolute
Start date
Specifies the date at which the device starts to apply the one-time rule.
Possible values:
 YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
Start time
Specifies the time at which the device starts to apply the one-time rule.
Possible values:
 hh:mm
Hour:Minute
End date
Specifies the date at which the device terminates the one-time rule.
Possible values:
 YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
End time
Specifies the time at which the device terminates the one-time rule.
Possible values:
 hh:mm
Hour:Minute
Periodic
Starting days
Specifies the days of the week on which the device periodically starts to apply the rule.
Possible values:
 Sun
 Mon
 Tue
 Wed
 Thu
 Fri
 Sat
Start time
Specifies the time at which the device periodically starts to apply the rule.
Possible values:
 hh:mm
Hour:Minute
Ending days
Specifies the days of the week on which the device periodically terminates the rule.
Possible values:
 Sun
 Mon
 Tue
 Wed
 Thu
 Fri
 Sat
End time
Specifies the time at which the device periodically terminates the rule.
Possible values:
 hh:mm
Hour:Minute
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create dialog to create a new time period.
 In the Profile name field, you specify the name of the time profile to which the time period belongs.
 In the Type field, you specify the type of time period.
– With the Periodic radio button, you specify a time period at which the device activates the
recurring rule.
– With the Absolute radio button, you specify a time period at which the device activates the rule
one time. Within every time profile, exactly one such time period is allowed.
 In the Start frame, you specify the time at which the device starts to apply the rule.
 In the End frame, you specify the time at which the device stops applying the rule.
5 Switching
The menu contains the following dialogs:
 Switching Global
 Rate Limiter
 Filter for MAC Addresses
 IGMP Snooping
 MRP-IEEE
 GARP
 QoS/Priority
 VLAN
 L2-Redundancy
5.1 Switching Global
[ Switching > Global ]
This dialog lets you specify the following settings:
 Change the Aging time of the address table
 Enable the flow control in the device
 Enable the VLAN Unaware Mode
If a large number of data packets are received in the priority queue of a port at the same time, then
this can cause the port memory to overflow. This happens, for example, when the device receives
data on a Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus
data packets.
The flow control mechanism described in standard IEEE 802.3 helps ensure that no data packets
are lost due to a port memory overflowing. Shortly before a port memory is completely full, the
device signals to the connected devices that it is not accepting any more data packets from them.
 In full-duplex mode, the device sends a pause data packet.
 In half-duplex mode, the device simulates a collision.
Then the connected devices do not send any more data packets for as long as the signaling takes.
On uplink ports, this can possibly cause undesired sending breaks in the higher-level network
segment (“wandering backpressure”).
According to standard IEEE 802.1Q, the device forwards data packets with a VLAN tag in a VLAN
≥1. However, a small number of applications on connected end devices send or receive data
packets with a VLAN ID=0. When the device receives one of these data packets, before forwarding
it the device overwrites the original value in the data packet with the VLAN ID of the receiving port.
If you activate the VLAN Unaware Mode, then this deactivates the VLAN settings in the device. The
device then transparently forwards the data packets and evaluates the priority information
contained only in the data packet.
Configuration
MAC address
Displays the MAC address of the device.
Aging time [s]
Specifies the aging time in seconds.
Possible values:
 10..500000 (default setting: 30)
The device monitors the age of the learned unicast MAC addresses. The device deletes address
entries that exceed a particular age (aging time) from its address table.
You find the address table in the Switching > Filter for MAC Addresses dialog.
In connection with the router redundancy, specify a time ≥ 30 s.
Flow control
Activates/deactivates the flow control in the device.
Possible values:
 marked
The flow control is active in the device.
Additionally activate the flow control on the required ports. See the Basic Settings > Port dialog,
Configuration tab, checkbox in the Flow control column.
 unmarked (default setting)
The flow control is inactive in the device.
If you are using a redundancy function, then deactivate the flow control on the participating ports.
If the flow control and the redundancy function are active at the same time, it is possible that the
redundancy function operates differently than intended.
VLAN unaware mode
Activates/deactivates the VLAN unaware mode.
Possible values:
 marked
The VLAN unaware mode is active.
The device works in the VLAN Unaware bridging mode (802.1Q):
– The device ignores the VLAN settings in the device and the VLAN tags in the data packets.
The device transmits the data packets based on their destination MAC address or
destination IP address in VLAN 1.
– The device ignores the VLAN settings specified in the Switching > VLAN > Configuration and
Switching > VLAN > Port dialogs. Every port is assigned to VLAN 1.
– The device evaluates the priority information contained in the data packet.
Note: You specify the VLAN ID 1 for every function in the device which uses VLAN settings. Among
other things, this applies to static filters, MRP and IGMP Snooping.
 unmarked (default setting)
The VLAN unaware mode is inactive.
The device works in the VLAN-aware bridging mode (802.1Q):
– The device evaluates the VLAN tags in the data packets.
– The device transmits the data packets based on their destination MAC address or
destination IP address in the corresponding VLAN.
– The device evaluates the priority information contained in the data packet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.2 Rate Limiter
[ Switching > Rate Limiter ]
The device lets you limit the traffic on the ports in order to help provide stable operation even with
a large traffic volume. If the traffic on a port exceeds the traffic value entered, then the device
discards the excess traffic on this port.
The rate limiter function operates only on Layer 2, and is used to limit the effects of storms of data
packets that flood the device (typically Broadcasts).
The rate limiter function ignores protocol information on higher levels, such as IP or TCP.
The dialog contains the following tabs:
 [Ingress]
 [Egress]
[Ingress]
In this tab, you enable the Rate Limiter function. The threshold value specifies the maximum amount
of traffic the port receives. If the traffic on this port exceeds the threshold value, then the device
discards the excess traffic on this port.
Table
Port
Displays the port number.
Threshold unit
Specifies the unit for the threshold value:
Possible values:
 percent (default setting)
Specifies the threshold value as a percentage of the data rate of the port.
 pps
Specifies the threshold value in data packets per second.
Broadcast mode
Activates/deactivates the rate limiter function for received broadcast data packets.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess broadcast data packets on
this port.
Broadcast threshold
Specifies the threshold value for received broadcasts on this port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 If you select the value percent in the Threshold unit column, then enter a percentage value
from 0 to 100.
 If you select the value pps in the Threshold unit column, then enter an absolute value for the
data rate.
Multicast mode
Activates/deactivates the rate limiter function for received multicast data packets.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess multicast data packets on
this port.
Multicast threshold
Specifies the threshold value for received multicasts on this port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 If you select the value percent in the Threshold unit column, then enter a percentage value
from 0 to 100.
 If you select the value pps in the Threshold unit column, then enter an absolute value for the
data rate.
Unknown unicast mode
Activates/deactivates the rate limiter function for received unicast data packets with an unknown
destination address.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess unicast data packets on this
port.
Unicast threshold
Specifies the threshold value for received unicasts with an unknown destination address on this
port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 If you select the value percent in the Threshold unit column, then enter a percentage value
from 0 to 100.
 If you select the value pps in the Threshold unit column, then enter an absolute value for the
data rate.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Egress]
In this tab, you specify the egress transmission rate on the port.
Table
Port
Displays the port number.
Bandwidth [%]
Specifies the egress transmission rate.
Possible values:
 0 (default setting)
The bandwidth limitation is disabled.
 1..100
The bandwidth limitation is enabled.
This value specifies the percentage of overall link speed for the port in 1% increments.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.3 Filter for MAC Addresses
[ Switching > Filter for MAC Addresses ]
This dialog lets you display and edit address filters for the address table. Address filters specify the
way the data packets are forwarded in the device based on the destination MAC address.
Each row in the table represents one filter. The device automatically sets up the filters. The device
lets you set up additional filters manually.
The device transmits the data packets as follows:
 When the table contains an entry for the destination address of a data packet, the device
transmits the data packet from the receiving port to the port specified in the table entry.
 When there is no table entry for the destination address, the device transmits the data packet
from the receiving port to every other port.
Table
To delete the learned MAC addresses from the address table, click the Reset MAC address table
button in the Basic Settings > Restart dialog.
Address
Displays the destination MAC address to which the table entry applies.
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
Status
Displays how the device has set up the address filter.
Possible values:
 learned
Address filter set up automatically by the device based on received data packets.
 permanent
Address filter set up manually. The address filter stays set up permanently.
 IGMP
Address filter automatically set up by IGMP Snooping.
 mgmt
MAC address of the device. The address filter is protected against changes.
 MRP-MMRP
Multicast address filter automatically set up by MMRP.
 GMRP
Multicast address filter automatically set up by GMRP.
<Port number>
Displays how the corresponding port transmits data packets which it directs to the adjacent
destination address.
Possible values:
 –
The port does not transmit any data packets to the destination address.
 learned
The port transmits data packets to the destination address. The device created the filter
automatically based on received data packets.
 IGMP learned
The port transmits data packets to the destination address. The device created the filter
automatically based on IGMP.
 unicast static
The port transmits data packets to the destination address. A user created the filter.
 multicast static
The port transmits data packets to the destination address. A user created the filter.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Address field, you specify the destination MAC address.
 In the VLAN ID field, you specify the ID of the VLAN.
 In the Port field, you specify the port.
– Select one port if the destination MAC address is a unicast address.
– Select one or more ports if the destination MAC address is a multicast address.
– Select no port to create a discard filter. The device discards data packets with the destination
MAC address specified in the table entry.
Reset MAC address table
Removes the MAC addresses from the forwarding table that have the value learned in the Status
column.
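The forwarding rules of this dialog, modelled as an added example (not Hirschmann code): lookup per VLAN and destination MAC address, flooding when no entry exists, a discard filter with no port, and the effect of Reset MAC address table. The class and function names, the port labels and the MAC addresses are constructed, and the rule that learning never overwrites a manual filter is an assumption of the model.

```python
from dataclasses import dataclass


def is_multicast(mac: str) -> bool:
    """A MAC address is a group address when the lowest bit of its first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass(frozen=True)
class Filter:
    ports: frozenset   # egress ports; an empty set is a discard filter
    status: str        # "learned" or "permanent", as in the Status column


class AddressTable:
    def __init__(self, ports):
        self.ports = frozenset(ports)
        self.filters = {}   # (vlan_id, mac) -> Filter: one table per VLAN

    def learn(self, vlan_id, src_mac, ingress_port):
        key = (vlan_id, src_mac.lower())
        current = self.filters.get(key)
        # Assumption of this model: learning never overwrites a manual filter.
        if current is None or current.status == "learned":
            self.filters[key] = Filter(frozenset({ingress_port}), "learned")

    def add_permanent(self, vlan_id, mac, ports=()):
        ports = frozenset(ports)
        if not ports <= self.ports:
            raise ValueError("unknown port")
        if len(ports) > 1 and not is_multicast(mac):
            raise ValueError("a unicast filter takes one port")
        self.filters[(vlan_id, mac.lower())] = Filter(ports, "permanent")

    def egress_ports(self, vlan_id, dst_mac, ingress_port):
        entry = self.filters.get((vlan_id, dst_mac.lower()))
        if entry is None:
            # No table entry: the frame goes to every other port.
            return self.ports - {ingress_port}
        return entry.ports - {ingress_port}

    def reset_learned(self):
        """Drop the entries with status 'learned'; manual filters stay."""
        self.filters = {k: f for k, f in self.filters.items() if f.status != "learned"}


def demo():
    table = AddressTable(["1/1", "1/2", "1/3", "1/4"])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed
    out = {}
    out["unknown"] = table.egress_ports(1, host_a, "1/1")
    table.learn(1, host_a, "1/2")
    out["learned"] = table.egress_ports(1, host_a, "1/1")
    out["other_vlan"] = table.egress_ports(2, host_a, "1/1")
    table.add_permanent(1, host_b)            # no port selected: discard filter
    out["discard"] = table.egress_ports(1, host_b, "1/1")
    table.reset_learned()
    out["after_reset"] = table.egress_ports(1, host_a, "1/1")
    out["discard_after_reset"] = table.egress_ports(1, host_b, "1/1")
    return out


if __name__ == "__main__":
    for case, ports in demo().items():
        print(case, sorted(ports))
```

After a reset, frames to previously learned addresses are flooded again until the device relearns them, while the discard filter keeps dropping its address.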
5.4 IGMP Snooping
[ Switching > IGMP Snooping ]
The Internet Group Management Protocol (IGMP) is a protocol for dynamically managing Multicast
groups. The protocol describes the distribution of Multicast data packets between routers and end
devices on Layer 3.
The device lets you use the IGMP Snooping function to also use the IGMP mechanisms on Layer 2:
 Without IGMP Snooping, the device transmits the Multicast data packets to every port.
 With the activated IGMP Snooping function, the device transmits the Multicast data packets only
on ports to which Multicast receivers are connected. This reduces the network load. The device
evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2.
 Activate the IGMP Snooping function only after the following conditions are fulfilled:
– There is a Multicast router in the network that creates IGMP queries (periodic queries).
– The devices participating in IGMP Snooping forward the IGMP queries.
The device links the IGMP reports with the entries in its address table. When a multicast receiver
joins a multicast group, the device creates a table entry for this port in the Switching > Filter for MAC
Addresses dialog. When the multicast receiver leaves the multicast group, the device removes the
table entry.
The menu contains the following dialogs:
 IGMP Snooping Global
 IGMP Snooping Configuration
 IGMP Snooping Enhancements
 IGMP Snooping Querier
 IGMP Snooping Multicasts
5.4.1 IGMP Snooping Global
[ Switching > IGMP Snooping > Global ]
This dialog lets you enable the IGMP Snooping protocol in the device and also configure it for each
port and each VLAN.
Operation
Operation
Enables/disables the IGMP Snooping function in the device.
Possible values:
 On
The IGMP Snooping function is enabled in the device according to RFC 4541 (Considerations for
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping
Switches).
 Off (default setting)
The IGMP Snooping function is disabled in the device.
The device transmits received query, report, and leave data packets without evaluating them.
Received data packets with a Multicast destination address are transmitted to every port by the
device.
Information
Multicast control packets processed
Displays the number of Multicast control data packets processed.
This statistic encompasses the following packet types:
• IGMP Reports
• IGMP Queries version V1
• IGMP Queries version V2
• IGMP Queries version V3
• IGMP Queries with an incorrect version
• PIM or DVMRP packets
The device uses the Multicast control data packets to create the address table for transmitting the
Multicast data packets.
Possible values:
 0..2³¹-1
To reset the IGMP Snooping entries, including the counter for the processed multicast control data
packets, use the Reset IGMP snooping data button in the Basic Settings > Restart dialog or the
clear igmp-snooping command in the Command Line Interface.
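The packet categories listed for this counter, as an added example (not Hirschmann code): a classifier that sorts IGMP payloads into reports, leaves and queries, telling the query versions apart by message length and Max Resp Code as RFC 3376, section 7.1 specifies. How the device itself classifies packets is not documented on this page; the function names and the sample messages are constructed.

```python
import socket
import struct
from collections import Counter

QUERY, V1_REPORT, V2_REPORT, LEAVE, V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify_igmp(msg: bytes) -> str:
    if len(msg) < 8:
        return "malformed"
    # A message that carries its correct checksum sums to zero.
    if inet_checksum(msg) != 0:
        return "bad checksum"
    msg_type, max_resp_code = msg[0], msg[1]
    if msg_type == QUERY:
        if len(msg) == 8:
            # Same length for v1 and v2; only v1 leaves Max Resp Code at zero.
            return "query v1" if max_resp_code == 0 else "query v2"
        if len(msg) >= 12:
            return "query v3"
        return "query, incorrect version"   # 9..11 octets match no version
    if msg_type in (V1_REPORT, V2_REPORT, V3_REPORT):
        return "report"
    if msg_type == LEAVE:
        return "leave"
    return "other"


def build_igmp(msg_type, max_resp_code, group, extra=b""):
    """Build a constructed test message with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp_code, 0,
                       socket.inet_aton(group)) + extra
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def sample_messages():
    """Constructed sample payloads, one per category."""
    report = build_igmp(V2_REPORT, 0, "239.1.2.3")
    return [
        build_igmp(QUERY, 0, "0.0.0.0"),                          # v1 general query
        build_igmp(QUERY, 100, "0.0.0.0"),                        # v2 general query
        build_igmp(QUERY, 100, "0.0.0.0", b"\x02\x7d\x00\x00"),   # v3: 12 octets
        build_igmp(QUERY, 100, "0.0.0.0", b"\x00\x00"),           # 10 octets
        report,
        build_igmp(LEAVE, 0, "239.1.2.3"),
        report[:-1] + bytes([report[-1] ^ 0xFF]),                 # corrupted copy
        b"\x11\x64",                                              # truncated
    ]


def tally(messages):
    return Counter(classify_igmp(m) for m in messages)


if __name__ == "__main__":
    for kind, count in tally(sample_messages()).items():
        print(f"{kind}: {count}")
```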
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset IGMP snooping counters
Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
5.4.2 IGMP Snooping Configuration
[ Switching > IGMP Snooping > Configuration ]
This dialog lets you enable the IGMP Snooping function in the device and also configure it for each
port and each VLAN.
The dialog contains the following tabs:
 [VLAN ID]
 [Port]
[VLAN ID]
In this tab, you configure the IGMP Snooping function for every VLAN.
Table
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
Active
Activates/deactivates the IGMP Snooping function for this VLAN.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
 marked
IGMP Snooping is activated for this VLAN. The VLAN has joined the Multicast data stream.
 unmarked (default setting)
IGMP Snooping is deactivated for this VLAN. The VLAN has left the Multicast data stream.
Group membership interval
Specifies the time in seconds for which a VLAN from a dynamic Multicast group remains entered
in the address table when the device does not receive any more report data packets from the VLAN.
Specify a value larger than the value in the Max. response time column.
Possible values:
 2..3600 (default setting: 260)
Max. response time
Specifies the time in seconds in which the members of a multicast group should respond to a query
data packet. For their response, the members specify a random time within the response time. You
thus help prevent the multicast group members from responding to the query at the same time.
Specify a value smaller than the value in the Group membership interval column.
Possible values:
 1..25 (default setting: 10)
Fast leave admin mode
Activates/deactivates the Fast Leave function for this VLAN.
Possible values:
 marked
When the Fast Leave function is active and the device receives an IGMP Leave message from
a multicast group, the device immediately removes the entry from its address table.
 unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group and removes an entry when a VLAN does not send any more
report messages.
MRP expiration time
Multicast Router Present Expiration Time. Specifies the time in seconds for which the device waits
for a query on this port that belongs to a VLAN. When the port does not receive a query data packet,
the device removes the port from the list of ports with connected multicast routers.
You have the option of configuring this parameter only if the port belongs to an existing VLAN.
Possible values:
 0
unlimited timeout - no expiration time
 1..3600 (default setting: 260)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Port]
In this tab, you configure the IGMP Snooping function for every port.
Table
Port
Displays the port number.
Active
Activates/deactivates the IGMP Snooping function for this port.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
 marked
IGMP Snooping is active on this port. The device includes the port in the multicast data stream.
 unmarked (default setting)
IGMP Snooping is inactive on this port. The port left the multicast data stream.
Group membership interval
Specifies the time in seconds for which a port, from a dynamic multicast group, remains entered in
the address table when the device does not receive any more report data packets from the port.
Possible values:
 2..3600 (default setting: 260)
Specify a value larger than the value in the Max. response time column.
Max. response time
Specifies the time in seconds in which the members of a multicast group should respond to a query
data packet. For their response, the members specify a random time within the response time. You
thus help prevent the multicast group members from responding to the query at the same time.
Possible values:
 1..25 (default setting: 10)
Specify a value lower than the value in the Group membership interval column.
MRP expiration time
Specifies the Multicast Router Present Expiration Time. The MRP expiration time is the time in
seconds for which the device waits for a query packet on this port. When the port does not receive
a query data packet, the device removes the port from the list of ports with connected multicast
routers.
Possible values:
 0
unlimited timeout - no expiration time
 1..3600 (default setting: 260)
Fast leave admin mode
Activates/deactivates the Fast Leave function for this port.
Possible values:
 marked
When the Fast Leave function is active and the device receives an IGMP Leave message from
a multicast group, the device immediately removes the entry from its address table.
 unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group and removes an entry when a port does not send any more
report messages.
Static query port
Activates/deactivates the Static query port mode.
Possible values:
 marked
The Static query port mode is active.
The port is a static query port in the VLANs that are set up.
If you use the Redundant Coupling Protocol function and the device operates as slave, then do not
activate the Static query port mode for the ports on the secondary ring/network.
 unmarked (default setting)
The Static query port mode is inactive.
The port is not a static query port. The device transmits IGMP report messages to the port only
if it receives IGMP queries.
VLAN IDs
Displays the ID of the VLANs to which the table entry applies.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.4.3 IGMP Snooping Enhancements
[ Switching > IGMP Snooping > Snooping Enhancements ]
This dialog lets you select a port for a VLAN ID and configure the port.
Table
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
<Port number>
Displays for every VLAN set up in the device whether the relevant port is a query port. Additionally,
the field displays whether the device transmits every Multicast stream in the VLAN to this port.
Possible values:
 –
The port is not a query port in this VLAN.
 L = Learned
The device detected the port as a query port because the port received IGMP queries in this
VLAN. The port is not a statically configured query port.
 A = Automatic
The device detected the port as a query port. The prerequisite is that you configure the port as
Learn by LLDP.
 S = Static (manual setting)
A user specified the port as a static query port. The device transmits IGMP reports only to ports
on which it previously received IGMP queries – and to statically configured query ports.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Static checkbox.
 P = Learn by LLDP (manual setting)
A user specified the port as Learn by LLDP.
With the Link Layer Discovery Protocol (LLDP), the device detects Hirschmann devices
connected directly to the port. The device denotes the detected query ports with A.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Learn by LLDP checkbox.
 F = Forward All (manual setting)
A user specified the port so that the device transmits every received Multicast stream in the
VLAN to this port. Use this setting for diagnostics purposes, for example.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Forward all checkbox.
Display categories
Enhances the clarity of the display. The table emphasizes the cells which contain the specified
value. This helps to analyze and sort the table according to your needs.
 Learned (L)
The table displays cells which contain the value L and possibly further values. The table displays
cells which contain only values other than L with the “-” symbol.
 Static (S)
The table displays cells which contain the value S and possibly further values. The table displays
cells which contain only values other than S with the “-” symbol.
 Automatic (A)
The table displays cells which contain the value A and possibly further values. The table displays
cells which contain only values other than A with the “-” symbol.
 Learned by LLDP (P)
The table displays cells which contain the value P and possibly further values. The table displays
cells which contain only values other than P with the “-” symbol.
 Forward all (F)
The table displays cells which contain the value F and possibly further values. The table displays
cells which contain only values other than F with the “-” symbol.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Wizard window that helps you to select and configure the ports.
[Selection VLAN/Port (Wizard)]
On the Selection VLAN/Port page you assign a VLAN ID to a port.
On the Configuration page you specify the settings for the port.
After closing the Wizard window, click the
button to save your settings.
[Selection VLAN/Port (Wizard) – Selection VLAN/Port]
VLAN ID
Select the ID of the VLAN.
Possible values:
 1..4042
Port
Select the port.
Possible values:
 <Port number>
[Selection VLAN/Port (Wizard) – Configuration]
VLAN ID
Displays the ID of the selected VLAN.
Port
Displays the number of the selected port.
Static
Specifies the port as a static query port in the VLANs that are set up. The device transmits IGMP
report messages to the ports at which it receives IGMP queries. This lets you also transmit IGMP
report messages to other selected ports (enable) or connected Hirschmann devices (Automatic).
Learn by LLDP
Specifies the port as Learn by LLDP. Lets the device detect directly connected Hirschmann
devices using LLDP and learn the related ports as a query port.
Forward all
Specifies the port as Forward all. With the Forward all setting, the device transmits at this port
every data packet with a Multicast address in the destination address field.
5.4.4 IGMP Snooping Querier
[ Switching > IGMP Snooping > Querier ]
The device lets you send a Multicast stream only to those ports to which a Multicast receiver is
connected.
To determine which ports Multicast receivers are connected to, the device sends query data
packets to the ports at a definable interval. When a Multicast receiver is connected, it joins the
Multicast stream by responding to the device with a report data packet.
This dialog lets you configure the Snooping Querier settings globally and for the VLANs that are set
up.
Operation
Operation
Enables/disables the IGMP Querier function globally in the device.
Possible values:
 On
 Off (default setting)
Configuration
In this frame you specify the IGMP Snooping Querier settings for the general query data packets.
Protocol version
Specifies the IGMP version of the general query data packets.
Possible values:
 1
IGMP v1
 2 (default setting)
IGMP v2
 3
IGMP v3
Query interval [s]
Specifies the time in seconds after which the device generates general query data packets itself
when it has received query data packets from the Multicast router.
Possible values:
 1..1800 (default setting: 60)
Expiry interval [s]
Specifies the time in seconds after which an active querier switches from the passive state back to
the active state if it has not received any query packets for longer than specified here.
Possible values:
 60..300 (default setting: 125)
Table
In the table you specify the Snooping Querier settings for the VLANs that are set up.
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
Active
Activates/deactivates the IGMP Snooping Querier function for this VLAN.
Possible values:
 marked
The IGMP Snooping Querier function is active for this VLAN.
 unmarked (default setting)
The IGMP Snooping Querier function is inactive for this VLAN.
Current state
Displays whether the Snooping Querier is active for this VLAN.
Possible values:
 marked
The Snooping Querier is active for this VLAN.
 unmarked
The Snooping Querier is inactive for this VLAN.
Address
Specifies the IP address that the device adds as the source address in generated general query
data packets. You use the address of the multicast router.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Protocol version
Displays the IGMP protocol version of the general query data packets.
Possible values:
 1
IGMP v1
 2
IGMP v2
 3
IGMP v3
Max. response time
Displays the time in seconds in which the members of a Multicast group should respond to a query
data packet. For their response, the members specify a random time within the response time. This
helps prevent the Multicast group members from responding to the query at the same time.
Last querier address
Displays the IP address of the Multicast router from which the last received IGMP query was sent
out.
Last querier version
Displays the IGMP version that the Multicast router used when sending out the last IGMP query
received in this VLAN.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.4.5 IGMP Snooping Multicasts
[ Switching > IGMP Snooping > Multicasts ]
The device lets you specify how it transmits data packets with unknown Multicast addresses: Either
the device discards these data packets, floods them to every port, or transmits them only to the
ports that previously received query packets.
The device also lets you transmit the data packets with known Multicast addresses to the query
ports.
Configuration
Unknown multicasts
Specifies how the device transmits the data packets with unknown Multicast addresses.
Possible values:
 Discard
The device discards data packets with an unknown MAC/IP Multicast address.
 Send to all ports (default setting)
The device forwards data packets with an unknown MAC/IP Multicast address to the registered
ports.
 Send to query ports
The device forwards data packets with an unknown MAC/IP Multicast address to the query
ports.
Table
In the table you specify the settings for known Multicasts for the VLANs that are set up.
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
Known multicasts
Specifies how the device transmits the data packets with known Multicast addresses.
Possible values:
 send to query and registered ports
The device forwards data packets with an unknown MAC/IP Multicast address to the query ports
and to the registered ports.
 send to registered ports (default setting)
The device forwards data packets with an unknown MAC/IP Multicast address to registered
ports.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.5 MRP-IEEE
[ Switching > MRP-IEEE ]
The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also
modified and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and
GARP VLAN Registration Protocol (GVRP). The Multiple MAC Registration Protocol (MMRP) and
the Multiple VLAN Registration Protocol (MVRP) replace these protocols.
MRP-IEEE helps confine traffic to the required areas of the LAN. To confine traffic, the MRP-IEEE
applications distribute attribute values to participating MRP-IEEE devices across a LAN,
registering and de-registering multicast group membership and VLAN identifiers.
Registering group participants lets you reserve resources for specific traffic traversing a LAN.
Defining resource requirements regulates the level of traffic, allowing the devices to determine the
required resources and providing for dynamic maintenance of the allocated resources.
The menu contains the following dialogs:
 MRP-IEEE Configuration
 MRP-IEEE Multiple MAC Registration Protocol
 MRP-IEEE Multiple VLAN Registration Protocol
5.5.1 MRP-IEEE Configuration
[ Switching > MRP-IEEE > Configuration ]
This dialog lets you set the various MRP timers. By maintaining a relationship between the various
timer values, the protocol operates efficiently and with less likelihood of unnecessary attribute
withdrawals and re-registrations. The default timer values effectively maintain these relationships.
When you reconfigure the timers, maintain the following relationships:
 To allow for re-registration after a Leave or LeaveAll event, even if there is a lost message,
specify the LeaveTime as ≥ (2 × JoinTime) + 60.
 To minimize the volume of rejoining traffic generated following a LeaveAll event, specify the
value for the LeaveAll timer larger than the LeaveTime value.
Table
Port
Displays the port number.
Join time [1/100s]
Specifies the Join timer which controls the interval between transmit opportunities applied to the
Applicant state machine.
Possible values:
 10..100 (default setting: 20)
Leave time [1/100s]
Specifies the Leave timer which controls the period that the Registrar state machine waits in the
leave (LV) state before transitioning to the empty (MT) state.
Possible values:
 20..600 (default setting: 60)
Leave all time [1/100s]
Specifies the LeaveAll timer which controls the frequency with which the LeaveAll state machine
generates LeaveAll PDUs.
Possible values:
 200..6000 (default setting: 1000)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.5.2 MRP-IEEE Multiple MAC Registration Protocol
[ Switching > MRP-IEEE > MMRP ]
The Multiple MAC Registration Protocol (MMRP) lets end devices and MAC switches register and
de-register group membership and individual MAC address information with switches located in the
same LAN. The switches within the LAN disseminate the information through switches that support
extended filtering services. Using the MAC address information, MMRP lets you confine multicast
traffic to the required areas of a Layer 2 network.
For an example of how MMRP works, consider a security camera mounted on a mast overlooking
a building. The camera sends multicast packets onto a LAN. You have 2 end devices installed for
surveillance in separate locations. You register the MAC addresses of the camera and the 2 end
devices in the same multicast group. You then specify the MMRP settings on the ports to send the
multicast group packets to the 2 end devices.
The dialog contains the following tabs:
 [Configuration]
 [Service requirement]
 [Statistics]
[Configuration]
In this tab, you select active MMRP port participants and set the device to transmit periodic events.
The dialog also lets you enable VLAN registered MAC address broadcasting.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the
status of the devices associated with the active port.
Operation
Operation
Enables/disables the global MMRP function in the device. The device participates in MMRP
message exchanges.
Possible values:
 On
The device is a normal participant in MMRP message exchanges.
 Off (default setting)
The device ignores MMRP messages.
Configuration
Periodic state machine
Enables/disables the global periodic state machine in the device.
Possible values:
 On
With MMRP Operation enabled globally, the device transmits MMRP messages in one-second
intervals, on MMRP participating ports.
 Off (default setting)
Disables the periodic state machine in the device.
Table
Port
Displays the port number.
Active
Activates/deactivates the port MMRP participation.
Possible values:
 marked (default setting)
With MMRP enabled globally and on this port, the device sends and receives MMRP messages
on this port.
 unmarked
Disables the port MMRP participation.
Restricted group registration
Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the port.
Possible values:
 marked
If enabled and a static filter entry for the MAC address exists on the VLAN concerned, then the
device registers the MAC address attributes dynamically.
 unmarked (default setting)
Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the
port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Service requirement]
This tab contains forwarding parameters for each active VLAN, specifying the ports on which
multicast forwarding applies. The device lets you statically set up VLAN ports as Forward all or
Forbidden. You set the Forbidden MMRP service requirement statically only through the
Graphical User Interface or Command Line Interface.
A port is set up only as ForwardAll or Forbidden.
Table
VLAN ID
Displays the ID of the VLAN.
<Port number>
Specifies the service requirement handling for the port.
Possible values:
 FA
Specifies the ForwardAll traffic setting on the port. The device forwards traffic destined to
MMRP registered multicast MAC addresses on the VLAN. The device forwards traffic to ports
which MMRP has dynamically set up or ports which the administrator has statically set up as
ForwardAll ports.
 F
Specifies the Forbidden traffic setting on the port. The device blocks dynamic MMRP
ForwardAll service requirements. With ForwardAll requests blocked on this port in this VLAN,
the device blocks traffic destined to MMRP registered multicast MAC addresses on this port.
Furthermore, the device blocks MMRP service requests for changing this value on this port.
 - (default setting)
Disables the forwarding functions on this port.
 Learned
Displays values setup by MMRP service requests.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Statistics]
Devices on a LAN exchange Multiple MAC Registration Protocol Data Units (MMRPDU) to maintain
statuses of devices on an active MMRP port. This tab lets you monitor the MMRP traffic statistics
for each port.
Information
Transmitted MMRP PDU
Displays the number of MMRPDUs transmitted in the device.
Received MMRP PDU
Displays the number of MMRPDUs received in the device.
Received bad header PDU
Displays the number of MMRPDUs received with a bad header in the device.
Received bad format PDU
Displays the number of MMRPDUs with a bad data field that were not transmitted in the device.
Transmission failed
Displays the number of MMRPDUs not transmitted in the device.
Table
Port
Displays the port number.
Transmitted MMRP PDU
Displays the number of MMRPDUs transmitted on the port.
Received MMRP PDU
Displays the number of MMRPDUs received on the port.
Received bad header PDU
Displays the number of MMRPDUs with a bad header that were received on the port.
Received bad format PDU
Displays the number of MMRPDUs with a bad data field that were not transmitted on the port.
Transmission failed
Displays the number of MMRPDUs not transmitted on the port.
Last received MAC address
Displays the last MAC address from which the port received MMRPDUs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the port statistics counters and the values in the Last received MAC address column.
5.5.3 MRP-IEEE Multiple VLAN Registration Protocol
[ Switching > MRP-IEEE > MVRP ]
The Multiple VLAN Registration Protocol (MVRP) provides a mechanism that lets you distribute
VLAN information and configure VLANs dynamically. For example, when you configure a VLAN on
an active MVRP port, the device distributes the VLAN information to other MVRP enabled devices.
Using the information received, an MVRP enabled device dynamically creates the VLAN trunks on
other MVRP enabled devices as needed.
The dialog contains the following tabs:
 [Configuration]
 [Statistics]
[Configuration]
In this tab, you select active MVRP port participants and set the device to transmit periodic events.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the
status of the VLANs associated with the active port. Using the periodic events, MVRP enabled
switches dynamically maintain the VLANs.
Operation
Operation
Enables/disables the global Applicant Administrative Control which specifies whether the Applicant
state machine participates in MMRP message exchanges.
Possible values:
 On
Normal Participant. The Applicant state machine participates in MMRP message exchanges.
 Off (default setting)
Non-Participant. The Applicant state machine ignores MMRP messages.
Configuration
Periodic state machine
Enables/disables the periodic state machine in the device.
Possible values:
 On
The periodic state machine is enabled.
With MVRP Operation enabled globally, the device transmits MVRP periodic events in 1 second
intervals, on MVRP participating ports.
 Off (default setting)
The periodic state machine is disabled.
Disables the periodic state machine in the device.
Table
Port
Displays the port number.
Active
Activates/deactivates the port MVRP participation.
Possible values:
 marked (default setting)
With MVRP enabled globally and on this port, the device distributes VLAN membership
information to MVRP-aware devices connected to this port.
 unmarked
Disables the port MVRP participation.
Restricted VLAN registration
Activates/deactivates the Restricted VLAN registration function on this port.
Possible values:
 marked
If enabled and a static VLAN registration entry exists, then the device lets you create a dynamic
VLAN for this entry.
 unmarked (default setting)
Disables the Restricted VLAN registration function on this port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Statistics]
Devices on a LAN exchange Multiple VLAN Registration Protocol Data Units (MVRPDU) to
maintain statuses of VLANs on active ports. This tab lets you monitor the MVRP traffic.
Information
Transmitted MVRP PDU
Displays the number of MVRPDUs transmitted in the device.
Received MVRP PDU
Displays the number of MVRPDUs received in the device.
Received bad header PDU
Displays the number of MVRPDUs received with a bad header in the device.
Received bad format PDU
Displays the number of MVRPDUs with a bad data field that the device blocked.
Transmission failed
Displays the number of failures while adding a message into the MVRP queue.
Message queue failures
Displays the number of MVRPDUs that the device blocked.
Table
Port
Displays the port number.
Transmitted MVRP PDU
Displays the number of MVRPDUs transmitted on the port.
Received MVRP PDU
Displays the number of MVRPDUs received on the port.
Received bad header PDU
Displays the number of MVRPDUs with a bad header that the device received on the port.
Received bad format PDU
Displays the number of MVRPDUs with a bad data field that the device blocked on the port.
Transmission failed
Displays the number of MVRPDUs that the device blocked on the port.
Registrations failed
Displays the number of failed registration attempts on the port.
Last received MAC address
Displays the last MAC address from which the port received MMRPDUs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the port statistics counters and the values in the Last received MAC address column.
5.6 GARP
[ Switching > GARP ]
The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic
framework so switches can register and deregister attribute values, such as VLAN identifiers and
multicast group membership.
When an attribute for a participant is registered or deregistered according to GARP, the participant
is modified according to specific rules. The participants are a set of reachable end stations and
network devices. The defined set of participants at any given time, along with their attributes, is the
reachability tree for the subset of the network topology. The device forwards the data frames only
to the registered end stations. The station registration helps prevent attempts to send data to the
end stations that are unreachable.
Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
The menu contains the following dialogs:
 GMRP
 GVRP
5.6.1 GMRP
[ Switching > GARP > GMRP ]
The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol
(GARP) that provides a mechanism allowing network devices and end stations to dynamically
register group membership. The devices register group membership information with the devices
attached to the same LAN segment. GARP also lets the devices distribute the information across
the network devices that support extended filtering services.
GMRP and GARP are industry-standard protocols defined by the IEEE 802.1P.
Operation
Operation
Enables/disables the global GMRP function in the device. The device participates in GMRP
message exchanges.
Possible values:
 On
GMRP is enabled.
 Off (default setting)
The device ignores GMRP messages.
Multicasts
Unknown multicasts
Specifies whether the device floods or discards unknown multicast data.
Possible values:
 discard
The device discards unknown multicast data.
 flood (default setting)
The device forwards unknown multicast data to every port.
Table
Port
Displays the port number.
GMRP active
Activates/deactivates the port GMRP participation.
The prerequisite is that the GMRP function is globally enabled.
Possible values:
 marked (default setting)
The port GMRP participation is active.
 unmarked
The port GMRP participation is inactive.
Service requirement
Specifies the ports on which multicast forwarding applies.
Possible values:
 Forward all unregistered groups (default setting)
The device forwards data destined to GMRP-registered multicast MAC addresses on the VLAN.
The device forwards data to the unregistered groups.
 Forward all groups
The device forwards data destined to every group, registered or unregistered.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.6.2 GVRP
[ Switching > GARP > GVRP ]
The GARP VLAN Registration Protocol (GVRP) or Generic VLAN Registration Protocol is a
protocol that facilitates control of Virtual Local Area Networks (VLANs) within a larger network.
GVRP is a Layer 2 network protocol, used to automatically configure devices in a VLAN network.
GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning, and creating
dynamic VLAN on 802.1Q trunk ports. With GVRP, the device exchanges VLAN configuration
information with other GVRP devices. Thus, the device reduces the unnecessary broadcast and
unknown unicast traffic. Exchanging VLAN configuration information also lets you dynamically
create and manage VLANs connected through the 802.1Q trunk ports.
Operation
Operation
Enables/disables the GVRP function globally in the device. The device participates in GVRP
message exchanges. If the function is disabled, then the device ignores GVRP messages.
Possible values:
 On
The GVRP function is enabled.
 Off (default setting)
The GVRP function is disabled.
Table
Port
Displays the port number.
GVRP active
Activates/deactivates the port GVRP participation.
The prerequisite is that the GVRP function is globally enabled.
Possible values:
 marked (default setting)
The port GVRP participation is active.
 unmarked
The port GVRP participation is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.7 QoS/Priority
[ Switching > QoS/Priority ]
Communication networks carry several applications at the same time, and these applications have
different requirements for availability, bandwidth and latency.
QoS (Quality of Service) is a procedure defined in IEEE 802.1D. It is used to distribute resources
in the network. This lets you provide a minimum bandwidth for necessary
applications. The prerequisite is that the end devices and the devices in the network support
prioritized data transmission. Data packets with high priority are given preference when transmitted
by devices in the network. The devices transmit data packets with lower priority when there are no
data packets with a higher priority to be transmitted.
The device provides the following setting options:
 You specify how the device evaluates QoS/prioritization information for inbound data packets.
 For outbound packets, you specify which QoS/prioritization information the device writes in the
data packet (for example priority for management packets, port priority).
Note: If you use the functions in this menu, then disable the flow control. The flow control is inactive
if in the Switching > Global dialog, Configuration frame the Flow control checkbox is unmarked.
The menu contains the following dialogs:
 QoS/Priority Global
 QoS/Priority Port Configuration
 802.1D/p Mapping
 IP DSCP Mapping
 Queue Management
 DiffServ
5.7.1 QoS/Priority Global
[ Switching > QoS/Priority > Global ]
The device lets you maintain access to the device management, even in situations with heavy
utilization. In this dialog you specify the required QoS/priority settings.
Configuration
VLAN priority for management packets
Specifies the VLAN priority for sending management data packets. Depending on the VLAN
priority, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
 0..7 (default setting: 0)
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
IP DSCP value for management packets
Specifies the IP DSCP value for sending management data packets. Depending on the IP DSCP
value, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
 0 (be/cs0)..63
(default setting: 0 (be/cs0))
Some values in the list also have a DSCP keyword, for example 0 (be/cs0), 10 (af11) and 46
(ef). These values are compatible with the IP precedence model.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP DSCP
value.
Queues per port
Displays the number of priority queues per port.
The device has 8 priority queues per port. You assign every priority queue to a specific traffic class
(traffic class according to IEEE 802.1D).
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.7.2 QoS/Priority Port Configuration
[ Switching > QoS/Priority > Port Configuration ]
In this dialog, you specify for every port how the device processes received data packets based on
their QoS/priority information.
Table
Port
Displays the port number.
Port priority
Specifies what VLAN priority information the device writes into a data packet if the data packet
contains no priority information. After this, the device transmits the data packet depending on the
value specified in the Trust mode column.
Possible values:
 0..7 (default setting: 0)
Trust mode
Specifies how the device handles a received data packet if the data packet contains QoS/priority
information.
Possible values:
 untrusted
The device transmits the data packet according to the priority specified in the Port priority column.
The device ignores the priority information contained in the data packet.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
 trustDot1p (default setting)
The device transmits the data packet according to the priority information in the VLAN tag.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
 trustIpDscp
– If the data packet is an IP packet, then:
The device transmits the data packet according to the IP DSCP value contained in the data
packet.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP
DSCP value.
– If the data packet is not an IP packet, then:
The device transmits the data packet according to the priority specified in the Port priority
column.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every
VLAN priority.
Untrusted traffic class
Displays the traffic class assigned to the VLAN priority information specified in the Port priority
column. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every
VLAN priority.
Possible values:
 0..7
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.7.3 802.1D/p Mapping
[ Switching > QoS/Priority > 802.1D/p Mapping ]
The device transmits data packets with a VLAN tag according to the contained QoS/priority
information with a higher or lower priority.
In this dialog, you assign a traffic class to every VLAN priority. You assign the traffic classes to the
priority queues of the ports.
Table
VLAN priority
Displays the VLAN priority.
Traffic class
Specifies the traffic class assigned to the VLAN priority.
Possible values:
 0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
Note: Redundancy mechanisms, among other functions, use the highest traffic class. Therefore, select
another traffic class for application data.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Default assignment of the VLAN priority to traffic classes
VLAN Priority   Traffic class   Content description according to IEEE 802.1D
0               2               Best Effort: Normal data without prioritizing
1               0               Background: Non-time-sensitive data and background services
2               1               Standard: Normal data
3               3               Excellent Effort: Crucial data
4               4               Controlled Load: Time-sensitive data with a high priority
5               5               Video: Video transmission with delays and jitter < 100 ms
6               6               Voice: Voice transmission with delays and jitter < 10 ms
7               7               Network Control: Data for network management and redundancy mechanisms
5.7.4 IP DSCP Mapping
[ Switching > QoS/Priority > IP DSCP Mapping ]
The device transmits IP data packets according to the DSCP value contained in the data packet
with a higher or lower priority.
In this dialog, you assign a traffic class to every DSCP value. You assign the traffic classes to the
priority queues of the ports.
Table
DSCP value
Displays the DSCP value.
Traffic class
Specifies the traffic class which is assigned to the DSCP value.
Possible values:
 0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Default assignment of the DSCP values to traffic classes
DSCP Value          DSCP Name          Traffic class
0                   Best Effort /CS0   2
1-7                 -                  2
8                   CS1                0
9,11,13,15          -                  0
10,12,14            AF11,AF12,AF13     0
16                  CS2                1
17,19,21,23         -                  1
18,20,22            AF21,AF22,AF23     1
24                  CS3                3
25,27,29,31         -                  3
26,28,30            AF31,AF32,AF33     3
32                  CS4                4
33,35,37,39         -                  4
34,36,38            AF41,AF42,AF43     4
40                  CS5                5
41,42,43,44,45,47   -                  5
46                  EF                 5
48                  CS6                6
49-55               -                  6
56                  CS7                7
57-63               -                  7
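The trust modes of the Port Configuration dialog and the two default mapping tables combine as follows in this added Python model, which is not Hirschmann code: `classify` returns the traffic class a received frame gets, and `audit` lists end-device ports on which the connected station's own markings reach traffic class 7, the class the manual notes is used by redundancy mechanisms. The `Frame` and `PortQos` types, the `edge` flag and the port names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Default VLAN priority -> traffic class (default assignment table, 802.1D/p Mapping).
DEFAULT_DOT1P_TO_TC: Dict[int, int] = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# Default DSCP -> traffic class (default assignment table, IP DSCP Mapping),
# with the table rows grouped by traffic class and expanded to all 64 values.
_DSCP_GROUPS = [(0, 7, 2), (8, 15, 0), (16, 23, 1), (24, 31, 3),
                (32, 39, 4), (40, 47, 5), (48, 55, 6), (56, 63, 7)]
DEFAULT_DSCP_TO_TC: Dict[int, int] = {
    d: tc for lo, hi, tc in _DSCP_GROUPS for d in range(lo, hi + 1)}

TRUST_MODES = ("untrusted", "trustDot1p", "trustIpDscp")


@dataclass(frozen=True)
class Frame:
    pcp: Optional[int] = None   # priority in the VLAN tag; None = no priority information
    dscp: Optional[int] = None  # DSCP in the IP header; None = not an IP packet


@dataclass(frozen=True)
class PortQos:
    name: str                        # constructed port name
    trust_mode: str = "trustDot1p"   # default setting in the Trust mode column
    port_priority: int = 0           # default setting in the Port priority column
    edge: bool = False               # assumption: True if an end device is attached


def classify(frame: Frame, port: PortQos,
             dot1p: Dict[int, int] = DEFAULT_DOT1P_TO_TC,
             dscp: Dict[int, int] = DEFAULT_DSCP_TO_TC) -> int:
    """Traffic class of a received frame under the port's trust mode."""
    if port.trust_mode not in TRUST_MODES:
        raise ValueError(f"unknown trust mode: {port.trust_mode!r}")
    if port.trust_mode == "trustIpDscp" and frame.dscp is not None:
        return dscp[frame.dscp]      # IP packet: the DSCP value decides
    if port.trust_mode == "trustDot1p" and frame.pcp is not None:
        return dot1p[frame.pcp]      # tagged frame: the VLAN priority decides
    # untrusted, non-IP under trustIpDscp, or no priority information in the
    # frame: the Port priority value decides.
    return dot1p[port.port_priority]


def sender_selectable_classes(port: PortQos,
                              dot1p: Dict[int, int] = DEFAULT_DOT1P_TO_TC,
                              dscp: Dict[int, int] = DEFAULT_DSCP_TO_TC) -> Set[int]:
    """Every traffic class the attached station reaches by choosing its own markings."""
    frames = (Frame(p, d) for p in (None, *range(8)) for d in (None, *range(64)))
    return {classify(f, port, dot1p, dscp) for f in frames}


def audit(ports: Iterable[PortQos], reserved_tc: int = 7) -> List[str]:
    """Names of edge ports on which station-chosen markings reach reserved_tc."""
    return [p.name for p in ports
            if p.edge and reserved_tc in sender_selectable_classes(p)]


# Constructed sample configuration (not taken from a real device).
SAMPLE_PORTS = [
    PortQos("1/1", "trustDot1p", 0, edge=True),
    PortQos("1/2", "untrusted", 0, edge=True),
    PortQos("1/3", "trustIpDscp", 0, edge=True),
    PortQos("1/4", "trustDot1p", 0, edge=False),   # uplink to another switch
]

if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print(port.name, port.trust_mode, sorted(sender_selectable_classes(port)))
    print("edge ports whose stations can select class 7:", audit(SAMPLE_PORTS))
```

In the default tables, a DSCP value lands in the same traffic class as the VLAN priority equal to its upper three bits, so DSCP 56..63 and VLAN priority 7 share traffic class 7.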
5.7.5 Queue Management
[ Switching > QoS/Priority > Queue Management ]
This dialog lets you enable and disable the Strict priority function for the traffic classes. When you
disable the Strict priority function, the device processes the priority queues of the ports with
"Weighted Fair Queuing".
You also have the option of assigning a minimum bandwidth to every traffic class, which the
device uses to process the priority queues with "Weighted Fair Queuing".
Table
Traffic class
Displays the traffic class.
Strict priority
Activates/deactivates the processing of the port priority queue with Strict priority for this traffic class.
Possible values:
 marked (default setting)
The processing of the port priority queue with Strict priority is active.
– The port forwards only data packets that are in the priority queue with the highest priority.
When this priority queue is empty, the port forwards data packets that are in the priority
queue with the next lower priority.
– The port forwards data packets with a lower traffic class after the priority queues with a higher
priority are empty. In unfavorable situations, the port does not send these data packets.
– When you select this setting for a traffic class, the device also enables the function for traffic
classes with a higher priority.
– Use this setting for applications such as VoIP or video that require the least possible delay.
 unmarked
The processing of the port priority queue with Strict priority is inactive. The device uses "Weighted
Fair Queuing"/"Weighted Round Robin" (WRR) to process the port priority queue.
– The device assigns a minimum bandwidth to each traffic class.
– Even under a high network load the port transmits data packets with a low traffic class.
– When you select this setting for a traffic class, the device also disables the function for traffic
classes with a lower priority.
Min. bandwidth [%]
Specifies the minimum bandwidth for this traffic class when the device is processing the priority
queues of the ports with "Weighted Fair Queuing".
Possible values:
 0..100 (default setting: 0 = the device does not reserve any bandwidth for this traffic class)
The value specified in percent refers to the available bandwidth on the port. When you disable the
Strict priority function for every traffic class, the maximum bandwidth is available on the port for the
"Weighted Fair Queuing".
The maximum total of the assigned bandwidths is 100 %.
Max. bandwidth [%]
Specifies the shaping rate at which a Traffic Class transmits packets (Queue Shaping).
Possible values:
 0 (default setting)
The device does not reserve any bandwidth for this traffic class.
 1..100
The device reserves the specified bandwidth for this traffic class. The specified value in percent
refers to the maximum available bandwidth on this port.
For example, using queue shaping lets you limit the rate of a strict-high priority queue. Limiting a
strict-high priority queue lets the device also process low-priority queues. To use queue shaping,
you set the maximum bandwidth for a particular queue.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
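A slot-based model of the queue behaviour described in this section, added here as an example and not the device's scheduler: it applies the Strict priority cascade, checks the 100 % limit on minimum bandwidths, and compares strict priority, strict priority with a Max. bandwidth limit on the top queue, and weighted processing under the same constructed load. Assumptions of the model: one packet per slot, strict queues are served before weighted queues, and a Max. bandwidth of 0 leaves a queue unshaped.

```python
from fractions import Fraction
from typing import Dict

TCS = range(8)  # traffic classes 0 (lowest priority) .. 7 (highest priority)


def set_strict(strict: Dict[int, bool], tc: int, enabled: bool) -> Dict[int, bool]:
    """Cascade described for the Strict priority checkbox: marking a class also
    marks every higher class; unmarking a class also unmarks every lower class."""
    new = dict(strict)
    for other in TCS:
        if enabled and other >= tc:
            new[other] = True
        elif not enabled and other <= tc:
            new[other] = False
    return new


def check_min_bandwidth(min_bw: Dict[int, int]) -> None:
    """The total of the assigned minimum bandwidths is limited to 100 %."""
    if any(not 0 <= v <= 100 for v in min_bw.values()) or sum(min_bw.values()) > 100:
        raise ValueError("minimum bandwidths must be 0..100 and total at most 100 %")


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def simulate(offered: Dict[int, int], strict: Dict[int, bool],
             min_bw: Dict[int, int] = None, max_bw: Dict[int, int] = None,
             slots: int = 1000) -> Dict[int, int]:
    """Packets sent per traffic class when the port sends one packet per slot.

    offered: {tc: arrival rate in % of the port rate}. min_bw is used as the
    weight of non-strict queues; max_bw caps a queue's share of the slots.
    """
    min_bw, max_bw = min_bw or {}, max_bw or {}
    check_min_bandwidth(min_bw)
    backlog = {tc: 0 for tc in TCS}
    sent = {tc: 0 for tc in TCS}
    for t in range(slots):
        for tc, rate in offered.items():   # evenly spaced, deterministic arrivals
            backlog[tc] += _ceil_div((t + 1) * rate, 100) - _ceil_div(t * rate, 100)
        # A queue may send if it holds a packet and its shaper (if any) allows it.
        eligible = [tc for tc in TCS if backlog[tc] > 0 and (
            not max_bw.get(tc) or sent[tc] < (t + 1) * max_bw[tc] // 100)]
        if not eligible:
            continue
        strict_ready = [tc for tc in eligible if strict[tc]]
        weighted = [tc for tc in eligible if not strict[tc] and min_bw.get(tc, 0) > 0]
        if strict_ready:
            pick = max(strict_ready)       # highest strict queue always wins
        elif weighted:                     # queue furthest behind its weight, ties to higher class
            pick = min(weighted, key=lambda q: (Fraction(sent[q], min_bw[q]), -q))
        else:
            pick = max(eligible)           # unweighted leftovers, highest class first
        backlog[pick] -= 1
        sent[pick] += 1
    return sent


ALL_STRICT = {tc: True for tc in TCS}      # default setting: Strict priority marked
OFFERED = {7: 100, 2: 50}                  # constructed load: class 7 saturates the port


def scenarios() -> Dict[str, Dict[int, int]]:
    no_strict = set_strict(ALL_STRICT, 7, False)   # unmarking class 7 unmarks all classes
    return {
        "strict": simulate(OFFERED, ALL_STRICT),
        "strict+shaped": simulate(OFFERED, ALL_STRICT, max_bw={7: 60}),
        "weighted": simulate(OFFERED, no_strict, min_bw={7: 70, 2: 30}),
    }


if __name__ == "__main__":
    for name, sent in scenarios().items():
        print(name, {tc: n for tc, n in sent.items() if n})
```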
5.7.6 DiffServ
[ Switching > QoS/Priority > DiffServ ]
Differentiated Services (DiffServ) filter data packets in order to prioritize or limit the data stream.
• In a class, you specify the filter criteria.
• In a policy, you link the class with actions.
The device applies the actions of the policy to those data packets that meet the filter criteria of the
assigned class.
To configure DiffServ, perform the following steps:
 Create a class with the filter criteria.
 Create a policy.
 Assign a class with the filter criteria to the policy.
 Specify the actions of the policy.
 Assign the policy to a port.
 Activate the DiffServ function.
The device lets you use the following per class and per instance configurations:
 13 rules per class
 28 instances per policy
 3 attributes per instance
The menu contains the following dialogs:
 DiffServ Overview
 DiffServ Global
 DiffServ Class
 DiffServ Policy
 DiffServ Assignment
5.7.6.1 DiffServ Overview
[ Switching > QoS/Priority > DiffServ > Overview ]
This dialog displays the configured DiffServ settings.
Port
Port
Simplifies the table and displays the entries relating to a specific port. Displaying the table in this
fashion makes it easier for you to sort the table as you desire.
Possible values:
 All (default setting)
The table displays the entries for every port.
 <Port number>
The table displays the entries that apply to the selected port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.7.6.2 DiffServ Global
[ Switching > QoS/Priority > DiffServ > Global ]
In this dialog, you enable the DiffServ function.
Operation
Operation
Enables/disables the DiffServ function.
Possible values:
 On
The DiffServ function is enabled.
The device processes traffic according to the DiffServ rules.
 Off (default setting)
The DiffServ function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.7.6.3 DiffServ Class
[ Switching > QoS/Priority > DiffServ > Class ]
In this dialog, you specify the data packets to which the device executes the actions specified in the
Policy dialog. This assignment is called a class.
Only one class can be assigned to a policy. This means each class can contain multiple filter
criteria.
Table
Class name
Specifies the name of the DiffServ class. The device lets you change the class name directly in the
table.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Criteria
Displays the specified criteria for this rule.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
Create
Class name
Specifies the name of the DiffServ class.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Type
Specifies the type of Class Rule for matching; this determines the individual match conditions for
the present class rule.
Depending on which value you select, the following visible parameters change.
To match every packet regardless of content, select the value every.
Possible values:
 cos (default setting)
 dstip
 dstl4port
 dstmac
 every
 ipdscp
 ipprecedence
 iptos
 protocol
 refclass
 srcip
 srcl4port
 srcmac
 cos2
 etype
 vlanid
 vlanid2
Type = cos
COS
Specifies the class of service as the match value for the class.
Possible values:
 0..7 (default setting: 0)
Type = dstip
Destination IP address
Specifies the destination IP address as the match value for the class.
Possible values:
 Valid IP address
Destination IP address mask
Specifies the mask for the destination IP address.
Possible values:
 Valid netmask
Type = dstl4port
Destination port
Specifies the destination Layer 4 port as the match value for the class.
Possible values:
 Valid TCP or UDP port number
Type = dstmac
Destination MAC address
Specifies the destination MAC address as the match value for the class.
Possible values:
 Valid MAC address
Destination MAC address mask
Specifies the mask for the destination MAC address.
Possible values:
 Valid netmask
Type = ipdscp
DSCP
Specifies the IP DiffServ Code Point (DSCP) as the match value for the class.
Possible values:
 0..63 (default setting: 0(be/cs0))
Type = ipprecedence
TOS priority
Specifies the IP Precedence as the match value for the class. The precedence bits are the
high-order 3 bits of the Service Type octet in the IPv4 header.
Possible values:
 0..7 (default setting: 0)
Type = iptos
TOS mask
Specifies the IP TOS bits and mask as the match value for the class. The TOS bits are the 8 bits
of the Service Type octet in the IPv4 header.
Possible values:
 0x00..0xFF
Type = protocol
Protocol number
Specifies the internet protocol number as the match value for the class.
Possible values:
 0..255
Some common values are listed here:
– 1
ICMP
– 2
IGMP
– 4
IPv4
– 6
TCP
– 17
UDP
– 255
A rule with this value matches every protocol in the list.
The IANA defined the “Assigned Internet Protocol Numbers” that you enter here.
To find a list of the assigned numbers use the following link:
www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
Type = refclass
Ref class
Specifies the parent class as a corresponding reference class. This reference class uses the set of
match rules specified in a parent class as the match value.
Possible values:
 <Name of the DiffServ Class>
Conditions:
 If the reference class refers only to the parent class, then the parent class to which the user
binds this rule and the reference class produce the same results.
 Any attempt to delete the parent class while still referenced to by another class fails.
 If the reference class uses the parent class as the match value, then any subsequent change to
the parent class rules changes the reference class rules only.
 You add subsequent rules to the parent class compatible with the rules existing in the reference
class.
Type = srcip
Source IP address
Specifies the source IP address as the match value for the class.
Possible values:
 Valid IP address
Source IP address mask
Specifies the mask for the source IP address.
Possible values:
 Valid netmask
Type = srcl4port
Source port
Specifies the source Layer 4 port as the match value for the class.
Possible values:
 Valid TCP or UDP port number
Type = srcmac
Source MAC address
Specifies the source MAC address as the match value for the class.
Possible values:
 Valid MAC address and mask
Source MAC address mask
Specifies the mask for the source MAC address.
Possible values:
 Valid netmask
Type = cos2
COS 2
Specifies a secondary class of service as the match value for the class.
Possible values:
 0..7 (default setting: 0)
Type = etype
Etype
Specifies the Ethertype as the match value for the class.
Possible values:
 custom (default setting)
You specify the Ethertype in the Etype value field.
 appletalk
 arp
 ibmsna
 ipv4
 ipv6
 ipx
 mplsmcast
 mplsucast
 netbios
 novell
 pppoe
 rarp
Etype value
Specifies the user-defined Ethertype value.
The prerequisite is that in the Etype field you specify the value custom.
Possible values:
 0x0600..0xFFFF
Type = vlanid
VLAN ID
Specifies the VLAN ID as the match value for the class.
Possible values:
 1..4042
Type = vlanid2
VLAN2 ID
Specifies the secondary VLAN ID as the match value for the class.
Possible values:
 1..4042
5.7.6.4 DiffServ Policy
[ Switching > QoS/Priority > DiffServ > Policy ]
In this dialog, you specify which actions the device performs on data packets which fulfill the filter
criteria specified in the Class dialog. This assignment is called a policy.
Only one policy can be assigned to a port. Each policy can contain multiple actions.
Table
Policy name
Displays the name of the policy.
To change the value, click the relevant field.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Direction
Displays that the device applies the policy to received data packets.
Class name
Displays the name of the class that is assigned to the policy.
The filter criteria are specified in the class.
Attribute
Displays the action that the device performs on the data packets.
 To change an existing action, select the affected row, click the attribute item.
 To add additional actions to a policy, click the button and then the Modify button.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
Modify attribute
Specifies the action that the device performs on the data packets.
Create
In this dialog you create a new policy or add further actions to an existing policy.
Policy name
Specifies the name of the policy.
 To create a new policy, add a new name.
 To add more actions to an existing policy, select a name in the list.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Direction
Displays that the device applies the policy to received data packets.
Class name
Assigns the class to the policy.
The filter criteria are specified in the class.
Type
Specifies the policy type.
Depending on which value you select, the visible parameters that follow change.
Possible values:
▪ markCosVal (default setting)
▪ markIpDscpVal
▪ markIpPrecedenceVal
▪ policeSimple
▪ policeTworate
▪ assignQueue
▪ drop
▪ redirect
▪ mirror
▪ markCosAsSecCos
Type = markCosVal
Overwrites the priority field in the VLAN tag of the Ethernet packets:
• In the VLAN tag, the device overwrites the priority value in the COS parameter.
• With QinQ-tagged data packets, the device writes the value to the outer tag (C tag).
• With data packets without VLAN tags, the device adds a priority tag.
Can be combined with Type = redirect and mirror.
COS
Specifies the priority value that the device writes to the priority field of the VLAN tag of the Ethernet
packets.
Possible values:
▪ 0..7
Type = markIpDscpVal
Overwrites the DS field of the IP packets.
The device writes the value specified in the DSCP parameter to the DS field. Subsequent devices
in the network to which the device forwards the IP packets prioritize the IP packets according to
this setting. To have the device itself prioritize the IP packets, also assign them to the desired
queue with Type = assignQueue.
Can be combined with Type = assignQueue, redirect and mirror.
DSCP
Specifies the value that the device writes to the DS field of the IP packets.
Possible values:
▪ 0..63
Type = markIpPrecedenceVal
Overwrites the TOS field of the IP packets.
The device writes the value specified in the TOS priority parameter to the TOS field.
Can be combined with Type = assignQueue, redirect and mirror.
TOS priority
Specifies the value that the device writes to the TOS field of the IP packets.
Possible values:
▪ 0..7
Type = policeSimple
Limits the classified data stream to the values specified in the Simple C rate and Simple C burst fields:
• If the transfer rate and burst size of the data stream are below the specified values, then the
device applies the action specified in the Conform action field.
• If the transfer rate and burst size of the data stream are above the specified values, then the
device applies the action specified in the Non conform action field.
Can be combined with Type = assignQueue, redirect and mirror.
Simple C rate
Specifies the committed rate in kbit/s.
Upper limit
Possible values:
▪ 1..4294967295
Simple C burst
Specifies the committed burst size in kBytes.
Possible values:
▪ 0..128
Conform action, Non conform action
In the Conform action field, you specify the action that the device applies to the compliant data
stream. Compliant means that the data stream is under the limits specified in the parameters Simple
C rate and Simple C burst.
In the Non conform action field, you specify the action that the device applies to the non-compliant
data stream. Non-compliant means that the data stream is over the limits specified in the
parameters Simple C rate and Simple C burst.
Possible values:
▪ drop
Discards the data packets.
▪ markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
▪ markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
▪ send
Sends the data packets.
▪ markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– In the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
▪ markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
▪ markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).
Color conform class
Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
▪ blind
The device operates in the color-blind mode. The device designates the complete data stream
received as conform (green).
▪ <Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
You can select only classes for which a rule of the type cos, ipdscp, ipprec or cos2 is specified
in the Criteria column of the Switching > QoS/Priority > DiffServ > Class dialog.
Verify that the filter criteria of the class selected in the Class name drop-down list above and of the
class selected in this drop-down list are neither identical nor mutually exclusive. Exclusion criteria
are:
• The filter criteria have the same rule type, for example cos and cos. Use classes with a different
rule type, for example cos and ipdscp.
• One of the classes references with the rule type refclass another class that conflicts with the
used classes.
Type = policeTworate
Limits the classified data stream to the values specified in the Two rate C rate, Two rate C burst, Two
rate P rate, and Two rate P burst fields.
• If the transfer rate and burst size are below Two rate C rate and Two rate C burst, then the device
applies the action specified in the Conform action field to the data stream.
• If the transfer rate and burst size are between Two rate C rate and Two rate P rate as well as Two
rate C burst and Two rate P burst, then the device applies the action specified in the Exceed action
field to the data stream.
• If the transfer rate and burst size are above Two rate P rate and Two rate P burst, then the device
applies the action specified in the Non conform action field to the data stream.
Can be combined with Type = assignQueue, redirect and mirror.
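The three outcomes above, modelled as an added example that is not code from the manual or from HiOS. It assumes a color-blind, two-token-bucket meter in the style of RFC 2698, buckets that start full, and 1 kByte = 1000 bytes; the manual does not state the device's internal algorithm, and the sample stream is constructed.

```python
BYTES_PER_KBYTE = 1000   # assumption: the manual does not define "kBytes"
US_PER_S = 1_000_000     # buckets are kept in byte-microseconds (exact integers)


class TwoRatePolicer:
    """Meter for Type = policeTworate; parameter names follow the dialog fields."""

    def __init__(self, c_rate, c_burst, p_rate, p_burst):
        # Value ranges as listed for the four fields (rates in kbit/s, bursts in kBytes).
        for rate in (c_rate, p_rate):
            if not 1 <= rate <= 4294967295:
                raise ValueError("rate out of range 1..4294967295")
        if not 0 <= c_burst <= 128:
            raise ValueError("Two rate C burst out of range 0..128")
        if not 1 <= p_burst <= 128:
            raise ValueError("Two rate P burst out of range 1..128")
        self.c_rate, self.p_rate = c_rate, p_rate
        self.c_cap = c_burst * BYTES_PER_KBYTE * US_PER_S
        self.p_cap = p_burst * BYTES_PER_KBYTE * US_PER_S
        # Assumption: both buckets start full.
        self.tc, self.tp = self.c_cap, self.p_cap
        self.last_us = 0

    def _refill(self, now_us):
        elapsed = now_us - self.last_us
        if elapsed < 0:
            raise ValueError("timestamps must not go backwards")
        # kbit/s -> bytes/s is *1000/8 = *125; multiplied by elapsed microseconds.
        self.tc = min(self.c_cap, self.tc + self.c_rate * 125 * elapsed)
        self.tp = min(self.p_cap, self.tp + self.p_rate * 125 * elapsed)
        self.last_us = now_us

    def classify(self, now_us, size_bytes):
        """Return 'conform', 'exceed' or 'non-conform' for one packet."""
        self._refill(now_us)
        cost = size_bytes * US_PER_S
        if self.tp < cost:
            return "non-conform"   # above Two rate P rate / P burst
        self.tp -= cost
        if self.tc < cost:
            return "exceed"        # between the C and the P limits
        self.tc -= cost
        return "conform"           # below Two rate C rate / C burst


def police(policer, packets, actions):
    """packets: iterable of (time_us, size_bytes); actions: verdict -> action name.
    Returns one (verdict, action) pair per packet."""
    result = []
    for now_us, size in packets:
        verdict = policer.classify(now_us, size)
        result.append((verdict, actions[verdict]))
    return result


# Constructed sample: five back-to-back 1000-byte packets, then one more 8 ms later.
SAMPLE_PACKETS = [(0, 1000)] * 5 + [(8000, 1000)]
# Conform action / Exceed action / Non conform action, using values from the dialog.
SAMPLE_ACTIONS = {"conform": "send", "exceed": "markDscp", "non-conform": "drop"}


def demo():
    policer = TwoRatePolicer(c_rate=1000, c_burst=2, p_rate=2000, p_burst=4)
    return police(policer, SAMPLE_PACKETS, SAMPLE_ACTIONS)


if __name__ == "__main__":
    for verdict, action in demo():
        print(verdict, "->", action)
```

The burst drains the committed bucket after two packets and the peak bucket after four, so the fifth packet is non-conforming; 8 ms of refill is enough for one more conforming packet.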
Two rate C rate
Specifies the committed rate in kbit/s.
Possible values:
▪ 1..4294967295
Two rate C burst
Specifies the committed burst size in kBytes.
Possible values:
▪ 0..128
Two rate P rate
Specifies the peak rate (max. allowable transfer rate of the data stream) in kbit/s.
Possible values:
▪ 1..4294967295
Two rate P burst
Specifies the peak burst size (max. allowable burst size) in kBytes.
Possible values:
▪ 1..128
Conform action, Conform value, Exceed action, Exceed value, Non conform action, Non conform value
In the Conform action field, you specify the action that the device applies to the compliant data
stream. Compliant means that transfer rate and burst size are below Two rate C rate and Two rate C
burst.
In the Exceed action field, you specify the action that the device applies to the data stream. The
prerequisite is that the transfer rate and burst size are between Two rate C rate and Two rate P rate
as well as Two rate C burst and Two rate P burst.
In the Non conform action field, you specify the action that the device applies to the non-compliant
data stream. Non-compliant means that the transfer rate and burst size are above Two rate P rate
and Two rate P burst.
Possible values:
▪ drop
Discards the data packets.
▪ markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
▪ markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
▪ send
Sends the data packets.
▪ markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– In the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
▪ markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
▪ markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).
Color conform class
Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
▪ 0 - blind
The device operates in the color-blind mode. The device designates the complete data stream
received as conform (green).
▪ <Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
You can select only classes for which a rule of the type cos, ipdscp, ipprec or cos2 is specified
in the Criteria column of the Switching > QoS/Priority > DiffServ > Class dialog.
Verify that the filter criteria of the class selected in the Class name drop-down list above and of the
class selected in this drop-down list are neither identical nor mutually exclusive. Exclusion criteria
are:
• The filter criteria have the same rule type, for example cos and cos. Use classes with a different
rule type, for example cos and ipdscp.
• One of the classes references with the rule type refclass another class that conflicts with the
used classes.
Type = assignQueue
Changes the priority queue into which the device adds the data packets.
The device enqueues the data packets into the priority queue with the ID specified in the Queue ID
parameter.
Can be combined with Type = drop, markCosVal and markCosAsSecCos.
Queue ID
Specifies the ID of the priority queue into which the device adds the data packets. See the Traffic
class field and the Switching > QoS/Priority > 802.1D/p Mapping dialog.
Possible values:
▪ 0..7
Type = drop
Discards the data packets.
Can be combined with Type = mirror if mirror is set up first.
Type = redirect
The device forwards the received data stream to the port specified in the Redirection interface field.
Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal,
policeSimple, policeTworate, assignQueue and markCosAsSecCos.
Redirection interface
Specifies the destination port.
Possible values:
▪ <Port number>
Number of the destination port. The device forwards the data packets to this port.
Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data
stream exceeds the bandwidth of the destination port, then the device discards surplus data
packets on the destination port.
Type = mirror
The device copies the received data stream and also transfers it to the port specified in the Mirror
interface field.
Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal,
policeSimple, policeTworate, assignQueue and markCosAsSecCos.
Mirror interface
Specifies the destination port.
Possible values:
▪ <Port number>
Number of the destination port. The device copies the data packets to this port.
Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data
stream exceeds the bandwidth of the destination port, then the device discards surplus data
packets on the destination port.
Type = markCosAsSecCos
Overrides the priority field in the outer VLAN tag of the Ethernet packets with the priority value of
the inner VLAN tag.
Can be combined with Type = assignQueue, redirect and mirror.
5.7.6.5 DiffServ Assignment
[ Switching > QoS/Priority > DiffServ > Assignment ]
In this dialog you assign the policy to a port.
Table
Port
Displays the port number.
Direction
Displays the interface direction to which you assigned the policy.
Policy name
Displays the name of the policy assigned to the interface.
Status
Displays the port status.
Active
Activates/deactivates the DiffServ parameters associated with this row.
Possible values:
▪ marked
The device forwards traffic according to the specified DiffServ settings.
▪ unmarked
The device forwards traffic without regarding the specified DiffServ settings.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
Create
Port
Specifies the port to which the table entry relates.
Possible values:
▪ Available ports
Direction
Specifies the direction in which the device applies the policy.
Possible values:
▪ In (default setting)
▪ Out
Policy
Specifies the policy assigned to the port.
Possible values:
▪ Available policies
5.8 VLAN
[ Switching > VLAN ]
With VLAN (Virtual Local Area Network) you distribute the data traffic in the physical network to
logical subnetworks. This provides you with the following advantages:
▪ High flexibility
– With VLAN you distribute the data traffic to logical networks in the existing infrastructure.
Without VLAN, it would be necessary to have additional devices and complicated cabling.
– With VLAN you specify network segments independently of the location of the individual end
devices.
▪ Improved throughput
– In VLANs data packets can be transferred by priority.
When the priority is high, the device transfers the data of a VLAN preferentially, for example
for time-sensitive applications such as VoIP phone calls.
– When the data packets and Broadcasts are distributed in small network segments instead of
in the entire network, the network load is considerably reduced.
▪ Increased security
The distribution of the data traffic among individual logical networks makes unwanted access
more difficult and strengthens the system against attacks such as MAC Flooding or MAC
Spoofing.
The device supports packet-based “tagged” VLANs according to the IEEE 802.1Q standard. The
VLAN tagging in the data packet indicates the VLAN to which the data packet belongs.
The device transmits the tagged data packets of a VLAN only on ports that are assigned to the
same VLAN. This reduces the network load.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
The device prioritizes the received data stream in the following sequence:
▪ Voice VLAN
▪ MAC-based VLAN
▪ IP subnet-based VLAN
▪ Protocol-based VLAN
▪ Port-based VLAN
The menu contains the following dialogs:
▪ VLAN Global
▪ VLAN Configuration
▪ VLAN Port
▪ VLAN Voice
▪ MAC Based VLAN
▪ Subnet Based VLAN
▪ Protocol Based VLAN
5.8.1 VLAN Global
[ Switching > VLAN > Global ]
This dialog lets you view general VLAN parameters for the device.
Configuration
Max. VLAN ID
Highest ID assignable to a VLAN.
See the Switching > VLAN > Configuration dialog.
VLANs (max.)
Displays the maximum number of VLANs possible.
See the Switching > VLAN > Configuration dialog.
VLANs
Number of VLANs currently configured in the device.
See the Switching > VLAN > Configuration dialog.
VLAN ID 1 is always present in the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Clear...
Resets the VLAN settings of the device to the default setting.
Note that you lose your connection to the device if you have changed the VLAN ID for the device
management in the Basic Settings > Network dialog.
5.8.2 VLAN Configuration
[ Switching > VLAN > Configuration ]
In this dialog, you manage the VLANs. To set up a VLAN, create a further row in the table. There
you specify for each port if it transmits data packets of the respective VLAN and if the data packets
contain a VLAN tag.
You distinguish between the following VLANs:
▪ The user sets up static VLANs.
▪ The device sets up dynamic VLANs automatically and removes them if the prerequisites cease
to apply.
For the following functions the device creates dynamic VLANs:
– MRP: If you assign to the ring ports a non-existing VLAN, then the device creates this VLAN.
– MVRP: The device creates a VLAN based on the messages of neighboring devices.
– Routing: The device creates a VLAN for every router interface.
Note: The settings are effective only if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.
Table
VLAN ID
ID of the VLAN.
The device supports up to 256 VLANs simultaneously set up.
Possible values:
▪ 1..4042
Status
Displays how the VLAN is set up.
Possible values:
▪ other
VLAN 1
or
VLAN set up using the 802.1X Port Authentication function. See the Network Security > 802.1X Port
Authentication dialog.
▪ permanent
VLAN set up by the user.
or
VLAN set up using the MRP function. See the Switching > L2-Redundancy > MRP dialog.
If you save the changes in the non-volatile memory, then the VLANs with this setting remain set
up after a restart.
▪ dynamicMvrp
VLAN set up using the MVRP function. See the Switching > MRP-IEEE > MVRP dialog.
VLANs with this setting are write-protected. The device removes a VLAN from the table as soon
as the last port leaves the VLAN.
Creation time
Displays the time of VLAN creation.
The field displays the time stamp for the operating time (system uptime).
Name
Specifies the name of the VLAN.
Possible values:
▪ Alphanumeric ASCII character string with 1..32 characters
<Port number>
Specifies if the respective port transmits data packets of the VLAN and if the data packets contain
a VLAN tag.
Possible values:
▪ - (default setting)
The port is not a member of the VLAN and does not transmit data packets of the VLAN.
▪ T = Tagged
The port is a member of the VLAN and transmits the data packets with a VLAN tag. You use this
setting for uplink ports, for example.
▪ LT = Tagged Learned
The port is a member of the VLAN and transmits the data packets with a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.
▪ F = Forbidden
The port is not a member of the VLAN and does not transmit data packets of this VLAN.
Additionally, the device helps prevent the port from becoming a VLAN member through the
MVRP function.
▪ U = Untagged (default setting for VLAN 1)
The port is a member of the VLAN and transmits the data packets without a VLAN tag. Use this
setting if the connected device does not evaluate any VLAN tags, for example on end ports.
▪ LU = Untagged Learned
The port is a member of the VLAN and transmits the data packets without a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.
Note: Verify that the port on which the network management station is connected is a member of
the VLAN in which the device transmits the management data. In the default setting, the device
transmits the management data on VLAN 1. Otherwise, the connection to the device terminates
when you transfer the changes to the device. The access to the device management is possible
only using the Command Line Interface through the serial interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
In the VLAN ID field, you specify the ID of the VLAN.
5.8.3 VLAN Port
[ Switching > VLAN > Port ]
In this dialog you specify how the device handles received data packets that have no VLAN tag, or
whose VLAN tag differs from the VLAN ID of the port.
This dialog lets you assign a VLAN to the ports and thus specify the port VLAN ID.
Additionally, you also specify for each port how the device transmits data packets if the VLAN
Unaware mode is disabled and one of the following situations occurs:
▪ The port receives data packets without a VLAN tagging.
▪ The port receives data packets with VLAN priority information (VLAN ID 0, priority tagged).
▪ The VLAN tagging of the data packet differs from the VLAN ID of the port.
Note: The settings are effective only if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.
Table
Port
Displays the port number.
Port-VLAN ID
Specifies the ID of the VLAN which the device assigns to data packets without a VLAN tag. The
prerequisite is that you specify in the Acceptable packet types column the value admitAll.
Possible values:
▪ ID of a VLAN you set up (default setting: 1)
If you use the MRP function and you did not assign a VLAN to the ring ports, then you specify the
value 1 here for the ring ports. Otherwise, the device assigns the value to the ring ports
automatically.
Acceptable packet types
Specifies whether the port transmits or discards received data packets without a VLAN tag.
Possible values:
▪ admitAll (default setting)
The port accepts data packets both with and without a VLAN tag.
▪ admitOnlyVlanTagged
The port accepts only data packets tagged with a VLAN ID ≥ 1.
Ingress filtering
Activates/deactivates the ingress filtering.
Possible values:
▪ marked
The ingress filtering is active.
The device compares the VLAN ID in the data packet with the VLANs of which the device is a
member. See the Switching > VLAN > Configuration dialog. If the VLAN ID in the data packet
matches one of these VLANs, then the port transmits the data packet. Otherwise, the device
discards the data packet.
▪ unmarked (default setting)
The ingress filtering is inactive.
The device transmits received data packets without comparing the VLAN ID. Thus the port also
transmits data packets with a VLAN ID of which the port is not a member.
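The ingress decision that the Port-VLAN ID, Acceptable packet types and Ingress filtering columns describe, modelled as an added example (not code from the manual or from HiOS), with an audit that lists the VLANs a port forwards although it is not a member. Assumptions: priority-tagged packets (VLAN ID 0) are handled like untagged ones as in IEEE 802.1Q, the membership comparison applies only to the VLAN ID carried in a tag, and the port names and VLAN IDs are constructed.

```python
ADMIT_ALL = "admitAll"
ADMIT_ONLY_TAGGED = "admitOnlyVlanTagged"


class PortVlanConfig:
    """One row of the VLAN Port dialog plus the port's VLAN membership.
    Defaults follow the default settings listed in the manual."""

    def __init__(self, name, pvid=1, acceptable=ADMIT_ALL,
                 ingress_filtering=False, member_of=(1,)):
        if acceptable not in (ADMIT_ALL, ADMIT_ONLY_TAGGED):
            raise ValueError("unknown Acceptable packet types value")
        self.name = name
        self.pvid = pvid
        self.acceptable = acceptable
        self.ingress_filtering = ingress_filtering
        self.member_of = frozenset(member_of)


def ingress_decision(port, frame_vid):
    """frame_vid: None = untagged, 0 = priority-tagged, 1..4042 = VLAN-tagged.
    Returns ("forward", vlan_id) or ("discard", reason)."""
    if frame_vid is None or frame_vid == 0:
        # admitOnlyVlanTagged accepts only packets tagged with a VLAN ID >= 1.
        if port.acceptable == ADMIT_ONLY_TAGGED:
            return ("discard", "no VLAN tag with ID >= 1")
        # Assumption: VLAN ID 0 is classified with the Port-VLAN ID like untagged.
        return ("forward", port.pvid)
    if not 1 <= frame_vid <= 4042:
        raise ValueError("VLAN ID out of range 1..4042")
    if port.ingress_filtering and frame_vid not in port.member_of:
        return ("discard", "port is not a member of VLAN %d" % frame_vid)
    # Ingress filtering unmarked: forwarded without comparing the VLAN ID.
    return ("forward", frame_vid)


def foreign_vlans_accepted(port, configured_vlans):
    """VLAN IDs the port forwards on ingress although it is not a member."""
    return sorted(vid for vid in configured_vlans
                  if vid not in port.member_of
                  and ingress_decision(port, vid)[0] == "forward")


def audit(ports, configured_vlans):
    """Return {port name: [foreign VLAN IDs]} for ports that accept foreign tags."""
    findings = {}
    for port in ports:
        foreign = foreign_vlans_accepted(port, configured_vlans)
        if foreign:
            findings[port.name] = foreign
    return findings


# Constructed sample configuration (port names and VLAN IDs are hypothetical).
CONFIGURED_VLANS = {1, 10, 20, 30}


def sample_ports():
    return [
        # End port left at the default: ingress filtering unmarked.
        PortVlanConfig("1/1", pvid=10, member_of=(10,)),
        # Same end port with ingress filtering marked.
        PortVlanConfig("1/2", pvid=10, member_of=(10,), ingress_filtering=True),
        # Uplink: tagged member of three VLANs, tagged packets only, filtering marked.
        PortVlanConfig("1/5", acceptable=ADMIT_ONLY_TAGGED,
                       ingress_filtering=True, member_of=(10, 20, 30)),
    ]


if __name__ == "__main__":
    for name, vlans in audit(sample_ports(), CONFIGURED_VLANS).items():
        print("port %s forwards tagged packets of non-member VLANs %s" % (name, vlans))
```

On the sample, only port 1/1 is reported: with ingress filtering unmarked it forwards packets tagged for VLANs 1, 20 and 30 although it is a member of VLAN 10 only.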
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.8.4 VLAN Voice
[ Switching > VLAN > Voice ]
Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority.
A primary benefit of Voice VLAN is safeguarding the quality of voice traffic when data traffic on the
port is high.
The device detects VoIP phones using the Link Layer Discovery Protocol - Media Endpoint
Discovery (LLDP-MED). The device then adds the appropriate port to the member set of the
configured Voice VLAN. The member set is either tagged or untagged. Tagging depends on the
Voice VLAN interface mode (VLAN ID, Dot1p, None, Untagged).
Another benefit of the Voice VLAN feature is that the VoIP phone obtains VLAN ID or priority
information via LLDP-MED from the device. As a result, the VoIP phone sends voice data tagged
as priority, or untagged. This depends on the configured Voice VLAN Interface mode. You activate
Voice VLAN on the port which is connecting to the VoIP phone.
Operation
Operation
Enables/disables the VLAN Voice function of the device globally.
Possible values:
▪ On
▪ Off (default setting)
Table
Port
Displays the port number.
Voice VLAN mode
Specifies whether the port transmits or discards received data packets without a voice VLAN
tagging or with voice VLAN priority information.
Possible values:
▪ disabled (default setting)
Deactivates the VLAN Voice function for this table entry.
▪ none
Lets the IP telephone use its own configuration for sending untagged voice traffic.
▪ vlan/dot1p-priority
The port filters data packets of the voice VLAN using the vlan and dot1p priority tags.
▪ untagged
The port filters data packets without a voice VLAN tag.
▪ vlan
The port filters data packets of the voice VLAN using the vlan tag.
▪ dot1p-priority
The port filters data packets of the voice VLAN using the dot1p priority tags. If you select this
value, then additionally specify a proper value in the Priority column.
Data priority mode
Specifies the trust mode for the data traffic on the particular port.
The device uses this mode for data traffic on the voice VLAN, when it detects a VoIP telephone and
a PC and when these devices use the same cable for transmitting and receiving data.
Possible values:
▪ trust (default setting)
If voice traffic is present on the interface, then the data traffic uses the normal priority with this
setting.
▪ untrust
If voice traffic is present and the Voice VLAN mode is set to dot1p-priority, then the data has
the priority 0. If the interface only transmits data, then the data has the normal priority.
Status
Displays the status of the Voice VLAN on the port.
Possible values:
▪ marked
The Voice VLAN is enabled.
▪ unmarked
The Voice VLAN is disabled.
VLAN ID
Specifies the ID of the VLAN to which the table entry applies.
To forward traffic to this VLAN ID using this filter, select in the Voice VLAN mode column the value
vlan.
Possible values:
▪ 0..4042
Priority
Specifies the Voice VLAN Priority of the port. The prerequisite is that you specify in the Voice VLAN
mode column the value dot1p-priority.
Possible values:
▪ 0..7
▪ none
Deactivates the Voice VLAN Priority of the port.
Bypass authentication
Activates the Voice VLAN Authentication mode.
If you deactivate the function and set the value in the Voice VLAN mode column to dot1p-priority,
then voice devices require an authentication.
Possible values:
▪ marked (default setting)
If you activated the function in the Network Security > 802.1X Port Authentication > Global
dialog, then set the Port control parameter for this port to the multiClient value before activating
this function. You find the Port control parameter in the Network Security > 802.1X Port
Authentication > Global dialog.
▪ unmarked
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.8.5 MAC Based VLAN
[ Switching > VLAN > MAC Based VLAN ]
In a MAC-based VLAN, the device forwards traffic based on the source MAC address associated
with a VLAN. User-defined filters determine whether a packet belongs to a particular VLAN.
MAC-based VLANs specify the filtering criteria only for untagged or priority-tagged packets. Assign
a port to a MAC-based VLAN for a specific source MAC address. The device then forwards
untagged packets received with the configured MAC address to the MAC-based VLAN ID. Other
untagged packets are subject to normal VLAN classification rules.
Table
MAC address
Displays the MAC address to which the table entry relates.
The device supports up to 256 simultaneous MAC-based VLAN assignments.
Possible values:
▪ Valid MAC address
VLAN ID
Displays the ID of the VLAN to which the table entry applies.
Possible values:
▪ 1..4042 (set up VLAN IDs)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
▪ In the MAC address field, you specify the MAC address.
▪ In the VLAN ID field, you specify the ID of the VLAN.
5.8.6 Subnet Based VLAN
[ Switching > VLAN > Subnet Based VLAN ]
In IP subnet-based VLANs, the device forwards traffic based on the source IP address and subnet
mask associated with the VLAN. User-defined filters determine whether a packet belongs to a
particular VLAN.
IP subnet-based VLANs specify the filtering criteria only for untagged packets or priority tagged
packets. Assign a port to an IP subnet-based VLAN for a specific source address. The device then
forwards untagged packets received with the configured address to the IP subnet-based VLAN ID.
To configure an IP subnet based VLAN, specify an IP address, a subnet mask, and the
corresponding VLAN identifier. When multiple entries apply, the device uses the entry with the
longest prefix first.
Table
IP address
Displays the IP address to which you assign the subnetwork based VLAN.
The device supports up to 128 VLANs set up simultaneously to subnetwork based VLANs.
Possible values:
▪ Valid IP address
Netmask
Displays the netmask to which you assign the subnetwork based VLAN.
Possible values:
▪ Valid IP netmask
VLAN ID
Displays the VLAN ID.
Possible values:
▪ 1..4042
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
▪ In the IP address field, you specify the IP address.
▪ In the Netmask field, you specify the netmask.
▪ In the VLAN ID field, you specify the ID of the VLAN.
5.8.7 Protocol Based VLAN
[ Switching > VLAN > Protocol Based VLAN ]
In a protocol-based VLAN, specified ports bridge traffic based on the L3 protocol (EtherType)
associated with the VLAN. User-defined packet filters determine whether a packet belongs to a
particular VLAN.
Protocol-based VLANs specify the filtering criteria only for untagged packets. Assign a port to a
protocol-based VLAN for a specific protocol. The device then forwards untagged packets received
with the configured protocol to the protocol-based VLAN ID. The device assigns other untagged
packets with the port VLAN ID.
Table
Group ID
Displays the group identifier of the protocol-based VLAN entry.
The device supports up to 128 protocol-based VLAN associations simultaneously.
Possible values:
▪ 1..128
Name
Specifies the group name of the protocol-based VLAN entry.
Possible values:
▪ Alphanumeric ASCII character string with 1..16 characters
VLAN ID
Specifies the ID of the VLAN.
Possible values:
▪ 1..4042
Port
Specifies the ports that are assigned to the group.
Possible values:
▪ <Port number>
Select the ports in the drop-down list.
Ethertype
Specifies the Ethertype value assigned to the VLAN.
The Ethertype is a two-octet field in an Ethernet packet to indicate which protocol the payload
contains.
Possible values:
▪ 0x0600..0xFFFF
Ethertype as a hexadecimal number sequence
When you enter a decimal value, the device converts the value into a hexadecimal number
sequence when you click the Add button.
▪ ip
Ethertype keyword for IPv4 (equivalent to 0x0800)
▪ arp
Ethertype keyword for ARP (equivalent to 0x0806)
▪ ipx
Ethertype keyword for IPX (equivalent to 0x8137)
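How the MAC-based, IP subnet-based, protocol-based and port-based assignments described in sections 5.8.5 to 5.8.7 combine for a packet without a VLAN ID, following the sequence given in section 5.8, as an added example (not code from the manual or from HiOS). It leaves out the Voice VLAN step, which depends on LLDP-MED detection; the class and function names, port names, addresses and VLAN IDs are constructed.

```python
import ipaddress

# Keywords and range as listed for the Ethertype field.
ETHERTYPE_KEYWORDS = {"ip": 0x0800, "arp": 0x0806, "ipx": 0x8137}


def parse_ethertype(value):
    """Accept a keyword, a 0x-prefixed hex string, or a decimal string or int."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ETHERTYPE_KEYWORDS:
            return ETHERTYPE_KEYWORDS[text]
        value = int(text, 16) if text.startswith("0x") else int(text)
    if not 0x0600 <= value <= 0xFFFF:
        raise ValueError("Ethertype must be in 0x0600..0xFFFF")
    return value


class VlanTables:
    """The three assignment tables plus the Port-VLAN ID of each port."""

    def __init__(self, pvid):
        self.pvid = dict(pvid)   # port -> Port-VLAN ID
        self.mac = {}            # source MAC address -> VLAN ID
        self.subnets = []        # (network, VLAN ID)
        self.protocols = []      # (ports, Ethertype, VLAN ID)

    def add_mac(self, mac, vlan_id):
        self.mac[mac.lower()] = vlan_id

    def add_subnet(self, address, netmask, vlan_id):
        net = ipaddress.ip_network("%s/%s" % (address, netmask), strict=False)
        self.subnets.append((net, vlan_id))

    def add_protocol_group(self, ports, ethertype, vlan_id):
        self.protocols.append((frozenset(ports), parse_ethertype(ethertype), vlan_id))


def classify(tables, port, src_mac, ethertype, src_ip=None, priority_tagged=False):
    """Return (VLAN ID, rule) for an untagged or priority-tagged packet."""
    # 1. MAC-based VLAN: match on the source MAC address.
    vlan_id = tables.mac.get(src_mac.lower())
    if vlan_id is not None:
        return (vlan_id, "mac")
    # 2. IP subnet-based VLAN: the entry with the longest prefix wins.
    if src_ip is not None:
        address = ipaddress.ip_address(src_ip)
        matches = [(net, vid) for net, vid in tables.subnets if address in net]
        if matches:
            return (max(matches, key=lambda m: m[0].prefixlen)[1], "subnet")
    # 3. Protocol-based VLAN: untagged packets only, and only on ports of the group.
    if not priority_tagged:
        for ports, group_ethertype, vid in tables.protocols:
            if port in ports and group_ethertype == ethertype:
                return (vid, "protocol")
    # 4. Port-based VLAN: fall back to the Port-VLAN ID.
    return (tables.pvid[port], "port")


def build_sample():
    """Constructed sample tables; every value here is hypothetical."""
    tables = VlanTables(pvid={"1/1": 1, "1/3": 5})
    tables.add_mac("02:00:00:00:00:01", 100)
    tables.add_subnet("10.0.0.0", "255.0.0.0", 20)
    tables.add_subnet("10.1.2.0", "255.255.255.0", 30)
    tables.add_protocol_group({"1/1", "1/2"}, "arp", 40)
    return tables


if __name__ == "__main__":
    t = build_sample()
    print(classify(t, "1/1", "02:00:00:00:00:99", 0x0800, "10.1.2.9"))
    print(classify(t, "1/1", "02:00:00:00:00:99", 0x0806, priority_tagged=True))
```

Source MAC and IP addresses are set by the sender, so these assignments sort traffic into VLANs and do not authenticate the sending device.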
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9 L2-Redundancy
[ Switching > L2-Redundancy ]
The menu contains the following dialogs:
▪ MRP
▪ HIPER Ring
▪ DLR (depends on hardware)
▪ PRP (depends on hardware)
▪ HSR (depends on hardware)
▪ Spanning Tree
▪ Link Aggregation
▪ Link Backup
▪ FuseNet
5.9.1 MRP
[ Switching > L2-Redundancy > MRP ]
The Media Redundancy Protocol (MRP) is a protocol that lets you set up high-availability,
ring-shaped network structures. An MRP ring with Hirschmann devices is made up of up to 100 devices
that support the MRP protocol according to IEC 62439.
If a section fails, then the ring structure of an MRP ring changes back into a line structure. The
maximum recovery time can be configured.
The Ring Manager function of the device closes the ends of a backbone in a line structure to a
redundant ring.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the MRP ring. See the Switching > L2-Redundancy > Spanning
Tree > Port dialog.
When you work with oversized Ethernet packets (the value in the MTU column for the port is > 1518,
see the Basic Settings > Port dialog), the switching time of the MRP ring reconfiguration depends on
the following parameters:
 Bandwidth of the ring line
 Size of the Ethernet packets
 Number of devices in the ring
Set the recovery time sufficiently large to help avoid delays in the MRP packets due to latencies
in the devices. You can find the formula for calculating the switching time in IEC 62439-2, section
9.5.
Operation
Operation
Enables/disables the MRP function.
After you have configured the parameters for the MRP ring, enable the function here.
Possible values:
 On
The MRP function is enabled.
After you have configured the devices in the MRP ring, the redundancy is active.
 Off (default setting)
The MRP function is disabled.
Ring port 1/Ring port 2
Port
Specifies the number of the port that is operating as a ring port.
Possible values:
 <Port number>
Number of the ring port
Note: If the device uses the software supporting Fast MRP, then you cannot select a Link
Aggregation port as a ring port.
Operation
Displays the operating status of the ring port.
Possible values:
 forwarding
The port is enabled, connection exists.
 blocked
The port is blocked, connection exists.
 disabled
The port is disabled.
 not-connected
No connection exists.
Fixed backup
Activates/deactivates the backup port function for the Ring port 2.
Note: The switch over to the primary port can exceed the maximum ring recovery time.
Possible values:
 marked
The Ring port 2 backup function is active. When the ring is closed, the ring manager reverts back
to the primary ring port.
 unmarked (default setting)
The Ring port 2 backup function is inactive. When the ring is closed, the ring manager continues
to send data on the secondary ring port.
Configuration
Ring manager
Enables/disables the Ring manager function.
If there is one device at each end of the line, then you activate this function.
Possible values:
 On
The Ring manager function is enabled.
The device operates as a ring manager.
 Off (default setting)
The Ring manager function is disabled.
The device operates as a ring client.
Advanced mode
Activates/deactivates the advanced mode for fast recovery times.
Possible values:
 marked (default setting)
Advanced mode active.
MRP-capable Hirschmann devices support this mode.
 unmarked
Advanced mode inactive.
Select this setting if another device in the ring does not support this mode.
Ring recovery
Specifies the maximum recovery time in milliseconds for reconfiguration of the ring. This setting is
effective if the device operates as a ring manager.
Possible values:
 500ms
 200ms (default setting)
 30ms (depends on hardware)
 10ms (depends on hardware)
Shorter switching times make greater demands on the response time of every individual device in
the ring. Use values lower than 500ms if the other devices in the ring also support this shorter
recovery time.
Note: The switching times 30ms and 10ms are available for devices with an FPGA (hardware for
extended functions). The product code indicates whether your device supports Fast MRP. In order
to use the functions, load the device software supporting Fast MRP.
Set the switching time to 10ms only if you use up to 20 devices in the ring that support this switching
time. If you use more than 20 of these devices, then set the switching time to at least 30ms.
When you are working with oversized Ethernet packets, the number of devices in the ring is limited.
Note that the switching time depends on several parameters. See the description above.
VLAN ID
Specifies the ID of the VLAN which you assign to the ring ports.
Possible values:
 0 (default setting)
No VLAN assigned.
In the Switching > VLAN > Configuration dialog, assign the value U to the ring ports for VLAN 1.
 1..4042
VLAN assigned.
If you assign to the ring ports a non-existing VLAN, then the device creates this VLAN. In the
Switching > VLAN > Configuration dialog, the device creates an entry in the table for the VLAN and
assigns the value T to the ring ports.
Information
Information
Displays messages for the redundancy configuration and the possible causes of errors.
When the device operates as a ring client or a ring manager, the following messages are possible:
 Redundancy available
The redundancy is set up. When a component of the ring is down, the redundant line takes over
its function.
 Configuration error: Error on ringport link.
Error in the cabling of the ring ports.
When the device operates as a ring manager, the following messages are possible:
 Configuration error: Packets from another ring manager received.
Another device exists in the ring that operates as the ring manager.
Enable the Ring manager function only on one device in the ring.
 Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device only
receives test data packets on 1 ring port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Delete ring configuration
Disables the redundancy function and resets the settings in the dialog to the default setting.
5.9.2 HIPER Ring
[ Switching > L2-Redundancy > HIPER Ring ]
The concept of HIPER ring redundancy enables the construction of high-availability, ring-shaped
networks. This device provides a HIPER ring client. This function lets you extend an existing HIPER
ring or replace a device already participating as a client in a HIPER ring.
A HIPER ring contains a Ring Manager (RM) which controls the ring. The RM sends watchdog
packets into the ring on both the primary and secondary ports. When the RM receives the watchdog
packets on both ports, the primary port remains in the forwarding state and the secondary port
remains in the discarding state.
The device operates only in the ring client mode. This means that the device is able to recognize
and forward the watchdog packets on the ring ports and can also forward the change in link status
to the RM, for example, LinkDown and LinkUp packets.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, the
device only supports HIPER ring in VLAN 1.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the HIPER ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
Note: Configure the devices of the HIPER ring individually. Before you connect the redundant link,
complete the configuration of every device of the HIPER ring. You thus help avoid loops during the
configuration phase.
Operation
Operation
Enables/disables the HIPER Ring client.
Possible values:
 On
The HIPER Ring client is enabled.
 Off (default setting)
The HIPER Ring client is disabled.
Ring port 1/Ring port 2
Port
Specifies the port number of the primary/secondary ring port.
Possible values:
 - (default setting)
No primary/secondary ring port selected.
 <Port number>
Number of the ring port
State
Displays the state of the primary/secondary ring port.
Possible values:
 not-available
The HIPER Ring client is disabled.
or
No primary or secondary ring port selected.
 active
The ring port is enabled and logically up.
 inactive
The ring port is logically down.
As soon as the link goes down on a ring port, the device sends a LinkDown packet to the Ring
Manager on the other ring port.
Information
Mode
Displays that the device is able to operate in the ring client mode.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.3 DLR
(depends on hardware)
[ Switching > L2-Redundancy > DLR ]
The Device Level Ring (DLR) protocol provides high network availability in a ring topology. The
primary intent of the DLR protocol is implementation in EtherNet/IP end-devices that have 2
Ethernet ports and embedded Layer 2 switch technology. The DLR protocol provides network fault
detection and reconfiguration to support demanding control applications.
The DLR network uses a ring supervisor to monitor the network. The ring supervisor controls data
on the ring by sending data only on the primary ring port until a break in the ring occurs. When a
break in the ring occurs, the ring supervisor unblocks the secondary port allowing the data to reach
the ring participants located on the other side of the break.
To maintain control of the network, the active ring supervisor sends Beacon packets through both
ports. The device lets you specify the interval between consecutive Beacon packets. The Beacon
packets help detect breaks in the ring, send Ring State messages to the participants, and also
contain the following information:
 the precedence of the active ring supervisor
 the MAC address of the active ring supervisor
 the Beacon timeout
 the DLR VLAN ID
In the supervisor mode, the device also sends Announce packets, once every second, through the
unblocked port only. The Announce packets also contain Ring State messages.
In the non-supervisor mode, the device functions as a Beacon-based participant. Upon receiving a
Ring Fault State message from the active ring supervisor, the Beacon-based participant flushes its
unicast MAC address table, and conducts a Neighbor Check. The Neighbor Check helps isolate a
break between adjacent participants.
DLR uses a VLAN to distribute the information contained in the Beacon packets to the other ring
participants as priority-tagged packets. The default setting for the DLR VLAN ID is 0. VLAN ID 0 is only
set in this dialog. You use VLAN ID 0 in conjunction with the VLAN unaware mode.
Verify that the functions which directly affect the DLR function have the following settings:
EtherNet/IP
Advanced > Industrial Protocols > EtherNet/IP dialog
• Operation = On
• Write access = marked

Spanning Tree
Switching > L2-Redundancy > Spanning Tree > Global dialog
• Operation = Off

VLAN
Switching > Global dialog
• VLAN unaware mode = marked

IGMP Snooping
Switching > IGMP Snooping > Global dialog
• Operation = On
Switching > IGMP Snooping > Configuration dialog, Port tab
• Active = marked
Switching > IGMP Snooping > Snooping Enhancements dialog
• DLR ring ports = SF (Static and Forward all)
Switching > IGMP Snooping > Querier dialog
• Operation = On
Note: DLR is available for devices with an FPGA (hardware for extended functions). The product
code indicates whether your device supports DLR. In order to use the functions, load the device
software supporting DLR.
The menu contains the following dialogs:
 DLR Configuration (depends on hardware)
 DLR Statistics (depends on hardware)
5.9.3.1 DLR Configuration
(depends on hardware)
[ Switching > L2-Redundancy > DLR > Configuration ]
In this dialog, you specify the role of the device in the ring. When you specify the device as a ring
supervisor, the device sends Beacon packets containing its precedence for active ring supervisor
candidacy. As active ring supervisor, the device monitors the ring for breaks, and sends
configuration information to the ring participants.
Operation
Operation
Enables/disables the DLR function globally.
Possible values:
 On (default setting)
The DLR function is enabled.
 Off
The DLR function is disabled.
Table
Ring index
Displays the index number to which the table entry relates.
Name
Specifies the name of the DLR ring.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Ring port 1
Specifies the first of 2 ring ports used to connect the device to the DLR ring.
Possible values:
 <Port number> (default setting: 1/1)
Select the port from the drop-down list.
Ring port 1 status
Displays the status of ring port 1.
Possible values:
 disabled
The port is disabled.
To enable the port, open the Basic Settings > Port dialog, Configuration tab. In the Port on column,
mark the appropriate checkbox.
 blocked
The port is the secondary port, sending and receiving only Beacon packets.
 forwarding
The port is the primary port, sending and receiving data, Beacon packets, and Announce
packets.
 notConnected
The port is physically unconnected.
Ring port 2
Specifies the second of 2 ring ports used to connect the device to the DLR ring.
Possible values:
 <Port number> (default setting: 1/2)
Select the port from the drop-down list.
Ring port 2 status
Displays the status of ring port 2.
Possible values:
 disabled
The port is disabled.
To enable the port, open the Basic Settings > Port dialog, Configuration tab. In the Port on column,
mark the appropriate checkbox.
 blocked
The port is the secondary port, sending and receiving only Beacon packets.
 forwarding
The port is the primary port, sending and receiving data, Beacon packets, and Announce
packets.
 notConnected
The port is physically unconnected.
Supervisor active
Activates/deactivates the supervisor function.
Possible values:
 marked (default setting)
The device is configured as a ring supervisor. The device monitors the ring for breaks. If a break
in the ring occurs, then the device unblocks and forwards data on the secondary port.
 unmarked
The device is a Beacon-based ring participant.
Status
Displays the status of the device in the DLR ring.
Possible values:
 backup
Another device in the same ring is the active supervisor.
 supervisor
This device is the active supervisor.
 node
The device functions as a Beacon-based ring participant.
 nonDlr
The device has detected that the network topology is something other than a ring using the DLR
protocol.
 unsupported
The configuration in the row is invalid.
Supervisor precedence
Specifies the precedence value of the device for the ring supervisor selection. The device sends
the value to other ring devices in the Beacon packets. When another ring supervisor is present on
the same ring, the device with the higher value is selected as the active ring supervisor. When both values
are the same, the device with the higher MAC address becomes the active supervisor.
Possible values:
 0..255 (default setting: 0)
A numerically higher value indicates a higher precedence.
Beacon interval [µs]
Specifies the interval, in microseconds, at which the supervisor sends Beacon packets. The ring
supervisor transmits a Beacon packet through both of its Ethernet ports once per Beacon interval.
When the ring is intact, the device receives the Beacon packet on the opposite ports, and leaves
the blocked port in the blocking mode.
Possible values:
 400..100000 (default setting: 400)
Lower interval times increase the recovery time. When the ring contains only DLR participants,
use the following formula to calculate:
Minimum value = 13 * Number of ring participants
Beacon timeout [µs]
Specifies the amount of time, in microseconds, the device listens for Beacon packets. After the
device times out the reception of a Beacon packet, it takes the appropriate action depending on its
role as an active supervisor or ring participant.
Possible values:
 1600..500000 (default setting: 1960)
Set this value to at least 4 times the value specified in the Beacon interval [µs] column.
When the ring contains only DLR participants, use the following formula to calculate:
Maximum value = (Number of ring participants * (1 - 0.1) * 25) + (Number of ring participants * 0.1 * 137)
VLAN ID
Specifies the VLAN ID used to send the DLR protocol messages to the other devices on the ring.
The active supervisor informs the ring participants which VLAN ID to use in the Beacon packets.
Create and configure the VLAN in the Switching > VLAN > Configuration dialog.
The prerequisite for setting the VLAN ID to 0 is that you activate the VLAN unaware mode. In the
Switching > Global dialog, mark the VLAN unaware mode checkbox.
Possible values:
 0..4042 (default setting: 0)
Active
Activates/deactivates the DLR configuration.
Possible values:
 marked
The DLR configuration is active.
 unmarked (default setting)
The DLR configuration is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Service action
Opens the Service action dialog to specify the DLR services that the device uses to help locate and
clear detected faults.
Possible values:
 verifyFaultLocation (default setting)
The supervisor verifies the fault location by retransmitting the Locate_Fault packet to ring
participants.
 clearRapidFaults
Clears the Rapid Fault condition where the ring supervisor detected a cycle of rapid ring faults.
 restartSignOn
Restarts the Sign On process and refreshes the participants list.
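The supervisor selection rule and the Beacon interval/timeout rules from this dialog, applied to a planned ring so that a device which would unintentionally become active supervisor shows up before deployment. This is an added example, not Hirschmann code; the device names, MAC addresses and participant count are constructed, and the "Maximum value" figure is only reported because the text gives no comparison rule for it.

```python
from dataclasses import dataclass

# Value ranges quoted from the DLR Configuration dialog.
INTERVAL_RANGE_US = (400, 100_000)
TIMEOUT_RANGE_US = (1_600, 500_000)


@dataclass(frozen=True)
class DlrDevice:
    name: str                        # hypothetical inventory label
    mac: str                         # constructed sample address
    supervisor_active: bool = True   # dialog default: marked
    precedence: int = 0              # dialog default: 0
    beacon_interval_us: int = 400    # dialog default
    beacon_timeout_us: int = 1960    # dialog default


def mac_to_int(mac):
    """Turn aa:bb:cc:dd:ee:ff (or aa-bb-...) into an integer for comparison."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int.from_bytes(raw, "big")


def elect_supervisor(devices):
    """Higher precedence wins; on equal precedence the higher MAC address wins."""
    candidates = [d for d in devices if d.supervisor_active]
    if not candidates:
        return None
    return max(candidates, key=lambda d: (d.precedence, mac_to_int(d.mac)))


def manual_max_value_us(participants):
    """'Maximum value' figure from the Beacon timeout text (reported, not enforced)."""
    return participants * (1 - 0.1) * 25 + participants * 0.1 * 137


def timing_findings(dev, participants):
    """Check one supervisor candidate's Beacon settings against the dialog's rules."""
    out = []
    if not 0 <= dev.precedence <= 255:
        out.append("precedence outside 0..255")
    lo, hi = INTERVAL_RANGE_US
    if not lo <= dev.beacon_interval_us <= hi:
        out.append(f"interval outside {lo}..{hi} us")
    lo, hi = TIMEOUT_RANGE_US
    if not lo <= dev.beacon_timeout_us <= hi:
        out.append(f"timeout outside {lo}..{hi} us")
    if dev.beacon_timeout_us < 4 * dev.beacon_interval_us:
        out.append("timeout below 4 x interval")
    if dev.beacon_interval_us < 13 * participants:
        out.append(f"interval below 13 x {participants} participants")
    return out


def audit_ring(devices, expected_supervisor, participants):
    """Return (device name, finding) pairs for a planned ring."""
    findings = []
    winner = elect_supervisor(devices)
    if winner is None:
        findings.append(("ring", "no device has Supervisor active marked"))
    elif winner.name != expected_supervisor:
        findings.append((winner.name,
                         f"wins supervisor selection instead of {expected_supervisor}"))
    for dev in devices:
        if dev.supervisor_active:   # Beacon interval is a supervisor setting
            findings += [(dev.name, f) for f in timing_findings(dev, participants)]
    return findings


# Constructed sample: io-sw-3 was cloned from the plc-sw-1 template, so it
# carries the same precedence and, with the higher MAC address, wins.
SAMPLE_RING = [
    DlrDevice("plc-sw-1", "02:00:00:00:00:10", True, 200, 600, 2400),
    DlrDevice("plc-sw-2", "02:00:00:00:00:20", True, 100),
    DlrDevice("io-sw-3", "02:00:00:00:00:30", True, 200, 600, 1960),
    DlrDevice("io-sw-4", "02:00:00:00:00:40", supervisor_active=False),
]

if __name__ == "__main__":
    for name, finding in audit_ring(SAMPLE_RING, "plc-sw-1", participants=40):
        print(f"{name}: {finding}")
    print("manual 'Maximum value' for 40 participants:", manual_max_value_us(40), "us")
```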
5.9.3.2 DLR Statistics
(depends on hardware)
[ Switching > L2-Redundancy > DLR > Statistics ]
This dialog displays the status of the ring, the type of topology, number of participants, and other
information to help you to analyze the network.
This dialog also displays a list of ring participants. The active ring supervisor gathers
the information contained in the participants list using the Sign_On packet. If the participants list is
too large, then the DLR Object returns Reply Data Too Large (code 0x11).
The dialog contains the following tabs:
 [Status]
 [Participants]
[Status]
Table
Ring index
Displays the index number to which the table entry relates.
Capability
Displays the capabilities of the device.
Possible values:
 announce
The device is an announce-based ring participant.
 beacon
The device is capable of sending Beacon packets.
 supervisor
The device is capable of being a supervisor.
 gateway
The device is capable of being a gateway.
 flushTable
The device is capable of flushing the unicast MAC address table.
Status
Displays the status of the device in the DLR ring.
Possible values:
 backup
Another device in the same ring is the active supervisor.
 supervisor
This device is the active supervisor.
 node
The device functions as a Beacon-based ring participant.
 nonDlr
The device has detected that the network topology is something other than a ring using the DLR
protocol.
 unsupported
The row parameters are invalid.
Network topology
Displays the current network topology mode.
Possible values:
 linear
The network is linear.
 ring
The network is a DLR ring.
Network status
Displays the current network status.
Possible values:
 normal
After the device receives Beacon packets on both ports, the supervisor transitions to the
NORMAL_STATE, flushes the unicast MAC address table, and reconfigures a port to blocking.
The device sends Beacon packets with the Ring State set to RING_NORMAL_STATE. The ring
supervisor also sends an Announce packet out of the forwarding port, with the Ring State set to
RING_NORMAL_STATE.
 ringFault
The reasons for which the device displays the value are as follows:
– Upon boot up, an enabled ring supervisor starts in the FAULT_STATE with both ports
forwarding packets.
– The device received a Beacon packet from another supervisor with a higher precedence.
– Upon receipt of a Beacon packet with the Ring State set to RING_FAULT_STATE.
When the device is in the FAULT_STATE, the ring supervisor continues to send Beacon
packets, in order to detect ring restoration.
 loop
The device has detected a loop in the network.
 partial
The device detected a partial network fault where the Beacon packets are lost only in 1 direction.
If the active ring supervisor detects a partial fault, then it blocks traffic on 1 port and sets a status
value in the DLR Object. The condition requires user intervention.
 rapidFault
The device detected a rapid fault, 5 faults in a 30 second period. Rapid faults can lead to an
unstable network. If the active ring supervisor detects a rapid fault, then it blocks traffic on 1 port
and sets a status value in the DLR Object. The condition requires user intervention. To reset the
device, open the Switching > L2-Redundancy > DLR > Configuration dialog and set the value
clearRapidFaults in the Service column.
Last status change
Displays the time, in seconds, since the network status last changed.
Participants
Displays the number of devices in the ring protocol participants list.
Supervisor IP address
Displays the IPv4 address assigned to the active supervisor.
Supervisor MAC address
Displays the MAC address of the active ring supervisor.
Supervisor precedence
Displays the precedence value of the active ring supervisor.
Faults
Displays the number of times that the device has detected a ring fault, since starting as either the
active or the backup supervisor.
Port 1 IP address
Displays the IPv4 address assigned to port 1.
Port 1 MAC address
Displays the MAC address of the last active ring participant on port 1.
Port 2 IP address
Displays the IPv4 address assigned to port 2.
Port 2 MAC address
Displays the MAC address of the last active ring participant on port 2.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Participants]
Only the active ring supervisor displays the ring participants.
Table
Index
Displays the index number to which the table entry relates.
Address
Displays the IP address of the ring participant.
MAC address
Displays the MAC address of the ring participant.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.4 PRP
(depends on hardware)
[ Switching > L2-Redundancy > PRP ]
The Parallel Redundancy Protocol (PRP) is defined in the international standard IEC 62439-3. PRP
uses 2 independent LANs with any ring, star, bus and mesh topologies, providing a high availability
of network connections.
To connect the device to the PRP network, use either 100 Mbit/s FDX or 1000 Mbit/s FDX on
both of the specially marked ports, Port A and Port B.
The maximum allowed size of Ethernet packets on these ports is restricted to 1534 bytes. See the
MTU column in the Basic Settings > Port dialog.
The main advantage of PRP is that the destination node receives packets from the source as long
as 1 LAN is available. The absence of the second LAN due to repairs or maintenance has no impact
on the packet transmission.
The network device which connects the end devices to the network implements the PRP protocol.
The Ethernet switches in both LANs are standard switches that are oblivious to PRP. A Double
Attached Node implementing PRP (DANP) is a network device with PRP functionality and has 1
connection into each independent LAN. A Single Attached Node (SAN) is a standard Ethernet
device with a single LAN interface directly connected to one of the redundant LANs. For this reason,
a SAN is unable to use the redundant LAN.
A Redundancy Box (RedBox) is a network device which implements the PRP functionality for
standard Ethernet devices. A standard Ethernet device connected to a PRP network via a
RedBox is a virtual DANP (VDAN).
Note: PRP is available for devices with an FPGA (hardware for extended functions). The product
code indicates whether your device supports PRP. In order to use the functions, load the device
software supporting PRP.
Note: If the inter-frame gap is shorter than the latency between the 2 LANs, then a frame-ordering
mismatch can occur. Frame-ordering mismatch is a phenomenon of the PRP protocol. The only
solution to help avoid a frame-ordering mismatch is to verify that the inter-frame gap is greater than
the latency between the LANs.
The menu contains the following dialogs:
 PRP Configuration (depends on hardware)
 PRP DAN/VDAN Table (depends on hardware)
 PRP Proxy Node Table (depends on hardware)
 PRP Statistics (depends on hardware)
5.9.4.1 PRP Configuration
(depends on hardware)
[ Switching > L2-Redundancy > PRP > Configuration ]
In this dialog, you enable/disable the PRP function, and configure PRP supervision packet reception
and transmission.
The MRP and Spanning Tree functions cannot operate on the same ports as the PRP function.
Disable the MRP function or choose different ports. Deactivate the Spanning Tree function on the
PRP ports.
Note: When PRP is active, it uses the interfaces 1/1 and 1/2. As seen in the Switching > VLAN,
Switching > Rate Limiter and Switching > Filter for MAC Addresses dialogs, the PRP function replaces the
interfaces 1/1 and 1/2 with the interface prp/1. Configure the VLAN membership, the rate limiting,
and the MAC filtering for the interface prp/1.
Operation
Operation
Enables/disables the PRP function.
Possible values:
 On
The PRP function is enabled globally.
When this function is active, the device processes the data stream according to the setup.
 Off (default setting)
The PRP function is disabled globally.
To help avoid network loops, disable the PRP function on Port A or Port B before disabling the
PRP function globally.
Note: When you use SFPs for PRP ports and the device only supports 100 Mbit/s, verify that the
SFPs support 100 Mbit/s.
Port A / Port B
Physical port
Displays the number of the physical port which the device uses as the PRP Port A or Port B.
Port A admin state
Enables/disables the PRP function on the port.
Possible values:
 On (default setting)
The PRP function on the port is enabled.
 Off
The PRP function on the port is disabled.
Supervision packet receiver
Evaluate supervision packets
Activates/deactivates the analysis of the supervision packets.
Possible values:
 marked (default setting)
The analysis of the supervision packets is activated.
The device receives supervision packets and analyzes them.
 unmarked
The analysis of the supervision packets is deactivated.
The device receives supervision packets without analyzing them.
Supervision packet sender
Active
Enables/disables the transmission of supervision packets.
Possible values:
 On (default setting)
The transmission of supervision packets is enabled. The RedBox transmits its own supervision
packets.
 Off
The transmission of supervision packets is disabled.
Send VDAN packets
Activates/deactivates the transmission of VDAN supervision packets.
The prerequisite is that you activate the Supervision packet sender first.
Possible values:
 marked (default setting)
The transmission of VDAN supervision packets is active.
The RedBox transmits both its own supervision packets and the supervision packets for the
VDANs listed in the PRP Proxy Node Table.
 unmarked
The transmission of VDAN supervision packets is inactive.
Configuration
MTU
Specifies the maximum allowed size of Ethernet packets on the interface in bytes.
Possible values:
 1518..1530 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting lets you increase the size of the Ethernet packets for specific applications.
Speed
Specifies the speed of the PRP interface. The prerequisite is that both PRP member ports operate
with the specified speed.
Possible values:
 100Mbps (default setting)
 1Gbps
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.4.2 PRP DAN/VDAN Table
(depends on hardware)
[ Switching > L2-Redundancy > PRP > DAN/VDAN Table ]
This dialog lets you analyze the LANs. This is helpful, for example, when the Last seen A counter of
one port continually increases while the Last seen B counter remains the same (or the other way
round). This condition indicates an interruption of a LAN connection.
DAN/VDAN means Double Attached Node / Virtual Double Attached Node.
Table
Index
Displays the index number to which the table entry relates.
MAC address
Displays the MAC address of the node.
Last seen A
Displays the time between received first packets for this node on LAN A. When the counter
threshold reaches 497 days, it restarts from 0.
Last seen B
Displays the time between received first packets for this node on LAN B. When the counter
threshold reaches 497 days, it restarts from 0.
Remote node type
Displays the type of node.
Possible values:
 redboxp
Management
 vdanp
Client
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
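The check described at the top of this dialog (one Last seen counter keeps increasing while the other stays the same), run over periodic polls of the table. This is an added example, not part of the manual or the device software; it assumes the readings are in seconds and that polls carry a timestamp, and the MAC addresses and readings are constructed.

```python
WRAP_S = 497 * 24 * 3600   # the counter restarts from 0 at 497 days
                           # (assumption: readings are in seconds)


def _trend(prev, cur, elapsed, tol=1):
    """Classify one counter between two polls taken `elapsed` seconds apart."""
    drift = (cur - prev - elapsed) % WRAP_S
    if min(drift, WRAP_S - drift) <= tol:
        return "counting"      # kept increasing, possibly across the restart
    if abs(cur - prev) <= tol:
        return "same"
    return "other"


def interrupted_lans(snapshots, min_polls=3):
    """snapshots: list of (poll time, {mac: (last_seen_a, last_seen_b)}).

    Returns {mac: "A" or "B"} for nodes whose counter on that LAN kept
    increasing over every poll while the other LAN's counter stayed the same.
    """
    if len(snapshots) < min_polls:
        return {}
    result = {}
    common = set.intersection(*(set(rows) for _, rows in snapshots))
    for mac in sorted(common):
        trends_a, trends_b = set(), set()
        for (t0, r0), (t1, r1) in zip(snapshots, snapshots[1:]):
            trends_a.add(_trend(r0[mac][0], r1[mac][0], t1 - t0))
            trends_b.add(_trend(r0[mac][1], r1[mac][1], t1 - t0))
        if trends_a == {"counting"} and trends_b == {"same"}:
            result[mac] = "A"
        elif trends_b == {"counting"} and trends_a == {"same"}:
            result[mac] = "B"
    return result


# Constructed polls, 60 s apart. The second node's LAN B counter passes the
# 497-day restart between the first and second poll.
SAMPLE_POLLS = [
    (0,   {"02:00:00:00:00:a1": (5, 3),
           "02:00:00:00:00:a2": (2, WRAP_S - 30),
           "02:00:00:00:00:a3": (1, 2)}),
    (60,  {"02:00:00:00:00:a1": (65, 3),
           "02:00:00:00:00:a2": (2, 30),
           "02:00:00:00:00:a3": (1, 2)}),
    (120, {"02:00:00:00:00:a1": (125, 3),
           "02:00:00:00:00:a2": (2, 90),
           "02:00:00:00:00:a3": (1, 2)}),
]

if __name__ == "__main__":
    for mac, lan in interrupted_lans(SAMPLE_POLLS).items():
        print(f"{mac}: check LAN {lan}")
```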
5.9.4.3 PRP Proxy Node Table
(depends on hardware)
[ Switching > L2-Redundancy > PRP > Proxy Node Table ]
This dialog informs you of the connected devices for which this device provides PRP redundancy.
Note: The RedBox supports up to 128 hosts. If this number is exceeded, then the
device drops the packets.
Table
Index
Displays the index number to which the table entry relates.
Possible values:
 1..128
MAC address
Displays the MAC address of the connected devices for which this device implements PRP
redundancy.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
5.9.4.4 PRP Statistics
(depends on hardware)
[ Switching > L2-Redundancy > PRP > Statistics ]
This dialog lists receive events for various MIB Managed Objects. Each entry represents link
degradation for the MIB Managed Objects listed in the description column. The table lists how many
times the event occurred for each path through the device. The Port A entries, for example, specify
the path between the transceiver, through the Link Redundancy Entity (LRE) to the UDP and TCP
layers.
Table
Description
Displays the MIB Managed Objects description to which the Port A, Port B, and Interlink entries refer.
Port A
Displays the number of MIB Managed Objects events on Port A. The device examines the traffic as
it passes from receive transceiver A to the LRE.
Port B
Displays the number of MIB Managed Objects events on Port B. The device examines the traffic as
it passes from receive transceiver B to the LRE.
Interlink
Displays the number of MIB Managed Objects events on the interlink. The counters are active for
the MIB Managed Objects that pertain to the interlink. The other counters remain empty. A sample
is made of the traffic as it passes from the LRE to the switch.
CPU port
Displays the number of MIB Managed Objects events on the CPU Port. There is one MIB Managed
Object that pertains to the CPU Port. The other counters remain empty. A sample is made of the
traffic as it passes from receive transceiver to the CPU.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
5.9.5 HSR
(depends on hardware)
[ Switching > L2-Redundancy > HSR ]
An HSR-based ring offers zero recovery time (HSR = High-availability Seamless Redundancy).
HSR is suited for applications that demand high availability and short reaction times, for example
protection applications for electrical station automation and controllers for synchronized drives
which require constant connection.
HSR Redundancy Boxes (RedBox) use 2 Ethernet ports operating in parallel to connect to a ring.
An HSR RedBox operating in this configuration is a Doubly Attached Node implementing the HSR
protocol (DANH). A standard Ethernet device connected to the HSR ring through an HSR RedBox
is a Virtual DANH (VDANH).
The transmitting HSR node or HSR RedBox sends twin packets, 1 in each direction, on the ring.
For identification, the HSR node injects the twin packets with an HSR tag. The HSR tag consists of
a port identifier, the length of the payload and a sequence number. In a normal operating ring, the
destination HSR node or RedBox receives both packets within a certain time skew. An HSR node
forwards the first packet to arrive to the upper layers and discards the second packet when it
arrives. A RedBox on the other hand forwards the first packet to the VDANHs and discards the
second packet when it arrives.
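The tag handling and first-arrival rule described above, as an added Python example that is not part of the Hirschmann manual or the device software. The EtherType 0x892F and the 4/12/16-bit field split come from IEC 62439-3; the frames, addresses, class and function names and the 0.4 s discard window are assumptions constructed for this illustration.

```python
"""HSR tag parsing and duplicate discard (added example, constructed frames)."""
import struct
from collections import OrderedDict

HSR_ETHERTYPE = 0x892F  # EtherType that introduces the HSR tag (IEC 62439-3)


def build_hsr_frame(dst, src, path_id, seq, inner_type, payload):
    """Build a constructed HSR-tagged frame (no VLAN tag, no FCS)."""
    size = len(payload) + 6  # sample length value; this example does not validate it
    tag = struct.pack("!HHH", HSR_ETHERTYPE, (path_id << 12) | size, seq & 0xFFFF)
    return dst + src + tag + struct.pack("!H", inner_type) + payload


def parse_hsr_frame(frame):
    """Return the HSR tag fields: 4-bit path id, 12-bit size, 16-bit sequence number."""
    if len(frame) < 20:
        raise ValueError("frame too short for an Ethernet header plus HSR tag")
    ethertype, path_size, seq, inner_type = struct.unpack("!HHHH", frame[12:20])
    if ethertype != HSR_ETHERTYPE:
        raise ValueError("not an HSR-tagged frame")
    return {
        "dst": frame[0:6],
        "src": frame[6:12],
        "path_id": path_size >> 12,
        "size": path_size & 0x0FFF,
        "seq": seq,
        "inner_type": inner_type,
        "payload": frame[20:],
    }


class DuplicateDiscard:
    """Forward the first copy of a frame, discard its twin (hypothetical model)."""

    def __init__(self, max_skew=0.4):
        self.max_skew = max_skew      # assumed window in seconds, not a device value
        self._seen = OrderedDict()    # (source MAC, sequence number) -> arrival time

    def accept(self, frame, now):
        """Return True if the frame goes to the upper layers, False if discarded."""
        fields = parse_hsr_frame(frame)
        # Age out old entries so a reused sequence number is not discarded forever.
        while self._seen:
            key, seen_at = next(iter(self._seen.items()))
            if now - seen_at <= self.max_skew:
                break
            del self._seen[key]
        key = (fields["src"], fields["seq"])
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def demo():
    """Replay constructed arrivals on both ring directions and list the decisions."""
    src = bytes.fromhex("020000000001")
    dst = bytes.fromhex("020000000002")
    lre = DuplicateDiscard(max_skew=0.4)
    arrivals = [  # (arrival time in s, path id, sequence number)
        (0.000, 0, 100), (0.002, 1, 100),  # both directions intact: twin discarded
        (0.010, 1, 101), (0.011, 0, 101),
        (0.020, 0, 102),                   # ring interrupted: only one copy arrives
        (1.000, 1, 100),                   # number seen again after its entry aged out
    ]
    decisions = []
    for now, path_id, seq in arrivals:
        frame = build_hsr_frame(dst, src, path_id, seq, 0x0800, b"constructed payload")
        decisions.append("forward" if lre.accept(frame, now) else "discard")
    return decisions


if __name__ == "__main__":
    print(demo())
```

With the ring interrupted, the single surviving copy is still forwarded, which is why a link break causes no recovery delay for the receiver.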
The device performs a specific role in the network. Configure a device as an HSR RedBox
connecting standard Ethernet devices to an HSR ring. Configure a device as an HSR node
connecting a PRP LAN to an HSR ring.
A single HSR ring accommodates up to 7 PRP LANs. Configure the device to identify and tag the
traffic addressed for the connected PRP LAN.
The number of HSR nodes in the ring should not exceed 50. If the HSR interface speed is 1Gbps,
then the number should not exceed 300.
It is useful to limit the traffic injected into the HSR ring. If there are any third-party devices with a
higher latency in the ring, then reduce the number of ring participants. Verify that the sum of
bandwidths applied to the HSR nodes is less than 84 %.
Note: HSR is available for devices with an FPGA (hardware for extended functions). The product
code indicates whether your device supports HSR. In order to use the functions, load the device
software supporting HSR.
The menu contains the following dialogs:
 HSR Configuration (depends on hardware)
 HSR DAN/VDAN Table (depends on hardware)
 HSR Proxy Node Table (depends on hardware)
 HSR Statistics (depends on hardware)
5.9.5.1 HSR Configuration
(depends on hardware)
[ Switching > L2-Redundancy > HSR > Configuration ]
In this dialog, you enable the HSR function, configure HSR supervision packets, and specify the
function that the device executes in the HSR ring.
The MRP and Spanning Tree functions cannot operate on the same ports as the HSR function.
Disable the MRP function or choose different ports. Deactivate the Spanning Tree function on the
HSR ports.
Note: When HSR is active, it uses the interfaces 1/1 and 1/2. As seen in the Switching > Rate Limiter
and Switching > Filter for MAC Addresses dialogs, the HSR function replaces the interfaces 1/1 and 1/2
with the interface hsr/1. Set up the VLAN membership and the rate limiting for the interface hsr/1.
Operation
Operation
Enables/disables the HSR function globally.
Possible values:
 On
When this function is active, the device processes the data stream according to the set up.
 Off (default setting)
Note: When you use SFPs for HSR ports and the device only supports 100 Mbit/s, verify that the
SFPs support 100 Mbit/s.
Port A / Port B
Physical port
Displays the number of the physical port which the device uses as the HSR Port A or Port B.
Port A admin state
Enables/disables the HSR function on the port.
Possible values:
 On (default setting)
The HSR function on the port is enabled.
 Off
The HSR function on the port is disabled.
Supervision packet receiver
Evaluate supervision packets
Activates/deactivates the supervision packet analysis.
Possible values:
 marked (default setting)
Supervision packet analysis is active.
The device receives supervision data packets and analyzes them.
 unmarked
Supervision packet analysis is inactive.
The device receives supervision data packets without analyzing them.
Supervision packet sender
Active
Enables/disables the transmission of supervision packets.
Possible values:
 On (default setting)
The transmission of supervision packets is enabled. The RedBox transmits its own supervision
packets.
 Off
The transmission of supervision packets is disabled.
Send VDAN packets
Activates/deactivates the transmission of VDAN supervision packets.
The prerequisite is that you enable the transmission of supervision packets. See the Active field.
Possible values:
 marked
The transmission of VDAN supervision packets is active.
The RedBox transmits both its own supervision packets and the supervision packets for the
VDANs listed in the HSR Proxy Node Table.
 unmarked (default setting)
The transmission of VDAN supervision packets is inactive.
Configuration
(depends on hardware)
MTU
Specifies the maximum allowed size of Ethernet packets on the interface in bytes.
Possible values:
 1518..1530 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting lets you increase the size of the Ethernet packets for specific applications.
Note: If you increase the value, then it can be necessary to increase the MTU size of other ports
by the same amount. See the MTU column in the Basic Settings > Port dialog, Configuration tab.
Speed
Specifies the speed of the HSR interface. The prerequisite is that both HSR member ports operate
with the specified speed.
Possible values:
 100Mbps (default setting)
 1Gbps
HSR parameter
HSR mode
Specifies the forwarding capacity of the device for unicast traffic.
Possible values:
 modeh (default setting)
If the host functions as a proxy for a destination device, then it removes unicast traffic from the
ring and forwards it to the destination address.
 modeu
If the host operates as a proxy for a destination device, then it forwards unicast traffic around
the ring and forwards it to the destination address. If the packets return to the source node, then
it discards the unicast traffic.
Switching node type
Specifies the function that the device executes in the HSR ring.
Possible values:
 hsrredboxsan (default setting)
You use this setting if you connect SANs to the device within a HSR ring.
 hsrredboxprpa
You use this setting to connect the corresponding device with PRP LAN A. Furthermore, set the
Redbox identity parameter for the corresponding network connection.
 hsrredboxprpb
You use this setting to connect the corresponding device with PRP LAN B. Furthermore, set the
Redbox identity parameter for the corresponding network connection.
Note: If you specify the value hsrredboxprpa or hsrredboxprpb, then increase the MTU size on
the interface. See the Configuration frame, MTU field.
Also increase the MTU size of the ports connected with LAN A and B in the PRP networks by the
same amount. See the MTU column in the Basic Settings > Port dialog, Configuration tab.
Redbox identity
Specifies the tags for the PRP LAN traffic.
The parameter identifies and tags the data traffic for the PRP LAN that you connect to this device.
The device identifies the traffic for up to 7 PRP LANs that you connect to the HSR ring.
The prerequisite is that you set the Switching node type parameter to hsrredboxprpa or to
hsrredboxprpb.
Possible values:
 id1a (default setting)
Use this value to handle the HSR data traffic for LAN A in PRP network 1.
 id1b
Use this value to handle the HSR data traffic for LAN B in PRP network 1.
 id2a
Use this value to handle the HSR data traffic for LAN A in PRP network 2.
 id2b
Use this value to handle the HSR data traffic for LAN B in PRP network 2.
 id7a
Use this value to handle the HSR data traffic for LAN A in PRP network 7.
 id7b
Use this value to handle the HSR data traffic for LAN B in PRP network 7.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.5.2 HSR DAN/VDAN Table
(depends on hardware)
[ Switching > L2-Redundancy > HSR > DAN/VDAN Table ]
This dialog lets you analyze the LANs. This is helpful, for example, when the Last seen A counter of
one port continually increases while the Last seen B counter remains the same (and the other way
round). This condition indicates an interruption of the LAN connection.
DAN/VDAN means Double Attached Node / Virtual Double Attached Node.
Table
Index
Displays the index number to which the table entry relates.
MAC address
Displays the MAC address of the node.
Last seen A
Displays the time between received first packets for this node on LAN A. When the counter
threshold reaches 497 days, it restarts from 0.
Last seen B
Displays the time between received first packets for this node on LAN B. When the counter
threshold reaches 497 days, it restarts from 0.
Remote node type
Displays the type of node.
Possible values:
 redboxh
Management
 vdanh
Client
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
5.9.5.3 HSR Proxy Node Table
(depends on hardware)
[ Switching > L2-Redundancy > HSR > Proxy Node Table ]
This dialog informs you of the connected devices for which this device provides HSR redundancy.
Table
Index
Displays the index number to which the table entry relates.
Possible values:
 1..128
MAC address
Displays the MAC addresses of the connected devices for which this device implements HSR
redundancy.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
5.9.5.4 HSR Statistics
(depends on hardware)
[ Switching > L2-Redundancy > HSR > Statistics ]
This dialog lists receive events for various MIB Managed Objects. Each entry represents link
degradation for the MIB Managed Objects listed in the description column. The table lists how many
times the event occurred for each path through the device. The Port A entries, for example, specify
the path between the transceiver, through the Link Redundancy Entity (LRE) to the UDP and TCP
layers.
Table
Description
Displays the MIB Managed Objects description to which the Port A, Port B, and Interlink entries refer.
Port A
Displays the number of MIB Managed Objects events on Port A. The device examines the traffic as
it passes from receive transceiver A to the LRE.
Port B
Displays the number of MIB Managed Objects events on Port B. The device examines the traffic as
it passes from receive transceiver B to the LRE.
Interlink
Displays the number of MIB Managed Objects events on the interlink. The counters are active for
the MIB Managed Objects that pertain to the interlink. The other counters remain empty. A sample
is made of the traffic as it passes from the LRE to the switch.
CPU port
Displays the number of MIB Managed Objects events on the CPU Port. There is one MIB Managed
Object that pertains to the CPU Port. The other counters remain empty. A sample is made of the
traffic as it passes from receive transceiver to the CPU.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
5.9.6 Spanning Tree
[ Switching > L2-Redundancy > Spanning Tree ]
The Spanning Tree Protocol (STP) is a protocol that deactivates redundant paths of a network in
order to help avoid loops. If a network component becomes inoperable on the path, then the device
calculates the new topology and reactivates these paths.
The Rapid Spanning Tree Protocol (RSTP) enables fast switching to a newly calculated topology
without interrupting existing connections. RSTP gets average reconfiguration times of less than a
second. When you use RSTP in a ring with 10 to 20 devices, you can get reconfiguration times in
the order of milliseconds.
The device supports the Multiple Spanning Tree Protocol (MSTP) standardized in IEEE 802.1,
which is a further development of the Spanning Tree Protocol (STP).
Note: When you connect the device to the network through twisted pair SFPs instead of through
usual twisted pair ports, the reconfiguration of the network takes slightly longer.
The menu contains the following dialogs:
 Spanning Tree Global
 Spanning Tree MSTP
 Spanning Tree Port
5.9.6.1 Spanning Tree Global
[ Switching > L2-Redundancy > Spanning Tree > Global ]
In this dialog, you enable/disable the Spanning Tree function and specify the bridge settings.
Operation
Operation
Enables/disables the Spanning Tree function in the device.
Possible values:
 On (default setting)
 Off
The device behaves transparently. The device floods received Spanning Tree data packets like
multicast data packets to the ports.
Variant
Variant
Specifies the protocol used for the Spanning Tree function:
Possible values:
 rstp (default setting)
The protocol RSTP is active.
With RSTP (IEEE 802.1Q-2005), the Spanning Tree function operates for the underlying physical
layer.
 mstp
The protocol MSTP is active.
To help avoid longer recovery times, specify the maximum value 40 in the Tx holds field.
Traps
Send trap
Activates/deactivates the sending of SNMP traps for the following events:
• Another bridge takes over the root bridge role.
• The topology changes. A port changes its Port state from forwarding into discarding or from
discarding into forwarding.
Possible values:
 marked
The sending of SNMP traps is active.
 unmarked (default setting)
The sending of SNMP traps is inactive.
Ring only mode
Active
Activates/deactivates the Ring only mode function, in which the device does not verify the age of the
BPDUs.
Possible values:
 marked
The Ring only mode function is active. Use this setting for applications for RSTP rings with
diameters greater than 40.
 unmarked (default setting)
The Ring only mode function is inactive.
First port
Specifies the port number of the first interface.
Possible values:
 <Port number> (default setting: -)
Second port
Specifies the port number of the second interface.
Possible values:
 <Port number> (default setting: -)
Bridge configuration
Bridge ID
Displays the bridge ID of the device.
The device with the lowest bridge ID numerical value takes over the role of the root bridge in the
network.
Possible values:
 <Bridge priority> / <MAC address>
Value in the Priority field / MAC address of the device
Priority
Specifies the bridge priority of the device.
Possible values:
 0..61440 in steps of 4096 (default setting: 32768)
To make this device the root bridge, assign the lowest numeric priority value in the network to the
device.
Hello time [s]
Specifies the time in seconds between the sending of two configuration messages (Hello data
packets).
Possible values:
 1..2 (default setting: 2)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
Due to the interaction with the Tx holds parameter, we recommend that you do not change the
default setting.
Forward delay [s]
Specifies the delay time for the status change in seconds.
Possible values:
 4..30 (default setting: 15)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled, discarding, learning, forwarding.
The parameters Forward delay [s] and Max age have the following relationship:
Forward delay [s] ≥ (Max age/2) + 1
If you enter values in the fields that contradict this relationship, then the device replaces these
values with the last valid values or with the default value.
Max age
Specifies the maximum permitted branch length, for example the number of devices to the root
bridge.
Possible values:
 6..40 (default setting: 20)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in seconds.
Tx holds
Limits the maximum transmission rate for sending BPDUs.
Possible values:
 1..40 (default setting: 10)
To help avoid longer recovery times when using the MSTP protocol, set the maximum value to 40.
When the device sends a BPDU, the device increments a counter on this port.
If the counter reaches the value specified here, then the port stops sending BPDUs. On the one
hand, this reduces the load generated by RSTP. On the other hand, a communication interruption
can result when the device does not receive BPDUs.
The device decrements the counter by 1 every second. In the following second, the device sends
a maximum of 1 new BPDU.
BPDU guard
Activates/deactivates the BPDU Guard function in the device.
With this function, the device helps protect your network from incorrect configurations, attacks with
STP-BPDUs, and unwanted topology changes.
Possible values:
 marked
The BPDU guard is active.
– The device applies the function to manually specified edge ports. For these ports, in the
Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox in the Admin
edge port column is marked.
– If an edge port receives an STP-BPDU, then the device disables the port. For this port, in the
Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column is unmarked.
 unmarked (default setting)
The BPDU guard is inactive.
To reset the status of the port to the value forwarding, you proceed as follows:
 If the port is still receiving BPDUs, then:
– In the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab unmark the checkbox
in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard
checkbox.
 To re-enable the port, use the Auto-Disable function. Alternatively, proceed as follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
BPDU filter (all admin edge ports)
Activates/deactivates the STP-BPDU filter on every manually specified edge port. For these ports,
in the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox in the Admin
edge port column is marked.
Possible values:
 marked
The BPDU filter is active on every edge port.
The function does not use these ports in Spanning Tree operations.
– The device does not send STP-BPDUs on these ports.
– The device drops any STP-BPDUs received on these ports.
 unmarked (default setting)
The global BPDU filter is inactive.
You have the option to explicitly activate the BPDU filter for single ports. See the Port BPDU filter
column in the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Auto-disable
Activates/deactivates the Auto-Disable function for the parameters that BPDU guard is monitoring on
the port.
Possible values:
 marked
The Auto-Disable function for the BPDU guard is active.
– When an edge port receives an STP-BPDU, the device disables the port. The “Link status”
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. To set this up, go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in
the Reset timer [s] column.
 unmarked (default setting)
The Auto-Disable function for the BPDU guard is inactive.
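An offline check of the Bridge configuration values and the BPDU guard setting described above, as an added Python example (not Hirschmann code): it applies the dialog's value ranges and the Forward delay / Max age relationship, and works out which bridge wins the root role by lowest bridge ID. The Bridge record, its field names and the sample inventory are hypothetical and constructed for this illustration.

```python
"""Offline audit of Spanning Tree bridge settings (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    """One bridge's planned settings; field names are hypothetical."""
    name: str
    mac: str                  # constructed, locally administered address
    priority: int = 32768     # dialog default
    hello_time: int = 2       # dialog default
    forward_delay: int = 15   # dialog default
    max_age: int = 20         # dialog default
    edge_ports: tuple = ()    # ports with "Admin edge port" marked
    bpdu_guard: bool = False  # dialog default: unmarked

    @property
    def bridge_id(self):
        # <Bridge priority> / <MAC address>, compared numerically
        return (self.priority, bytes.fromhex(self.mac.replace(":", "")))


def check_bridge(b):
    """Return findings for values the dialog would not accept or leaves unguarded."""
    findings = []
    if not 0 <= b.priority <= 61440 or b.priority % 4096:
        findings.append("priority not in 0..61440 in steps of 4096")
    if not 1 <= b.hello_time <= 2:
        findings.append("hello time not in 1..2")
    if not 4 <= b.forward_delay <= 30:
        findings.append("forward delay not in 4..30")
    if not 6 <= b.max_age <= 40:
        findings.append("max age not in 6..40")
    if b.forward_delay < b.max_age / 2 + 1:
        findings.append("forward delay < (max age / 2) + 1")
    if b.edge_ports and not b.bpdu_guard:
        findings.append("edge ports %s without BPDU guard" % ", ".join(b.edge_ports))
    return findings


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID takes the root role."""
    return min(bridges, key=lambda b: b.bridge_id)


def audit(bridges, intended_root):
    """Per-bridge findings plus network-level notes about the root election."""
    report = {b.name: check_bridge(b) for b in bridges}
    root = elect_root(bridges)
    network = []
    if root.name != intended_root:
        network.append("root is %s, expected %s" % (root.name, intended_root))
    tied = sorted(b.name for b in bridges if b.priority == root.priority)
    if len(tied) > 1:
        network.append("lowest priority shared by %s; MAC address decides"
                       % ", ".join(tied))
    report["network"] = network
    return report


# Constructed inventory: one intended root and two ring bridges.
SAMPLE = [
    Bridge("core", "02:00:00:00:00:10", priority=4096,
           edge_ports=("1/5",), bpdu_guard=True),
    Bridge("ring-a", "02:00:00:00:00:01", edge_ports=("1/3", "1/4")),
    Bridge("ring-b", "02:00:00:00:00:02", max_age=40),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, "core").items():
        print(name, findings)
```

Running the same audit without the `core` entry shows the case where every bridge keeps the default priority and the root role falls to whichever device has the lowest MAC address.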
Root information
Bridge ID
Displays the bridge ID of the current root bridge.
Possible values:
 <Bridge priority> / <MAC address>
Priority
Displays the bridge priority of the current root bridge.
Possible values:
 0..61440 in steps of 4096
Hello time [s]
Displays the time in seconds that the root bridge specifies between the sending of two configuration
messages (Hello data packets).
Possible values:
 1..2
The device uses this specified value. See the Bridge configuration frame.
Forward delay [s]
Specifies the delay time in seconds set up by the root bridge for status changes.
Possible values:
 4..30
The device uses this specified value. See the Bridge configuration frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled, discarding, learning, forwarding.
Max age
Specifies the maximum permitted branch length that the root bridge sets up, for example the
number of devices to the root bridge.
Possible values:
 6..40 (default setting: 20)
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in seconds.
Topology information
Bridge is root
Displays if the device currently has the role of the root bridge.
Possible values:
 marked
The device currently has the role of the root bridge.
 unmarked
Another device currently has the role of the root bridge.
Root port
Displays the number of the port from which the current path leads to the root bridge.
If the device takes over the role of the root bridge, then the field displays the value 0.
Root path cost
Specifies the path cost for the path that leads from the root port of the device to the root bridge of
the layer 2 network.
Possible values:
 0..200000000
If the value 0 is specified, then the device takes over the role of the root bridge.
Topology changes
Displays how many times the device has put a port into the forwarding status using the Spanning
Tree function since the Spanning Tree instance was started.
Time since topology change
Displays the time since the last topology change.
Possible values:
 <days, hours:minutes:seconds>
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.6.2 Spanning Tree MSTP
[ Switching > L2-Redundancy > Spanning Tree > MSTP ]
In this dialog you manage the settings of the global and local MST instances.
In contrast to the local MST instances, the global MST instance is configured permanently in the
device. The global MST instance contains the VLANs that are not explicitly allocated to a local MST
instance.
The device supports up to 16 local MST instances. To create a local MST instance, click the
button.
While STP has a single Spanning Tree spanning the network, MSTP lets you set up one Spanning
Tree per VLAN or group of VLANs. Thus it is possible to specify several smaller Spanning Trees
covering one network.
How to help avoid longer convergence times:
 Only use devices in the network that support RSTP or MSTP.
 Adjust the following parameters to the topology and number of bridges:
– Maximum allowed number of devices to the root bridge
Switching > L2-Redundancy > Spanning Tree > Global dialog, Max age field
– Maximum allowed number of bridges within the MST region in a branch to the root bridge
Switching > L2-Redundancy > Spanning Tree > MSTP dialog, Global CIST parameter frame, Hops
(max.) field
For bridges in an MST region, specify identical values for the following parameters:
 Name of the MST region
 Revision level of the MST region
 Allocation of the VLANs to the MST instances
– Include ports connecting the bridges of an MST region as tagged members in the VLANs set
up on the bridges. You thus help avoid potential connection breaks within the MST region
when the topology is changed.
– Include ports connecting an MST region with other MST regions or with the CST region
(boundary ports) as tagged members in the VLANs set up in both regions. You thus help
avoid potential connection breaks when topology changes affecting the boundary ports are
made.
MST region identifier
Name
Specifies the name of the MST region to which the device belongs.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Revision level
Specifies the version number of the MST region to which the device belongs.
Possible values:
 0..65535 (default setting: 1)
Checksum
Displays the MD5 checksum of the MST configuration.
Global CIST parameter
Hops (max.)
Specifies the maximum number of bridges within the MST region in a branch to the root bridge.
Possible values:
 6..40 (default setting: 20)
Attached VLANs
Displays the IDs of the VLANs that are assigned only to the global MST instance and to no other
local MST instance.
Possible values:
 ID of the statically configured VLANs
(default setting: 1)
Bridge ID
Displays the bridge ID of the device.
Possible values:
 <Bridge priority> / <MAC address>
The value is made up as follows:
– Value in the Priority field. See the Switching > L2-Redundancy > Spanning Tree > Global dialog,
Bridge configuration frame.
– MAC address of the device.
Root ID
Displays the bridge ID of the current CIST root bridge of the whole Layer 2 network.
Possible values:
 <Bridge priority> / <MAC address>
The device with the numerically lowest bridge ID takes over the role of the CIST root bridge in the
network. The following devices are able to take over the role of the root bridge:
 Bridges not belonging to any MST region
 Bridges belonging to the global instance of an MST region
In the whole Layer 2 network, the bridges use the time settings of the CIST root bridge, for example
Hello time [s].
Regional root ID
Displays the Bridge ID of the current root bridge that belongs to the global instance of the MST
region to which this device belongs.
Possible values:
 <Bridge priority> / <MAC address>
The values in the Regional root ID and Root ID fields are identical when the regional root bridge has
the lowest bridge ID in the whole Layer 2 network.
Root port
Displays the port of the device from which the path leads to the current CIST root bridge of the
whole Layer 2 network.
Possible values:
 no Port
The device currently has the role of the root bridge.
 <Port number>
The path to the current CIST root bridge of the whole Layer 2 network leads over this port.
Root path cost
Displays the path cost for the path that leads from the regional root bridge of the MST region to the
current CIST root bridge of the whole Layer 2 network.
Possible values:
 0..200000000
If the value 0 is specified, then the regional root bridge simultaneously has the role of the CIST
root bridge.
For the devices within an MST region, the Root path cost values are identical.
If you do not use MSTP, then the Root path cost values are identical to the root path costs of
Spanning Tree or Rapid Spanning Tree. In this case, every device considers itself its own
region.
Internal root path cost
Displays the internal path cost for the path that leads from the root port of the device to the current
regional root bridge of the MST region.
Possible values:
 0..200000000
If the value 0 is specified, then the local bridge simultaneously has the role of the current
regional root bridge.
Table
MSTI
Displays the instance number of the local MST instance.
Attached VLANs
Displays the IDs of the VLANs that are allocated to this local MST instance.
Priority
Specifies the bridge priority of the local MST instance.
Possible values:
 0..61440 in steps of 4096 (default setting: 32768)
Assign the lowest numeric priority in this local MST instance to the device to make this device the
root bridge.
Bridge ID
Displays the bridge ID.
The device with the numerically lowest bridge ID takes over the role of the MSTI (regional) root
bridge in the instance.
Possible values:
 <Bridge priority + Number of the instance> / <MAC address>
Sum of the value in the fields Priority and MSTI / MAC address of the device
Time since topology change
Displays the time that has elapsed since the last topology change within this instance.
Topology changes
Displays how many times the device has put a port into the forwarding status using the Spanning
Tree function since the Spanning Tree instance was started.
Topology change
Displays whether the device has detected a topology change within the instance.
Possible values:
 true
The device has detected a topology change.
 false
The device has not detected a topology change.
Root ID
Displays the bridge ID of the current root bridge in this instance.
Possible values:
 <Bridge ID> / <MAC address>
Root path cost
Displays the path cost for the path that leads from the root port of the device to the root bridge of
the instance.
Possible values:
 0..200000000
If the value 0 is specified, then the bridge is simultaneously the root bridge of the instance.
Root port
Displays the port of the device from which the current path leads to the root bridge of the instance.
Possible values:
 no Port
The device currently has the role of the root bridge.
 <Port number>
The path to the current root bridge of the instance leads over this port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Adds a new table entry.
The device supports up to 16 local instances.
Configure VLANs
Opens the Configure VLANs dialog to allocate VLANs to the local MST instance which is highlighted
in the table.
5.9.6.3 Spanning Tree Port
[ Switching > L2-Redundancy > Spanning Tree > Port ]
In this dialog, you activate the Spanning Tree function on the ports, specify edge ports, and specify
the settings for various protection functions.
The dialog contains the following tabs:
 [CIST]
 [Guards]
 [MSTI <MSTI>]
[CIST]
In this tab, you have the option to activate the Spanning Tree function on the ports individually,
specify the settings for edge ports, and view the current values. The abbreviation CIST stands for
Common and Internal Spanning Tree.
Note: Deactivate the Spanning Tree function on the ports that are participating in other Layer 2
redundancy protocols. Otherwise, it is possible that the redundancy protocols operate differently
than intended. This can cause loops.
Table
Port
Displays the port number.
STP active
Activates/deactivates the Spanning Tree function on the port.
Possible values:
 marked (default setting)
 unmarked
If the Spanning Tree function is enabled in the device and disabled on the port, then the port does
not send STP-BPDUs and drops any STP-BPDUs received.
Port state
Displays the transmission status of the port.
Possible values:
 discarding
The port is blocked and forwards only STP-BPDUs.
 learning
The port is blocked, but it learns the MAC addresses of received data packets.
 forwarding
The port forwards data packets.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
 manualFwd
The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs.
 notParticipate
The port is not participating in STP.
Port role
Displays the current role of the port in CIST.
Possible values:
 root
Port with the cheapest path to the root bridge.
 alternate
Port with the alternative path to the root bridge (currently blocking).
 designated
Port for the side of the tree facing away from the root bridge (currently blocking).
 backup
Port receives STP-BPDUs from its own device.
 master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost
Specifies the path costs of the port.
Possible values:
 0..200000000
(default setting: 0)
When the value is 0, the device automatically calculates the path costs depending on the data rate
of the port.
Port priority
Specifies the priority of the port.
Possible values:
 16..240 in steps of 16
(default setting: 128)
This value represents the first 4 bits of the port ID.
Received bridge ID
Displays the bridge ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection or if it has not received any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Received port ID
Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection or if it has not received any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Received path cost
Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection or if it has not received any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Received path cost
Displays the path cost that the higher-level bridge has from its root port in the local MST instance
to the root bridge.
Admin edge port
Activates/deactivates the Admin edge port mode. If the port is connected to an end device, then use
the Admin edge port mode. This setting lets the edge port change to the forwarding state faster after
link-up, so that the end device becomes reachable sooner.
Possible values:
 marked
The Admin edge port mode is active.
The port is connected to an end device.
– After the connection is set up, the port changes to the forwarding status without changing
to the learning status beforehand.
– If the port receives an STP-BPDU and the BPDU Guard function is active, then the device
deactivates the port. See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
 unmarked (default setting)
The Admin edge port mode is inactive.
The port is connected to another STP bridge.
After the connection is set up, the port changes to the learning status before changing to the
forwarding status, if applicable.
Auto edge port
Activates/deactivates the automatic detection of whether you connect an end device to the port.
The prerequisite is that the checkbox in the Admin edge port column is unmarked.
Possible values:
 marked (default setting)
The automatic detection is active.
After the installation of the connection and after 1.5 × Hello time [s], the device sets the port to
the forwarding status (default setting 1.5 × 2 s) if the port did not receive any STP-BPDUs
during this time.
 unmarked
The automatic detection is inactive.
After the installation of the connection, and after Max age the device sets the port to the
forwarding status.
(default setting: 20 s)
Oper edge port
Displays whether an end device or an STP bridge is connected to the port.
Possible values:
 marked
An end device is connected to the port. The port does not receive any STP-BPDUs.
 unmarked
An STP bridge is connected to the port. The port receives STP-BPDUs.
Oper PointToPoint
Displays whether the port is connected to an STP device via a direct full-duplex link.
Possible values:
 true
The port is connected directly to an STP device via a full-duplex link. The direct, decentralized
communication between 2 bridges enables short reconfiguration times.
 false
The port is connected in another way, for example via a half-duplex link or via a hub.
Port BPDU filter
Activates/deactivates the filtering of STP-BPDUs on the port explicitly.
The prerequisite is that the port is a manually specified edge port. For these ports, the checkbox in
the Admin edge port column is marked.
Possible values:
 marked
The BPDU filter is active on the port.
The function excludes the port from Spanning Tree operations.
– The device does not send STP-BPDUs on the port.
– The device drops any STP-BPDUs received on the port.
 unmarked (default setting)
The BPDU filter is inactive on the port.
You have the option to globally activate the BPDU filter for every edge port. See the Switching >
L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame.
If the BPDU filter (all admin edge ports) checkbox is marked, then the BPDU filter is still active on
the port.
BPDU filter status
Displays whether or not the BPDU filter is active on the port.
Possible values:
 marked
The BPDU filter is active on the port as a result of the following settings:
– The checkbox in the Port BPDU filter column is marked.
and/or
– The checkbox in the BPDU filter (all admin edge ports) column is marked. See the Switching >
L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame.
 unmarked
The BPDU filter is inactive on the port.
BPDU flood
Activates/deactivates the BPDU flood mode on the port even if the Spanning Tree function is inactive
on the port. The prerequisite is that the BPDU flood mode is also active for these ports.
Possible values:
 marked
The BPDU flood mode is active.
The device floods STP-BPDUs received on the port to the ports for which the Spanning Tree
function is inactive.
 unmarked (default setting)
The BPDU flood mode is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Guards]
This tab lets you specify the settings for various protection functions on the ports.
Table
Port
Displays the port number.
Root guard
Activates/deactivates the monitoring of STP-BPDUs on the port. The prerequisite is that the Loop
guard function is inactive.
With this setting the device helps you protect your network from incorrect configurations or attacks
with STP-BPDUs that try to change the topology. This setting is relevant only for ports with the STP
role designated.
Possible values:
 marked
The monitoring of STP-BPDUs is active.
– If the port receives an STP-BPDU with better path information to the root bridge, then the
device discards the STP-BPDU and sets the status of the port to the value discarding
instead of root.
– If there are no STP-BPDUs with better path information to the root bridge, then the device
resets the status of the port after 2 × Hello time [s].
 unmarked (default setting)
The monitoring of STP-BPDUs is inactive.
TCN guard
Activates/deactivates the monitoring of "Topology Change Notifications" on the port. With this
setting the device helps you protect your network from attacks with STP-BPDUs that try to change
the topology.
Possible values:
 marked
The monitoring of "Topology Change Notifications" is enabled.
– The port ignores the Topology Change flag in received STP-BPDUs.
– If the received BPDU contains other information that causes a topology change, then the
device processes the BPDU even if the TCN guard is enabled.
Example: The device receives better path information for the root bridge.
 unmarked (default setting)
The monitoring of "Topology Change Notifications" is disabled.
If the device receives STP-BPDUs with a Topology Change flag, then the device deletes the
address table of the port and forwards the Topology Change Notifications.
Loop guard
Activates/deactivates the monitoring of loops on the port. The prerequisite is that the Root guard
function is inactive.
With this setting the device helps prevent loops if the port does not receive any more STP-BPDUs.
Use this setting only for ports with the STP role alternate, backup or root.
Possible values:
 marked
The monitoring of loops is active. This helps prevent loops for example, if you disable the
Spanning Tree function on the remote device or if the connection is interrupted only in the
receiving direction.
– If the port does not receive any STP-BPDUs for a while, then the device sets the status of
the port to the value discarding and the value in the Loop state column to true.
– If the port receives STP-BPDUs again, then the device sets the status of the port to a value
according to Port role and the value in the Loop state column to false.
 unmarked (default setting)
The monitoring of loops is inactive.
If the port does not receive any STP-BPDUs for a while, then the device sets the status of the
port to the value forwarding.
Loop state
Displays whether the loop state of the port is inconsistent.
Possible values:
 true
The loop state of the port is inconsistent:
– The port is not receiving any STP-BPDUs and the Loop guard function is enabled.
– The device sets the state of the port to the value discarding. The device thus helps prevent
any potential loops.
 false
The loop state of the port is consistent. The port receives STP-BPDUs.
Trans. into loop
Displays how many times the device has set the value in the Loop state column from false to true.
Trans. out of loop
Displays how many times the device has set the value in the Loop state column from true to false.
BPDU guard effect
Displays whether the port received an STP-BPDU as an edge port.
Prerequisite:
• The port is a manually specified edge port. In the Port dialog, the checkbox for this port in the
Admin edge port column is marked.
• In the Switching > L2-Redundancy > Spanning Tree > Global dialog, the BPDU Guard function is
active.
Possible values:
 marked
The port is an edge port and received an STP-BPDU.
The device deactivates the port. For this port, in the Basic Settings > Port dialog, Configuration tab
the checkbox in the Port on column is unmarked.
 unmarked
The port is an edge port and has not received any STP-BPDUs, or the port is not an edge port.
To reset the status of the port to the value forwarding, you proceed as follows:
 If the port is still receiving BPDUs, then:
– In the CIST tab, unmark the checkbox in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard
checkbox.
 To activate the port, proceed as follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
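The prerequisites stated in the [CIST] and [Guards] tabs can be checked mechanically when you review a port configuration. The following is an added example, not Hirschmann code: PortRow, audit() and the sample rows are hypothetical and constructed, and the fields only mirror the column names of this dialog.

```python
"""Check Spanning Tree port settings against the prerequisites in this section.

Added example. PortRow and audit() are hypothetical names, not a HiOS export
format or API; the fields mirror the columns of the [CIST] and [Guards] tabs.
"""
from dataclasses import dataclass

# Port roles for which the manual says to use the Loop guard function.
LOOP_GUARD_ROLES = {"alternate", "backup", "root"}


@dataclass
class PortRow:
    port: str
    role: str                        # Port role column
    stp_active: bool = True          # STP active (default setting: marked)
    admin_edge: bool = False         # Admin edge port
    bpdu_filter: bool = False        # Port BPDU filter
    root_guard: bool = False
    loop_guard: bool = False
    bpdu_guard_effect: bool = False  # marked: the edge port received an STP-BPDU


def audit(rows, global_bpdu_guard, global_bpdu_filter=False):
    """Return a list of (port, rule, message) findings.

    global_bpdu_guard / global_bpdu_filter stand for the BPDU guard and
    BPDU filter (all admin edge ports) checkboxes of the Global dialog.
    """
    findings = []
    for r in rows:
        def add(rule, message, port=r.port):
            findings.append((port, rule, message))

        if r.root_guard and r.loop_guard:
            add("GUARD-CONFLICT",
                "Root guard and Loop guard each require the other to be inactive")
        if r.role != "disabled":  # an inactive port has no meaningful role yet
            if r.root_guard and r.role != "designated":
                add("ROOT-GUARD-ROLE",
                    "Root guard is relevant only for ports with the role designated")
            if r.loop_guard and r.role not in LOOP_GUARD_ROLES:
                add("LOOP-GUARD-ROLE",
                    "Loop guard is meant for the roles alternate, backup or root")
        if r.bpdu_filter and not r.admin_edge:
            add("FILTER-NEEDS-EDGE",
                "Port BPDU filter requires a manually specified edge port")
        if r.admin_edge and not global_bpdu_guard:
            add("EDGE-NO-BPDU-GUARD",
                "edge port, but the global BPDU Guard function is inactive")
        if r.admin_edge and (r.bpdu_filter or global_bpdu_filter):
            add("EDGE-FILTERED",
                "BPDU filter active: port is excluded from Spanning Tree operations")
        if r.bpdu_guard_effect:
            add("BPDU-GUARD-TRIPPED",
                "edge port received an STP-BPDU and was deactivated; "
                "identify the connected device before re-enabling the port")
        if not r.stp_active:
            add("STP-OFF",
                "port sends no STP-BPDUs and drops received ones; "
                "confirm it belongs to another Layer 2 redundancy protocol")
    return findings


# Constructed sample rows, not taken from a real device.
SAMPLE_ROWS = [
    PortRow("1/1", "root", loop_guard=True),
    PortRow("1/2", "designated", root_guard=True, loop_guard=True),
    PortRow("1/3", "designated", admin_edge=True, bpdu_filter=True),
    PortRow("1/4", "designated", bpdu_filter=True),
    PortRow("1/5", "alternate", root_guard=True),
    PortRow("1/6", "disabled", admin_edge=True, bpdu_guard_effect=True),
]

if __name__ == "__main__":
    for port, rule, message in audit(SAMPLE_ROWS, global_bpdu_guard=True):
        print(f"{port:4} {rule:20} {message}")
```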
[MSTI <MSTI>]
This tab lets you specify the settings on the ports for path costs and priority in the local MST
instance, and to view current values.
Table
Port
Displays the port number.
Port state
Displays the transmission status of the port.
Possible values:
 discarding
The port is blocked and forwards only STP-BPDUs.
 learning
The port is blocked, but it learns the MAC addresses of received data packets.
 forwarding
The port forwards data packets.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
 manualFwd
The Spanning Tree function is disabled on the port.
The port forwards STP-BPDUs.
 notParticipate
The port is not participating in STP.
Port role
Specifies the current role of the port in the local instance.
Possible values:
 root
Port with the cheapest path to the root bridge.
 alternate
Port with the alternative path to the root bridge (currently interrupted).
 designated
Port for the side of the tree facing away from the root bridge.
 backup
Port which receives STP-BPDUs from its own device.
 master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost
Specifies the path costs of the port in the local instance.
Possible values:
 0..200000000 (default setting: 0)
When the value is 0, the device automatically calculates the path costs depending on the data
rate of the port.
Port priority
Specifies the priority of the port in the local instance.
Possible values:
 16..240 in steps of 16
(default setting: 128)
Received bridge ID
Displays the bridge ID of the device from which this port last received an STP-BPDU in the local
instance.
Received port ID
Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection or if it has not received any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Received path cost
Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection or if it has not received any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.7 Link Aggregation
[ Switching > L2-Redundancy > Link Aggregation ]
The Link Aggregation function lets you aggregate multiple parallel links. The prerequisite is that the
links have the same speed and are full duplex. The advantages compared to conventional
connections using a single line are higher availability and a higher transmission bandwidth.
The criteria for distributing the load to the parallel links are based on the Hashing option function.
The Link Aggregation Control Protocol (LACP) makes it possible to monitor the packet-based
continuous link status on the physical ports. LACP also helps ensure that the link partners meet the
aggregation prerequisites.
If the remote side does not support the Link Aggregation Control Protocol (LACP), then you can
use the Static link aggregation function. In this case, the device aggregates the links based on the
link, link speed and duplex setting.
Configuration
Hashing option
Specifies which information the device uses to distribute the packets to the physical ports of the
LAG interface. The device transmits packets containing the same distribution-relevant information
over the same physical port to keep the packet order.
This setting overwrites the value specified in the Hashing option column for the port.
Possible values:
 sourceMacVlan
The device uses the fields Source MAC address, VLAN ID, EtherType of the packet, and the
physical ingress port.
 destMacVlan
The device uses the fields Destination MAC address, VLAN ID, EtherType of the packet, and
the physical ingress port.
 sourceDestMacVlan (default setting)
The device uses the fields Source MAC address, Destination MAC address, VLAN ID,
EtherType of the packet, and the physical ingress port.
 sourceIPsourcePort
The device uses the fields Source IP address and Source TCP/UDP port of the packet.
 destIPdestPort
The device uses the fields Destination IP address and Destination TCP/UDP port of the
packet.
 sourceDestIPPort
The device uses the fields Source IP address, Destination IP address, Source TCP/UDP
port and Destination TCP/UDP port of the packet.
Table
Trunk port
Displays the LAG interface number.
Name
Specifies the name of the LAG interface.
Possible values:
 Alphanumeric ASCII character string with 1..15 characters
Link/Status
Displays the current operating state of the LAG interface and the physical ports.
Possible values:
 up (lag/… row)
The LAG interface is operational.
The prerequisites are:
– The Static link aggregation function is active on this LAG interface.
or
– LACP is active on the physical ports assigned to the LAG interface, see the LACP active
column.
and
The key specified for the LAG interface in the LACP admin key column matches the keys
specified for the physical ports in the LACP port actor admin key column.
and
The number of operational physical ports assigned to the LAG interface is greater than or
equal to the value specified in the Active ports (min.) column.
 up
The physical port is operational.
 down (lag/… row)
The LAG interface is down.
 down
The physical port is disabled.
or
No cable connected or no active link.
Active
Activates/deactivates the LAG interface.
Possible values:
 marked (default setting)
The LAG interface is active.
Consider that the following protocols do not work properly on the physical ports when you
activate the LAG interface:
– PTP
 unmarked
The LAG interface is inactive.
STP active
Activates/deactivates the Spanning Tree protocol on this LAG interface. The prerequisite is that you
enable the Spanning Tree function globally in the Switching > L2-Redundancy > Spanning Tree > Global
dialog.
You can also activate/deactivate the Spanning Tree protocol on the LAG interfaces in the Switching >
L2-Redundancy > Spanning Tree > Port dialog.
Possible values:
 marked (default setting)
The Spanning Tree protocol is active on this LAG interface.
 unmarked
The Spanning Tree protocol is inactive on this LAG interface.
Static link aggregation
Activates/deactivates the Static link aggregation function on the LAG interface. The device
aggregates the assigned physical ports to the LAG interface, even if the remote site does not
support LACP.
Possible values:
 marked
The Static link aggregation function is active on this LAG interface. The device aggregates an
assigned physical port to the LAG interface as soon as the physical port gets a link. The device
does not send LACPDUs and discards received LACPDUs.
 unmarked (default setting)
The Static link aggregation function is inactive on this LAG interface. If the connection was
successfully negotiated using LACP, then the device aggregates an assigned physical port to
the LAG interface.
Hashing option
Specifies which information the device uses to distribute the packets to the individual physical ports
of the LAG interface. This setting has priority over the value selected from the Configuration frame,
Hashing option drop-down list.
For further information on the values, see the description of the Hashing option drop-down list in the
Configuration frame.
MTU
Specifies the maximum allowed size of Ethernet packets on the LAG interface in bytes. Any present
VLAN tag is not taken into account.
This setting lets you increase the size of the Ethernet packets for specific applications.
Possible values:
 1518..12288 (default setting: 1518)
With the value 1518, the LAG interface transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
Active ports (min.)
Specifies the minimum number of physical ports to be active for the LAG interface to stay active. If
the number of active physical ports is lower than the specified value, then the device deactivates
the LAG interface.
If a redundancy function like Spanning Tree or MRP over LAG is active in the device, then you use
this function to force the device to switch automatically to the redundant line.
Possible values:
 1 (default setting)
 2
 Depending on the hardware:
4
8
32
Type
Displays whether the LAG interface is based on the Static link aggregation function or on LACP.
Possible values:
 static
The LAG interface is based on the Static link aggregation function.
 dynamic
The LAG interface is based on LACP.
Send trap (Link up/down)
Activates/deactivates the sending of SNMP traps when the device detects changes in the link up/
down status for this interface.
Possible values:
 marked (default setting)
The sending of SNMP traps is active.
If the device detects a link up/down status change, then the device sends an SNMP trap.
 unmarked
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
LACP admin key
Specifies the LAG interface key. The device uses this key to identify the ports that can be
aggregated to the LAG interface.
Possible values:
 0..65535
You specify the corresponding value for the physical ports in the LACP port actor admin key
column.
Port
Displays the number of the physical port assigned to the LAG interface.
Aggregation port status
Displays whether the LAG interface aggregates the physical port.
Possible values:
 active
The LAG interface aggregates the physical port.
 inactive
The LAG interface does not aggregate the physical port.
LACP active
Activates/deactivates LACP on the physical port.
Possible values:
 marked (default setting)
LACP is active on the physical port.
 unmarked
LACP is inactive on the physical port.
LACP port actor admin key
Specifies the physical port key. The device uses this key to identify the ports that can be aggregated
to the LAG interface.
Possible values:
 0
The device ignores the key on this physical port when deciding to aggregate the port into the
LAG interface.
 1..65535
The device aggregates this physical port to the LAG interface only if this value matches the value
of the LAG interface specified in the LACP admin key column.
LACP actor admin state
Specifies the actor state values that the LAG interface transmits in the LACPDUs. This lets you
control the LACPDU parameters.
The device lets you mix the values. In the drop-down list, select one or more values.
Possible values:
 ACT
(LACP_Activity state)
When selected, the link transmits the LACPDUs cyclically, otherwise when requested.
 STO
(LACP_Timeout state)
When selected, the link transmits the LACPDUs cyclically using the short timeout, otherwise
using the long timeout.
 AGG
(Aggregation state)
When selected, the device interprets the link as a candidate for aggregation, otherwise as an
individual link.
For further information on the values, see the standard IEEE 802.1AX-2014.
LACP actor oper state
Displays the actor state values that the LAG interface transmits in the LACPDUs.
Possible values:
 ACT
(LACP_Activity state)
When visible, the link transmits the LACPDUs cyclically, otherwise when requested.
 STO
(LACP_Timeout state)
When visible, the link transmits the LACPDUs cyclically using the short timeout, otherwise using
the long timeout.
 AGG
(Aggregation state)
When visible, the device interprets the link as a candidate for aggregation, otherwise as an
individual link.
 SYN
(Synchronization state)
When visible, the device interprets the link as IN_SYNC, otherwise as OUT_OF_SYNC.
 COL
(Collecting state)
When visible, collection of incoming frames is enabled on this link, otherwise disabled.
 DST
(Distributing state)
When visible, distribution of outgoing frames is enabled on this link, otherwise disabled.
 DFT
(Defaulted state)
When visible, the link uses defaulted operational information, administratively specified for the
Partner. Otherwise the link uses the operational information received from a LACPDU.
 EXP
(Expired state)
When visible, the link receiver is in the EXPIRED state.
LACP partner oper SysID
Displays the MAC address of the remote device connected to this physical port.
The LAG interface has received this information in a LACPDU from the partner.
LACP partner oper port
Displays the port number of the remote device connected to this physical port.
The LAG interface has received this information in a LACPDU from the partner.
LACP partner oper port state
Displays the partner state values that the LAG interface receives in the LACPDUs.
Possible values:
 ACT
 STO
 AGG
 SYN
 COL
 DST
 DFT
 EXP
For further information on the values, see the description of the LACP actor oper state column and
the standard IEEE 802.1AX-2014.
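The values in the LACP actor oper state and LACP partner oper port state columns correspond to the bits of the state octet carried in a LACPDU, for example when you compare the table with a packet capture. The following added example (not Hirschmann code) decodes that octet using the bit order of IEEE 802.1AX and lists the conditions under which a link is not carrying traffic in the LAG; the function names and result codes are hypothetical.

```python
"""Decode LACP actor/partner state octets into the abbreviations of this dialog.

Added example. Bit order per IEEE 802.1AX: bit 0 = LACP_Activity ... bit 7 =
Expired. Function names and issue codes are hypothetical.
"""

# Index in this tuple = bit position in the state octet.
FLAGS = ("ACT", "STO", "AGG", "SYN", "COL", "DST", "DFT", "EXP")


def decode_state(octet):
    """Return the abbreviations that are 'visible' for a state octet."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("state is a single octet (0..255)")
    return [name for bit, name in enumerate(FLAGS) if (octet >> bit) & 1]


def encode_state(names):
    """Build a state octet from abbreviations; unknown names raise ValueError."""
    octet = 0
    for name in names:
        octet |= 1 << FLAGS.index(name)
    return octet


def diagnose(actor, partner):
    """Return (code, explanation) pairs for a link that is not fully aggregated.

    actor   -- state octet the local port transmits
    partner -- state octet last received from the remote port
    """
    a, p = set(decode_state(actor)), set(decode_state(partner))
    issues = []
    if "ACT" not in a and "ACT" not in p:
        issues.append(("both-passive",
                       "neither side transmits LACPDUs cyclically"))
    if "DFT" in a:
        issues.append(("actor-defaulted",
                       "partner information is the administrative default, "
                       "not received from a LACPDU"))
    if "EXP" in a:
        issues.append(("actor-expired", "the link receiver is in the EXPIRED state"))
    for side, flags in (("actor", a), ("partner", p)):
        if "AGG" not in flags:
            issues.append((side + "-individual",
                           side + " treats the link as an individual link"))
        if "SYN" not in flags:
            issues.append((side + "-out-of-sync", side + " reports OUT_OF_SYNC"))
        if not {"COL", "DST"} <= flags:
            issues.append((side + "-not-forwarding",
                           side + " has collecting or distributing disabled"))
    return issues


if __name__ == "__main__":
    # Constructed sample octets, not captured from a device.
    for actor, partner in ((0x3D, 0x3D), (0x47, 0x00), (0x3C, 0x3C)):
        print(f"actor={decode_state(actor)} partner={decode_state(partner)}")
        for code, text in diagnose(actor, partner):
            print(f"  {code}: {text}")
```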
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new LAG interface entry to the table or to assign a physical port
to a LAG interface.
 In the Trunk port drop-down list, you select the LAG interface number.
 In the Port drop-down list, you select the number of a physical port to assign to the LAG interface.
After you create a LAG interface, the device adds the LAG interface to the table in the Basic
Settings > Port dialog, Statistics tab.
5.9.8 Link Backup
[ Switching > L2-Redundancy > Link Backup ]
With Link Backup, you configure pairs of redundant links. Each pair has a primary port and a
backup port. The primary port forwards traffic until the device detects an error. If the device detects
an error on the primary port, then the Link Backup function transfers traffic over to the backup port.
The dialog also lets you set a fail back option. If you enable the fail back function and the primary
port returns to normal operation, then the device first blocks traffic on the backup port and then
forwards traffic on the primary port. This process helps protect the device from causing loops in the
network.
Operation
Operation
Enables/disables the Link Backup function globally in the device.
Possible values:
 On
Enables the Link Backup function.
 Off (default setting)
Disables the Link Backup function.
Table
Primary port
Displays the primary port of the interface pair. When you enable the Link Backup function, this port
is responsible for forwarding traffic.
Possible values:
 Physical ports
Backup port
Displays the backup port on which the device forwards traffic if the device detects an error on the
primary port.
Possible values:
 Physical ports except for the port you set as the primary port.
Description
Specifies the Link Backup pair. Enter a name to identify the Backup pair.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Primary port status
Displays the status of the primary port for this Link Backup pair.
Possible values:
 forwarding
The link is up, no shutdown, and forwarding traffic.
 blocking
The link is up, no shutdown, and blocking traffic.
 down
The port is either link down, cable unplugged, or disabled in software, shutdown.
 unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Backup port status
Displays the status of the Backup port for this Link Backup pair.
Possible values:
 forwarding
The link is up, no shutdown, and forwarding traffic.
 blocking
The link is up, no shutdown, and blocking traffic.
 down
The port is either link down, cable unplugged, or disabled in the software, shutdown.
 unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Fail back
Activates/deactivates the automatic fail back.
Possible values:
 marked (default setting)
The automatic fail back is active.
After the delay timer expires, the backup port changes to blocking and the primary port
changes to forwarding.
 unmarked
The automatic fail back is inactive.
The backup port continues forwarding traffic even after the primary port re-establishes a link or
you manually change the admin status of the primary port from shutdown to no shutdown.
Fail back delay [s]
Specifies the delay time in seconds that the device waits after the primary port re-establishes a link.
Furthermore, this timer also applies when you manually set the admin status of the primary port
from shutdown to no shutdown. After the delay timer expires, the backup port changes to blocking
and the primary port changes to forwarding.
Possible values:
 0..3600 (default setting: 30)
When set to 0, immediately after the primary port re-establishes a link, the backup port changes
to blocking and the primary port changes to forwarding. Furthermore, immediately after you
manually set the admin status of the primary port from shutdown to no shutdown, the backup port changes to
blocking and the primary port changes to forwarding.
Active
Activates/deactivates the Link Backup pair configuration.
Possible values:
 marked
The Link Backup pair is active. The device senses the link and administration status and
forwards traffic according to the pair configuration.
 unmarked (default setting)
The Link Backup pair is inactive. The ports forward traffic according to standard switching.
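The interaction of Fail back, Fail back delay [s] and Active with the two status columns, as an added example that is not part of the manual. It assumes that the backup port always has link and that a primary port which drops again during the delay cancels the pending fail back; the manual states neither.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class LinkBackupPair:
    """Model of one Link Backup pair, using the dialog's field names.

    Assumptions not stated in the manual: the backup port always has link,
    and a primary port that drops again during the delay cancels the
    pending fail back.
    """
    fail_back: bool = True          # "Fail back", default marked
    fail_back_delay_s: int = 30     # "Fail back delay [s]", 0..3600
    active: bool = False            # "Active", default unmarked
    _primary_link: bool = field(default=True, init=False, repr=False)
    _on_backup: bool = field(default=False, init=False, repr=False)
    _fail_back_at: Optional[float] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 0 <= self.fail_back_delay_s <= 3600:
            raise ValueError("Fail back delay [s] must be in 0..3600")

    def _expire_timer(self, now: float) -> None:
        # After the delay timer expires, traffic returns to the primary port.
        if self._fail_back_at is not None and now >= self._fail_back_at:
            self._on_backup = False
            self._fail_back_at = None

    def primary_down(self, now: float) -> None:
        """Link loss or admin shutdown on the primary port."""
        self._expire_timer(now)
        self._primary_link = False
        self._on_backup = True
        self._fail_back_at = None   # assumption: pending fail back is dropped

    def primary_up(self, now: float) -> None:
        """Link re-established, or admin status set to no shutdown."""
        self._expire_timer(now)
        if self._primary_link:
            return
        self._primary_link = True
        if self.fail_back and self._on_backup:
            # With a delay of 0 the timer expires on the next status query.
            self._fail_back_at = now + self.fail_back_delay_s

    def status(self, now: float) -> Tuple[str, str]:
        """Return (Primary port status, Backup port status) at time now."""
        if not self.active:
            return ("unknown", "unknown")
        self._expire_timer(now)
        if not self._primary_link:
            return ("down", "forwarding")
        if self._on_backup:
            return ("blocking", "forwarding")
        return ("forwarding", "blocking")


def replay(pair, events, probes):
    """Apply (time_s, 'down'|'up') events and sample the status at probe times."""
    timeline = {}
    pending = sorted(events)
    for t in sorted(probes):
        while pending and pending[0][0] <= t:
            when, what = pending.pop(0)
            (pair.primary_down if what == "down" else pair.primary_up)(when)
        timeline[t] = pair.status(t)
    return timeline


if __name__ == "__main__":
    # Constructed flapping primary link: down at 10 s, up at 20 s, down at 30 s, up at 40 s.
    flaps = [(10, "down"), (20, "up"), (30, "down"), (40, "up")]
    for t, s in replay(LinkBackupPair(active=True), flaps, [5, 15, 25, 35, 45, 69, 70]).items():
        print(f"t={t:>3}s primary={s[0]:<10} backup={s[1]}")
```

With the default delay of 30 s, the constructed flapping link moves traffic to the backup port once and back once; the primary port stays in blocking until it has been stable for the whole delay.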
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Create
Primary port
Specifies the primary port of the backup interface pair. During normal operation this port is
responsible for forwarding the traffic.
Possible values:
 Physical ports
Backup port
Specifies the backup port to which the device transfers the traffic if the device detects an error
on the primary port.
Possible values:
 Physical ports except for the port you set as the primary port.
5.9.9 FuseNet
[ Switching > L2-Redundancy > FuseNet ]
The FuseNet protocols let you couple rings that are operating with one of the following redundancy
protocols:
 MRP
 Fast MRP (depends on hardware)
 HIPER Ring
 DLR (depends on hardware)
 RSTP
Note: If you use the Ring/Network Coupling protocol to couple networks, then verify that the networks
only contain Hirschmann devices.
Use the following table to select the FuseNet coupling protocol to be used in your network:
Main Ring
Connected Network
MRP
RSTP
HIPER Ring
Fast MRP 2)
DLR 2)
MRP
Sub Ring1)
Redundant
Coupling
Protocol
Ring/Network
Coupling
Redundant
Coupling
Protocol
Ring/Network
Coupling
Ring/Network
Coupling
Redundant
Coupling
Protocol
Ring/Network
Coupling
Fast MRP 2)
Sub Ring1)
Redundant
Coupling
Protocol
Ring/Network
Coupling
Redundant
Coupling
Protocol
Ring/Network
Coupling
Ring/Network
Coupling
Ring/Network
Coupling
HIPER Ring
Sub Ring
Redundant
Coupling
Protocol
Ring/Network
Coupling
Ring/Network
Coupling
Redundant
Coupling
Protocol
Ring/Network
Coupling
Redundant
Coupling
Protocol
Ring/Network
Coupling
DLR 2)
Sub Ring
Redundant
Coupling
Protocol
Redundant
Coupling
Protocol
Redundant
Coupling
Protocol
–
–
RSTP
Redundant
Coupling
Protocol
–
Redundant
Coupling
Protocol
Redundant
Coupling
Protocol
Redundant
Coupling
Protocol
Explanation:
–  no suitable coupling protocol
1) with MRP configured on different VLANs
2) depending on the device configuration
The menu contains the following dialogs:
 Sub Ring
 Ring/Network Coupling
 Redundant Coupling Protocol
5.9.9.1 Sub Ring
[ Switching > L2-Redundancy > FuseNet > Sub Ring ]
This dialog lets you set up the device as a subring manager.
The Sub Ring function enables you to easily couple network segments to existing redundancy rings.
The subring manager (SRM) couples a subring to an existing ring (base ring).
In the subring you can use any devices that support MRP as ring participants. These devices do
not require a subring manager function.
When setting up subrings, remember the following rules:
 The device supports Link Aggregation in the subring
 No spanning tree on subring ports
 Same MRP domain on devices within a subring
 Different VLANs for base ring and subring
Specify the VLAN settings as follows:
 VLAN X for base ring
– on the ring ports of the base ring participants
– on the base ring ports of the subring manager
 VLAN Y for subring
– on the ring ports of the subring participants
– on the subring ports of the subring manager
Note: To help avoid loops, only close the redundant line when the settings are specified in every
device participating in the ring.
Operation
Operation
Enables/disables the Sub Ring function.
Possible values:
 On
The Sub Ring function is enabled.
 Off (default setting)
The Sub Ring function is disabled.
Information
Table entries (max.)
Displays the maximum number of subrings supported by the device.
Table
Sub ring ID
Displays the unique identifier of this subring.
Possible values:
 1..8
Name
Specifies the optional name of the subring.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Active
Activates/deactivates the subring.
Activate the subring when the configuration of every subring device is complete. Close the subring
only after activating the Sub Ring function.
Possible values:
 marked
The subring is active.
 unmarked (default setting)
The subring is inactive.
Configuration status
Displays the operational state of the subring configuration.
Possible values:
 noError
The device detects an acceptable subring configuration.
 ringPortLinkError
– The ring port has no link.
– One of the subring lines is connected to another port of the device, but not to one of the
ring ports of the device.
 multipleSRM
The subring manager receives packets from more than one subring manager in the subring.
 noPartnerManager
The subring manager receives its own frames.
 concurrentVLAN
The MRP protocol in the base ring uses the VLAN of the subring manager domain.
 concurrentPort
Another redundancy protocol uses the ring port of the subring manager domain.
 concurrentRedundancy
The subring manager domain is inactive because another redundancy protocol is active.
 trunkMember
The ring port of the subring manager domain is a member of a Link Aggregation connection.
 sharedVLAN
The subring manager domain is inactive because shared VLAN is active and the main ring also
uses the MRP protocol.
Redundancy available
Displays the operational state of the ring redundancy in the subring.
Possible values:
 redGuaranteed
Redundancy reserve is available.
 redNotGuaranteed
Loss of redundancy reserve.
Port
Specifies the port that connects the device to the subring.
Possible values:
 <Port number>
SRM mode
Specifies the mode of the subring manager.
A subring has 2 managers simultaneously that couple the subring to the base ring. As long as the
subring is physically closed, 1 manager blocks its subring port.
Possible values:
 manager (default setting)
The subring port forwards data packets.
When this value is set on both devices that couple the subring to the base ring, the device with
the higher MAC address functions as the redundantManager.
 redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
then the subring port transmits the data packets.
When this value is set on both devices that couple the subring to the base ring, the device with
the higher MAC address functions as the redundantManager.
 singleManager
Use this value when the subring is coupled to the base ring via one single device. The
prerequisite is that there are 2 instances of the subring in the table. Assign this value to both
instances. The subring port of the instance with the higher port number is blocked while the
subring is physically closed.
SRM status
Displays the current mode of the subring manager.
Possible values:
 manager
The subring port forwards data packets.
 redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
then the subring port transmits the data packets.
 singleManager
The subring is coupled to the base ring via one single device. The subring port of the instance
with the higher port number is blocked while the subring is physically closed.
 disabled
The subring is inactive.
Port status
Displays the connection status of the subring port.
Possible values:
 forwarding
The port is passing frames according to the forwarding behavior of IEEE 802.1D.
 disabled
The port is dropping every frame.
 blocked
The port is dropping every frame with the exception of the following cases:
– The port passes frames used by the selected ring protocol specified to pass blocked ports.
– The port passes frames from other protocols specified to pass blocked ports.
 not-connected
The port link is down.
VLAN
Specifies the VLAN to which this subring is assigned. If no VLAN exists under the VLAN ID entered,
then the device automatically creates it.
Possible values:
 Available configured VLANs (default setting: 0)
If you do not want to use a separate VLAN for this subring, then you leave the entry as 0.
Partner MAC
Displays the MAC address of the subring manager at the other end of the subring.
MRP domain
Specifies the MRP domain of the subring manager. Assign the same MRP domain name to every
member of a subring. If you only use Hirschmann devices, then you use the default value for the
MRP domain; otherwise adjust this value if necessary. With multiple subrings, the function lets you
use the same MRP domain name for the subrings.
Possible values:
 Permitted MRP domain names (default setting:
255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255)
Protocol
Specifies the protocol.
Possible values:
 iec-62439-mrp
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
5.9.9.2 Ring/Network Coupling
[ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ]
You use the Ring/Network Coupling function to redundantly couple an existing HIPER ring, MRP ring,
or Fast HIPER ring to another network or another ring. Verify that the coupling partners are
Hirschmann devices.
Note: With two-switch coupling, verify that you have configured a HIPER ring, MRP ring, or Fast
HIPER ring before configuring the Ring/Network Coupling function.
In the Ring/Network Coupling dialog, you can perform the following tasks:
 display an overview of the existing Ring/Network Coupling
 configure a Ring/Network Coupling
 create a new Ring/Network Coupling
 delete Ring/Network Coupling
 enable/disable Ring/Network Coupling
When configuring the coupling ports, specify the following settings in the Basic Settings > Port dialog:
Port type   Bit rate     Automatic configuration   Port on   Manual configuration
TX          100 Mbit/s   unmarked                  marked    100 Mbit/s FDX
TX          1 Gbit/s     –                         marked    –
Optical     100 Mbit/s   unmarked                  marked    100 Mbit/s FDX
Optical     1 Gbit/s     –                         marked    –
Note: The operating modes of the port actually available depend on the device configuration.
If you configured VLANs, then note the VLAN configuration of the coupling and partner coupling
ports. In the Ring/Network Coupling configuration, select the following values for the coupling and
partner coupling ports:
 VLAN ID 1 and Ingress filtering disabled in the port table
 VLAN membership T in the VLAN Configuration table
Independently of the VLAN settings, the device sends the ring coupling frames with VLAN ID 1 and
priority 7. Verify that the device sends VLAN 1 frames tagged in the local ring and in the connected
network. Tagging the VLAN frames maintains the priority of the ring coupling frames.
The Ring/Network Coupling function operates with test packets. The devices send their test packets
VLAN-tagged, including the VLAN ID 1 and the highest VLAN priority 7. If the forwarding port is an
untagged member in VLAN 1, then the device also sends test packets.
Operation
Operation
Enables/disables the Ring/Network Coupling function.
Possible values:
 On
The Ring/Network Coupling function is enabled.
 Off (default setting)
The Ring/Network Coupling function is disabled.
Mode
Type
Specifies the method used to couple the networks together.
Possible values:
 one-switch coupling
Lets you specify the port settings in the Coupling port and Partner coupling port frames.
 two-switch coupling, master
Lets you specify the port settings in the Coupling port frame.
 two-switch coupling, slave
Lets you specify the port settings in the Coupling port frame.
 two-switch coupling with control line, master
Lets you specify the port settings in the Coupling port and Control port frames.
 two-switch coupling with control line, slave
Lets you specify the port settings in the Coupling port and Control port frames.
Coupling port
Port
Specifies the port to which you connect the redundant link.
Possible values:
 No port selected.
 <Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.
To help prevent continuous loops, the device disables the coupling port in the following cases:
 disabling the function
 changing the configuration while the connections are operating on the ports
When the device has disabled the coupling port, the Port on checkbox is unmarked in the Basic
Settings > Port dialog, Configuration tab.
State
Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.
Partner coupling port
Port
Specifies the port on which you connect the partner port.
Possible values:
 No port selected.
 <Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.
State
Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.
IP address
Displays the IP address of the partner, when the devices are connected.
The prerequisite is that you select a two-switch coupling method and enable the partner in the
network.
Control port
Port
Displays the port on which you connect the control line.
Possible values:
 No port selected.
 <Port number>
State
Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.
Configuration
Redundancy mode
Enables/disables the device to respond to a failure in the remote ring or network.
Possible values:
 redundant ring/network coupling
Either the main line or the redundant line is active. Both lines are not active simultaneously. If
the device detects that the link is down between the devices in the connected network, then the
standby device keeps the redundant port in the standby mode.
 extended redundancy
The main line and the redundant line are active simultaneously. If the device detects a problem
in the connection between the devices in the connected network, then the standby device
forwards data on the redundant port. With the setting you can maintain continuity in the remote
network.
Note: During the reconfiguration period, packet duplications can occur. Therefore, if your
application is able to detect packet duplications, then you can select this setting.
Coupling mode
The settings in this frame allow you to couple a specific type of network.
Possible values:
 ring coupling
The device couples redundant rings. The device lets you couple rings that use the following
redundancy protocols:
– HIPER ring
– Fast HIPER ring
– MRP ring
 network coupling
The device couples network segments. The function lets you couple mesh and bus networks
together.
Information
Redundancy available
Displays whether or not the redundancy is available.
When a component of the ring is down, the redundant line takes over its function.
Possible values:
 redGuaranteed
The redundancy is available.
 redNotGuaranteed
The redundancy is unavailable.
Configuration failure
You have configured the function incorrectly, or there is no ring port connection.
Possible values:
 noError
 slaveCouplingLinkError
The coupling line is not connected to the coupling port of the slave device. Instead, the coupling
line is connected to another port of the slave device.
 slaveControlLinkError
The control port of the slave device has no data link.
 masterControlLinkError
The control line is not connected to the control port of the master device. Instead, the control
line is connected to another port of the master device.
 twoSlaves
The control line connects two slave devices.
 localPartnerLinkError
The partner coupling line is not connected to the partner coupling port of the slave device.
Instead, the partner coupling line is connected to another port of the slave device in one-switch
coupling mode.
 localInvalidCouplingPort
In one-switch coupling mode, the coupling line is not connected on the same device as the
partner line. Instead, the coupling line is connected to another device.
 couplingPortNotAvailable
The coupling port is not available because the module to which the port refers is not available
or the port does not exist on this module.
 controlPortNotAvailable
The control port is not available because the module to which the port refers is not available or
the port does not exist on this module.
 partnerPortNotAvailable
The partner coupling port is not available because the module to which the port refers is not
available or the port does not exist on this module.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Disables the redundancy function and resets the parameters in the dialog to the default setting.
5.9.9.3 Redundant Coupling Protocol
[ Switching > L2-Redundancy > FuseNet > RCP ]
A ring topology provides short transition times with a minimal use of resources. However, to couple
these rings redundantly to a higher-level network is more of a challenge.
When you want to use a standard protocol such as MRP for the ring redundancy and RSTP to
couple the rings together, the Redundant Coupling Protocol helps provide options for you.
Do not use the following redundancy procedures and settings together on the ports of the RCP
primary and secondary ring:
 Sub Ring
 Ring/Network Coupling
Operation
Operation
Enables/disables the RCP function.
Possible values:
 On
The RCP function is enabled.
 Off (default setting)
The RCP function is disabled.
Primary ring/network / Secondary ring/network
If the device operates as slave (value in the Role field is slave), then do not activate the Static query
port mode for the ports on the secondary ring/network.
Inner port
Specifies the inner port number in the primary ring. The port is directly connected to the partner
bridge.
Possible values:
 - (default setting)
No port selected.
 <Port number>
Outer port
Specifies the outer port number in the primary ring.
Possible values:
 - (default setting)
No port selected.
 <Port number>
Coupler configuration
Role
Specifies the role of the local device.
Possible values:
 master
The device operates as master.
 slave
The device operates as slave.
 auto (default setting)
The device automatically selects its role as master or slave.
Current role
Displays the current role of the local device. The value can be different from the configured role:
 If you configured both partner bridges as auto, then the partner bridge that is currently coupling
the instances takes the master role. The other partner bridge takes the slave role.
 If both partner bridges are configured as master or both as slave, then the partner bridge with
the smaller Basis MAC address takes the master role.
The other partner bridge takes the slave role.
 If the protocol is started and the partner bridge cannot be found for a bridge in the configured
role master, slave or auto, then the bridge sets its own role to listening.
 If the device detects a configuration problem, for example, the inner ring ports are connected
crosswise, then the device sets its role to error.
Timeout [ms]
Specifies the maximum time, in milliseconds, during which the slave device waits for test packets
from the master device on the outer ports before the slave device takes over the coupling. This only
applies in the state in which both inner ports of the slave device have lost the connection to the
master device.
Configure the timeout longer than the longest assumable interruption time for the redundancy
protocol of the faster instance. Otherwise, loops can occur.
Possible values:
 5..60000 (default setting: 250 )
Partner MAC address
Displays the basic MAC address of the partner device.
Partner IP address
Displays the IP address of the partner device.
Coupling state
Displays the coupling state of the local device.
Possible values:
 forwarding
The coupling state of the port is forwarding.
 blocking
The coupling state of the port is blocking.
Redundancy state
Displays whether or not the redundancy is available.
For a master-slave configuration, both bridges display this information.
Possible values:
 redAvailable
The redundancy is available.
 redNotAvailable
The redundancy is unavailable.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6 Routing
The menu contains the following dialogs:
 Routing Global
 Routing Interfaces
 ARP
 Router Discovery
 RIP
 Open Shortest Path First
 Routing Table
 Tracking
 L3 Relay
 Loopback Interface
 Multicast Routing
 L3-Redundancy
 NAT
6.1 Routing Global
[ Routing > Global ]
The Routing menu lets you specify the Routing functions settings for transmitting data on Layer 3 of
the ISO/OSI layer model.
For security reasons, the following functions are permanently disabled in the device:
 ICMP Redirects
ICMP redirect data packets are able to modify the routing table. The device generally ignores
received ICMP redirect data packets. The settings in the Routing > Interfaces > Configuration
dialog, column ICMP redirects, have an effect only on the sending of ICMP redirect data packets.
In accordance with RFC 2644, the device does not exchange any broadcast data packets from
external networks in a local network. This behavior supports you in protecting the devices in the
local network against overloading, for example due to so-called smurf attacks.
This dialog lets you enable the routing function in the device and specify further settings.
Operation
Operation
Enables/disables the Routing function in the device.
Possible values:
 On
The Routing function is enabled.
Also activate the routing function on the router interfaces. See the Routing > Interfaces >
Configuration dialog.
 Off (default setting)
The Routing function is disabled.
Routing profile
In the Routing profile frame, you have the option of selecting a routing profile containing specific
router settings.
Next routing profile
Specifies the routing profile that the device loads and applies upon the next restart.
A routing profile contains association settings for the internal resources (unicast routes, multicast
routes, next-hop table / ARP table). By selecting a preset routing profile you have the option of
operating the router with settings especially adapted to your intended use.
Possible values:
 default
Sets the preset value for the device.
 ipv4RoutingDefault (default setting)
 ipv4RoutingUnicast
When you position the mouse pointer over one of the values, a bubble help displays the association
settings used in the routing profile.
Current routing profile
Displays the routing profile that the device loaded during the last restart and is currently applied.
ICMP filter
In the ICMP filter frame, you have the option of limiting the transmission of ICMP messages on the
set up router interfaces. A limitation is meaningful for several reasons:
• A large number of “ICMP Error” messages influences the router performance and reduces the
available network bandwidth.
• Malicious senders use “ICMP Redirect” messages to perform man-in-the-middle attacks or to
divert data packets through a “black hole” for the purpose of supervision or denial-of-service
(DoS).
• “ICMP Echo Reply” messages are ping responses which can be misused to discover vulnerable
devices and routers in the network.
Send echo reply
Activates/deactivates the responding to pings on the router interfaces.
Possible values:
 marked (default setting)
Responding to pings is active.
The device reacts to received “IPv4 Echo Requests” and responds with an “ICMP Echo Reply”
message.
 unmarked
Responding to pings is inactive.
Send redirects
Activates/deactivates the sending of “ICMP Redirect” messages on the router interfaces.
Possible values:
 marked (default setting)
The sending of “ICMP Redirect” messages is active.
In the Routing > Interfaces > Configuration dialog, you have the option of individually activating the
sending on every router interface. See the ICMP redirects function.
 unmarked
The sending of “ICMP Redirect” messages is inactive.
This setting helps prevent the multiplication of data packets, if both hardware and software
functions of the device forward a copy of the same data packet.
Rate limit interval [ms]
Specifies the time window in milliseconds in which the device sends the number of “ICMP error
message” type data packets specified in the Rate limit burst size field.
Possible values:
 0..2147483647 (default setting: 1000)
Rate limit burst size
Specifies the number of “ICMP Error” messages that the device sends in the time window specified
in the Rate limit interval [ms] field.
The limitation contains every “ICMP Error” message on the router interfaces that are set up.
Possible values:
 1..200 (default setting: 100)
The device lets you specify the limitation for a time window of any size desired. In the default
setting, the device sends 100 data packets per 1000 ms. You obtain the same result but with a finer
granularity using the following settings:
• Rate limit interval [ms]=100
Rate limit burst size=10
or
• Rate limit interval [ms]=10
Rate limit burst size=1
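What "finer granularity" means for the three settings above, as an added example that is not part of the manual. The fixed-window model is an assumption (the manual does not describe the device's algorithm), and the flood is constructed input.

```python
from collections import Counter


def sent_times(event_times_ms, interval_ms, burst_size):
    """Times at which an "ICMP Error" message leaves the router.

    Assumed model (the manual does not describe the algorithm): time is cut
    into windows of interval_ms, and each window lets at most burst_size
    messages through; the remainder is dropped.
    """
    if interval_ms <= 0:
        # The dialog accepts 0, but the manual does not say what 0 means.
        raise ValueError("model needs interval_ms > 0")
    if not 1 <= burst_size <= 200:
        raise ValueError("Rate limit burst size must be in 1..200")
    sent, window, used = [], None, 0
    for t in sorted(event_times_ms):
        w = t // interval_ms
        if w != window:          # a new window starts with a fresh budget
            window, used = w, 0
        if used < burst_size:
            used += 1
            sent.append(t)
    return sent


def profile(event_times_ms, interval_ms, burst_size, span_ms, slice_ms=10):
    """Total sent, worst burst per slice_ms, and longest silence in span_ms."""
    sent = sent_times(event_times_ms, interval_ms, burst_size)
    per_slice = Counter(t // slice_ms for t in sent)
    edges = sent + [span_ms]
    longest_gap = max((b - a for a, b in zip(edges, edges[1:])), default=span_ms)
    return {
        "sent": len(sent),
        "peak_per_slice": max(per_slice.values(), default=0),
        "longest_silence_ms": longest_gap,
    }


# Constructed input: two error-triggering packets every millisecond for 1 s.
FLOOD = [t for t in range(1000) for _ in range(2)]

# (Rate limit interval [ms], Rate limit burst size) as listed in the manual.
SETTINGS = [(1000, 100), (100, 10), (10, 1)]


def compare():
    """Profile the same flood under each of the three settings."""
    return {s: profile(FLOOD, *s, span_ms=1000) for s in SETTINGS}


if __name__ == "__main__":
    for (interval, burst), result in compare().items():
        print(f"interval={interval:>4} ms burst={burst:>3} -> {result}")
```

All three settings send 100 messages per second under this model. The default spends the whole budget in the first 50 ms and then stays silent for 951 ms, while 10 ms/1 sends one message every 10 ms, so legitimate error messages later in the second still get out.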
Configuration
File transfer source interface
Specifies the interface whose IP address the device uses as source IP address for the following file
transfers:
• FTP
• SCP
• SFTP
• TFTP
Possible values:
 none (default setting)
 <Port number>
Source routing
Activates/deactivates the Source routing function.
The Source routing function lets the sender of a data packet determine its route through the network.
This can lead to an unavoidable security issue. If a sniffer inserts its IP address into the data
packets, then it can redirect the data packets to its host.
Possible values:
 marked
The Source routing function is active.
The device forwards packets which contain Source routing information. If the device is the
receiver specified in a packet, the device accepts the packet.
 unmarked (default setting)
The Source routing function is inactive.
The device neither forwards nor accepts packets which contain Source routing information.
Information
Default TTL
Displays the fixed TTL value 64 which the device adds to IP packets that the device management
sends.
TTL (Time To Live, also known as “Hop Count”) identifies the maximum number of steps an IP
packet is allowed to perform on the way from the sender to the receiver. Every router on the
transmission path reduces the value in the IP packet by 1. If a router receives a data packet with
the TTL value 1, then the router discards the IP packet. The router reports to the source that it has
discarded the IP packet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.2 Routing Interfaces
[ Routing > Interfaces ]
This menu lets you specify the settings for the router interfaces.
The menu contains the following dialogs:
 Routing Interfaces Configuration
6.2.1 Routing Interfaces Configuration
[ Routing > Interfaces > Configuration ]
This dialog lets you specify the settings for the router interfaces.
To set up a port-based router interface, edit the table entries. To set up a VLAN-based router
interface, use the Wizard window.
Table
Port
Displays the number of the port or VLAN belonging to the router interface.
Name
Name of the port.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
The following characters are allowed:
– <space>
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\\]^_`{}~
Port on
Activates/deactivates the port.
Possible values:
 marked (default setting)
The port is active.
 unmarked
The port is inactive. The port does not send or receive any data.
Port status
Displays the operating state of the port.
Possible values:
 marked
The port is enabled.
 unmarked
The port is disabled.
IP address
Specifies the IP address for the router interface.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Verify that the IP subnet of the router interface is not overlapping with any subnet connected to
another interface of the device:
• management port
• router interface
• loopback interface
Netmask
Specifies the netmask for the router interface.
Possible values:
 Valid IPv4 netmask (default setting: 0.0.0.0)
Routing
Activates/deactivates the Routing function on the router interface.
Possible values:
 marked
The Routing function is active.
– With port-based routing, the device transforms the port into a router interface.
Enabling the Routing function removes the port from the VLANs in which it was previously a
member. Disabling the Routing function does NOT reestablish the assignment; the port is not
a member of any VLAN.
– With VLAN-based routing, the device forwards the data packets in the related VLAN.
 unmarked (default setting)
The Routing function is inactive.
With VLAN-based routing, the device is still reachable through the router interface if the IP
address and netmask have been configured for the router interface.
Proxy ARP
Activates/deactivates the Proxy ARP function on the router interface. This feature lets you connect
devices from other networks as if these devices could be reached in the same network.
Possible values:
 marked
The Proxy ARP function is active.
The device responds to ARP requests from end devices that are located in other networks.
 unmarked (default setting)
The Proxy ARP function is inactive.
Netdirected broadcasts
Activates/deactivates the forwarding of netdirected broadcasts to the connected subnet on the
router interface.
Possible values:
 marked
Forwarding is active.
The router interface forwards netdirected broadcasts to the connected subnet. If the subnet has
a direct connection to the Internet, then this setting increases the vulnerability to Denial of
Service (DoS) attacks.
 unmarked (default setting)
Forwarding is inactive.
MTU value
Specifies the maximum allowed size of IP packets on the router interface in bytes.
Possible values:
 0
Restores the default value (1500).
 68..12266 (default setting: 1500)
The prerequisite is that on the ports belonging to the router interface you specify the maximum
allowed size of Ethernet packets at least 18 bytes larger than specified here. See the Basic
Settings > Port dialog, MTU column.
ICMP unreachables
Activates/deactivates the sending of “ICMP Destination Unreachable” messages on the router
interface.
Possible values:
 marked (default setting)
The router interface sends “ICMP Destination Unreachable” messages.
 unmarked
The router interface does not send “ICMP Destination Unreachable” messages.
ICMP redirects
Activates/deactivates the sending of “ICMP Redirect” messages on the router interface.
Possible values:
 marked (default setting)
The router interface sends “ICMP Redirect” messages.
The prerequisite is that you activate the Send redirects function in the device. See the Routing >
Global dialog.
 unmarked
The router interface does not send “ICMP Redirect” messages.
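The checks this dialog asks you to perform by hand (non-overlapping subnets, the 18-byte MTU prerequisite, netdirected broadcasts, the global prerequisite for redirects) can be run offline against an exported settings list. The following is an added example, not Hirschmann code; the field names, interface names and addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ETHERNET_OVERHEAD = 18  # bytes by which the port MTU must exceed the router-interface MTU


@dataclass
class Interface:
    """One row of settings; field names are hypothetical, not HiOS identifiers."""
    name: str
    ip_address: str = "0.0.0.0"
    netmask: str = "0.0.0.0"
    netdirected_broadcasts: bool = False
    icmp_redirects: bool = True
    mtu: int = 1500        # MTU value of the router interface (IP packet size)
    port_mtu: int = 1518   # MTU column of the Basic Settings > Port dialog

    def subnet(self):
        """Connected subnet, or None while the address is still the default 0.0.0.0."""
        if self.ip_address == "0.0.0.0":
            return None
        return ipaddress.ip_interface(f"{self.ip_address}/{self.netmask}").network


def audit(interfaces, send_redirects_global=True):
    """Return a list of (interface name, finding code, detail) tuples."""
    findings = []
    addressed = [(i, i.subnet()) for i in interfaces if i.subnet() is not None]
    # Pairwise overlap check across management port, router and loopback interfaces.
    for pos, (first, net_a) in enumerate(addressed):
        for second, net_b in addressed[pos + 1:]:
            if net_a.overlaps(net_b):
                findings.append((second.name, "subnet-overlap",
                                 f"{net_b} overlaps {net_a} on {first.name}"))
    for i in interfaces:
        if i.netdirected_broadcasts:
            findings.append((i.name, "netdirected-broadcasts",
                             "forwarding is active; raises DoS exposure if the "
                             "subnet has a direct Internet connection"))
        if i.port_mtu < i.mtu + ETHERNET_OVERHEAD:
            findings.append((i.name, "mtu-prerequisite",
                             f"port MTU {i.port_mtu} < {i.mtu} + {ETHERNET_OVERHEAD}"))
        if i.icmp_redirects and not send_redirects_global:
            findings.append((i.name, "redirects-without-global",
                             "ICMP redirects marked, but Send redirects is off globally"))
    return findings


# Constructed sample settings, not taken from a real device.
SAMPLE = [
    Interface("mgmt", "192.168.1.10", "255.255.255.0"),
    Interface("1/1", "10.0.1.1", "255.255.255.0", netdirected_broadcasts=True),
    Interface("1/2", "10.0.1.129", "255.255.255.128", mtu=9000, port_mtu=9000),
    Interface("lo/1"),  # still at the default address, so it is skipped for overlap
]

if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE):
        print(f"{name:5} {code:26} {detail}")
```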
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
In the VLAN ID field, you specify the ID of the VLAN.
[Configure VLAN router interface (Wizard)]
This Wizard window lets you set up a VLAN-based router interface.
 To set up a router interface from a VLAN already set up, highlight a VLAN in the table.
 To set up a router interface from a new VLAN, specify at the bottom of the VLAN ID field the ID
of the new VLAN.
After closing the Wizard window, click the
button to save your settings.
[Configure VLAN router interface (Wizard) – Create or select VLAN]
Table
VLAN ID
Displays the ID of the VLANs set up in the device.
Name
Displays the name of the VLANs set up in the device.
Area under the table
VLAN ID
Specifies the ID of a VLAN that the Wizard window specifies for you.
Possible values:
 1..4042
[Configure VLAN router interface (Wizard) – Setup VLAN]
Area above the table
VLAN ID
Displays the ID of the VLAN that you have marked or specified on the Create or select VLAN page.
Name
Specifies the name of the VLAN.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
(0x20..0x7E) including space characters
This setting overwrites the setting specified for the port in the Switching > VLAN > Configuration dialog.
Table
Port
Displays the port number.
Member
Activates/deactivates the VLAN membership of the port.
As a VLAN member, the port belongs to the router interface to be set up. This setting overwrites the
setting for the port specified in the Switching > VLAN > Configuration dialog.
Possible values:
 marked
The port is a member of the VLAN.
 unmarked
The port is not a member of the VLAN.
Untagged
Activates/deactivates the transmission of data packets with a VLAN tag on the port. This setting
overwrites the setting for the port specified in the Switching > VLAN > Configuration dialog.
Possible values:
 marked
The port transmits the data packets without a VLAN tag.
Use this setting if the connected device does not evaluate any VLAN tags, for example on end
ports.
 unmarked
The port transmits the data packets with a VLAN tag.
Port-VLAN ID
Specifies the ID of the VLAN which the device assigns to data packets without a VLAN tag. This
setting overwrites the setting for the port specified in the Switching > VLAN > Port dialog, column Port-VLAN ID.
Possible values:
 ID of a VLAN you set up (default setting: 1)
[Configure VLAN router interface (Wizard) – Setup virtual router port]
When you assign ports to the router interface that already transmit data packets in other VLANs,
the device displays a message upon closing the Wizard window:
 If you click the Yes button, then the related ports transmit the data packets from now on only in
the router VLAN.
In the Switching > VLAN > Configuration dialog, the related ports in the row of the router VLAN have
the value U or T, in the rows of other VLANs the value –.
 If you click the No button, then the related ports transmit the data packets in the router VLAN
and in other VLANs. This setting possibly causes undesired behavior.
Primary address
Address
Specifies the primary IP address for the router interface.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Netmask
Specifies the primary netmask for the router interface.
Possible values:
 Valid IPv4 netmask (default setting: 0.0.0.0)
6.3 ARP
[ Routing > ARP ]
The Address Resolution Protocol (ARP) learns the MAC address that belongs to an IP address.
The menu contains the following dialogs:
 ARP Global
 ARP Current
 ARP Static
6.3.1 ARP Global
[ Routing > ARP > Global ]
This dialog lets you set the ARP parameters and view statistical values.
Configuration
Aging time [s]
Specifies the time in seconds after which the device removes an entry from the ARP table.
When data is exchanged with the associated device within this time period, the timer starts
again from the beginning.
Possible values:
 15..21600 (default setting: 1200)
Response timeout [s]
Specifies the time in seconds that the device waits for a response before it considers the query
to have failed.
Possible values:
 1..10 (default setting: 1)
Retries
Specifies how many times the device repeats a failed query before it discards the query to this
address.
Possible values:
 0..10 (default setting: 4)
Dynamic renew
Activates/deactivates the query to a device if the aging time is exceeded.
Possible values:
 marked
The query is activated.
The device sends a new query to a device when its entry has exceeded the aging time. When
the query remains unanswered, the device removes the entry from the ARP table.
 unmarked (default setting)
The query is deactivated.
Selective learning
Activates or deactivates the learning of the IP/MAC address assignment of the sender.
Possible values:
 marked (default setting)
Learning is activated.
The device learns the IP/MAC address assignment of transmitting equipment only if the ARP
query was addressed to the address of the device itself.
 unmarked
Learning is deactivated.
The device learns the IP/MAC address assignment of transmitting devices by evaluating the
received ARP queries.
This does away with time-consuming ARP queries before the device forwards data packets to
unknown devices.
On the other hand, the device is vulnerable to “ARP cache poisoning” and also learns
unnecessary ARP entries, such as from devices that communicate only in the local network.
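A small model of the two Selective learning settings, added here as an illustration and not taken from HiOS: it replays the same constructed ARP queries against a table with the setting marked and unmarked, so you can see which entries are learned and when an existing IP/MAC assignment is replaced. The class, the addresses and the outcome labels are assumptions of this example.

```python
from collections import namedtuple

# One received ARP query: who is asking (sender) and which address is asked for (target).
ArpQuery = namedtuple("ArpQuery", "sender_ip sender_mac target_ip")


class ArpTable:
    """Toy model of the learning policy described above; not the device's implementation."""

    def __init__(self, own_ips, selective_learning=True, aging_time=1200):
        self.own_ips = set(own_ips)
        self.selective_learning = selective_learning
        self.aging_time = aging_time      # seconds, default as in "Aging time [s]"
        self.entries = {}                 # ip -> (mac, time of last update)
        self.peak = 0                     # highest number of entries seen so far

    def receive(self, query, now):
        """Apply one ARP query; return 'ignored', 'learned', 'refreshed' or 'changed'."""
        if self.selective_learning and query.target_ip not in self.own_ips:
            return "ignored"              # query was not addressed to the device itself
        previous = self.entries.get(query.sender_ip)
        self.entries[query.sender_ip] = (query.sender_mac, now)
        self.peak = max(self.peak, len(self.entries))
        if previous is None:
            return "learned"
        # 'changed' means a known IP is now bound to a different MAC: worth an alert.
        return "refreshed" if previous[0] == query.sender_mac else "changed"

    def age_out(self, now):
        """Remove entries not updated within the aging time; return the removed IPs."""
        expired = [ip for ip, (_, seen) in self.entries.items()
                   if now - seen >= self.aging_time]
        for ip in expired:
            del self.entries[ip]
        return expired


# Constructed queries seen on a router interface whose own address is 10.0.1.1.
QUERIES = [
    ArpQuery("10.0.1.20", "02:00:00:00:00:20", "10.0.1.1"),   # host asks for the router
    ArpQuery("10.0.1.30", "02:00:00:00:00:30", "10.0.1.20"),  # purely local conversation
    ArpQuery("10.0.1.20", "02:00:00:00:00:99", "10.0.1.30"),  # conflicting MAC for a known IP
]


def replay(queries, selective_learning):
    """Feed the queries to a fresh table, one per second; return (table, outcomes)."""
    table = ArpTable(own_ips=["10.0.1.1"], selective_learning=selective_learning)
    outcomes = [table.receive(query, now) for now, query in enumerate(queries)]
    return table, outcomes


if __name__ == "__main__":
    for setting in (True, False):
        table, outcomes = replay(QUERIES, setting)
        print("selective learning", "marked" if setting else "unmarked", outcomes)
        for ip, (mac, _) in sorted(table.entries.items()):
            print("   ", ip, mac)
```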
Information
Current entries total
Displays the number of entries that the ARP table currently contains.
Entries (max.)
Displays how many entries the ARP table can contain at a maximum.
Total entry peaks
Displays how many entries the ARP table has already contained at a maximum.
When you reset the ARP table, the counter is reset to the value 0. See the Reset ARP table button
in the Routing > ARP > Current dialog.
Current static entries
Displays the number of statically configured entries the ARP table currently contains. See the
Routing > ARP > Static dialog.
Static entries (max.)
Displays the number of statically configured entries the ARP table can contain at a maximum.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.3.2 ARP Current
[ Routing > ARP > Current ]
This dialog lets you view the ARP table and delete the dynamically configured entries.
Table
Port
Displays the router interface on which the device has learned the IP/MAC address assignment.
IP address
Displays the IP address of the device that responded to an ARP query on this router interface.
MAC address
Displays the MAC address of the device that responded to an ARP query on this router interface.
Last updated
Displays the time in seconds since the current settings of the entry were registered in the ARP
table.
Type
Displays the way in which the ARP entry was set up.
Possible values:
 dynamic
Dynamically configured entry.
When no traffic with the associated device takes place by the end of the aging time, the device
removes this entry from the ARP table.
You specify the aging time in the Routing > ARP > Global dialog, field Aging time [s].
 static
Statically configured entry.
When you remove the dynamically configured addresses from the ARP table using the Reset
ARP table button, the entry remains.
 local
Identifies the IP/MAC address assignment of the router interface.
 invalid
Invalid entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset ARP table
Removes the dynamically set up addresses from the ARP table.
6.3.3 ARP Static
[ Routing > ARP > Static ]
This dialog lets you add to the ARP table IP/MAC address assignments that you have specified
yourself.
Table
IP address
Displays the IP address that the device assigns to the adjacent MAC address.
MAC address
Displays the MAC address that the device assigns to the adjacent IP address.
Port
Displays the router interface to which the device applies the IP/MAC address assignment.
Possible values:
 <Router interface>
The device applies the IP/MAC address assignment to this router interface.
 no port
The IP/MAC address assignment is currently not assigned to a router interface.
Active
Displays whether the IP/MAC address assignment is active or inactive.
Possible values:
 marked
The IP/MAC address assignment is active. The ARP table of the device contains the IP/MAC
address assignment as a static entry.
 unmarked (default setting)
The IP/MAC address assignment is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
In the IP address field, you specify the IP address that the device assigns to the adjacent MAC
address.
[ARP (Wizard)]
The Wizard window lets you add to the ARP table IP/MAC address assignments that you have
specified yourself. The prerequisite is that at least one router interface is set up.
[ARP (Wizard) – Edit ARP table ]
 In the fields under the table, specify the IP address and the associated MAC address.
 To insert the IP/MAC address assignment into the table on the top, click the Add button.
 After closing the Wizard window, specify in the Port column the router interface. Then enable in
the Active column the IP/MAC address assignment.
After closing the Wizard window, click the
button to save your settings.
Table
IP address
Specifies the IP address.
Possible values:
 Valid IPv4 address
MAC address
Specifies the MAC address.
Possible values:
 Valid MAC address
6.4 Router Discovery
[ Routing > Router Discovery ]
The ICMP Router Discovery Protocol (IRDP), described in RFC 1256, lets end devices determine
the addresses of the routers available in a subnet.
The router sends advertisements to identify itself as a router to the end devices.
End devices that support IRDP update their routing table after receiving an advertisement. If a
standard gateway was previously entered, then the address learned with the advertisement has a
lower priority in the routing table.
Table
Port
Displays the router interface to which the setting applies.
Advertise mode
Activates/deactivates the router discovery function on the router interface.
Possible values:
 marked
The router discovery function is active. The device sends advertisements on the router interface.
 unmarked (default setting)
The router discovery function is inactive.
Advertise address
Specifies the destination to which the device sends advertisements.
Possible values:
 Broadcast
The device sends advertisements to the broadcast address 255.255.255.255.
 Multicast (default setting)
The device sends advertisements to the multicast address 224.0.0.1.
Min. advertisement interval [s]
Specifies the minimum period in seconds after which the device sends another advertisement.
Possible values:
 3..1800 (default setting: 450)
Max. advertisement interval [s]
Specifies the maximum period in seconds after which the device sends another advertisement. The
prerequisite is that the value is greater than or equal to the value specified in the Min. advertisement
interval [s] column.
Possible values:
 4..1800 (default setting: 600)
Advertisement lifetime [s]
Specifies the validity period for the advertisements in seconds. The prerequisite is that the value is
greater than or equal to the value specified in the Max. advertisement interval [s] column.
Possible values:
 4..9000 (default setting: 1800)
Preference level
Specifies the key figure that an end device uses to decide which gateway to the destination network
to use when multiple routers in the subnet identify themselves through IRDP.
Possible values:
 0..2147483647 (default setting: 0)
The higher the specified value, the greater the probability that an end device will use the device
as a gateway.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.5 RIP
[ Routing > RIP ]
The Routing Information Protocol (RIP) as specified in RFC 2453 is a routing protocol based on the
distance vector algorithm using a hop count as the metric to determine the path from source to
destination. You use RIP for the dynamic creation of the routing table.
RIP uses 2 types of packets to communicate with its neighbors: request packets and response
packets. When you first start RIP, the router transmits a request packet out of the RIP-enabled
interfaces. Routers on which RIP is active transmit response packets back to the request originator.
The response packets contain the routing table of each router. The routes transmitted in the
response packets include the network address and metric.
RIP uses routing by rumor to update the routing tables. Routing by rumor means that the router only
exchanges routing information with its neighbors.
The dialog contains the following tabs:
 [Configuration]
 [Route redistribution]
 [Statistics]
[Configuration]
In this tab, you enter both general settings and settings for each port for the routing information
protocol.
Operation
Operation
Enables/disables the RIP function on this router.
Possible values:
 On
The RIP function is enabled.
 Off (default setting)
The RIP function is disabled.
Configuration
Auto-summary mode
Activates/deactivates the auto summary mode.
Possible values:
 marked (default setting)
The device combines, or summarizes, routes advertised by a RIP router into aggregates whenever
possible. Summarizing the routes reduces the amount of routing information in the routing
table.
 unmarked
The function is inactive.
Host routes accept mode
Activates/deactivates the host routes accept mode. When you activate the function, RIP lets you
specify the host routes.
Possible values:
 marked (default setting)
The device enters (learns) the host routes with a 32-bit netmask advertised to this RIP router
into its routing table.
 unmarked
The function is inactive.
Advertise default route
Activates/deactivates the propagation of the default routes learned from other protocols.
Possible values:
 marked
The device advertises the default routes learned from other protocols to its neighbors.
 unmarked (default setting)
The function is inactive.
Split horizon
Activates/deactivates the split horizon mode. You use the split horizon mode to help avoid the
count-to-infinity issue.
Possible values:
 none
Disables split horizon.
 simple (default setting)
Simple split horizon omits the entries known by a neighbor when sending the routing table to
this neighbor.
 poisonReverse
The Poison Reverse split horizon sends the routing table to a neighbor with the entries known
by this neighbor, but denotes these entries with the infinity metric.
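How the three Split horizon values affect the count-to-infinity issue, as an added simulation that is not part of the manual or of HiOS: two routers A and B share one link, A has just lost a directly connected network, and B still holds the stale route through A. The prefix, the link names and the synchronous-round model are assumptions of this example; the infinity metric 16 is the RIP value from RFC 2453.

```python
INFINITY = 16                      # RIP metric that means "unreachable"
PREFIX = "10.9.0.0/16"             # constructed network behind router A
MODES = ("none", "simple", "poisonReverse")


def advertise(table, out_link, mode):
    """Metrics a router sends on out_link; table maps prefix -> (metric, learned_on)."""
    if mode not in MODES:
        raise ValueError(f"unknown split horizon mode: {mode}")
    update = {}
    for prefix, (metric, learned_on) in table.items():
        if learned_on == out_link:
            if mode == "simple":
                continue           # omit entries the neighbor already knows
            if mode == "poisonReverse":
                metric = INFINITY  # send them, but marked unreachable
        update[prefix] = metric
    return update


def receive(table, update, in_link):
    """Apply a neighbor's update using the usual distance-vector acceptance rule."""
    for prefix, metric in update.items():
        new_metric = min(metric + 1, INFINITY)
        current = table.get(prefix)
        # Accept a better route, or any news from the router we already route through.
        if current is None or new_metric < current[0] or current[1] == in_link:
            table[prefix] = (new_metric, in_link)


def rounds_until_withdrawn(mode, max_rounds=50):
    """Count update rounds until both routers agree that PREFIX is unreachable."""
    router_a = {PREFIX: (INFINITY, "lan")}      # A just lost its connected network
    router_b = {PREFIX: (2, "link-ab")}         # B still holds the stale route via A
    for round_no in range(1, max_rounds + 1):
        to_b = advertise(router_a, "link-ab", mode)
        to_a = advertise(router_b, "link-ab", mode)
        receive(router_b, to_b, "link-ab")
        receive(router_a, to_a, "link-ab")
        if router_a[PREFIX][0] == INFINITY and router_b[PREFIX][0] == INFINITY:
            return round_no
    return None


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:14} rounds until withdrawn: {rounds_until_withdrawn(mode)}")
```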
Default metric
Specifies the default metric of redistributed routes.
Possible values:
 0 (default setting)
No default metric. RIP propagates the route with metric 1.
 1..15
Update interval [s]
Specifies the time interval at which the router transfers the entire content of the routing table to the
RIP neighbors.
The router sets other RIP timers accordingly:
• Timeout
6 x update interval
• Garbage Collection
10 x update interval
Possible values:
 0..1000 (default setting: 30)
Values below 10 seconds cause an increased network load in larger networks.
Preference
Specifies the "administrative distance" of the route.
The device uses this value instead of the metric when the metrics of the routes are not comparable.
Possible values:
 1..254 (default setting: 120)
In routing decisions, the device gives preference to the route with the smallest value.
 255
In routing decisions, the device ignores the route.
Table
Port
Displays the router interface number.
Active
Activates/deactivates RIP on this router interface.
Send version
Specifies the RIP version that the router uses on this router interface to send RIP information.
Possible values:
 doNotSend
RIP does not send any routing information.
 ripVersion1
RIP sends information with version 1 as a broadcast.
 rip1Compatible
RIP sends information with version 2 as a broadcast.
 ripVersion2 (default setting)
RIP sends information with version 2 as a multicast.
Receive version
Specifies the RIP version that the device accepts on the receiver side.
Possible values:
 rip1
RIP accepts RIP V1 packets.
 rip2
RIP accepts RIP V2 packets.
 rip1OrRip2 (default setting)
RIP accepts RIP V1 and V2 packets.
 doNotRecieve
The device rejects RIP information.
Authentication
Specifies the type of authentication used on this interface.
Possible values:
 noAuthentication (default setting)
The routers exchange RIP information without authentication.
 simplePassword
The routers exchange RIP information with plain text password authentication.
 MD5
The routers exchange RIP information with password authentication, whereby the devices
transfer the password with MD5 encryption.
Key
Specifies the password for authentication. For communication purposes, the port on the other end
requires the same authentication settings.
The prerequisite is that, in the Authentication column, you specify the value simplePassword or MD5.
Possible values:
 0..16 (octets in a string)
If you supply a string shorter than 16 octets, then RIP left-justifies and pads the string, on the
right with nulls (0x00), to 16 octets.
Key identifier
Specifies the password identification number for authentication. For communication purposes, the
port at the other end requires the same key ID.
The prerequisite for changing the value is that, in the Authentication column, you specify the value
MD5.
Possible values:
 0..255
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
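What the Authentication, Key and Key identifier settings put on the wire, as an added example that is not Hirschmann code: it builds one RIP version 2 response per mode and inspects it the way a passive observer on the subnet could. It assumes the packet layouts of RFC 2453 (simple password) and RFC 2082 (keyed MD5); the key, key identifier, sequence number and route are constructed.

```python
import hashlib
import hmac
import socket
import struct

AUTH_MARKER = 0xFFFF      # address-family value that marks an authentication entry
AUTH_SIMPLE = 2           # simple password, RFC 2453
AUTH_KEYED_MD5 = 3        # keyed message digest, RFC 2082
HEADER = struct.pack("!BBH", 2, 2, 0)   # command = response, version = 2, unused


def pad_key(key):
    """Left-justify the key and pad it with 0x00 to 16 octets, as the Key field describes."""
    if len(key) > 16:
        raise ValueError("the key is limited to 16 octets")
    return key.ljust(16, b"\x00")


def route_entry(prefix, mask, next_hop, metric):
    """One 20-octet RIP version 2 route entry (address family 2 = IP, route tag 0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_simple(key, routes):
    """simplePassword: the padded key itself is the first entry of every packet."""
    auth = struct.pack("!HH16s", AUTH_MARKER, AUTH_SIMPLE, pad_key(key))
    return HEADER + auth + b"".join(routes)


def build_md5(key, key_id, sequence, routes):
    """MD5: packet carries key ID, sequence number and a digest of packet plus key."""
    body = b"".join(routes)
    packet_len = len(HEADER) + 20 + len(body)          # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AUTH_MARKER, AUTH_KEYED_MD5,
                       packet_len, key_id, 16, sequence)
    signed = HEADER + auth + body + struct.pack("!HH", AUTH_MARKER, 1)
    return signed + hashlib.md5(signed + pad_key(key)).digest()


def inspect_auth(packet):
    """Report what the authentication entry reveals to anyone who can read the packet."""
    if len(packet) < 24 or struct.unpack_from("!H", packet, 4)[0] != AUTH_MARKER:
        return {"mode": "noAuthentication"}
    auth_type = struct.unpack_from("!H", packet, 6)[0]
    if auth_type == AUTH_SIMPLE:
        return {"mode": "simplePassword", "key_on_wire": packet[8:24].rstrip(b"\x00")}
    if auth_type == AUTH_KEYED_MD5:
        packet_len, key_id, auth_len, sequence = struct.unpack_from("!HBBI", packet, 8)
        digest = packet[packet_len + 4:packet_len + 4 + auth_len]
        return {"mode": "MD5", "key_on_wire": None, "key_id": key_id,
                "sequence": sequence, "packet_len": packet_len, "digest": digest}
    return {"mode": "unknown"}


def verify_md5(packet, key):
    """Receiver-side check: recompute the digest with the locally configured key."""
    info = inspect_auth(packet)
    if info["mode"] != "MD5":
        return False
    signed = packet[:info["packet_len"] + 4]
    expected = hashlib.md5(signed + pad_key(key)).digest()
    return hmac.compare_digest(expected, info["digest"])


# Constructed values for the demonstration.
KEY = b"plant-rip-key"
ROUTES = [route_entry("10.20.0.0", "255.255.0.0", "0.0.0.0", 3)]

if __name__ == "__main__":
    print(inspect_auth(build_simple(KEY, ROUTES)))
    md5_packet = build_md5(KEY, key_id=7, sequence=1001, routes=ROUTES)
    print(inspect_auth(md5_packet), verify_md5(md5_packet, KEY))
```

With simplePassword the configured key is readable in every update; with MD5 only the key identifier, a sequence number and the digest are visible, and a receiver with a different key or a modified packet fails the check.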
[Route redistribution]
Route redistribution describes how RIP propagates routes that it has taken over from other
protocols to other RIP routers.
Table
Source
Displays the source from which RIP takes over routing information:
Possible values:
 connected
The route points to networks of local router interfaces where RIP is not enabled.
 static
The route is in the static routing table.
 ospf
The route is from OSPF.
Active
Activates/deactivates route-redistribution for a particular source protocol.
Possible values:
 marked
The router redistributes routes received with this protocol.
 unmarked (default setting)
The device blocks redistribution.
Metric
Specifies the metric that RIP assigns to the routes from the source.
Possible values:
 0 (default setting)
RIP uses the value specified in the Default metric field.
 1..15
Match internal
Enables/disables the router to process internal OSPF routes.
Possible values:
 Enabled (default setting)
RIP adopts OSPF Intra and OSPF Inter routes.
 Disabled
RIP rejects OSPF Intra and OSPF Inter routes.
Match external 1
Enables/disables the router to process external OSPF routes of metric type 1.
Possible values:
 Enabled
RIP adopts OSPF Ext T1 routes.
 Disabled (default setting)
RIP rejects OSPF Ext T1 routes.
Match external 2
Enables/disables the router to process external OSPF routes of metric type 2.
Possible values:
 Enabled
RIP adopts OSPF Ext T2 routes.
 Disabled (default setting)
RIP rejects OSPF Ext T2 Inter routes.
Match NSSAExternal 1
Enables/disables the router to process external OSPF routes of metric type 1.
Possible values:
 Enabled
RIP adopts OSPF Intra and OSPF Inter routes.
 Disabled (default setting)
RIP rejects OSPF Intra and OSPF Inter routes.
Match NSSAExternal 2
Enables/disables the router to process external OSPF routes of metric type 2.
Possible values:
 Enabled
RIP adopts NSSA (Not so Stubby Area) routes.
 Disabled (default setting)
RIP rejects NSSA (Not so Stubby Area) routes.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Statistics]
The RIP statistics tab displays counters that count events relevant to routing.
Information
Global route changes
Displays the number of route changes that RIP has made to the IP Route Database in the routing table.
Global queries
Displays the number of responses sent to queries from other systems.
Table
Port
Displays the port number.
Receive bad packets
Displays the number of received routing data packets that the router rejected for various reasons,
such as different protocol version, or unknown command type.
Receive bad routes
Displays the number of routing information messages received, which the router ignored because
the input format was invalid.
Sent updates
Displays the number of routing tables sent with changed routing entries.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.6 Open Shortest Path First
[ Routing > OSPF ]
Open Shortest Path First (OSPF) version 2 is a routing protocol described in RFC 2328, which is
applicable to networks with many routers.
In contrast to the hop count based distance-vector routing protocols such as RIP, OSPF provides
a link state algorithm. OSPF bases its link state algorithm on link cost, meaning that the criteria for
the routing decisions are the path costs instead of hop counts. The path cost is calculated as
(100 Mbit/s) / (bandwidth in Mbit/s). OSPF also supports Variable Length Subnet Masking (VLSM)
or Classless Inter-Domain Routing (CIDR) networks.
OSPF convergence of the entire network is slow. However, after implementation the protocol is
quick in reacting to topology changes. The convergence time for OSPF is 5 to 15 seconds,
depending on the size of the network.
OSPF supports networks grouped to "Areas" and thus reduces the administrative effort when
maintaining the overall network (OSPF domain). The routers participating in the network know and
only manage their own "Area" by flooding Link State Advertisements (LSAs) into the area. Using
the LSAs each router builds its own topology database.
 The Area Border Routers (ABR) flood LSAs in an "Area" informing the local networks about
destinations in other areas within the OSPF domain. The Designated Routers (DR) transmit
LSAs informing about destinations in other areas.
 With Hello packets, neighboring routers periodically identify themselves and signal their
availability. If a router misses the Hello packets of another router, then after the expiration of the
dead-interval timer, the router considers this router as unreachable.
The device lets you use the MD5 algorithm for data transmission. If you use the MD5 mode, then
specify the same values in the devices in the same area. Specify the area relevant values
connected to the ABRs and ASBRs.
OSPF divides routers into the following roles:
 Designated Router (DR)
 Backup Designated Router (BDR)
 Area Border Router (ABR)
 Autonomous System Boundary Router (ASBR)
The menu contains the following dialogs:
 OSPF Global
 OSPF Areas
 OSPF Stub Areas
 OSPF Not So Stubby Areas
 OSPF Interfaces
 OSPF Virtual Links
 OSPF Ranges
 OSPF Diagnostics
6.6.1 OSPF Global
[ Routing > OSPF > Global ]
This dialog lets you specify the basic OSPF settings.
The menu contains the following dialogs:
 [General]
 [Configuration]
 [Redistribution]
[General]
This tab lets you enable OSPF in the device and specify network parameters.
Operation
Operation
Enables/disables the OSPF function in the device.
Possible values:
 On
The OSPF function is enabled.
 Off (default setting)
The OSPF function is disabled.
Configuration
Router ID
Specifies the unique identifier for the router in the Autonomous System (AS). It influences the
election of the Designated Router (DR) and the Backup Designated Router (BDR). Ideally, you use
the IP address of a router interface in the device.
Possible values:
 <IP address of an interface> (default setting: 0.0.0.0)
External LSDB limit
Specifies the maximum number of entries, non-default AS-external-LSAs, that the device saves in
the link state database. When this limit is reached, the router enters the overflow state.
Possible values:
 -1 (default setting)
The router continues to save entries until the memory is full.
 0..2147483647
The device saves up to the specified number of entries.
Specify the same value in the routers on the OSPF backbone and in any regular OSPF area.
External LSAs
Displays the current number of entries, non-default AS-external-LSAs, that the device currently
holds in the link state database.
Autocost reference bandwidth
Specifies a reference for router interface bandwidth calculations, in Mbps. You use this value for
metric calculations.
Possible values:
 1..4294967 (default setting: 100)
Paths (max.)
Displays the maximum number of ECMP routes that OSPF adds to the routing table when multiple
routes exist for a subnet with same path costs, but different next hops.
Default metric
Specifies the default metric value for OSPF.
Possible values:
 0 (default setting)
OSPF automatically assigns a cost of 20 for routes learned from external sources (static or
directly connected).
 1..16777214
Send trap
Activates/deactivates the sending of SNMP traps when the device detects an OSPF parameter
change.
Possible values:
 marked
The sending of SNMP traps is active.
If the device detects changes in the OSPF parameters, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Shortest path first
Delay time [s]
Specifies the delay time, in seconds, between when the router receives a topology change and
when it starts an SPF calculation.
Possible values:
 0..65535 (default setting: 5)
The value 0 means that the router immediately begins the SPF calculation after receiving the
topology change.
Hold time [s]
Specifies the minimum time, in seconds, between consecutive SPF calculations.
Possible values:
 0..65535 (default setting: 10)
The value 0 means that after the router completes an SPF calculation it immediately begins the
next consecutive SPF calculation.
Exit overflow interval [s]
Specifies the number of seconds, after entering the overflow state, that a router attempts to leave
the overflow state. When the router leaves the overflow state, the router transmits new non-default
AS-external-LSAs.
Possible values:
 0..2147483647 (default setting: 0)
The value 0 means that the router remains in the Overflow-State until restarted.
Information
ASBR status
Displays whether the device operates as an Autonomous System Boundary Router (ASBR).
Possible values:
 marked
The router is an ASBR.
 unmarked
The router functions in a role other than the role of an ASBR.
ABR status
Displays whether the device operates as an Area Border Router (ABR).
Possible values:
 marked
The router is an ABR.
 unmarked
The router functions in a role other than the role of an ABR.
External LSA checksum
Displays the link state checksums of the external LSAs contained in the link state database. This
value helps to determine when changes occur in a link state database of the router, and to compare
the link state database to other routers.
New LSA originated
Displays the number of new link state advertisements originated on this router. The router
increments this number each time it originates a new Link State Advertisement (LSA).
LSAs received
Displays the number of LSAs received that the router determined to be new instances. This number
also excludes newer instances of self-originated LSAs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Configuration]
This dialog lets you specify the following settings:
 the manner in which the device calculates the path costs
 how OSPF handles default routes
 the type of route OSPF uses for the path-cost calculation
RFC 1583 compatibility
The Network Working Group is continually developing the OSPF function, improving and adding
parameters. This router provides parameters in accordance with RFC 2328. With parameters in
this dialog, you make the router compatible with routers developed under RFC 1583. Activating the
compatibility function lets you install this device in a network containing routers developed under
RFC 1583.
RFC 1583 compatibility
Enables/disables the compatibility of the device with routers developed under RFC 1583.
In order to minimize the chance of routing loops, set this function to the same value on the OSPF
enabled routers in an OSPF domain.
Possible values:
 On (default setting)
Enable the function when routers are present in the domain without software containing the
external path preference functionality described in RFC 2328.
 Off
Disable the function when every router present in the domain has software containing the
external path preference functionality described in RFC 2328.
Preferences
The preferences in this dialog are metric values which the device uses as a tie breaker between
identical routes with different distance types. For example, when a route is inside the local area
(intra-area) and the other is outside the local area (inter-area or external). If the metric values are
the same for intra, inter and external, then the order of preference is intra, inter then external.
OSPF considers routes specified with a preference value of 255 as unreachable.
Preference (intra)
Specifies the "administrative distance" between routers within the same area (intra-area OSPF
routes).
Possible values:
 1..255 (default setting: 110)
Preference (inter)
Specifies the "administrative distance" between routers in different areas (inter-area OSPF routes).
Possible values:
 1..255 (default setting: 110)
Preference (external)
Specifies the "administrative distance" between routers external to the areas (external OSPF
routes).
Possible values:
 1..255 (default setting: 110)
Default route
Advertise
Activates/deactivates OSPF advertisements of default routes learned from other protocols.
For example, area border routers of stub areas advertise a default route into the stub area through
summary link advertisements. When you configure the router as an AS boundary router, it
advertises the default route in AS external link advertisements.
Possible values:
 marked
The router advertises default routes.
 unmarked (default setting)
The router suppresses advertisements of default routes.
Advertise always
Displays whether the router constantly advertises 0.0.0.0/0 as the default route.
When a router forwards an IP packet, the router always forwards the packet to the best matching
destination address. A default route with a destination address of 0.0.0.0 and a mask of 0.0.0.0
is a match for every IP destination address. Matching every IP destination address lets an AS
boundary router operate as a gateway for destinations outside of the AS.
Possible values:
 marked
The router constantly advertises 0.0.0.0/0 as the default route.
 unmarked (default setting)
The device uses the settings specified in the Advertise parameter.
Metric
Specifies the metric of the default route, which OSPF advertises when learned from other protocols.
Possible values:
 0
The device uses the value specified in the Default metric field.
 1..16777214
Metric type
Displays the metric type of the default route which OSPF advertises when learned from another
protocol.
Possible values:
 externalType1
Includes the external path cost from the ABR to the ASBR that originated the route plus the
internal path cost to the ABR that advertised the route in the local area.
 externalType2 (default setting)
Includes only the external path cost.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Redistribution]
A router with a disabled OSPF function on a routed interface does not propagate the network of this
interface on its other interfaces. Thus, the network cannot be reached. To propagate such
networks, enable the Redistribution for "connected" networks.
Redistribution is helpful in cases where multiple network administrators manage different
departments, or in multi-vendor networks with multiple protocols. OSPF redistribution lets you
convert route information such as cost and distance to a destination from other protocols into
OSPF.
To help prevent double redistribution of routes, and thus a possible loop, use the Tag
function. This function marks the routes redistributed from other protocols into OSPF. Then, on the
other routers in the network, activate an ACL (ACL active column) that denies the tagged number. To
specify exactly which routes the device distributes in OSPF, create ACL permit rules.
The number of routes that the device learns through OSPF is limited to the size of the routing table.
Table
Source
Displays the source protocol, from which OSPF redistributes routes. This object also acts as the
identifier for the table entry.
Activating a row lets the device redistribute routes from the specific source protocol into OSPF.
Possible values:
 connected
The router is directly connected to the route.
 static
A network administrator has specified the route in the router.
 rip
The router has learned the route using the RIP protocol.
Active
Activates/deactivates route redistribution from the source protocol into OSPF.
Possible values:
 marked
Redistribution of routes learned from the source protocol is active.
 unmarked (default setting)
OSPF route redistribution is inactive.
Metric
Specifies the metric value for routes redistributed from this protocol.
Possible values:
 0 (default setting)
The device uses the value specified in the Default metric field.
 1..16777214
Metric type
Specifies the route metric type which OSPF redistributes from other source protocols.
Possible values:
 externalType1
This metric type includes the external path cost from the ABR to the ASBR that originated
the route plus the internal path cost to the ABR that advertised the route in the local area.
 externalType2 (default setting)
This metric type includes only the external path cost.
Tag
Specifies a tag for routes redistributed into OSPF.
When you set a route tag, OSPF assigns the value to every redistributed route from this source
protocol. This function is useful when 2 or more border routers connect an autonomous system to
an external network. To help prevent double redistribution, specify the same value in every border
router when redistributing the same protocol.
Possible values:
 0..4294967295 (default setting: 0)
Subnets
Activates/deactivates subnet route redistribution into OSPF.
OSPF only redistributes classful routes into the OSPF domain. To redistribute subnet routes
into OSPF, activate the Subnets parameter.
Possible values:
 marked (default setting)
The router redistributes classful and subnet routes into OSPF.
 unmarked
The router redistributes only classful routes into OSPF.
ACL group name
Specifies the name of the Access Control List created to filter routes received from the specified
source protocol.
To help prevent double redistribution and eventual loops, create an access list denying
redistribution of routes originating in another protocol. Specify the access list ID, then activate the
function in the ACL active column. When filtering redistributed routes, the device uses the source
address.
Possible values:
 - (default setting)
No Access Control List assigned.
 <Group name> (IPv4)
You specify the Access Control Lists in the Network Security > ACL > IPv4 Rule dialog.
ACL active
Activates/deactivates Access Control List filtering for this source protocol.
Possible values:
 marked
The router filters redistribution of routes according to the specified Access Control List.
 unmarked (default setting)
The router ignores Access Control List filtering for this source protocol.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.6.2 OSPF Areas
[ Routing > OSPF > Areas ]
OSPF supports networks divided into "Areas" and thus reduces the administrative effort when
maintaining the network. The routers participating in the network know and only manage their own
"Area" by flooding Link State Advertisements (LSAs) into the area. Using the LSAs each router
builds its own topology database.
The device lets you specify up to a total of 15 OSPF Areas.
Table
Area ID
Displays the area ID.
Area type
Specifies the import policy of AS external LSAs for the area which determines the Area Type.
OSPF import policies apply to external routes only. An external route is a route that is outside the
OSPF autonomous system.
Possible values:
 area (default setting)
The router imports type 5 AS external LSAs into the area.
 stub area
The router ignores type 5 AS external LSAs.
 nssa
The router translates type 7 AS external LSAs into type 5 NSSA summary LSAs and imports
them into the area.
SPF runs
Displays the number of times that the router calculated the intra-area routing table using the link
state database of this area. The router uses Dijkstra's algorithm for route calculation.
Area border router
Displays the total number of ABRs reachable within this area. The number of reachable routers is
initially 0. OSPF calculates the number in each SPF Pass.
AS boundary router
Displays the total number of ASBRs reachable within this area. The number of reachable ASBRs
is initially 0. OSPF calculates the number in each SPF Pass.
Area LSAs
Displays the total number of link state advertisements in the link state database of this area,
excluding AS External LSAs.
Area LSA checksum
Displays the total number of LS checksums contained in the LS database of this area. This sum
excludes type 5 external LSAs. You use the sum to determine if there has been a change in an LS
database of a router, and to compare the LS database to other routers.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Area ID field you specify the area ID for the new table entry.
Possible values:
– Octet value displayed like an IPv4 address
6.6.3 OSPF Stub Areas
[ Routing > OSPF > Stub Areas ]
OSPF lets you specify certain areas as stub areas. The Area Border Router (ABR) of a stub area
enters the information learned from AS external LSAs in its database without flooding the AS
external LSAs across the stub area. The ABR instead sends a summary LSA into the stub area
advertising a default route. The default route advertised in the summary LSA pertains only to the
particular stub area. When forwarding data to AS external destinations, the routers in a stub area
use the default ABR only. Sending a summary LSA containing the default route instead of AS
external LSAs reduces the link state database size, and therefore the memory requirements for an
internal router of a stub area.
The device gives you the following options for creating a Stub Area:
 Converting an Area to a Stub Area
 In the Routing > OSPF > Areas dialog, change the value in the Area type column to Stub Area.
 Creating a new Stub Area
 In the Routing > OSPF > Areas dialog, create an entry in the table.
 Change the value in the Area type column to stub area.
Table
Area ID
Displays the area ID for the stub area.
Default cost
Specifies the external metric value for the metric type.
Possible values:
 0..16777215
The router sets the default value to equal the lower cost within the area for the metric type.
Metric type
Specifies the type of metric used for the default route advertised into the area.
The border router of a stub area advertises a default route as a network summary LSA.
Possible values:
 OSPF metric (default setting)
The ABR advertises the metric as OSPF internal, which is the cost of an intra-area route to the
ABR.
 External type 1
The ABR advertises the metric as External type 1, which is the cost of the OSPF internal
metric plus external metric to the ASBR.
 External type 2
The ABR advertises the metric as External type 2, which is the cost of the external metric to
the ASBR. You use this value for NSSAs.
Totally stub
Activates/deactivates the import of summary LSAs into stub areas.
Possible values:
 marked (default setting)
The router does not import area summaries. The stub area relies entirely on the default route.
This makes the stub area a Totally Stub Area.
 unmarked
The router both summarizes and propagates summary LSAs into the stub area.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.6.4 OSPF Not So Stubby Areas
[ Routing > OSPF > NSSA ]
NSSAs are similar to the OSPF stub area. However, NSSAs have the additional capability of
importing limited AS external routes. The ABR sends external routes out of the NSSA by converting
type 7 AS external LSAs into type 5 AS external LSAs. The ASBR in an NSSA originates type 7
LSAs. The only difference between the type 5 and type 7 LSAs is that the router sets the "N" bit for
NSSAs. Both NSSA neighbors have the "N" bit set. This forms the OSPF neighbor adjacency.
Besides the internal data traffic, NSSAs act like transit areas by transporting data coming from
external sources to other areas within the OSPF domain.
The device gives you the following options for creating an NSSA:
 Converting an Area to an NSSA
 In the Routing > OSPF > Areas dialog, change the value in the Area type column to nssa.
 Creating a new NSSA
 In the Routing > OSPF > Areas dialog, create an entry in the table.
 Change the value in the Area type column to nssa.
Table
Area ID
Displays the area ID to which the table entries apply.
Redistribute
Activates/deactivates external route redistribution into the NSSA.
Possible values:
 marked (default setting)
The NSSA ASBRs suppress external route redistribution into the NSSA. Furthermore, the ASBR
stops creating type 7 external LSAs for external routes.
 unmarked
The NSSA ASBRs redistribute external routes into the NSSA.
Originate default info
Activates/deactivates the creation of type 7 default LSAs.
The prerequisite for the creation of type 7 default LSAs is that the router is an NSSA ABR or ASBR.
Possible values:
 marked
The router creates type 7 default LSAs and sends them into the NSSA.
 unmarked (default setting)
The router suppresses type 7 default LSAs.
Default metric
Specifies the metric value advertised in the type 7 default LSA.
Possible values:
 1..16777214 (default setting: 10)
Default metric type
Specifies the metric type advertised in the type 7 default LSA.
Possible values:
 ospfMetric
The router advertises the metric as OSPF internal, which is the cost of an intra-area route to the
ABR.
 comparable
The router advertises the metric as external type 1, which is the cost of the OSPF internal metric
plus external metric to the ASBR.
 nonComparable
The router advertises the metric as external type 2, which is the cost of the external metric to
the ASBR.
Translator role
Specifies the ability of an NSSA border router to perform translation of type-7 LSAs into type-5
LSAs.
NSSA Area Border Routers receive type-5 LSAs containing information about external routes. The
NSSA border routers block the type-5 LSAs from entering into the NSSA. However, using type-7
LSAs the border routers inform each other about external routes. The ABRs then translate the
type-7 LSAs to type-5 external LSAs and flood the information to the rest of the OSPF network.
Possible values:
 always
The router translates type-7 LSAs to type-5 LSAs.
When the router receives type-5 LSAs from another router with a router ID higher than its own,
it flushes its type-5 LSAs.
 candidate (default setting)
The router translates type-7 LSAs to type-5 LSAs.
To help prevent routing loops, OSPF performs a translator election. When multiple candidates
exist, OSPF elects the router with the higher router ID as the translator.
Translator status
Displays if and how the router is translating type-7 LSAs into type-5 LSAs.
Possible values:
 enabled
The Translator role of the router is set to always.
 elected
As a candidate, the NSSA Border router is translating type-7 LSAs into type-5.
 disabled
Another NSSA border router is translating type-7 LSAs into type-5 LSAs.
Translator stability interval [s]
Specifies the number of seconds after the router loses a translation election that it continues to
translate type-7 LSAs into type-5 LSAs.
Possible values:
 0..65535 (default setting: 40)
Translator events
Displays the number of translator status changes that have occurred since the last boot-up.
Discontinuities in the value of this counter occur while OSPF is disabled and can occur during
re-initialization of the management system.
Totally NSSA
Activates/deactivates importation of summary routes into the NSSA as type 3 summary LSAs.
Possible values:
 marked (default setting)
The router suppresses summary route importation making the area a Totally NSSA.
 unmarked
The router imports summary routes into the NSSA as type 3 summary LSAs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.6.5 OSPF Interfaces
[ Routing > OSPF > Interfaces ]
This dialog lets you specify, activate, and display OSPF parameters on the router interfaces.
The device uses the OSPF routing protocol to exchange reachability information between the
routers. The device uses routing information learned from peers to determine the next hop towards
the destination. To route traffic correctly, the router authenticates OSPF protocol exchanges to help
prevent malicious or incorrect routing information from getting introduced into the routing table.
OSPF supports multiple types of authentication. You configure the type of authentication in use on
a per-interface basis. The cryptographic authentication option MD5 helps protect your network
against passive attacks and helps provide significant protection against active attacks. When using
the cryptographic authentication option, each router appends a "message digest" to its transmitted
OSPF packets. Receivers then use the shared secret key and received digest to verify that each
received OSPF packet is authentic.
Table
Port
Displays the interface to which the table entry applies.
IP address
Displays the IP address of this OSPF interface.
Active
Activates/deactivates the OSPF administrative status of the interface.
Possible values:
 marked
The router advertises the values specified on the interface, and the interface as an OSPF
internal route.
 unmarked (default setting)
The interface is external to OSPF.
Area ID
Specifies the area ID of the domain to which the interface connects.
Possible values:
 <Area ID>
You specify the area IDs in the Routing > OSPF > Areas dialog.
Priority
Specifies the priority of this interface.
In multi-access networks, the router uses the value in the Designated Router election algorithm.
When a tie occurs, the routers use their router ID as a tie breaker. The highest router ID wins.
Possible values:
 0
The router is unable to become the Designated Router on this particular network.
 1..255 (default setting: 1)
Transmit delay [s]
Specifies the estimated number of seconds it takes to transmit a link state update packet over this
interface.
This setting is useful for low speed links. The timer increases the age of the LS updates to
compensate for estimated delays on the interface. Increasing the packet age too much results in a
reply that is younger than the original packet.
Possible values:
 0..3600 (default setting: 1)
Retrans interval [s]
Specifies the number of seconds between link state advertisement retransmissions for adjacencies
belonging to this interface.
You also use this value when retransmitting database description and link state request packets.
Possible values:
 0..3600 (default setting: 5)
Hello interval [s]
Specifies the number of seconds between Hello packet transmissions on the interface.
Set this value the same for the routers attached to a common network. Verify that every router in
an area has the same value.
Possible values:
 1..65535 (default setting: 10)
Dead interval [s]
Specifies the number of seconds between received Hello packets before a router declares the
neighbor router down.
Set the value to a multiple of the Hello interval [s]. Specify the same value for the router interfaces
within the same area.
Possible values:
 1..65535 (default setting: 40)
Specify a lower value to get a faster detection of a neighbor in a down state.
Note: Lower values are prone to interoperability issues.
Status
Displays the OSPF interface state.
Possible values:
 down (default setting)
The interface is in the initial state and is blocking traffic.
 loopback
The interface is a loopback interface of the device. Although packets are not sent out on the
loopback interface, the router LSAs continue to advertise the interface address.
 waiting
Applies only to interfaces connected to broadcast and Non-broadcast Multi-access (NBMA)
network types. While in this state, the router attempts to identify the state of the network DR and
BDR by sending and receiving Hello packets. The wait timer causes the interface to exit the
waiting state and select a DR. The period of this timer is the same as the value in the Dead
interval [s] field.
 pointToPoint
Applies only to interfaces connected to point-to-point, point-to-multipoint, and virtual link
network types. While in this state the interface sends Hello packets every Hello interval [s] and
establishes an adjacency with its neighbor.
 designatedRouter
The router is the DR for the multi-access network and establishes adjacencies with the other
network routers.
 backupDesignatedRouter
The router is the BDR for the multi-access network and establishes adjacencies with the other
network routers.
 otherDesignatedRouter
The router is only a network participant. The router establishes adjacencies only with the DR
and BDR and tracks its network neighbors.
Designated router
Displays the IP address of the Designated Router.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Backup designated router
Displays the IP address of the Backup Designated Router.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Events
Displays the number of times this OSPF interface changed its state, or the router detected an error.
Network type
Specifies the OSPF network type of the autonomous system.
Possible values:
 broadcast
Use this value for broadcast networks, such as Ethernet and IEEE 802.5. OSPF performs a DR
and BDR election with which the non-designated routers form an adjacency.
 nbma
Use this value for non-broadcast multi-access networks such as X.25 and similar technologies.
OSPF performs a DR and BDR election to limit the number of adjacencies formed.
 pointToPoint
Use this value for networks that link only 2 interfaces.
 pointToMultipoint
Use this value when you collect several point-to-point links into a non-broadcast network. Every
router in the network transmits Hello packets to other routers in the network, but without having
a DR and BDR election.
Auth type
Specifies the authentication type for an interface.
If you specify simple or MD5, then this router requires other routers to pass an authentication
process before this router accepts the other routers as neighbors.
If you use authentication to help protect your network, then use the same type and key for every
router in your autonomous system.
Possible values:
 none (default setting)
Network authentication is inactive.
 simple
The router uses clear text authentication. In this case, routers transmit the passwords as clear
text.
 MD5
The router uses the message-digest algorithm MD5 authentication. This type of authentication
helps make your network more secure.
Auth key
Specifies the authentication key.
After you enter the key, the field displays ***** (asterisks) instead of the authentication key.
Possible values:
 Alphanumeric ASCII character string
– with 8 characters if in the Auth type drop-down list the value simple is selected
– with 16 characters if in the Auth type drop-down list the value MD5 is selected
If you specify a shorter authentication key, then the device fills in the remaining characters
with 0.
Auth key ID
Specifies the MD5 authentication key ID value.
The cryptographic authentication option MD5 helps protect your network against passive attacks
and helps provide significant protection against active attacks.
The prerequisite for changing the value is that, in the Auth type column, you specify the value MD5.
Possible values:
 0..255 (default setting: 0)
Cost
Specifies the internal metric.
OSPF uses link cost as the metric. OSPF also uses the cost of a link to calculate the SPF routes.
OSPF prefers the route with the smaller value.
The formula to calculate cost is reference bandwidth divided by interface bandwidth. Reference
bandwidth is specified in the Autocost reference bandwidth field and is set to 100 Mbit/s by default.
See the Routing > OSPF > Global dialog, General tab.
Example:
The interface bandwidth is 10 Mbit/s.
The metric is 100 Mbit/s divided by 10 Mbit/s = 10.
Possible values:
 auto (default setting)
OSPF calculates the metric and automatically adjusts the value when the interface bandwidth
changes.
 1..65535
OSPF uses the value specified here as metric.
Calculated cost
Displays the metric value which OSPF currently uses for this interface.
MTU ignore
Activates/deactivates the IP maximum transmission unit (MTU) mismatch detection on this OSPF
interface.
Possible values:
 marked
Disables the IP MTU check and makes adjacencies possible when the MTU value differs on the
interfaces.
 unmarked (default setting)
The router checks if neighbors are using the same MTU value on the interfaces.
Fast Hello mode
Activates/deactivates the Fast Hello mode on the port. For a ring that contains 8 devices, the
function makes it possible for the recovery time to be less than 1.5 seconds for a detected link or
router failure.
The prerequisite is that you specify a value of 1 second for the following parameters:
• Dead interval [s] column
• Delay time [s] column in the Routing > OSPF > Global dialog, Shortest path first frame
Possible values:
 marked
The device sends the Hello packets every 250 ms, and ignores the value specified in the Hello
interval [s] column.
 unmarked (default setting)
The device sends the Hello packets according to the value specified in the Hello interval [s]
column.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
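The consistency rules this dialog states (matching Hello interval [s] and Dead interval [s], Dead interval [s] as a multiple of Hello interval [s], the same Auth type and key on every router, the Fast Hello mode prerequisite) can be checked offline against a transcription of the table. The following is an added example, not part of the manual or of HiOS; the row layout, field names and finding codes are assumptions made for the illustration, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed rows, shaped like the columns of the Routing > OSPF > Interfaces
# table of three routers. Field names are assumptions, not HiOS identifiers.
INTERFACES = [
    {"router": "R1", "port": "1/1", "area": "0.0.0.0", "hello": 10, "dead": 40,
     "auth_type": "MD5", "auth_key_id": 1, "mtu_ignore": False, "fast_hello": False},
    {"router": "R2", "port": "1/1", "area": "0.0.0.0", "hello": 10, "dead": 45,
     "auth_type": "simple", "auth_key_id": 0, "mtu_ignore": True, "fast_hello": False},
    {"router": "R3", "port": "1/2", "area": "0.0.0.1", "hello": 10, "dead": 40,
     "auth_type": "none", "auth_key_id": 0, "mtu_ignore": False, "fast_hello": True},
]

# Finding codes (hypothetical) mapped to the statement in the dialog description.
MESSAGES = {
    "auth-none": "Auth type is none: network authentication is inactive",
    "auth-simple": "Auth type is simple: routers transmit the password as clear text",
    "dead-not-multiple": "Dead interval [s] is not a multiple of Hello interval [s]",
    "fast-hello-prereq": "Fast Hello mode requires Dead interval [s] = 1",
    "mtu-ignore": "MTU ignore is marked: MTU mismatch detection is disabled",
}

# Columns the manual asks you to keep identical on the routers of an area.
AREA_WIDE = ("hello", "dead", "auth_type", "auth_key_id")


def audit_row(row):
    """Return the finding codes that apply to a single interface row."""
    codes = []
    if row["auth_type"] == "none":
        codes.append("auth-none")
    elif row["auth_type"] == "simple":
        codes.append("auth-simple")
    if row["fast_hello"]:
        # With Fast Hello mode the Hello interval column is ignored, so only
        # the prerequisite on the Dead interval is checked.
        if row["dead"] != 1:
            codes.append("fast-hello-prereq")
    elif row["dead"] % row["hello"] != 0:
        codes.append("dead-not-multiple")
    if row["mtu_ignore"]:
        codes.append("mtu-ignore")
    return codes


def audit_areas(rows):
    """Return {area: [columns whose values differ between routers]}."""
    by_area = defaultdict(list)
    for row in rows:
        by_area[row["area"]].append(row)
    mismatches = {}
    for area, members in by_area.items():
        differing = [f for f in AREA_WIDE if len({m[f] for m in members}) > 1]
        if differing:
            mismatches[area] = differing
    return mismatches


def audit(rows):
    """Combine per-interface and per-area findings into one report."""
    return {
        "rows": {(r["router"], r["port"]): audit_row(r) for r in rows},
        "areas": audit_areas(rows),
    }


if __name__ == "__main__":
    report = audit(INTERFACES)
    for (router, port), codes in report["rows"].items():
        for code in codes:
            print(f"{router} {port}: {MESSAGES[code]}")
    for area, fields in report["areas"].items():
        print(f"area {area}: values differ for {', '.join(fields)}")
```

The Fast Hello mode check covers only the Dead interval [s] column; the Delay time [s] prerequisite lives in the Routing > OSPF > Global dialog and is not modeled here.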
6.6.6 OSPF Virtual Links
[ Routing > OSPF > Virtual Links ]
OSPF requires that you link every area to the backbone area. The physical location of routers often
prohibits a direct link to the backbone. Virtual links allow you to connect physically separated areas
to the backbone through a transit area. You specify both routers on the endpoints of a virtual link
as ABRs on a point-to-point link.
 To enter a virtual link in the table, click the button.
Table
Area ID
Displays the area ID for the transit area that the virtual link traverses.
Neighbor ID
Displays the router ID of the virtual neighbor.
The router learns this value from Hello packets received from the virtual neighbor. The value is a
static value for virtual adjacencies.
Transmit delay [s]
Specifies the estimated number of seconds it takes to transmit an LS update packet over this
interface.
This setting is useful for low speed links. The timer increases the age of the LS updates to
compensate for estimated delays on the interface. Increasing the packet age too much results in a
reply that is younger than the original packet.
Possible values:
 0..3600 (default setting: 1)
Retrans interval [s]
Specifies the number of seconds between the LS advertisement retransmissions for adjacencies
belonging to this interface.
You also use this value when retransmitting Database Description (DD) and LS Request packets.
Possible values:
 0..3600 (default setting: 5)
Dead interval [s]
Specifies the number of seconds between received Hello packets before a router declares the
neighbor router down.
Set the value to a multiple of the Hello interval [s]. Specify the same value for the router interfaces
within the same area.
Possible values:
 1..65535 (default setting: 40)
Specify a lower value to get a faster detection of a neighbor in a down state.
Note: Lower values are prone to interoperability issues.
Hello interval [s]
Specifies the number of seconds between Hello packet transmissions on the interface.
Set this value the same for the routers attached to a common network.
Possible values:
 1..65535 (default setting: 10)
Status
Displays the OSPF virtual interface state.
Possible values:
 down (default setting)
The interface is in the initial state and is blocking traffic.
 pointToPoint
Applies only to interfaces connected to point-to-point, point-to-multipoint, and virtual link
network types. While in this state the interface sends Hello packets every Hello interval [s] and
establishes an adjacency with its neighbor.
Events
Displays the number of times this interface changed its state due to a received event.
Auth type
Specifies the authentication type for a virtual link.
If you specify simple or MD5, then this router requires other routers to pass an authentication
process before this router accepts the other routers as neighbors.
If you use authentication to help protect your network, then use the same type and key for every
router in your autonomous system.
Possible values:
 none (default setting)
Network authentication is inactive.
 simple
The router uses clear text authentication. In this case, routers transmit the passwords as clear
text.
 MD5
The router uses the message-digest algorithm MD5 authentication. This type of authentication
helps make your network more secure.
Auth key
Specifies the authentication key.
After you enter the key, the field displays ***** (asterisks) instead of the authentication key.
Possible values:
 Alphanumeric ASCII character string
– with 8 characters if in the Auth type drop-down list the value simple is selected
– with 16 characters if in the Auth type drop-down list the value MD5 is selected
If you specify a shorter authentication key, then the device fills in the remaining characters
with 0.
Auth key ID
Specifies the MD5 authentication key ID value.
The cryptographic authentication option MD5 helps protect your network against passive attacks
and helps provide significant protection against active attacks.
The prerequisite for specifying this value is that you specify in the Auth type column the value MD5.
Possible values:
 0..255 (default setting: 0)
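How the "message digest" described for the Auth type, Auth key and Auth key ID columns (in both the Interfaces and Virtual Links dialogs) is produced and checked, as an added example that is not code from the manual or the device. It follows the cryptographic authentication procedure of RFC 2328; the key, addresses and sequence numbers are constructed, and padding a short key with NUL bytes is an assumption about what "fills in the remaining characters with 0" means.

```python
import hashlib
import hmac
import socket
import struct

AUTYPE_CRYPTO = 2                  # RFC 2328 AuType value for cryptographic authentication
MD5_LEN = 16                       # digest length and maximum key length in bytes
HEADER = struct.Struct("!BBH4s4sHHHBBI")   # 24-byte OSPFv2 header, crypto-auth layout
HELLO = struct.Struct("!4sHBBI4s4s")       # Hello body without a neighbor list


def pad_key(key: str) -> bytes:
    """Pad a short key to 16 bytes (assumption: the fill value 0 means NUL bytes)."""
    raw = key.encode("ascii")
    if len(raw) > MD5_LEN:
        raise ValueError("MD5 auth key is limited to 16 characters")
    return raw.ljust(MD5_LEN, b"\x00")


def build_hello(router_id, area_id, key_id, key, seq, hello=10, dead=40, priority=1):
    """Build an authenticated Hello; timer defaults are the dialog defaults."""
    body = HELLO.pack(socket.inet_aton("255.255.255.0"), hello, 0x02, priority,
                      dead, socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))
    header = HEADER.pack(2, 1, HEADER.size + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0,                 # checksum stays 0 with cryptographic auth
                         AUTYPE_CRYPTO, 0, key_id, MD5_LEN, seq)
    packet = header + body
    # The digest covers the packet followed by the padded key; on the wire the
    # digest takes the place of the key, so the key itself is never transmitted.
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keys: dict, last_seq: int):
    """Receiver-side checks; returns (accepted, reason)."""
    if len(wire) < HEADER.size + MD5_LEN:
        return False, "truncated"
    (_ver, _type, length, _rid, _aid, _cksum, autype,
     _zero, key_id, auth_len, seq) = HEADER.unpack(wire[:HEADER.size])
    if autype != AUTYPE_CRYPTO:
        return False, "auth type mismatch"
    if auth_len != MD5_LEN or len(wire) != length + auth_len:
        return False, "bad length"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:                      # RFC 2328 requires a non-decreasing value
        return False, "stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    keys = {1: "rsp-ospf-key"}              # constructed key, shorter than 16 characters
    good = build_hello("10.0.0.1", "0.0.0.0", key_id=1, key=keys[1], seq=1000)
    tampered = bytearray(good)
    tampered[HEADER.size + 11] ^= 0x01      # flip one bit of the Dead interval field
    return {
        "valid": verify(good, keys, last_seq=999),
        "tampered": verify(bytes(tampered), keys, last_seq=999),
        "wrong_key": verify(good, {1: "other-key"}, last_seq=999),
        "wrong_key_id": verify(good, {2: keys[1]}, last_seq=999),
        "stale": verify(good, keys, last_seq=1001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

A neighbor whose Auth key or Auth key ID differs never passes `verify`, which is why the manual asks for the same type and key on every router.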
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Area ID drop-down list you select the area ID for the new table entry.
 In the Neighbor ID field you specify the router ID of the virtual neighbor.
6.6.7 OSPF Ranges
[ Routing > OSPF > Ranges ]
In large areas, OSPF messages flooded across the network reduce available bandwidth and
increase the size of the routing table. A large routing table increases the amount of CPU processing
that the router requires to enter the information into the routing table. A large routing table also
reduces available memory. To decrease the number of OSPF messages flooded across the
network, OSPF lets you create several smaller subnets within a large area.
In order to summarize routing information into and out of a subnet, the Area Border Router (ABR)
specifies the subnet as a single address range. The ABR advertises each address range as a single
route to the external area. The IP address that the ABR advertises for the subnet is an address and
mask pair. Unadvertised ranges allow you to hide the existence of subnets from other areas.
The router specifies the cost of the advertised route as the greatest cost in the set of component subnets.
 To enter an address range into the table, click the
button.
Table
Area ID
Displays the area ID of the address range.
LSDB type
Displays the route information aggregated by the address range.
Possible values:
 summaryLink
The area range aggregates type 5 route information.
 nssaExternalLink
The area range aggregates type 7 route information.
Network
Displays the IP address of the subnet of the range.
Netmask
Displays the netmask of the subnet of the range.
Effect
Specifies the external advertisement of the subnet ranges.
Possible values:
 advertiseMatching (default setting)
The router advertises the range in other areas.
 doNotAdvertiseMatching
The router withholds range advertisement to other external areas.
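The following Python sketch is an added illustration, not code from the manual or from HiOS: it models how an ABR turns the range table into what other areas see, using the Effect values described above. The subnets, costs and range rows are constructed sample data, and the handling of overlapping ranges and of subnets outside every range is an assumption of this model.

```python
import ipaddress

# Constructed sample data: subnets inside one area as seen by the ABR, with cost.
COMPONENT_SUBNETS = [
    ("10.1.0.0/24", 10),
    ("10.1.1.0/24", 30),
    ("10.1.2.0/24", 20),
    ("10.9.5.0/24", 15),    # subnet that other areas should not learn about
    ("172.16.4.0/24", 5),   # not covered by any configured range
]

# Constructed range table rows: (Network, Netmask, Effect), named as in the dialog.
RANGES = [
    ("10.1.0.0", "255.255.252.0", "advertiseMatching"),
    ("10.9.0.0", "255.255.0.0", "doNotAdvertiseMatching"),
]


def parse_ranges(ranges):
    """Turn (Network, Netmask, Effect) rows into (ip_network, effect) pairs."""
    parsed = []
    for network, netmask, effect in ranges:
        if effect not in ("advertiseMatching", "doNotAdvertiseMatching"):
            raise ValueError(f"unknown Effect value: {effect}")
        # strict=True rejects a Network value with host bits set for its Netmask.
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
        parsed.append((net, effect))
    return parsed


def summarize(subnets, ranges):
    """Return {prefix: cost} for the routes the ABR announces to other areas."""
    table = parse_ranges(ranges)
    advertised = {}
    for prefix, cost in subnets:
        net = ipaddress.ip_network(prefix)
        matches = [(rng, eff) for rng, eff in table if net.subnet_of(rng)]
        if not matches:
            advertised[str(net)] = cost      # assumption: announced individually
            continue
        # Assumption: if ranges overlap, the most specific one applies.
        rng, effect = max(matches, key=lambda m: m[0].prefixlen)
        if effect == "doNotAdvertiseMatching":
            continue                          # hidden from other areas
        # One route per range; its cost is the greatest component cost.
        advertised[str(rng)] = max(advertised.get(str(rng), 0), cost)
    return advertised


def exposed_subnets(subnets, ranges):
    """Component subnets whose exact prefix is still visible outside the area."""
    advertised = summarize(subnets, ranges)
    return sorted(p for p, _ in subnets
                  if str(ipaddress.ip_network(p)) in advertised)


if __name__ == "__main__":
    for prefix, cost in summarize(COMPONENT_SUBNETS, RANGES).items():
        print(f"{prefix:<18} cost {cost}")
    print("exposed:", exposed_subnets(COMPONENT_SUBNETS, RANGES))
```

Running `exposed_subnets` against an export of the real range table shows which internal prefixes other areas can still see individually.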
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Area ID drop-down list you select the area ID of the address range.
 In the LSDB type drop-down list you select the route information aggregated by the address
range.
Possible values:
– summaryLink
The area range aggregates type 5 route information.
– nssaExternalLink
The area range aggregates type 7 route information.
 In the Network field you specify the IP address for the area subnet.
 In the Netmask field you specify the netmask for the area subnet.
6.6.8 OSPF Diagnostics
[ Routing > OSPF > Diagnostics ]
To function properly, OSPF relies on 2 basic processes.
 forming adjacencies
 after forming adjacencies, the neighboring routers exchange information and update their
routing table
The statistics displayed in the tabs help you to analyze the OSPF processes.
The dialog contains the following tabs:
 [Statistics]
 [Link state database]
 [Neighbors]
 [Virtual neighbors]
 [External link state database]
 [Route]
[Statistics]
In order to accomplish the 2 basic processes, OSPF routers send and receive various messages
containing information to form adjacencies, and update routing tables. The counters in the tab
indicate the amount of message traffic transmitted and received on the OSPF interfaces.
 Link State Acknowledgments (LSAcks) provide a response to a Link State Update (LS update)
request as part of the link state exchange process.
 The Hello messages allow a router to discover other OSPF routers in the area and to establish
adjacencies between the neighboring devices. After establishing adjacencies, the routers
advertise their credentials for establishing a role as either a Designated Router (DR), a Backup
Designated Router (BDR), or only as a participant in the OSPF network. The routers then use
the Hello messages to exchange information about the OSPF configuration in the Autonomous
System (AS).
 Database Description (DD) messages contain descriptions of the AS or area topology. The
messages also propagate the contents of the link state database for the AS or area from a router
to other routers in the area.
 Link State Requests (LS Request) messages provide a means of requesting updated
information about a portion of the Link State Database (LSDB). The message specifies the link
or links for which the requesting router requires current information.
 LS Update messages contain updated information about the state of certain links on the LSDB.
The router sends the updates as a response to an LS Request message. The router also
broadcasts or multicasts the messages periodically. The router uses the message contents to update
the information in the LSDBs of routers that receive them.
 LSAs contain the local routing information for the OSPF area. The router transmits the LSAs to
other routers in an OSPF area and only on interfaces connecting the router to the specific OSPF
area.
 Type 1 LSAs are router LSAs. Each router in an area originates a router-LSA. A single router
LSA describes the state and cost of every link in the area. The router floods type 1 LSAs only
across its own area.
 Type 2 LSAs are network LSAs. The DR creates a network LSA from information received in the
type 1 LSAs. The DR originates in its own area a network LSA for each broadcast and NBMA
network it is connected to. The LSA describes every router attached to the network, including
the DR itself. The router floods type 2 LSAs only across its own area.
 Type 3 LSAs are network summary LSAs. An Area Border Router (ABR) creates a single
network summary LSA from information contained in the type 1 and type 2 LSAs received from
the DRs. The ABR transmits network summary LSAs describing inter-area destinations. The
router floods type 3 LSAs across every area connected to it, except the area for which it
generated the type 3 LSA.
 Type 4 LSAs are Autonomous System Boundary Router (ASBR) summary LSAs. An ABR
creates a single ASBR summary LSA from information contained in the type 1 and type 2 LSAs
received from the DRs. The ABR transmits type 4 LSAs to areas different than the area it resides
in, to describe the ASBRs from which the ABR received type 5 LSAs. The router floods type 4
LSAs across every area connected to it, except the area for which it generated the type
4 LSA.
 Type 5 LSAs are AS external LSAs. The AS boundary routers create the AS external LSAs
describing destinations external to the AS. The type 5 LSAs contain information redistributed
into OSPF from other routing processes. The router floods type 5 LSAs to every area except
stub and NSSA areas.
Global
LSA retransmitted
Displays the total number of LSAs retransmitted since resetting the counters. When the router
transmits the same LSA to multiple neighbors, the router increments the count for each neighbor.
Hello packets received
Displays the total number of OSPFv2 Hello packets received since resetting the counters.
Hello packets transmitted
Displays the total number of OSPFv2 Hello packets transmitted since resetting the counters.
DB description packets received
Displays the total number of OSPFv2 Database Description packets received since resetting the
counters.
DB description packets transmitted
Displays the total number of OSPFv2 Database Description packets transmitted since resetting the
counters.
LS request packets received
Displays the total number of OSPFv2 Link State Request packets received since resetting the
counters.
LS request packets transmitted
Displays the total number of OSPFv2 Link State Request packets transmitted since resetting the
counters.
LS update packets received
Displays the total number of OSPFv2 LS Update packets received since resetting the counters.
LS update packets transmitted
Displays the total number of OSPFv2 LS Update packets transmitted since resetting the counters.
LS ack update packets received
Displays the total number of OSPFv2 LS Acknowledgement packets received since resetting the
counters.
LS ack update packets transmitted
Displays the total number of OSPFv2 LS Acknowledgement packets transmitted since resetting the
counters.
Max. rate of LSU received in any 5sec
Displays the maximum rate of OSPFv2 LS Update packets received over any 5-second interval
since resetting the counters. The field displays the rate in packets per second, that is, the
number of packets received during the 5-second interval, divided by 5.
Max. rate of LSU transmitted in any 5sec
Displays the maximum rate of OSPFv2 LS Update packets transmitted over any 5-second interval
since resetting the counters. The field displays the rate in packets per second, that is, the
number of packets transmitted during the 5-second interval, divided by 5.
Type-1 (Router) LSAs received
Displays the number of type 1 router LSAs received since resetting the counters.
Type-2 (Network) LSAs received
Displays the number of type 2 network LSAs received since resetting the counters.
Type-3 (Summary) LSAs received
Displays the number of type 3 network summary LSAs received since resetting the counters.
Type-4 (ASBR) LSAs received
Displays the number of type 4 ASBR summary LSAs received since resetting the counters.
Type-5 (External) LSAs received
Displays the number of type 5 external LSAs received since resetting the counters.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Link state database]
A router maintains a separate link state database for every area to which it belongs.
The router adds LSAs to the database in the following cases:
 When the router receives an LSA, for example during the flooding process.
 When the router originates the LSA.
When a router deletes an LSA from the database, it also removes the LSA from the link state
retransmission lists of the other routers in the network. A router deletes an LSA from its database
in the following cases:
 A newer instance overwrites the LSA during the flooding process.
 The router originates a newer instance of a self-originated LSA.
 The LSA ages out and the router flushes the LSA from the routing domain.
Table
Area ID
Displays the area ID from which the router received the LSA.
Type
Displays the type of the LSAs received.
Each LSA type has a separate advertisement format.
Possible values:
 routerLink
The router received the information from another router in the same area. Routers announce
their existence and list the links to other routers within the same area using a type 1 LSA. The
link state ID is the originating router ID.
 networkLink
The router received the information from a DR on a broadcast segment using a type 2 LSA. The
DR compiles the information received in type 1 LSAs and lists the routers linked together by the
segment. The link state ID is the IP interface address of the DR.
 summaryLink
The router received the information from an ABR using a type 3 LSA describing routes to
networks. ABRs compile information learned from type 1 and type 2 LSAs received from the
attached areas before sending the routing information to the other areas. The link state ID is the
destination network number which is the result of the summarization process.
 asSummaryLink
The router received the information from an ABR using a type 4 LSA describing routes to
ASBRs. ABRs compile information learned from type 1 and type 2 LSAs received from the
attached areas before sending the routing information to the other areas. The link state ID is the
destination network number.
 asExternalLink
The router received the information from an ASBR using a type 5 LSA describing routes to
another AS. The link state ID is the router ID of the ASBR.
 nssaExternalLink
The router received the information from a router in a NSSA using a type 7 LSA.
LSID
Displays the Link State ID (LSID) value received in the LSA.
The LSID is a field located in the LSA header. The field contains either a router ID or an IP address
according to the LSA type.
Possible values:
 <Router ID>
 Valid IPv4 address
Router ID
Displays the router ID uniquely identifying the originating router.
Sequence
Displays the value of the sequence field in an LSA.
The router examines the contents of the LS checksum field whenever the LS sequence number
field indicates that 2 instances of an LSA are the same. When there is a difference, the router
considers the instance with the larger LS checksum to be most recent.
Age
Displays the age of the link state advertisement in seconds.
When the router creates the LSA, the router sets the LS age to the value 0. As the routers transmit
the LSA across the network they increment the value by the value specified in the Transmit delay [s]
column.
If a router receives 2 LSAs for the same segment having identical LS sequence numbers and LS
checksums, then the router examines the age of the LSAs.
• The router immediately discards LSA with MaxAge.
• Otherwise, the router discards the LSA with the smaller age.
Checksum
Displays the contents of the checksum.
The field is a checksum of the complete contents of the LSA, except for the age field. The age field
of the advertisement increases as the routers transmit the message across the network. Excluding
the age field lets routers transmit the message without needing to update the checksum field.
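As an added illustration (not code from the manual or the device firmware), the following Python computes and verifies the LS checksum over a constructed router LSA with the Fletcher algorithm that OSPFv2 uses, skipping the age field as described above. The addresses, sequence number and helper names are constructed for the example.

```python
import ipaddress
import struct

AGE_LEN = 2        # LS age: first 2 bytes of the LSA header, not covered
CKSUM_OFFSET = 16  # position of the LS checksum field in the 20-byte header
HEADER_LEN = 20


def fletcher_sums(data):
    """Running Fletcher sums modulo 255 over the given bytes."""
    c0 = c1 = 0
    for byte in data:
        c0 = (c0 + byte) % 255
        c1 = (c1 + c0) % 255
    return c0, c1


def lsa_checksum(lsa):
    """Compute the 16-bit LS checksum; age and checksum fields are ignored."""
    if len(lsa) < HEADER_LEN:
        raise ValueError("LSA shorter than its header")
    covered = bytearray(lsa[AGE_LEN:])
    pos = CKSUM_OFFSET - AGE_LEN
    covered[pos:pos + 2] = b"\x00\x00"
    c0, c1 = fletcher_sums(covered)
    # Choose the two check bytes so that both sums over the final LSA are zero.
    x = ((len(covered) - pos - 1) * c0 - c1) % 255
    if x == 0:
        x = 255
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    return (x << 8) | y


def stored_checksum(lsa):
    """Read the checksum value carried in the LSA header."""
    return struct.unpack_from("!H", lsa, CKSUM_OFFSET)[0]


def lsa_checksum_ok(lsa):
    """Receiver-side check: length field is consistent and both sums are zero."""
    if len(lsa) < HEADER_LEN:
        return False
    (length,) = struct.unpack_from("!H", lsa, 18)
    if length != len(lsa):
        return False
    return fletcher_sums(lsa[AGE_LEN:]) == (0, 0)


def build_router_lsa(age, router_id, seq, links):
    """Build a type 1 LSA; links are (link ID, link data, link type, metric)."""
    rid = ipaddress.ip_address(router_id).packed
    body = struct.pack("!BBH", 0, 0, len(links))
    for link_id, link_data, link_type, metric in links:
        body += ipaddress.ip_address(link_id).packed
        body += ipaddress.ip_address(link_data).packed
        body += struct.pack("!BBH", link_type, 0, metric)
    # Options 0x02 sets the E-bit; LS type 1; checksum filled in afterwards.
    header = struct.pack("!HBB4s4sIHH", age, 0x02, 1, rid, rid, seq, 0,
                         HEADER_LEN + len(body))
    lsa = bytearray(header + body)
    struct.pack_into("!H", lsa, CKSUM_OFFSET, lsa_checksum(bytes(lsa)))
    return bytes(lsa)


def with_age(lsa, age):
    """Return the same LSA with a different LS age, checksum left untouched."""
    return struct.pack("!H", age) + lsa[AGE_LEN:]


def sample_lsa():
    # Constructed values (documentation address ranges), not from the manual.
    return build_router_lsa(1, "192.0.2.1", 0x80000001,
                            [("198.51.100.0", "255.255.255.0", 3, 10)])


if __name__ == "__main__":
    lsa = sample_lsa()
    print(hex(stored_checksum(lsa)), lsa_checksum_ok(lsa))
    print("aged copy still valid:", lsa_checksum_ok(with_age(lsa, 1800)))
```

The checksum is unkeyed and only detects corruption; protection against forged packets comes from the MD5 authentication configured on the interface or virtual link.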
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Neighbors]
The Hello Protocol is responsible for neighbor acquisition, maintenance, and for 2-way
communication between neighbors.
During the acquisition process, the routers on a segment compare their configurations for
compatibility. If the routers are compatible, then the routers form adjacencies. The routers discover
their master or slave status using information provided in the Hello packets.
After the routers discover their roles, they exchange routing information to synchronize their routing
databases. When the routers finish updating their databases, the neighbors are fully adjacent and
the LSA lists the adjacency.
Table
Neighbor ID
Displays the router ID of the neighboring router.
The router learns this value from Hello packets received from the neighbor. The value is a static
value for virtual adjacencies.
IP address
Displays the IP address of the neighboring router interface attached to the port.
When sending unicast protocol packets on this adjacency, the router uses the value as the
destination IP address. When the neighboring router is the DR, the value is also used in router
LSAs as the link ID for the attached network. The router learns the neighbor IP address when it
receives Hello packets from the neighbor. For virtual links, the router learns the neighbor IP address
while building the routing table.
Interface
Displays the interface to which the entries in this row refer.
Status
Displays the state of the relationship with the neighbor listed in this instance.
An event invokes each state change, such as a received Hello packet. This event produces
different effects, depending on the current state of the neighbor. Also, depending on the state of
neighbor change, the routers initiate a DR election.
Possible values:
 down (default setting)
The initial state of a neighbor conversation or a router terminated the conversation due to
expiration of the Dead interval [s] timer.
 attempt
The state is only valid for neighbors attached to NBMA networks. The information from the
neighbor remains unresolved. The router actively attempts to contact the neighbor by sending
the neighbor Hello packets in the interval specified in Hello interval [s].
 init
The router has recently seen a Hello packet from the neighbor. However, the router has only
established uni-directional communication with the neighbor. For example, the router ID of this
router is missing from the Hello packet of the neighbor. When sending Hello packets, the
associated interface lists neighbors in this state or higher.
 twoWay
Communication between the 2 routers is bidirectional. The router verifies the operation by
examining the contents of the Hello packet. The routers elect a DR and BDR from the set of
neighbors while in or after the 2-way state.
 exchangeStart
The first step in creating an adjacency between the 2 neighboring routers. The goal of this step
is to decide which router is the master and to decide upon the initial Sequence number.
 exchange
The router is announcing its entire link state database by sending Database Description (DD)
packets to the neighbor. The router explicitly acknowledges each DD packet. Each packet has
a sequence number. The adjacencies only allow 1 DD packet to be outstanding at any time. In
this state, the router sends LS Request packets asking for up-to-date database information. The
adjacencies are fully capable of transmitting and receiving OSPF routing protocol packets.
 loading
The router sends LS Request packets to the neighbor inquiring about the outstanding database
updates sent in the exchange state.
 full
The neighboring routers are fully adjacent. The adjacencies now appear in router LSAs and
network LSAs.
Dead time
Displays the amount of time remaining before the router declares the neighbor status as down. The
timer initiates the count down after the router receives a Hello packet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Virtual neighbors]
OSPF requires a continuous connection of the Autonomous System backbone area. OSPF also
requires that every area has a connection to the backbone area. The physical location of routers
often prohibits an area from directly connecting to the backbone area. Virtual links allow you to
connect physically separated areas to the backbone area.
The ABRs of the backbone area and the physically separated area form a point-to-point link through
a transit area. When the ABRs establish an adjacency, the backbone router LSAs include the link
and OSPF packets flow over the virtual link. Furthermore, the routing database of each endpoint
router includes the link state information of the other endpoint router.
Note: OSPF lets you specify virtual links through every type of area except for stub areas.
Table
Area ID
Displays the transit area ID of the virtual link.
Router ID
Displays the router ID of the other virtual endpoint ABR.
After virtual adjacencies form, the virtual link carries OSPF packets such as Hello packets and LS
update packets containing database information. The prerequisite is that the LSAs of the neighbor
router contain the router ID of the local router.
IP address
Displays the IP address of the virtual neighbor.
The router uses the IP address to send OSPF packets across the transit network to the virtual
neighbor.
Options
Displays the information contained in the options field of the LSA. This value indicates the
capabilities of the virtual neighbor.
The options field used in the Hello packets allows routers to identify their optional capabilities, and
to communicate the capabilities to other routers. This mechanism lets you mix routers of different
capabilities within a routing domain.
The router supports 4 options by setting the following bits in the options field either high or low
depending on the capabilities of the router. The field displays the value by adding the following
option bits together. You read the fields from least significant bit to most significant bit.
• The router advertises the ability to process TOS 0 in AS external routes when it sets the E-bit
high. The E-bit is the second bit in the options field and represents the value 2^1 or 2.
• The router advertises the ability to process multicast routes when it sets the MC-bit high. The
MC-bit is the third bit in the options field and represents the value 2^2 or 4.
• The router advertises the ability to process AS external routes in an NSSA summary with type
7 LSAs when it sets the N/P-bit high. The N/P-bit is the fourth bit in the options field and
represents the value 2^3 or 8.
• The router advertises the ability to process demand circuits when it sets the DC-bit high. The
DC-bit is the sixth bit in the options field and represents the value 2^5 or 32.
In a special case, the router sets the E-bit low.
• The router advertises the ability to process TOS metrics other than TOS 0 when it sets the E-bit
low. The E-bit is the second bit in the options field and when set low, the bit represents the value
0.
Possible values:
 2,6,10,14,34,38,42,46
The values indicate that the virtual neighbor supports Type of Service metric (TOS) 0 in AS
external LSAs.
 0,4,8,12,32,36,40,44
The values indicate that the virtual neighbor supports TOS metrics other than TOS 0.
 4,6,12,14,36,38,44,46
The values indicate that the virtual neighbor supports multicast routing.
 8,10,12,14,40,42,44,46
The values indicate that the virtual neighbor supports type 7 LSAs.
 32,34,36,38,40,42,44,46
The values indicate that the virtual neighbor supports demand circuits.
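The following Python is an added example, not part of the manual or of HiOS: it decodes a displayed Options value with the bit values listed above, regenerates the Possible values lists from those bits, and reports which capabilities changed between a recorded and a current value. The function names and the drift check are assumptions made for this illustration.

```python
# Option bits and values exactly as listed in the manual text above.
OPTION_BITS = {"E": 2, "MC": 4, "N/P": 8, "DC": 32}
SUPPORTED_MASK = sum(OPTION_BITS.values())   # 46


def decode_options(value):
    """Split the displayed Options value into capability names."""
    if not 0 <= value <= 0xFF:
        raise ValueError("the options field is a single octet")
    return {
        "set": [name for name, bit in OPTION_BITS.items() if value & bit],
        # E-bit high: TOS 0 in AS external routes; low: other TOS metrics.
        "tos0_external": bool(value & OPTION_BITS["E"]),
        # Bits outside the 4 options named on the page; not interpreted here.
        "other_bits": value & ~SUPPORTED_MASK & 0xFF,
    }


def values_with(name, is_set=True):
    """Every combination of the 4 bits in which option `name` is set (or clear)."""
    bit = OPTION_BITS[name]
    return [v for v in range(SUPPORTED_MASK + 1)
            if v & ~SUPPORTED_MASK == 0 and bool(v & bit) == is_set]


def options_drift(baseline, observed):
    """Capabilities gained or lost between a recorded and a current value."""
    before = set(decode_options(baseline)["set"])
    after = set(decode_options(observed)["set"])
    return {"gained": sorted(after - before), "lost": sorted(before - after)}


if __name__ == "__main__":
    print(decode_options(42))          # constructed sample value
    print(values_with("E"))            # matches the first Possible values list
    print(options_drift(34, 2))        # constructed baseline and current value
```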
Status
Displays the state of the relationship with the neighbor listed in this instance.
An event invokes each state change, such as a received Hello packet. This event produces
different effects, depending on the current state of the neighbor. Also, depending on the state of
neighbor change, the routers initiate a DR election.
Possible values:
 down (default setting)
The initial state of a neighbor conversation or a router terminated the conversation due to
expiration of the Dead interval [s] timer.
 attempt
The state is only valid for neighbors attached to NBMA networks. Information from the neighbor
remains unresolved. The router actively attempts to contact the neighbor by sending the
neighbor Hello packets in the interval specified in Hello interval [s].
 init
The router has recently seen a Hello packet from the neighbor. However, the router has only
established uni-directional communication with the neighbor. For example, the router ID of this
router is missing from the Hello packet of the neighbor. When sending Hello packets, the
associated interface lists neighbors in this state or higher.
 twoWay
Communication between the 2 routers is bidirectional. The router verifies the operation by
examining the contents of the Hello packet. The routers elect a DR and BDR from the set of
neighbors while in or after the 2-way state.
 exchangeStart
The first step in creating an adjacency between the 2 neighboring routers. The goal of this step
is to decide which router is the master and to decide upon the initial Sequence number.
 exchange
The router is announcing its entire link state database by sending Database Description (DD)
packets to the neighbor. The router explicitly acknowledges each DD packet. Each packet has
a sequence number. The adjacencies only allow 1 DD packet to be outstanding at any time. In
this state, the router sends LS Request packets asking for up-to-date database information. The
adjacencies are fully capable of transmitting and receiving OSPF routing protocol packets.
 loading
The router sends LS Request packets to the neighbor inquiring about the outstanding database
updates sent in the exchange state.
 full
The neighboring routers are fully adjacent. The adjacencies now appear in router LSAs and
network LSAs.
Events
Displays the number of times this interface changed its state due to a received event such as
HelloReceived or 2-way.
Length of retransmission queue
Displays the length of the retransmission list.
In order to flood LSAs out of an interface to the neighbor, the router places the LSAs on the link
state retransmission list of the adjacency. To validate LSA flooding, the router retransmits the LSAs
until the neighbor acknowledges the LSA reception. You configure the length of time between
retransmissions in the Routing > OSPF > Interfaces dialog in the Retrans interval [s] column.
Suppressed Hellos
Displays whether the router is suppressing Hello packets to the neighbor.
Suppressing Hello packet transmission to the neighbor lets demand circuits close, on point-to-point
links, during periods of inactivity. In NBMA networks, the periodic transmission of LSAs causes the
circuit to remain open.
Possible values:
 marked
The router suppresses Hello packets.
 unmarked
The router transmits Hello packets.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[External link state database]
The table displays the contents of the external link state database, with an entry for each unique
link state ID. External links allow the area to connect to destinations outside of the autonomous
system. Routers pass information about the external links throughout the network as link state
updates.
Table
Type
Displays the type of the link state advertisement. When the router detects an external link state
advertisement, the router enters the information in the table.
Possible values:
 asExternalLink
LSID
Displays the Link State ID. The Link State ID is an LS type-specific field containing either a router ID or an IP address.
The value identifies the routing domain described in the advertisement.
Router ID
Displays the router ID uniquely identifying the originating router.
Sequence
Displays the value of the sequence field in an LSA.
The router examines the contents of the LS checksum field whenever the LS sequence number
field indicates that 2 instances of an LSA are the same. When there is a difference, the router
considers the instance with the larger LS checksum to be most recent.
Age
Displays the age of the link state advertisement in seconds.
When the router creates the LSA, the router sets the LS age to the value 0. As the routers transmit
the LSA across the network they increment the value by the value specified in the Transmit delay [s]
column.
If a router receives 2 LSAs for the same segment having identical LS sequence numbers and LS
checksums, then the router examines the age of the LSAs.
• The router immediately discards LSA with MaxAge.
• Otherwise, the router discards the LSA with the smaller age.
Checksum
Displays the contents of the checksum.
The field is a checksum of the complete contents of the LSA, except for the age field. The age field
of the advertisement increases as the routers transmit the message across the network. Excluding
the age field lets routers transmit the message without needing to update the checksum field.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Route]
The dialog displays the OSPF route information learned from the Link State Advertisements (LSA).
Table
IP address
Displays the IP address of the network or subnet for the route.
Netmask
Displays the netmask for the network or subnet.
Metric
Displays the route cost, calculated in the SPF algorithm, to reach the network.
Type
Displays the type of route that was learned from OSPF.
Possible values:
 intra
Entry for routes from the OSPF protocol within an area.
 inter
Entry for routes from the OSPF protocol between areas.
 ext-type1
These routes were imported from an Autonomous System Boundary Router (ASBR) into the
OSPF area. These routes use the costs relating to the connection between the ASBR and the
route costs includes this device.
 ext-type2
These routes were imported from an Autonomous System Boundary Router (ASBR) into the
OSPF area. These routes do not use the costs relating to the connection between the ASBR
and the route costs includes this device.
 nssa-type1
These routes were imported from an Autonomous System Boundary Router (ASBR) into the
Not-So-Stub Area. These routes use the costs relating to the connection between the ASBR and
the route costs includes this device.
 nssa-type2
These routes were imported from an Autonomous System Boundary Router (ASBR) into the
Not-So-Stub Area. These routes do not use the costs relating to the connection between the
ASBR and the route costs includes this device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.7 Routing Table
[ Routing > Routing Table ]
This dialog displays the routing table with the routes configured in the device. Using the routing
table, the device learns the router interface through which it transfers IP packets that are addressed
to recipients in a different network.
Configuration
Preference
Specifies the preference number that the device assigns by default to the newly configured, static
routes.
Possible values:
 1..255 (default setting: 1)
Routes with a value of 255 will be ignored by the device in the routing decision.
Table
Port
Displays the router interface through which the device is currently transmitting IP packets
addressed to the destination network.
Possible values:
 <Router interface>
The device uses this router interface to transfer IP packets addressed to the destination
network.
 no port
The static route is currently not assigned to a router interface.
Network address
Displays the address of the destination network.
Netmask
Displays the netmask.
Next hop IP address
Displays the IP address of the next router on the path to the destination network.
Type
Displays the type of the route.
Possible values:
 local
The router interface is directly connected to the destination network.
 remote
The router interface is connected to the destination network through a router (Next hop IP
address).
 reject
The device discards IP packets addressed to the destination network and informs the sender.
 other
The route is inactive. See the Active checkbox.
Protocol
Displays the origin of this route.
Possible values:
 local
The device created this route when setting up the router interface. See the Routing > Interfaces >
Configuration dialog.
 netmgmt
A user created this static route with the
button.
 ospf
The OSPF function created this route. See the Routing > OSPF dialog.
 rip
The RIP function created this route. See the Routing > RIP dialog.
Preference
Specifies the "administrative distance" of the route.
The device uses this value instead of the metric, when the metric of the routes is incomparable.
Possible values:
 0
Reserved for routes that the device creates when setting up the router interfaces. These routes
have the value local in the Protocol column.
 1..254
In routing decisions, the device gives preference to the route with the smallest value.
 255
In routing decisions, the device ignores the route.
The "administrative distance" can be set for static routes created using the
button.
Metric
Displays the metric of the route.
The device transmits the data packets using the route with the smallest value.
Last update [s]
Displays the time in seconds, since the current settings of the route were entered in the routing
table.
Track name
Specifies the tracking object with which the device links the route.
The device automatically activates or deactivates static routes – depending on the link status of an
interface or the reachability of a remote router or end device.
You set up tracking objects in the Routing > Tracking > Configuration dialog.
Possible values:
 Name of the tracking object, made up of Type and Track ID.
 –
No tracking object selected.
This function is used only for static routes. (Column Protocol = netmgmt)
Active
Displays whether the route is active or inactive.
Possible values:
 marked
The route is active; the device uses the route.
 unmarked
The route is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create dialog to create a static route.
 In the Network address field, you specify the address of the destination network.
Possible values:
– Valid IPv4 address
If you specify a default route (0.0.0.0), then you specify a default gateway in the Next hop IP
address field. This setting takes precedence over the setting in the following dialog:
– Basic Settings > Network dialog, Gateway address field
 In the Netmask field, you specify the netmask that identifies the network prefix in the address of
the destination network.
Possible values:
– Valid IPv4 netmask
 In the Next hop IP address field, you specify the IP address of the next router on the path to the
destination network.
Possible values:
– Valid IPv4 address
To make a reject type route, specify the value 0.0.0.0 in this field. With this route, the
device discards IP packets addressed to the destination network and informs the sender.
 In the Preference field, you specify the preference number that the device uses to decide which
of several existing routes to the destination network it will use.
Possible values:
– 1..255
In routing decisions, the device gives preference to the route with the smallest value. The
default setting is the value specified in the Configuration frame, field Preference.
 In the Track name field, you specify the tracking object with which the device links the route.
Possible values:
– –
No tracking object selected.
– Name of the tracking object, made up of Type and Track ID.
6.8 Tracking
[ Routing > Tracking ]
The tracking function lets you monitor what are known as tracking objects. Examples of monitored
tracking objects are the link status of an interface or the reachability of a remote router or end
device.
The device forwards status changes of the tracking objects to the registered applications, for
example to the routing table or to a VRRP instance. The applications then react to the status
changes:
• In the routing table, the device activates/deactivates the route linked to the tracking object.
• The VRRP instance linked to the tracking object reduces the priority of the virtual router so that
a backup router takes over the role of the master.
If you set up the tracking objects in the Tracking Configuration dialog, then you can link applications
with the tracking objects:
• You link static routes with a tracking object in the Routing > Routing Table dialog, Track name
column.
• You link virtual routers with a tracking object in the Routing > L3-Redundancy > VRRP > Tracking
dialog. Click the
button to open the Create window and select the tracking object in the Track
name drop-down list.
The menu contains the following dialogs:
• Tracking Configuration
• Tracking Applications
6.8.1 Tracking Configuration
[ Routing > Tracking > Configuration ]
In this dialog, you set up the tracking objects.
Table
Type
Specifies the type of the tracking object.
Possible values:
 interface
The device monitors the link status of its physical ports or of its link aggregation, LRE or VLAN
router interface.
 ping
The device monitors the route to a remote router or end device by means of periodic ping
requests.
 logical
The device monitors tracking objects logically linked to each other and thus enables complex
monitoring tasks.
Track ID
Specifies the identification number of the tracking object.
Possible values:
 1..256
This range is available to every type (interface, ping and logical).
Track name
Displays the name of the tracking object made up of Type and Track ID.
Active
Activates/deactivates the monitoring of the tracking object.
Possible values:
 marked
Monitoring is active. The device monitors the tracking object.
 unmarked (default setting)
Monitoring is inactive.
Description
Specifies the description.
Here you describe what the device uses the tracking object for.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Status
Displays the monitoring result of the tracking object.
Possible values:
 up
The monitoring result is positive:
– The link status is active.
or
– The remote router or end device is reachable.
or
– The result of the logical link is TRUE.
 down
The monitoring result is negative:
– The link status is inactive.
or
– The remote router or end device is not reachable.
or
– The result of the logical link is FALSE.
 notReady
The monitoring of the tracking object is inactive. You activate the monitoring in the Active
column.
Changes
Displays the number of status changes since the tracking object has been activated.
Last changed
Displays the time of the last status change.
Send trap
Activates/deactivates the sending of an SNMP trap when someone activates or deactivates the
tracking object.
Possible values:
 marked
If someone activates or deactivates the tracking object in the Active column, then the device
sends an SNMP trap.
 unmarked (default setting)
The device does not send an SNMP trap.
Port
Specifies the interface to be monitored for tracking objects of the interface type.
Possible values:
 <Interface number>
Number of the physical ports or of the link aggregation, LRE or VLAN router interface.
 no Port
No tracking object of the interface type.
Link up delay [s]
Specifies the period in seconds after which the device evaluates the monitoring result as positive.
If the link has been active on the interface for longer than the period specified here, then the Status
column displays the value up.
Possible values:
 0..255
 –
No tracking object of the logical type.
Link down delay [s]
Specifies the period in seconds after which the device evaluates the monitoring result as negative.
If the link has been inactive on the interface for longer than the period specified here, then the Status
column displays the value down.
Possible values:
 0..255
 –
No tracking object of the interface type.
If the link to every aggregated port is interrupted, then Link aggregation, LRE and VLAN router
interfaces have a negative monitoring result.
If the link to every physical port and link-aggregation interface which is a member of the VLAN is
interrupted, then a VLAN router interface has a negative monitoring result.
Ping port
Specifies the router interface for tracking objects of the ping type through which the device sends
the ping request packets.
Possible values:
 <Interface number>
Number of the router interface.
 noName
No router interface assigned.
 –
No tracking object of the ping type.
IP address
Specifies the IP address of the remote router or end device to be monitored.
Possible values:
 Valid IPv4 address
 –
No tracking object of the ping type.
Ping interval [ms]
Specifies the interval in milliseconds at which the device periodically sends ping request packets.
Possible values:
 100..20000 (default setting: 1000)
If you specify a value <1000, then you can set up a maximum of 16 tracking objects of the ping
type.
 –
No tracking object of the ping type.
Ping replies to lose
Specifies the number of missed responses from the device after which the device evaluates the
monitoring result as negative. If the device does not receive a response to its sent ping request
packets for the number of times specified here in a row, then the Status column displays the value
down.
Possible values:
 1..10 (default setting: 3)
 –
No tracking object of the ping type.
Ping replies to receive
Specifies the number of received responses from the device after which the device evaluates the
monitoring result as positive. If the device receives a response to its sent ping request packets for
the number of times specified here in a row, then the Status column displays the value up.
Possible values:
 1..10 (default setting: 2)
 –
No tracking object of the ping type.
Ping timeout [ms]
Specifies the period in milliseconds for which the device waits for a response. If the device does
not receive a response within this period, then the device evaluates this as a missed response. See
the Ping replies to lose column.
Possible values:
 10..10000 (default setting: 100)
If a large number of ping tracking objects is set up in the device, then specify a sufficiently large
value. If more than 100 instances are present, then specify at least 200 ms.
 –
No tracking object of the ping type.
Ping TTL
Specifies the TTL value in the IP header with which the device sends the ping request packets.
TTL (Time To Live, also known as “Hop Count”) identifies the maximum number of steps an IP
packet is allowed to perform on the way from the sender to the receiver.
Possible values:
 –
No tracking object of the ping type.
 1..255 (default setting: 128)
Best route
Displays the number of the router interface through which the best route leads to the monitored
router or end device.
Possible values:
 <Port number>
Number of the router interface.
 no Port
No route exists.
 –
No tracking object of the ping type.
Logical operand A
Specifies the first operand of the logical link for tracking objects of the logical type.
Possible values:
 Tracking objects set up
 –
No tracking object of the logical type.
Logical operand B
Specifies the second operand of the logical link for tracking objects of the logical type.
Possible values:
 Tracking objects set up
 –
No tracking object of the logical type.
Operator
Links the tracking objects specified in the Logical operand A and Logical operand B fields.
Possible values:
 and
Logical AND link
 or
Logical OR link
 –
No tracking object of the logical type.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Type field, you specify the type of the tracking object.
Possible values:
– interface
The device monitors the link status of its physical ports or of its link aggregation, LRE or
VLAN router interface.
– ping
The device monitors the route to a remote router or end device by means of periodic ping
requests.
– logical
The device monitors tracking objects logically linked to each other and thus enables complex
monitoring tasks.
 In the Track ID field, you specify the identification number of the tracking object.
Possible values:
– 1..2147483647
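Added example (not part of the Hirschmann manual and not HiOS code): a small Python model of how the Ping replies to lose, Ping replies to receive and Ping timeout settings, a logical tracking object, and the Preference of tracked static routes combine into a routing decision. The class and function names, the sample addresses, and the assumption that an activated ping object starts as down are illustrative.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class PingTrack:
    """Ping tracking object; defaults are the manual's default settings."""
    replies_to_lose: int = 3
    replies_to_receive: int = 2
    timeout_ms: int = 100
    status: str = "down"      # assumption: an activated object starts as down
    changes: int = 0          # mirrors the Changes column
    _hits: int = field(default=0, repr=False)
    _misses: int = field(default=0, repr=False)

    def probe(self, rtt_ms: Optional[float]) -> str:
        """Record one ping result: RTT in ms, or None when no reply arrived."""
        # A reply that arrives after the timeout counts as a missed response.
        answered = rtt_ms is not None and rtt_ms <= self.timeout_ms
        if answered:
            self._hits, self._misses = self._hits + 1, 0
            if self.status == "down" and self._hits >= self.replies_to_receive:
                self.status, self.changes = "up", self.changes + 1
        else:
            self._misses, self._hits = self._misses + 1, 0
            if self.status == "up" and self._misses >= self.replies_to_lose:
                self.status, self.changes = "down", self.changes + 1
        return self.status


@dataclass
class LogicalTrack:
    """Logical tracking object: operand A and operand B linked by and / or."""
    operand_a: Union[PingTrack, "LogicalTrack"]
    operand_b: Union[PingTrack, "LogicalTrack"]
    operator: str

    @property
    def status(self) -> str:
        a = self.operand_a.status == "up"
        b = self.operand_b.status == "up"
        if self.operator == "and":
            result = a and b
        elif self.operator == "or":
            result = a or b
        else:
            raise ValueError(f"unknown operator: {self.operator!r}")
        return "up" if result else "down"


@dataclass
class StaticRoute:
    next_hop: str
    preference: int           # 1..255, the smallest value is preferred
    track: Optional[Union[PingTrack, LogicalTrack]] = None

    @property
    def active(self) -> bool:
        # An untracked route stays active; a tracked one follows its object.
        return self.track is None or self.track.status == "up"


def best_route(routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Pick the active route with the smallest preference; 255 is ignored."""
    usable = [r for r in routes if r.active and r.preference != 255]
    return min(usable, key=lambda r: r.preference, default=None)


def replay(track: PingTrack, rtts: List[Optional[float]]) -> List[str]:
    """Feed a sequence of probe results and return the status after each."""
    return [track.probe(r) for r in rtts]


def demo():
    """Constructed scenario: tracked primary route, untracked backup route."""
    gateway, upstream = PingTrack(), PingTrack()
    both = LogicalTrack(gateway, upstream, "and")
    routes = [StaticRoute("192.0.2.1", 1, both),     # primary, tracked
              StaticRoute("198.51.100.1", 10)]       # backup, untracked
    chosen = []
    replay(gateway, [4, 5])
    replay(upstream, [20, 22])
    chosen.append(best_route(routes).next_hop)       # both up: primary
    replay(upstream, [None, 250])                    # 250 ms exceeds the timeout
    chosen.append(best_route(routes).next_hop)       # two misses: still primary
    replay(upstream, [None])
    chosen.append(best_route(routes).next_hop)       # third miss: backup
    replay(upstream, [18, None, 19])
    chosen.append(best_route(routes).next_hop)       # no two replies in a row yet
    replay(upstream, [19])
    chosen.append(best_route(routes).next_hop)       # second reply in a row: primary
    return chosen, upstream.changes


if __name__ == "__main__":
    print(demo())
```

The consecutive-count rule is what keeps a single lost or late reply from moving traffic to the backup route, and a single stray reply from moving it back.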
6.8.2 Tracking Applications
[ Routing > Tracking > Applications ]
In this dialog, you see which applications are linked with the tracking objects.
The following applications can be linked with tracking objects:
• You link static routes with a tracking object in the Routing > Routing Table dialog, Track name
column.
• You link virtual routers with a tracking object in the Routing > L3-Redundancy > VRRP > Tracking
dialog. Click the
button to open the Create window and select the tracking object in the Track
name drop-down list.
Table
Type
Displays the type of the tracking object.
Track ID
Displays the identification number of the tracking object.
Application
Displays the name of the application that is linked with the tracking object.
Possible values:
 Tracking objects of the logical type
 Static routes
 Virtual router of a VRRP instance
Track name
Displays the name of the tracking object made up of Type and Track ID.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.9 L3 Relay
[ Routing > L3 Relay ]
Clients in a subnet send BOOTP/DHCP broadcast messages to DHCP servers requesting
configuration information such as IP addresses. Routers provide a border for broadcast domains
so that BOOTP/DHCP requests remain in the local subnet. The Layer 3 Relay (L3 Relay) function
acts as a proxy for clients that require information from a BOOTP/DHCP server in another network.
When you configure this device to retrieve IP addresses from a DHCP server located in another
subnet, the L3 Relay function lets you forward requests across multiple hops to a server located in
another network.
Using IP helper addresses and UDP helper ports the L3 Relay forwards DHCP packets between
the clients and servers. The IP helper address is the DHCP server IP address. Clients use the UDP
helper port to request a type of information such as DNS information on UDP port 53, or DHCP
information on UDP port 67.
The L3 Relay function provides you the following advantages over the standard BOOTP/DHCP function:
• redundancy, when you specify multiple servers to process client requests.
• load balancing, when you specify multiple interfaces to relay broadcast packets from the client
to the servers.
• central management, useful in large networks. The administrator saves the device
configurations on a centrally located server which responds to client requests in multiple
subnets.
• diversity, this function lets you specify up to 512 entries.
Operation
Operation
Enables/disables the L3 Relay function.
Possible values:
 On
The L3 Relay function is globally enabled.
 Off (default setting)
The L3 Relay function is globally disabled.
Configuration
Circuit ID
Activates/deactivates the BOOTP/DHCP Circuit ID Option Mode.
The device sends circuit ID suboption information, identifying the local agent, to the DHCP server.
The DHCP server uses the suboption information to send responses back to the proper agent.
Possible values:
 marked
The device adds the circuit ID of the DHCP relay agent to the suboptions for client requests.
 unmarked (default setting)
The device removes the DHCP relay agent circuit ID suboptions from client requests.
BOOTP/DHCP wait time (min.)
Specifies the minimum amount of time that the device delays forwarding the BOOTP/DHCP
request.
The end devices send broadcast requests on the local network. This setting lets a local server
respond to the client request before the router forwards the client request through the interfaces.
Possible values:
 0..100 (default setting: 0)
If a local server is absent from the network, then set the value to 0.
BOOTP/DHCP hops (max.)
Specifies the maximum number of cascaded devices allowed to forward the BOOTP/DHCP
request.
If the hop count exceeds the maximum number of hops specified in this field, then the device drops
BOOTP requests.
Possible values:
 0..16 (default setting: 4)
Information
DHCP client messages received
Displays the number of DHCP requests received from the clients.
DHCP client messages relayed
Displays the number of DHCP requests forwarded to the servers specified in the table.
DHCP server messages received
Displays the number of DHCP offers received from the servers specified in the table.
DHCP server messages relayed
Displays the number of DHCP offers forwarded to the clients from the servers specified in the table.
UDP messages received
Displays the number of UDP requests received from the clients.
UDP messages relayed
Displays the number of UDP requests forwarded to the servers specified in the table.
Packets with expired TTL
Displays the number of UDP packets received with an expired TTL value.
Discarded packets
Displays the number of UDP packets that the device discarded because the packet matched an active
table entry.
Table
Port
Displays the interface to which the table entry applies.
UDP port
Displays the UDP port for client messages received on this interface for this table entry. The device
forwards client DHCP messages matching the UDP port criteria to the IP helper address specified
in this table entry.
IP address
Displays the IP helper address associated with this table entry.
Hits
Displays the current number of packets that the interface forwards for the specified UDP port in this
table entry.
Active
Activates/deactivates the table entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset statistics
Resets the table statistics.
Create
Port
Specifies the interface to which the entry applies.
Interface configurations take priority over global configurations. If the destination UDP port for a
packet matches any entry on an ingress interface, then the device handles the packet according to
the interface configuration. If none of the interface entries match the packet, then the device
handles the packet according to the global configuration.
Possible values:
 All (default setting)
Relay entries with this port value specify a global configuration.
 <available interfaces>
Used to specify interface configurations.
UDP port
Specifies the helper UDP port criteria for packets received on this interface for this entry. When
active, the device forwards packets received with this destination UDP port value to the IP address
specified in this entry.
Possible values:
 default (default setting)
Equal to UDP port 0.
An entry with a UDP port specified as 0 enables the dhcp, time, nameserver, tacacs, dns, tftp,
netbios-ns, and netbios-dgm entries.
 dhcp
Equal to UDP port 67.
The device forwards DHCP requests for IP address assignment and networking parameters.
 domain
Equal to UDP port 53.
The device forwards DNS requests for host name to IP address conversion.
 isakmp
Equal to UDP port 500.
The device forwards Internet Security Association and Key Management Protocol requests. The
requests specify procedures and packet formats which establish, negotiate, modify and delete
Security Associations.
 mobile-ip
Equal to UDP port 434.
The device forwards Home Agent Registration requests. Use this value when you install the
device in a network other than the home network.
 nameserver
Equal to UDP port 42.
The device forwards Windows Internet Name Service requests. You use the port to copy the
NetBIOS name table from 1 Windows server to another.
 netbios-dgm
Equal to UDP port 138.
The device forwards NetBIOS Datagram Service requests. The datagram service provides the
ability to send a message to a unique name or to a group name.
 netbios-ns
Equal to UDP port 137.
The device forwards NetBIOS Name Service requests for name registration and resolution.
 ntp
Equal to UDP port 123.
The device forwards Network Time Protocol requests. Use this value for peer-to-peer
synchronization where both peers consider the other to be a time source.
 pim-auto-rp
Equal to UDP port 496.
The device forwards Protocol Independent Multicast-Automatic-Rendezvous Point requests.
The Rendezvous Point (RP) serves as the root of the shared multicast delivery tree and is
responsible for gathering multicast data from different sources, then forwarding the data to the
clients.
 rip
Equal to UDP port 520.
The device forwards RIP requests and RIP response messages.
 tacacs
Equal to UDP port 49.
The device forwards TACACS Login Host Protocol requests for remote authentication and
related services for networked access control through a centralized server.
 tftp
Equal to UDP port 69.
The device forwards Trivial File Transfer Protocol requests and responses.
 time
Equal to UDP port 37.
The device forwards Time Protocol requests. The device forwards client requests to a server
that supports the time protocol. The server then responds with a message containing an integer
representing the number of seconds since 00:00 1 January, 1900 GMT, and closes the data link.
 0..65535
When you know the UDP port number, the device lets you specify the port number directly.
IP address
Specifies the IP helper address for packets received on this interface.
Possible values:
 Valid IP address
An address of 0.0.0.0 identifies the entry as a discard entry. The device drops packets that
match a discard entry. You specify discard entries only on the interfaces.
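Added example (not part of the Hirschmann manual and not HiOS code): a Python model of the relay decision described above, usable for reviewing which broadcast services a set of table entries actually forwards from each interface. The interface names and helper addresses are constructed, and the rule that a discard entry wins over a forwarding entry for the same interface and UDP port is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Services the manual lists as enabled by an entry whose UDP port is "default" (0).
DEFAULT_SET = {67: "dhcp", 37: "time", 42: "nameserver", 49: "tacacs",
               53: "domain", 69: "tftp", 137: "netbios-ns", 138: "netbios-dgm"}
DISCARD = "0.0.0.0"     # helper address that marks a discard entry
GLOBAL = "All"          # Port value that marks a global entry


@dataclass(frozen=True)
class RelayEntry:
    port: str            # "All" or an interface name (names here are constructed)
    udp_port: int        # 0 means "default"
    helper: str          # IP helper address
    active: bool = True

    def matches(self, dst_port: int) -> bool:
        if not self.active:
            return False
        if self.udp_port == 0:
            return dst_port in DEFAULT_SET
        return dst_port == self.udp_port


def relay_decision(entries: Iterable[RelayEntry], ingress: str, dst_port: int,
                   operation_on: bool = True) -> Tuple[str, List[str]]:
    """Return (action, helper addresses) for a broadcast received on `ingress`."""
    entries = list(entries)
    if not operation_on:                       # Operation = Off: nothing is relayed
        return ("not-relayed", [])
    local = [e for e in entries if e.port == ingress and e.matches(dst_port)]
    if local:                                  # interface entries take priority
        if any(e.helper == DISCARD for e in local):
            return ("discard", [])             # assumption: discard wins on a tie
        return ("relay", sorted({e.helper for e in local}))
    # No interface entry matched: fall back to the global configuration.
    # Discard entries belong on interfaces only, so global ones are skipped.
    helpers = sorted({e.helper for e in entries
                      if e.port == GLOBAL and e.helper != DISCARD
                      and e.matches(dst_port)})
    return ("relay", helpers) if helpers else ("not-relayed", [])


def audit(entries: Iterable[RelayEntry], interfaces: Iterable[str],
          wanted: Iterable[int] = (67,)) -> List[str]:
    """List every (interface, service) that is relayed but not in `wanted`."""
    entries, wanted = list(entries), set(wanted)
    candidates = set(DEFAULT_SET) | {e.udp_port for e in entries if e.udp_port}
    findings = []
    for e in entries:
        if e.port == GLOBAL and e.helper == DISCARD:
            findings.append(f"global discard entry for UDP {e.udp_port}: "
                            "discard entries belong on interfaces only")
    for ifname in interfaces:
        for port in sorted(candidates - wanted):
            action, helpers = relay_decision(entries, ifname, port)
            if action == "relay":
                name = DEFAULT_SET.get(port, str(port))
                findings.append(f"{ifname}: {name}/{port} relayed to {', '.join(helpers)}")
    return findings


# Constructed configuration: one global "default" entry, a DHCP-only entry on
# vlan/30 and a TFTP discard entry on vlan/20.
SAMPLE = [
    RelayEntry(GLOBAL, 0, "192.0.2.5"),
    RelayEntry("vlan/30", 67, "192.0.2.9"),
    RelayEntry("vlan/20", 69, DISCARD),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, ["vlan/20", "vlan/30"]):
        print(line)
```

In the sample, the DHCP-only entry on vlan/30 does not stop the global default entry from relaying time, nameserver, tacacs, DNS, TFTP and NetBIOS broadcasts from that interface, which is the kind of unintended exposure the audit output makes visible.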
6.10 Loopback Interface
[ Routing > Loopback Interface ]
A loopback interface is a virtual network interface without reference to a physical port. Loopback
interfaces are constantly available while the device is in operation.
The device lets you create router interfaces on the basis of loopback interfaces. Using such a router
interface, the device is constantly available, even during periods of inactivity of individual router
interfaces.
Up to 2 loopback interfaces can be set up in the device.
Table
Index
Displays the number that uniquely identifies the loopback interface.
Port
Displays the name of the loopback interface.
IP address
Specifies the IP address for the loopback interface.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Subnet mask
Specifies the netmask for the loopback interface.
Possible values:
 Valid IPv4 netmask (default setting: 0.0.0.0)
Example: 255.255.255.255
Active
Displays whether the loopback interface is active or inactive.
Possible values:
 marked (default setting)
The loopback interface is active.
When sending SNMP traps, the device uses the IP address of the first loopback interface as the
sender.
 unmarked
The loopback interface is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create dialog to create a loopback interface.
 In the Index field, you specify the number that uniquely identifies the loopback interface.
Possible values:
– 1..2
6.11 Multicast Routing
[ Routing > Multicast Routing ]
The menu contains the following dialogs:
• Multicast Routing Global
• Multicast Routing Boundary Configuration
• Multicast Routing Static
• IGMP
6.11.1 Multicast Routing Global
[ Routing > Multicast Routing > Global ]
IP multicast routing is the distribution of IP data packets to multiple participants simultaneously
under one IP address.
The menu lets you specify and display global settings and static counters of the Multicast Routing
function. Here you also display and specify parameters for the IGMP, IGMP Proxy, DVMRP and
PIM-SM/PIM-DM protocols.
The dialog contains the following tabs:
• [Configuration]
• [Statistics]
[Configuration]
This tab lets you enable IP multicast routing and specify and display global parameters for the
function.
Operation
Operation
Enables/disables the Multicast Routing function.
Possible values:
 On
The Multicast Routing function is enabled.
 Off (default setting)
The Multicast Routing function is disabled.
Configuration
DSCP
Specifies the DSCP value that the device writes in routed multicast data packets.
The DSCP value (Differentiated Services Code Point) corresponds to bits 0 to 5 of the TOS field of
an IP data packet. The TOS field (Type of Service) is used to prioritize data packets.
Possible values:
 0..64 (default setting: 48)
The value 64 means that the device leaves the DSCP value of received data packets
unchanged.
Information
Multicast routing entries
Displays the maximum number of entries in the IP multicast routing table.
IGMP proxy active
Displays whether the IGMP proxy function (Internet Group Management Protocol) is active.
Possible values:
 marked
IGMP proxy is active.
 unmarked
IGMP proxy is inactive.
Table
Port
Displays the number of the router interface to which the table entry relates.
TTL
Specifies the TTL value (Time to Live) for this router interface. The device discards IP multicast
data packets whose TTL value is below the specified value.
The TTL value is an 8-bit field in the IP data packet. With each hop (the next router on the path to
the destination network) the multicast router reduces the TTL value by 1.
Possible values:
 0
The device forwards every multicast data packet received on this router interface.
 1..255 (default setting: 1)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Statistics]
This tab lets you display the statistic counters of the multicast routing function.
Table
Multicast group address
Displays the IP address of the multicast group to which the table entry relates.
Possible values:
 Valid IPv4 address
Multicast source address
Displays the IP address of the multicast source to which the table entry relates. The device
identifies the multicast source in combination with the related netmask.
Possible values:
 Valid IPv4 address
Upstream neighbor
Displays the IP address of the upstream neighbor from which the device receives IP data packets
sent to this multicast address.
The upstream neighbor for the device is the next participating neighbor in the upstream direction
(in the direction of the source of the multicast stream).
For example, the device uses the RPF algorithm (Reverse Path Forwarding) to calculate the
multicast route and to determine the upstream neighbor.
Possible values:
 Valid IPv4 address
The value 0.0.0.0 means that the upstream neighbor is unknown.
Port
Displays the port number.
Outgoing interfaces
Displays a list of the outgoing interfaces.
Uptime
Displays the time that has elapsed since the multicast router last modified the table entry for the
port.
Timeout
Displays the time remaining until the multicast router deletes the entry for the participant from the
group table when the participant is inactive.
The value 0 means that there is no time limit for the entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.11.2 Multicast Routing Boundary Configuration
[ Routing > Multicast Routing > Boundary Configuration ]
The multicast boundary function lets you selectively reject IP multicast streams.
This dialog lets you specify and display the parameters for restricting the IP multicast streams on
specific ports. This restriction includes incoming as well as outgoing data packets.
Table
Port
Displays the port number.
On this port the device discards multicast data packets whose address is in the range specified in
the fields IP address and Netmask.
You specify the value in the Create dialog.
IP address
Displays the IP address of the multicast group to which this restriction applies.
The IP address of the multicast group combined with the associated Netmask specifies the range for
the multicast restriction. The device discards multicast data packets from this range.
You specify the value in the Create dialog.
Possible values:
 239.0.0.0.. 239.255.255.255
Netmask
Displays the netmask of the multicast group to which this restriction applies.
The IP address of the multicast group combined with the associated Netmask specifies the range for
the multicast restriction. The device discards multicast data packets from this range.
You specify the value in the Create dialog.
Status
Specifies the status for processing this table entry.
This value determines the procedure the router uses to create new table entries or delete certain
entries from the table.
Possible values:
 active
The table entry for the multicast routing restriction is active on this port.
The table entry exists and is available for the router to use.
 notInService (default setting)
The table entry for the multicast routing restriction is inactive on this port.
The table entry exists, but is unavailable for the router to use.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens a Create window to add a new entry to the table.
 In the Port field, you specify the port to which the device applies the multicast restriction.
 In the IP address field, you specify the IP address for the multicast source.
 In the Netmask field, you specify the netmask for the multicast source.
6.11.3 Multicast Routing Static
[ Routing > Multicast Routing > Static ]
The Multicast static routing function lets you specify the route of the multicast data traffic in the
network. The device uses the Reverse Path Forwarding (RPF) algorithm to define the path of the
multicast data traffic through the multicast routers. The RPF algorithm uses the static entries to
calculate the path of the multicast data traffic.
This dialog lets you specify and display the parameters for the static multicast routing function.
• IP address and netmask of the multicast data source
• RPF address (upstream neighbor of the device)
• Priority of the static multicast routing entry
Table
IP address
Displays the IP address of the multicast data source.
You specify the value in the Create dialog.
Netmask
Displays the associated netmask for the IP address of the multicast data source.
You specify the value in the Create dialog.
RPF address
Specifies the IP address of the neighbor multicast router in the upstream direction (in the direction
of the source of the multicast stream) that the RPF algorithm uses. The upstream neighbor for the
device is the next participating neighbor in the upstream direction.
Specifying a valid IP address is the prerequisite for having the option of activating the static
multicast routing entry.
Preference
Specifies the priority of this static multicast routing entry with which the device considers this route
when selecting the best route.
The lower the value, the higher the priority. The value 255 means “not accessible”, the device
ignores this route for the transmission of the multicast data traffic.
Specifying a valid priority is the prerequisite for having the option of activating the static multicast
routing entry.
Possible values:
 1..255 (default setting: 1)
Status
Activates/deactivates the static multicast routing entry.
The prerequisite for activating the static multicast routing entry is that you specified valid values in
the fields RPF address and Preference.
Possible values:
 active
The table entry for the static multicast routing is active on this router interface.
The table entry exists and is available for the router to use.
 notInService (default setting)
The table entry for the static multicast routing is inactive on this port.
The table entry exists, but is unavailable for the router to use.
If the table entry is unavailable for the router due to missing information or to interruption, then the
router displays this value:
 notReady
The device detected unfulfilled conditions on the port or device level.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens a Create window to add a new entry to the table.
 In the IP address field, you specify the IP address for the multicast data source.
 In the Netmask field, you specify the netmask for the multicast data source.
6.11.4 IGMP
[ Routing > Multicast Routing > IGMP ]
The Internet Group Management Protocol (IGMP) enables IPv4 multicasting (group
communication), that means the distribution of data packets to multiple participants simultaneously
using one IP address. IGMP enables multicast groups to be managed dynamically. The
management is carried out by local routers. The participants of a multicast group are connected
directly to the local routers.
The menu contains the following dialogs:
• IGMP Configuration
• IGMP Proxy Configuration
• IGMP Proxy Database
6.11.4.1 IGMP Configuration
[ Routing > Multicast Routing > IGMP > Configuration ]
The Internet Group Management Protocol (IGMP) lets you manage IP multicast groups
dynamically. The participants (hosts) of a multicast use IGMP for logging on and off the multicast
router (querier).
The device supports the versions IGMPv1, IGMPv2, and IGMPv3. The IGMPv1 and IGMPv2
versions are backward compatible.
 IGMPv1
Lets participants join a multicast group. In case of inactivity, the multicast router removes the
participant from the multicast group after expiration of the timeout.
 IGMPv2
In addition to IGMPv1, IGMPv2 provides the participant with the opportunity to log off from the
multicast group (Leave message).
 IGMPv3
In addition to IGMPv1 and IGMPv2, IGMPv3 provides the participant with the opportunity to
specify the source from which it wishes to receive the multicast stream:
– Receive only data packets from certain source addresses
– Discard data packets from certain source addresses
The multicast routers send queries (periodic requests) to the participants.
 IGMPv1 and IGMPv2
The participants respond to these queries for one multicast group in each case. The router
enters the address of the multicast group into the database.
 IGMPv3
Participants respond to these queries for one or more multicast groups. The router enters into
the database the addresses of the multicast groups as well as the desired source addresses for
a multicast stream.
IGMP routing uses the following message types to manage multicast groups:
 Membership Query
Queries of the router regarding membership in a group (general queries, queries to groups,
queries to groups and to specific source addresses)
 Membership Report
The participant’s responses regarding membership in a group
 Leave Group
Messages from the participant when logging off from a group
Operation
The dialog contains the following tabs:
 [Port]
 [Cache information]
 [Interface membership]
Operation
Enables/disables the IGMP function in the device.
Possible values:
 On
The IGMP function is enabled.
 Off (default setting)
The IGMP function is disabled.
[Port]
This tab lets you set and monitor the parameters for IGMP routing.
Table
Port
Displays the router interface number.
Configure at least one multicast router interface before viewing or configuring parameters for an
IGMP-enabled router interface. Otherwise, the device displays a detected error.
Querier
Displays the IP address of the multicast router (IGMP querier) in the IP subnet to which the selected
router interface belongs.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Query interval
Specifies the time interval in seconds at which the device sends IGMP host queries (queries to
the IGMP-enabled participants) from this router interface.
The IGMP-capable network devices in the network respond to the queries with report messages.
Possible values:
 1..3600 (default setting: 125)
Status
Activates/deactivates the IGMP routing function.
Possible values:
 active
The IGMP routing function is active on this router interface.
 notInService (default setting)
The IGMP routing function is inactive on this router interface.
Version
Specifies the IGMP version used for this router interface.
Activate IGMP routing on this router interface before you configure the entry in the Version column.
Possible values:
 1
Specifies version IGMPv1 for this router interface.
 2
Specifies version IGMPv2 for this router interface.
 3 (default setting)
Specifies version IGMPv3 for this router interface.
Max. response time
Specifies the maximum query response time in tenths of a second for this router interface for
IGMPv2 and IGMPv3.
If the router interface responds to the query of the multicast router within this time, then the router
interface remains a member of the multicast group.
Possible values:
 0..255 (default setting: 100)
Robustness
Specifies the value for the IGMP robustness for this router interface.
The robustness lets you adjust the router interface to the expected packet loss in the subnet.
The IGMP routing function behaves in a robust manner in regard to the following number of packet
losses in the subnet: Robustness minus 1.
Possible values:
 1..255 (default setting: 2)
Use high values for the robustness if you expect a large number of packet losses in a subnet.
Last member query interval
Specifies the IGMP Last member query interval in tenths of a second for IGMPv2 and IGMPv3.
To log off from a multicast group, the participant sends a message to the multicast router (a Leave
Group Message). Then the multicast router sends a query to the participant.
The value of the parameter specifies the maximum allowable response time to this query for the
participant. In addition, this value specifies the time interval between the group-specific queries of
the multicast router.
Possible values:
 0..255 (default setting: 10)
Last member queries
Displays the number of queries that the multicast router sends if it receives a report for logging off
from a multicast group (Leave Group Report).
Possible values:
 1..20 (default setting: 2)
Startup queries
Displays the number of startup queries (queries in the start-up phase) which the multicast router
sends.
The intervals between the queries are specified in the Startup query interval column.
Possible values:
 1..20 (default setting: 2)
Startup query interval
Displays the time in seconds between successive startup queries (queries in the startup phase) of
the multicast router.
The number of periodic queries is specified by Startup queries.
Possible values:
 1..300 (default setting: 31)
Querier uptime
Displays the time that has elapsed since the multicast router last modified the table entry for the
port.
Querier expiry time
Displays the remaining time until the multicast router deletes the entry for the port from the multicast
group table.
If the device itself is the querier (multicast router), then the Querier expiry time parameter has the
value of 0.
Wrong version queries
Displays how many times participants attempted to access the port with an IGMP protocol version
detected to be incorrect.
The prerequisite is that the IGMP routing function is active for this port.
You specify the same IGMP version for every router within the network. If the device receives
queries with other IGMP versions, then the device reports a detected configuration error.
Joins
Displays how many IGMP membership reports for a multicast group this router interface has
received. The value of the parameter is related to the frequency with which a multicast router adds
entries for this router interface to the cache table. The parameter indicates IGMP activity on this
router interface.
The prerequisite is that the IGMP function is enabled for this router interface.
Groups
Displays how many multicast groups the cache table currently contains for the multicast router for
this router interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
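The timing parameters of the [Port] tab combine into the timeouts that decide how long a group entry survives without reports. The following is an added example, not part of the manual: it assumes the device follows the standard timer definitions of RFC 3376, section 8, which the manual does not print; the class and function names are hypothetical.

```python
"""Derived IGMP timers from the [Port] tab parameters (added example).

Assumption: timers are combined as defined in RFC 3376, section 8.
Units follow the manual: seconds, or tenths of a second where noted.
"""
from dataclasses import dataclass

# Value ranges as listed in the manual for each column.
RANGES = {
    "query_interval_s": (1, 3600),
    "max_response_time_ds": (0, 255),           # tenths of a second
    "robustness": (1, 255),
    "last_member_query_interval_ds": (0, 255),  # tenths of a second
    "last_member_queries": (1, 20),
    "startup_queries": (1, 20),
    "startup_query_interval_s": (1, 300),
}


@dataclass
class IgmpPortConfig:
    """One row of the [Port] table; defaults are the manual's default settings."""
    query_interval_s: int = 125
    max_response_time_ds: int = 100
    robustness: int = 2
    last_member_query_interval_ds: int = 10
    last_member_queries: int = 2
    startup_queries: int = 2
    startup_query_interval_s: int = 31


def validate(cfg: IgmpPortConfig) -> list:
    """Return a list of problems; an empty list means the row is consistent."""
    problems = []
    for name, (low, high) in RANGES.items():
        value = getattr(cfg, name)
        if not low <= value <= high:
            problems.append(f"{name}={value} outside {low}..{high}")
    # RFC 3376, 8.3: the response time must be shorter than the query interval,
    # otherwise reports to one query overlap with the next query.
    if cfg.max_response_time_ds / 10 >= cfg.query_interval_s:
        problems.append("Max. response time is not shorter than Query interval")
    return problems


def derived_timers(cfg: IgmpPortConfig) -> dict:
    """Timeouts in seconds that result from the configured values."""
    response_s = cfg.max_response_time_ds / 10
    last_member_s = cfg.last_member_query_interval_ds / 10
    return {
        # Time without reports after which a group entry expires.
        "group_membership_interval_s": cfg.robustness * cfg.query_interval_s + response_s,
        # Time without queries after which another querier is considered gone.
        "other_querier_present_interval_s": cfg.robustness * cfg.query_interval_s + response_s / 2,
        # Time between a Leave Group message and removal of the group.
        "last_member_query_time_s": last_member_s * cfg.last_member_queries,
        # "Robustness minus 1" lost packets are tolerated.
        "tolerated_packet_losses": cfg.robustness - 1,
    }


if __name__ == "__main__":
    defaults = IgmpPortConfig()
    print(validate(defaults))
    for name, value in derived_timers(defaults).items():
        print(f"{name}: {value}")
```

With the default settings, a group entry expires 260 s after the last report and a leave takes effect after 2 s.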
[Cache information]
This tab lets you monitor the parameters from the cache table of the IGMP multicast router.
Table
Port
Displays the router interface number.
The prerequisite is that the IGMP routing function is active for this router interface.
Address
Displays the IP address of the multicast group to which the table entry relates.
The prerequisite is that the IGMP routing function is active on this router interface and that the
router interface receives IGMP membership reports.
Possible values:
 Valid IPv4 address
Last reporter
Displays the source IP address from which the device last received an IGMP membership report
(report for membership of a multicast group) for this router interface.
Possible values:
 Valid IPv4 address
Uptime
Displays the time in [hh:mm:ss] that has elapsed since the multicast router created the table entry
for this participant.
Expiry time
Displays the value of the cache timer (time limiter) in [hh:mm:ss]. After this time has elapsed, the
multicast router deletes the entry from the cache table. When the device receives an IGMP
membership report for this multicast group on this router interface, the device resets the value of
this timer.
V1 host timer
Displays the value of the host present timer (time limiter) in [hh:mm:ss] for IGMPv1 participants.
This is the time remaining until the local multicast router assumes that none of the participants in
the IP subnet connected through this port are active any more. When the multicast router receives
IGMP membership reports again (reports on the membership of multicast groups), it resets the
value of this timer.
As long as the value is greater than 0, the multicast router ignores IGMPv2 and IGMPv3 Leave
Group messages that it receives on this router interface.
V2 host timer
Displays the value of the host present timer (time limiter) in [hh:mm:ss] for IGMPv2 participants.
This is the time remaining until the local multicast router assumes that none of the stations in the
IP subnet connected through this port are active any more. When the multicast router receives
IGMP membership reports again (reports on the membership of multicast groups), it resets the
value of this timer.
As long as the value is greater than 0, the multicast router ignores IGMPv3 Leave Group
messages that it receives on this router interface.
Source filter mode
Displays the filter mode provided in the IGMPv3 report for source IP addresses for the multicast
group.
Possible values:
 include
The participant receives the multicast stream only from specific source IP addresses.
 exclude
The participant receives the multicast stream from every source except specific source IP addresses.
 NA (default setting)
The filter mode for source IP addresses is inactive. The field remains empty.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Interface membership]
The table in this tab displays detailed information on the source addresses included in an IGMP
multicast group. This information is provided in the IGMPv3 membership reports.
Table
Port
Displays the port number.
The prerequisite is that the IGMP function is active for this port.
Address
Displays the IP address of the multicast group for which the router has received an IGMPv3
membership report on this router interface.
The prerequisite is that the IGMP function is active on this port and that the port receives IGMP
membership reports.
Possible values:
 Valid IPv4 address
Host address
Displays the source IP addresses of this multicast group.
Possible values:
 Valid IPv4 address
Expire
Displays the value of the time limiter in [hh:mm:ss] for this multicast group. This is the time
remaining until the multicast router deletes the multicast group entry. When the multicast router
receives IGMP membership reports for this source specific multicast again, it resets the value of
this timer.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.11.4.2 IGMP Proxy Configuration
[ Routing > Multicast Routing > IGMP > Proxy Configuration ]
This dialog lets you configure and monitor the parameters for the IGMP proxy router interface.
The multicast router learns information about membership of multicast groups through the IGMP
router interface (downstream interface). In this direction, the device operates as a querier. On the
IGMP proxy router interface (upstream interface) the device operates as a host and sends IGMP
membership reports for the registered multicast groups from the downstream router interfaces.
Table
Port
Displays the number of the upstream router interface on which the IGMP proxy function is active.
The prerequisite is that this router interface is not an IGMP downstream router interface.
Querier
Displays the IP address of the multicast router (IGMP querier) in the IP subnet to which the
upstream interface belongs.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
V1 querier timer
Displays the remaining time in seconds until the device assumes that no IGMPv1 querier is active
on the upstream router interfaces.
V2 querier timer
Displays the remaining time in seconds until the device assumes that no IGMPv2 querier is active
on the upstream router interfaces.
Version
Specifies the IGMP version used for this router interface.
Disable IGMP globally before you configure the entry in the Version column.
Possible values:
 1
Specifies version IGMPv1 for this upstream router interface.
 2
Specifies version IGMPv2 for this upstream router interface.
 3 (default setting)
Specifies version IGMPv3 for this upstream router interface.
Robustness
Specifies the value for the IGMP robustness for this upstream router interface.
The robustness lets you adjust the port to the expected packet loss in the subnet.
The IGMP routing function behaves in a robust manner in regard to the following number of packet
losses in the subnet: Robustness minus 1.
The host repeats the transfer of the status report Robustness minus 1 times.
Possible values:
 1..255 (default setting: 2)
Use high values if you expect a large number of packet losses in a subnet.
Unsolicited report interval
Specifies the interval in seconds in which the device sends unsolicited reports to the multicast
router on the upstream interface.
Possible values:
 1..260 (default setting: 1)
Groups
Displays the number of multicast groups for which the upstream router interface sends IGMP
membership reports.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
In the Port field, you specify the number of the port on which the IGMP proxy function is active.
6.11.4.3 IGMP Proxy Database
[ Routing > Multicast Routing > IGMP > Proxy Database ]
This dialog lets you monitor the parameters for membership of multicast groups and the source list.
When registering or de-registering Multicast members on downstream interfaces, the IGMP Proxy
device updates the database entries and sends IGMP Membership reports and Leave Group
messages. The proxy interface sends this information in the upstream direction. Upon request, the
device sends IGMP Membership reports to the upstream interfaces.
The dialog contains the following tabs:
 [Groups]
 [Source list]
[Groups]
Table
Port
Displays the port number to which the table entry relates.
IP multicast group address
Displays the IP address of the registered multicast group.
Possible values:
 Valid IPv4 multicast address
Creation time
Displays the time in seconds that has elapsed since the multicast router created the table entry.
Last reporter
Displays the source IP address of the IGMP proxy router interface from which the device last sent
an IGMP membership report in the upstream direction.
Possible values:
 Valid IPv4 multicast address
Filter mode
Displays the filter mode for source IP addresses for the multicast groups.
Possible values:
 include
The participant gets the multicast stream only from specific source IP addresses.
 exclude
The participant discards the multicast stream from specific source IP addresses.
 None (default setting)
The filter mode for source IP addresses is inactive. The field remains empty.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Source list]
Table
Port
Displays the router interface number to which the table entry relates.
IP address
Displays the IP address of the multicast group.
Possible values:
 Valid IPv4 multicast address
Host address
Displays the source IP addresses of this multicast group.
Possible values:
 Valid IPv4 address
Expiry time
Displays the value of the time limiter for this multicast group entry. This is the time remaining until
the device deletes the entry for this multicast group when the participants of the IGMP router
interface are inactive.
When the parameter has the value 0, the device deletes the entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.12 L3-Redundancy
[ Routing > L3-Redundancy ]
The menu contains the following dialogs:
 VRRP
6.12.1 VRRP
[ Routing > L3-Redundancy > VRRP ]
The Virtual Router Redundancy Protocol (VRRP) is a procedure that lets the system react to the
failure of a router.
You use VRRP in networks with end devices that support 1 entry for the default gateway. If the
default gateway fails, then VRRP helps ensure that the end devices find a redundant gateway.
Hirschmann has further developed VRRP into the Hirschmann Virtual Router Redundancy Protocol
(HiVRRP). With the appropriate configuration, this protocol provides switching times of less than
400 ms.
Note: You find detailed information on VRRP in the “Configuration” user manual.
The menu contains the following dialogs:
 VRRP Configuration
 VRRP Domains
 VRRP Statistics
 VRRP Tracking
6.12.1.1 VRRP Configuration
[ Routing > L3-Redundancy > VRRP > Configuration ]
This dialog lets you specify the following settings:
 up to 8 virtual routers per router interface
 1 address per virtual router
 up to 16 virtual routers per physical router with HiVRRP
Operation
Operation
Enables/disables the VRRP redundancy in the device.
Possible values:
 On
The VRRP function is enabled.
 Off (default setting)
The VRRP function is disabled.
Information + Configuration
Version
Specifies the VRRP version.
Send trap (VRRP master)
Activates/deactivates the sending of SNMP traps when the device is the VRRP master.
Possible values:
 marked
The sending of SNMP traps is active.
If the device is the VRRP master, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Send trap (VRRP authentication failure)
Activates/deactivates the sending of SNMP traps when the device receives a VRRP packet
including authentication information.
Note: The device supports only VRRP packets without authentication information. In order for the
device to operate in conjunction with other devices that support VRRP authentication, verify that on
those devices the VRRP authentication is not applied.
Possible values:
 marked
The sending of SNMP traps is active.
If the device receives a VRRP packet including authentication information, then the device
sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Table
Port
Displays the port number to which the table entry relates.
VRID
Displays the Virtual Router IDentifier.
Active
Activates/deactivates the VRRP instance specified in this row.
Possible values:
 marked
The VRRP instance is active.
 unmarked (default setting)
The VRRP instance is inactive.
Oper status
Specifies the row status. The operational state of the related virtual router controls the row status
of a currently active row in the table.
Possible values:
 active
The instance is available for use.
 notInService
The instance exists in the device, but necessary information is missing and it is unavailable for
use.
 notReady
The instance exists in the device, but necessary information is missing and it is unavailable for
use.
State
Displays the VRRP state.
Possible values:
 initialize
VRRP is in the initialization phase, the function is inactive, or the master router is still unnamed.
 backup
The router sees the possibility of becoming the master router.
 master
The router is the master router.
Base priority
Specifies the priority of the virtual router. The value differs from Priority if tracked objects are down
or the virtual router is the IP address owner.
Possible values:
 1..254 (default setting: 100)
When you configure multiple VRRP routers in a single instance, distribute the priority values
uniformly on the routers. For example, assign the priority value of 50 to the primary router, the value
of 100 to the next router. Repeat the steps with the value 150, and so on.
Priority
Specifies the VRRP priority value.
The router with the higher priority value takes over the master router role. If the virtual router IP
address is the same as an IP address of a router interface, then the router is the “owner” of the IP
address. If an IP address owner exists, then VRRP assigns the IP address owner the VRRP priority
255 and declares the router as the master router.
Possible values:
 1..255 (default setting: 100)
When you plan to remove a master router from the network, lower the priority number to force an
election, thus reducing the black hole period.
Virtual IP address
Displays the virtual IP address in the subnet of the primary IP address on the interface. If no match
is found, then the device returns an unspecified virtual address. If no virtual address is configured,
then 0.0.0.0 is returned.
Possible values:
 Valid IPv4 address
VRRP advert interval [ms]
Specifies the interval for sending out messages (advertisements) as the master router.
Possible values:
 1000..255000 (default setting: 1000)
Interval for VRRP
 100..900 (default setting: 100)
Interval for HiVRRP
VRRP advert address
Specifies the IP address to which the virtual router sends advertisements.
Possible values:
 Valid IPv4 address (default setting: 224.0.0.18)
Link-down notify address
Specifies the IP address to which the local router sends notifications when changes on the link
occur. Sending the notifications informs the backup router that a link on the master router is down,
which reduces failover times.
If the virtual router consists of only 2 routers, routers A and B for example, then specify the IP
address of the interface on the backup router that is linked to the opposite virtual router interface.
For example, when specifying the link down notification address for interface 1/2 on router A,
specify the IP address of interface 1/1 on router B.
If the virtual router consists of more than 2 routers, then specify the IP address of the interface with
the second highest priority that is linked to the other virtual router interface. For example, when
specifying the link down notification address for interface 1/2 on router A, specify the IP address of
interface 1/1 on router C.
Possible values:
 Valid IP address (default setting: 0.0.0.0)
The value 0.0.0.0 suppresses notifications.
Preempt mode
Activates/deactivates the preempt mode. This setting specifies whether this router, as a backup
router, takes over the master router role when the master router has a lower VRRP priority.
Possible values:
 marked (default setting)
When you enable the preempt mode, this router takes the master router role from a router with
a lower VRRP priority without waiting for an election.
 unmarked
When you disable the Preempt mode, this router assumes the role of a backup router and listens
for master router advertisements. After the master down interval expires, without receiving
advertisements from the master router, this router participates in the master router election
process.
Preempt delay [s]
Specifies the pre-empt delay time in seconds.
With the pre-empt mode activated and in collaboration with VRRP tracking, a reassignment of the
master router role is possible. However, dynamic routing procedures take a certain amount of time
to react to route changes and to refill routing tables. To help avoid the loss of packets during this
time, the device lets you specify a pre-empt delay. The delay lets the dynamic routing procedure fill
the routing tables before reassignment of the master router role.
Possible values:
 0..65535 (default setting: 0)
Domain ID
Specifies the virtual domain in which the router participates.
VRRP domains bundle a set of VRRP instances together. The supervisor router sends
advertisement packets. The members follow the supervisor. If the loss of a single instance within a
domain is likely, then configure the device to send advertisements to the member.
Possible values:
 0 (default setting)
No domain specified.
 1..8
Domain role
Specifies the role of this router in the virtual domain.
Possible values:
 none (default setting: 0)
The router is currently not a domain member.
 member
The router copies the behavior of the supervisor.
 supervisor
The router determines the behavior of the domain.
VRRP master candidate
Specifies the primary virtual router IP address.
When the interface has several specified IP addresses, the parameter lets the user select an IP
address as the Master IP address.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
The default setting 0.0.0.0 indicates that the router is using the lower IP address as the Master
IP address.
Master IP address
Displays the current master router interface IP address.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Ping answer
Activates/deactivates the ping answer function on the virtual router. You use the VRRP ping for
connectivity analyses.
The prerequisite for allowing the device to answer ping requests from the interfaces is that you
activate the function globally. In the Routing > Global dialog, ICMP filter frame, mark the Send echo
reply checkbox.
Possible values:
 marked (default setting)
The device answers ICMP ping requests.
 unmarked
The device ignores ICMP ping requests.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Port field, you specify the router interface.
 In the VRID field, you specify the Virtual Router IDentifier (VRID).
Setting up the VRRP router instance
The device lets you set up to 8 virtual routers per router interface.
Before you set up a VRRP instance, verify that network routing functions properly and set the IP
addresses on the router interfaces used for the VRRP instances.
Perform the following steps:
 In the Routing > L3-Redundancy > VRRP > Configuration dialog, open the Wizard window.
 In the Wizard window, open the Create or select entry page.
– Select a router interface from the Port drop-down list.
– Specify the Virtual Router IDentifier in the VRID column.
 In the Wizard window, open the Edit entry page.
– In the Configuration frame, specify the values for the following parameters:
Priority
Preempt mode
Advertisement interval [s]
Ping answer
Select the VRRP master candidate IP address from the drop-down list.
 Open the HiVRRP tab.
The HiVRRP tab helps you to do the following:
– set up failover times of less than 3 s
– set up the routers to use unicasts to communicate with each other
– set up domains
– send link-down notifications
 In the Configuration frame, specify the values for the following parameters:
– VRRP advert address (IP address of the partner HiVRRP router)
– VRRP advert interval [ms]
– Link-down notify address (IP address of the second router to which the device sends link-down
notifications)
You use this function when the virtual router consists of 2 VRRP routers.
– Domain ID
– Domain role
 To transfer the settings to the VRRP router interface table, click the Finish button.
 In the Routing > L3-Redundancy > VRRP > Configuration dialog, select the On radio button in the
Operation frame. Then click the
button.
Editing an existing VRRP router instance
 In the Routing > L3-Redundancy > VRRP > Configuration dialog, highlight a row in the table and click
the
button to edit it.
 As an alternative, double-click a field in the table and edit the entry directly. Or right-click a field
and select a value.
Deleting a VRRP router instance
 In the Routing > L3-Redundancy > VRRP > Configuration dialog, highlight a row and click the
button.
[VRRP configuration (Wizard)]
The Wizard window helps you to create a VRRP router instance.
Prerequisites:
 Network routing is functioning correctly.
 On the interfaces used in the VRRP instance the IP addresses are specified.
After closing the Wizard window, click the
button to save your settings.
[VRRP configuration (Wizard) – Create or select entry]
Table
Port
Displays the router interface number to which the table entry relates.
VRID
Displays the Virtual Router IDentifier.
IP address
Displays the primary IP address of the router interface.
You specify this address in the Routing > Interfaces > Configuration dialog.
Netmask
Displays the netmask of the primary IP address.
You specify this subnet mask in the Routing > Interfaces > Configuration dialog.
Area under the table
Port
Specifies the router interface number to which the table entry relates.
Possible values:
 <Available router interfaces>
VRID
Specifies the Virtual Router IDentifier.
A virtual router uses 00-00-5E-00-01-XX as its MAC address. The value specified here replaces
the last octet (XX) in the MAC address. Assign a unique value to every physical router within a virtual
router instance. The device changes the effective priority value to 255 for a physical router with the
same IP address as the virtual router.
Possible values:
 1..255
[VRRP configuration (Wizard) – Edit entry – VRRP]
Operation
Operation
Enables/disables the VRRP redundancy in the device.
Possible values:
 On
The VRRP function is enabled.
 Off (default setting)
The VRRP function is disabled.
Information
Port
Displays the router interface number to which the table entry relates.
VRID
Displays the Virtual Router IDentifier.
Configuration
Base priority
Specifies the priority of the virtual router. The value differs from Priority if tracked objects are down
or the virtual router is the IP address owner.
Possible values:
 1..254 (default setting: 100)
When you configure multiple VRRP routers in a single instance, distribute the priority values
uniformly on the routers. For example, assign the priority value of 50 to the primary router, the value
of 100 to the next router. Repeat the steps with the value 150, and so on.
Priority
Specifies the VRRP priority value.
The router with the higher priority value takes over the master router role. If the virtual router IP
address is the same as an IP address of a router interface, then the router is the “owner” of the IP
address. If an IP address owner exists, then the VRRP function assigns the IP address owner the
priority value 255 and declares the router as the master router.
Possible values:
 1..255 (default setting: 100)
Disabling or removing a VRRP router, which is in the master role, forces the instance to send an
advertisement with priority value 0. This lets the other backup routers know that the master is not
participating. Sending a priority value 0 forces a new election.
Preempt mode
Activates/deactivates the preempt mode. This setting specifies whether this router, as a backup
router, takes over the master router role when the master router has a lower VRRP priority.
Possible values:
 marked (default setting)
When you enable the Preempt mode, this router takes the master router role from a router with a
lower VRRP priority without waiting for an election.
 unmarked
When you disable the Preempt mode, this router assumes the role of a backup router and listens
for master router advertisements. After the master down interval expires, without receiving
advertisements from the master router, this router participates in the master router election
process.
Advertisement interval [s]
Specifies the interval between master router advertisements in seconds.
Possible values:
 1..255 (default setting: 1)
Note: The longer the advertisement interval, the longer the time for which backup routers wait for
a message from the master router before starting a new election process (master down interval).
Also, specify the same value on every participant in a given virtual router instance.
Ping answer
Activates/deactivates the ping answer function in the device. You use the VRRP ping for
connectivity analyses.
The prerequisite for allowing the device to answer ping requests from the interfaces is that you
activate the Send echo reply function globally. In the Routing > Global dialog, ICMP filter frame, mark
the Send echo reply checkbox.
Possible values:
 marked (default setting)
The Ping answer function in the device is active.
The device answers ICMP ping requests.
 unmarked
The Ping answer function in the device is inactive.
The device ignores ICMP ping requests.
VRRP master candidate
Primary virtual router IP address.
Physical routers within a virtual router instance use the VRRP IP address to communicate with
each other. If the virtual router IP address is the same as an IP address of a router interface, then
the router is the “owner” of the IP address and the master router.
Possible values:
 Valid IP address (default setting: 0.0.0.0)
[VRRP configuration (Wizard) – Edit entry – HiVRRP ]
Information
Port
Specifies the router interface number to which the table entry relates.
Possible values:
 <Available router interfaces>
VRID
Specifies the Virtual Router IDentifier.
A virtual router uses 00-00-5E-00-01-XX as its MAC address. The value specified here replaces
the last octet (XX) in the MAC address. Assign a unique value to every physical router within a virtual
router instance. The device changes the effective priority value to 255 for a physical router with the
same IP address as the virtual router.
Possible values:
 1..255
Configuration
VRRP advert address
Specifies the IP address to which the virtual router sends advertisements.
Possible values:
 Valid IPv4 address (default setting: 224.0.0.18)
VRRP advert interval [ms]
Specifies the interval for sending out messages (advertisements) as the master router.
The device lets you specify up to 16 instances with advertisement intervals between 100 ms and
1000 ms.
Possible values:
 100..255000 (default setting: 1000)
Link-down notify address
Specifies the management IP address to which the virtual router sends notifications when changes
occur within the virtual router.
Possible values:
 Valid IP address (default setting: 0.0.0.0)
Domain ID
Specifies the virtual domain in which the router participates.
VRRP domains bundle a set of VRRP instances together. The supervisor router sends
advertisement packets. The members follow the supervisor. If the loss of a single instance within a
domain is likely, then configure the device to send advertisements to the members.
Possible values:
 0..8 (default setting: 0)
The value 0 means “no domain”.
Domain role
Specifies the role of this router in the virtual domain.
Possible values:
 none (default setting: 0)
The router is currently not a domain member.
 member
The router copies the behavior of the supervisor.
 supervisor
The router determines the behavior of the domain.
[VRRP configuration (Wizard) – Tracking]
Current track entries
Type
Displays the type of the tracking object.
Possible values:
 interface
The device monitors the link status of its physical ports or of its link aggregation, LRE or VLAN
router interface.
 ping
The device monitors the route to a remote router or end device by means of periodic ping
requests.
 logical
The device monitors tracking objects logically linked to each other and thus enables complex
monitoring tasks.
Track ID
Displays the identification number of the tracking object.
Track name
Displays the name of the tracking object made up of Type and Track ID.
Assigned track entries
Track name
Displays the name of the tracking object to which the virtual router is linked.
If the result for a tracking object is negative, then the VRRP instance reduces the priority of the
virtual router. The tracking object is negative for example, if the monitored interface is inactive or
the monitored router cannot be reached.
Possible values:
 Name of the tracking object, made up of Type and Track ID.
 Logical trackers, which combine multiple trackers
 –
No tracking object selected.
You set up tracking objects in the Routing > Tracking > Configuration dialog.
Decrement
Specifies the value by which the VRRP instance reduces the priority of the virtual router when the
monitoring result is negative.
Possible values:
 1..253 (default setting: 20)
Note: If in the Routing > L3-Redundancy > VRRP > Configuration dialog the value in the Priority column
is 255, then the virtual router is the owner of the IP address. In this case the priority of the virtual
router remains unchanged.
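The interaction of Base priority, Decrement, Preempt mode and the IP address owner rule can be checked offline before deployment. The following is an added example, not part of the manual or of HiOS: router names, track names and priority values are constructed, and flooring the effective priority at 1 is an assumption.

```python
from dataclasses import dataclass, field

OWNER_PRIORITY = 255  # priority the manual assigns to the IP address owner


@dataclass
class Router:
    name: str
    base_priority: int = 100   # "Base priority" default
    owner: bool = False        # virtual IP equals an interface IP
    preempt: bool = True       # "Preempt mode" default: marked
    tracks: dict = field(default_factory=dict)  # track name -> Decrement
    down: set = field(default_factory=set)      # track names with a negative result

    def priority(self) -> int:
        """Effective priority after applying the decrements of down trackers."""
        if self.owner:
            return OWNER_PRIORITY  # remains unchanged by tracking
        loss = sum(dec for name, dec in self.tracks.items() if name in self.down)
        return max(1, self.base_priority - loss)  # assumption: floor at 1


def elect(routers, master=None):
    """Return the name of the master router after one evaluation round."""
    by_name = {r.name: r for r in routers}
    current = by_name.get(master)
    if current is None:
        # No master yet: the highest effective priority wins (ties not modelled).
        return max(routers, key=lambda r: r.priority()).name
    # A running master is only replaced by a higher-priority router that preempts.
    challengers = [r for r in routers
                   if r.preempt and r.priority() > current.priority()]
    if not challengers:
        return current.name
    return max(challengers, key=lambda r: r.priority()).name


def failover_gaps(routers):
    """Find tracked failures that would NOT hand over the master role.

    Returns tuples (router, track, priority_after_failure, best_rival_priority).
    """
    gaps = []
    for r in routers:
        rivals = [o.priority() for o in routers if o is not r]
        if r.owner or not rivals:
            continue
        for track, dec in r.tracks.items():
            after = max(1, r.base_priority - dec)
            if after >= max(rivals):
                gaps.append((r.name, track, after, max(rivals)))
    return gaps


if __name__ == "__main__":
    # Constructed scenario: A tracks its uplink with the default Decrement of 20.
    a = Router("A", base_priority=150, tracks={"interface-1": 20})
    b = Router("B", base_priority=100)
    a.down.add("interface-1")
    print("master with decrement 20:", elect([a, b], master="A"))
    print("gaps:", failover_gaps([a, b]))
    a.tracks["interface-1"] = 60
    print("master with decrement 60:", elect([a, b], master="A"))
```

With the constructed values, the default decrement of 20 leaves router A at priority 130, so the tracked uplink failure does not move the master role to router B until the decrement exceeds the priority difference.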
[VRRP configuration (Wizard) – Virtual IP addresses]
The device lets you specify up to 8 virtual routers per router interface.
Each virtual router supports 1 address.
Information
IP address
Displays the primary IP address of the router interface.
Multinetting
Additional IP address
Displays the secondary IP addresses of the router interface.
The device lets you specify 1 primary and 1 secondary multinetting addresses per router interface.
Additional netmask
Displays the subnet mask of the secondary IP addresses.
Virtual IP addresses
IP address
Displays the assigned IP address of the master router within a virtual router.
Virtual IP addresses
Specifies the virtual IP address to be assigned.
To insert the IP address in the IP address table, click the Add button.
6.12.1.2 VRRP Domains
[ Routing > L3-Redundancy > VRRP > Domains ]
HiVRRP provides various mechanisms to decrease the failover time or reduce the number of
multicasts. In a HiVRRP domain, you combine multiple HiVRRP instances of a router into 1
administrative unit. You nominate 1 HiVRRP instance as the supervisor of the HiVRRP domain.
This supervisor regulates the behavior of the HiVRRP instances in its domain.
The router supports up to 8 domains.
If you divide domain instances (members) among different physical router interfaces, then by
default, the router monitors supervisor advertisements for interruptions. The checkbox Redundancy
check per member is unmarked.
You also have the option of monitoring the other data links within the domain for interruptions. If the
supervisor is unresponsive, then the other members of the domain start sending HiVRRP
messages.
 In the Redundancy check per member column, you enable the function for a selected domain. With
this function, you allow every member of the domain to send HiVRRP messages when detecting
data link interruptions.
Note: If there is a low probability of a data link interruption, then select a long HiVRRP message
interval to minimize the network load.
Table
Domain ID
Displays the virtual domain in which the router participates.
VRRP domains bundle a set of VRRP instances together. The supervisor router sends
advertisement packets. The members follow the supervisor. If the loss of a single instance within a
domain is likely, then configure the device to send advertisements to the members.
Possible values:
 0..8 (default setting: 0)
The value 0 means “no domain”.
Status
Displays the status of the domain supervisor.
Possible values:
 noError
The router's supervisor function is active.
 supervisorDown
The router's supervisor function is inactive.
 noSupervisor (default setting)
The supervisor function is undefined.
Supervisor port
Displays the supervisor router interface for a VRRP instance.
Possible values:
 Available ports
Supervisor VRID
Displays the VRID of the supervisor.
Supervisor status
Displays the status of the supervisor.
Possible values:
 initialize
VRRP is in the initialization phase. No master has been named yet.
 backup
The router sees the possibility of becoming master.
 master
The router is master.
 unknown
No supervisor.
Current priority
Displays the current VRRP priority of the domain supervisor.
Possible values:
 1..255
Redundancy check per member
Activates the function for the selected domain.
Possible values:
 marked
The device sends advertisement packets even when a virtual router is in the member role.
 unmarked (default setting)
Only the supervisor of the domain sends advertisement packets.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
6.12.1.3 VRRP Statistics
[ Routing > L3-Redundancy > VRRP > Statistics ]
This dialog displays counters that count events relevant to the VRRP function.
Information
Checksum errors
Displays the number of VRRP messages received with the wrong checksum.
Version errors
Displays the number of VRRP messages received with an unknown or unsupported version
number.
VRID errors
Displays the number of VRRP messages received with an invalid Virtual Router IDentifier for this
virtual router.
Table
Port
Displays the router interface number to which the table entry relates.
VRID
Displays the Virtual Router IDentifier.
Become master
Displays the number of times that the device has taken the master role. This entry helps you to
analyze the network. When this number is low, your network is relatively stable.
Advertise received
Displays the number of VRRP advertisements received.
Advertise interval errors
Displays the number of VRRP advertisements received by the router outside the advertisement
interval. The value lets you determine if the routers have the same advertise interval specified
across the virtual router instance.
Authentication failures
Displays the number of VRRP advertisements received with authentication errors.
IP TTL errors
Displays the number of VRRP advertisements received with an IP TTL not equal to 255.
Priority zero packets received
Displays the number of VRRP advertisements received with priority 0.
Priority zero packets sent
Displays the number of VRRP advertisements that the device sent with priority 0.
Invalid type packets received
Displays the number of VRRP advertisements received with an invalid type.
Address list errors
Displays the number of VRRP advertisements received for which the address list does not match
the address list configured locally for the virtual router.
Invalid authentication type
Displays the number of VRRP advertisements received with an invalid authentication type.
Authentication type mismatch
Displays the number of VRRP advertisements received with an incorrect authentication type.
Packet length errors
Displays the number of VRRP advertisements received with an incorrect packet length.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
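The counters in this dialog correspond to receive-side checks on VRRP advertisements. The following added example (not part of the manual or of HiOS) parses constructed VRRPv2 messages and names the counter each one would increment; the RFC 3768 message layout, the order of the checks and all helper names are assumptions.

```python
import socket
import struct
from collections import Counter

# Assumption: VRRPv2 layout (RFC 3768): 8-byte header, "Count IP Addrs" IPv4
# addresses, then 8 bytes of authentication data.
HEADER = struct.Struct("!BBBBBBH")
AUTH_DATA_LEN = 8
KNOWN_AUTH_TYPES = {0, 1, 2}


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addrs, adver_int=1, auth_type=0):
    """Build a constructed advertisement (version 2, type 1) as sample input."""
    head = HEADER.pack((2 << 4) | 1, vrid, priority, len(addrs),
                       auth_type, adver_int, 0)
    body = b"".join(socket.inet_aton(a) for a in addrs) + bytes(AUTH_DATA_LEN)
    csum = inet_checksum(head + body)
    return head[:6] + struct.pack("!H", csum) + body


def classify(ip_ttl, msg, cfg):
    """Return the name of the statistics counter this message would increment.

    Simplification: only the first failing check is reported, and the
    authentication data itself is not verified.
    """
    if ip_ttl != 255:
        return "IP TTL errors"
    if len(msg) < HEADER.size:
        return "Packet length errors"
    vt, vrid, prio, count, auth_type, adver_int, _ = HEADER.unpack(msg[:8])
    if vt >> 4 != 2:
        return "Version errors"
    if vt & 0x0F != 1:
        return "Invalid type packets received"
    if len(msg) != HEADER.size + 4 * count + AUTH_DATA_LEN:
        return "Packet length errors"
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        return "Checksum errors"
    if vrid != cfg["vrid"]:
        return "VRID errors"
    if auth_type not in KNOWN_AUTH_TYPES:
        return "Invalid authentication type"
    if auth_type != cfg["auth_type"]:
        return "Authentication type mismatch"
    got = sorted(msg[8 + 4 * i: 12 + 4 * i] for i in range(count))
    if got != sorted(socket.inet_aton(a) for a in cfg["addrs"]):
        return "Address list errors"
    if adver_int != cfg["adver_int"]:
        return "Advertise interval errors"
    if prio == 0:
        return "Priority zero packets received"
    return "Advertise received"


def tally(samples, cfg):
    """Count classifications over (ip_ttl, message) pairs."""
    return Counter(classify(ttl, msg, cfg) for ttl, msg in samples)


# Constructed local configuration and sample traffic (documentation addresses).
LOCAL = {"vrid": 1, "addrs": ["192.0.2.1"], "adver_int": 1, "auth_type": 0}
GOOD = build_advert(1, 100, ["192.0.2.1"])
SAMPLES = [
    (255, GOOD),
    (64, GOOD),                                    # forwarded by a router
    (255, GOOD[:2] + bytes([GOOD[2] ^ 1]) + GOOD[3:]),  # modified in transit
    (255, build_advert(1, 100, ["192.0.2.1"], adver_int=3)),
    (255, build_advert(1, 0, ["192.0.2.1"])),      # master resigning
]

if __name__ == "__main__":
    for name, n in tally(SAMPLES, LOCAL).items():
        print(f"{name}: {n}")
```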
6.12.1.4 VRRP Tracking
[ Routing > L3-Redundancy > VRRP > Tracking ]
VRRP tracking lets you follow the operation of a specific object and react to a change in the object
status. The function is periodically notified about the tracked object and displays the changes in the
table. The table displays the object statuses as either up, down or notReady.
 To enter a track object in the table, click the
button.
Table
Port
Displays the router interface number of the virtual router.
VRID
Displays the virtual router ID for this virtual router.
Track name
Displays the name of the tracking object to which the virtual router is linked.
If the result for a tracking object is negative, then the VRRP instance reduces the priority of the
virtual router. The tracking object is negative for example, if the monitored interface is inactive or
the monitored router cannot be reached.
Possible values:
 Name of the tracking object, made up of Type and Track ID.
 Logical trackers, which combine multiple trackers
 –
No tracking object selected.
You set up tracking objects in the Routing > Tracking > Configuration dialog.
Decrement
Specifies the value by which the VRRP instance reduces the priority of the virtual router when the
monitoring result is negative.
Possible values:
 1..253 (default setting: 20)
Note: If in the Routing > L3-Redundancy > VRRP > Configuration dialog the value in the Priority column
is 255, then the virtual router is the owner of the IP address. In this case the priority of the virtual
router remains unchanged.
Status
Displays the monitoring result of the tracking object.
Possible values:
 notReady
The tracking object is not operating.
 up
The monitoring result is positive:
– The link status is active.
or
– The remote router or end device is reachable.
 down
The monitoring result is negative:
– The link status is inactive.
or
– The remote router or end device is not reachable.
 A combination of the up and down trackers.
Active
Displays whether the monitoring of the tracking object is active or inactive.
Possible values:
 active
The monitoring of the tracking object is active.
 notReady
The monitoring of the tracking object is inactive. You activate the monitoring in the Routing >
Tracking > Configuration dialog, Active column.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Port VRID drop-down list, you select the interface and router ID of a virtual router that has
been set up.
 In the Track name drop-down list, you select the tracking object with which the device links the
virtual router.
6.13 NAT
[ Routing > NAT ]
The menu contains the following dialogs:
 1:1 NAT
6.13.1 1:1 NAT
[ Routing > NAT > 1:1 NAT ]
The 1:1 NAT function lets you establish communication links within a local network to devices that
are located in other networks. The NAT router virtually “shifts” the devices into the public network.
To do this, the NAT router replaces the virtual with the actual IP address in the data packet while
sending it. A typical application is connecting some identically structured production cells with the
same IP address to a server farm.
 To use the NAT function, set up a router interface for each network and turn on the routing
function in the device.
The 1:1 NAT function has the following restrictions:
 Only supports IPv4 unicasts.
 Only supports full-duplex mode.
 Only supported on ports operating with 100 Mbit/s.
Note: If you enable the VRRP function and use the same VRID value on multiple VLAN router
interfaces, then the 1:1 NAT function is ineffective on these VLAN router interfaces.
Note: The NAT function is available for devices with an FPGA (hardware for extended functions).
The product code indicates whether your device supports the NAT function. In order to use the
functions, load the device software supporting NAT.
The menu contains the following dialogs:
 1:1 NAT Rule
6.13.1.1 1:1 NAT Rule
[ Routing > NAT > 1:1 NAT > Rule ]
In this dialog, you generate, edit and activate the 1:1 NAT rules. The dialog also lets you specify a
filter for FTP, ICMP error messages and a public interface.
Configuration
Application-level gateway
Specifies the type of filter used in the application-level gateway for the 1:1 NAT rules. The device
supports translation for the control and data protocols of the application layer.
Possible values:
 none
The device does not translate IP addresses.
 ftp
The device translates IP addresses present in the FTP header of the FTP control packets (TCP
port 21).
 icmp
The device translates IP addresses present in the ICMP header.
 ftp/icmp (default setting)
The device translates IP addresses present in the FTP header of the FTP control packets and
IP addresses present in the ICMP header.
Public interface
Specifies the public interface.
The device applies the 1:1 NAT rules to packets which are addressed to the public interface or which
are sent using the public interface.
Information
1:1 NAT rules (max.)
Displays how many rules can be configured in the device for the 1:1 NAT function.
1:1 NAT rules
Displays the number of current 1:1 NAT rules specified in the device.
Table
Index
Displays the index number to which the table entry relates.
Possible values:
 1..255
Rule name
Displays the name of the 1:1 NAT rule. To change the name, click the relevant field.
Possible values:
 Alphanumeric ASCII character string with 0..32 characters
Destination address
Specifies the destination address of the data packets to which the device applies the 1:1 NAT rule.
The device sends data packets with this destination address to the destination address specified in
the New destination address column.
Possible values:
 Valid IPv4 address
The device applies the 1:1 NAT rule only to data packets containing the destination address
specified here.
 Valid IPv4 address and netmask in CIDR notation
The device applies the 1:1 NAT rule only to data packets containing a destination address in the
subnet specified here.
New destination address
Specifies the actual IP address of the destination device. The device sends data packets to the
destination address specified here.
Possible values:
 Valid IPv4 address
The device replaces the destination address in the data packet with this new destination
address.
 Valid IPv4 address and netmask in CIDR notation
The device replaces the destination address in the data packet with a destination address in the
subnet specified here.
Active
Activates/deactivates the 1:1 NAT rule.
Possible values:
 marked
The rule is active.
 unmarked (default setting)
The rule is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
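A rule set planned for the Destination address and New destination address columns can be checked offline before it is entered. The following is an added example, not part of the manual or of HiOS: the addresses and rule names are constructed, and keeping the host part of the address, applying rules in index order and requiring equal prefix lengths are assumptions about 1:1 mapping in general.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    index: int
    name: str
    destination: str        # "Destination address" column
    new_destination: str    # "New destination address" column
    active: bool = False    # "Active" default: unmarked


def _net(text):
    # A single address without netmask becomes a /32 network.
    return ipaddress.ip_network(text, strict=True)


def validate(rules):
    """Return a list of problems found in the active rules."""
    problems = []
    active = sorted((r for r in rules if r.active), key=lambda r: r.index)
    for r in active:
        if _net(r.destination).prefixlen != _net(r.new_destination).prefixlen:
            problems.append(f"rule {r.index}: prefix lengths differ")
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if _net(a.destination).overlaps(_net(b.destination)):
                problems.append(
                    f"rules {a.index} and {b.index}: destinations overlap")
    return problems


def translate(rules, dst):
    """Return the destination address after applying the first matching rule."""
    addr = ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.index):
        old, new = _net(r.destination), _net(r.new_destination)
        if r.active and addr in old and old.prefixlen == new.prefixlen:
            offset = int(addr) - int(old.network_address)  # keep the host part
            return str(new.network_address + offset)
    return dst  # no rule applies: address unchanged


# Constructed scenario from the description above: two identically addressed
# production cells, each behind its own NAT router with its own rule table.
CELL_A = [Rule(1, "cell-a", "10.10.1.0/24", "192.168.1.0/24", True)]
CELL_B = [Rule(1, "cell-b", "10.10.2.0/24", "192.168.1.0/24", True),
          Rule(2, "cell-b-plc", "10.10.9.5", "192.168.1.5", False)]

if __name__ == "__main__":
    print(translate(CELL_A, "10.10.1.17"))  # host 17 in cell A
    print(translate(CELL_B, "10.10.2.17"))  # host 17 in cell B
    print(validate(CELL_A + CELL_B))
```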
7 Diagnostics
The menu contains the following dialogs:
 Status Configuration
 System
 Email Notification
 Syslog
 Ports
 LLDP
 SFlow
 Report
7.1 Status Configuration
[ Diagnostics > Status Configuration ]
The menu contains the following dialogs:
 Device Status
 Security Status
 Signal Contact
 MAC Notification
 Alarms (Traps)
7.1.1 Device Status
[ Diagnostics > Status Configuration > Device Status ]
The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device in order to present its condition in
graphic form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Device Status frame.
The dialog contains the following tabs:
 [Global]
 [Port]
 [Status]
[Global]
Device status
Device status
Displays the current status of the device. The device determines the status from the individual
monitored parameters.
Possible values:
 error
The device displays this value to indicate a detected error in one of the monitored parameters.
 ok
Traps
Send trap
Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Table
Temperature
Activates/deactivates the monitoring of the temperature in the device.
Possible values:
 marked (default setting)
Monitoring is active.
If the temperature exceeds or falls below the specified limit, then in the Device status frame, the
value changes to error.
 unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp. limit [°C]
field and Lower temp. limit [°C] field.
Ring redundancy
Activates/deactivates the monitoring of the ring redundancy.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
 unmarked (default setting)
Monitoring is inactive.
Connection errors
Activates/deactivates the monitoring of the link status of the port/interface.
Possible values:
 marked
Monitoring is active.
If the link interrupts on a monitored port/interface, then in the Device status frame, the value
changes to error.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.
External memory removal
Activates/deactivates the monitoring of the active external memory.
Possible values:
 marked
Monitoring is active.
If you remove the active external memory from the device, then in the Device status frame, the
value changes to error.
 unmarked (default setting)
Monitoring is inactive.
External memory not in sync
Activates/deactivates the monitoring of the configuration profile in the device and in the external
memory.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The configuration profile only exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
 unmarked (default setting)
Monitoring is inactive.
Power supply
Activates/deactivates the monitoring of the power supply unit.
Possible values:
 marked (default setting)
Monitoring is active.
If the device has a detected power supply fault, then in the Device status frame, the value
changes to error.
 unmarked
Monitoring is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Port]
Table
Port
Displays the port number.
Propagate connection error
Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
 marked
Monitoring is active.
If the link on the selected port/interface is interrupted, then in the Device status frame, the value
changes to error.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Status]
Table
Timestamp
Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.1.2 Security Status
[ Diagnostics > Status Configuration > Security Status ]
This dialog gives you an overview of the status of the safety-relevant settings in the device.
The device displays its current status as error or ok in the Security status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Security status frame.
The dialog contains the following tabs:
 [Global]
 [Port]
 [Status]
[Global]
Security status
Security status
Displays the current status of the security-relevant settings in the device. The device determines
the status from the individual monitored parameters.
Possible values:
 error
The device displays this value to indicate a detected error in one of the monitored parameters.
 ok
Traps
Send trap
Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Table
Password default settings unchanged
Activates/deactivates the monitoring of the password for the locally set up user accounts user and
admin.
Possible values:
 marked (default setting)
Monitoring is active.
If the password is set to the default setting for the user or admin user accounts, then in the
Security status frame, the value changes to error.
 unmarked
Monitoring is inactive.
You set the password in the Device Security > User Management dialog.
Min. password length < 8
Activates/deactivates the monitoring of the Min. password length policy.
Possible values:
 marked (default setting)
Monitoring is active.
If the value for the Min. password length policy is less than 8, then in the Security status frame, the
value changes to error.
 unmarked
Monitoring is inactive.
You specify the Min. password length policy in the Device Security > User Management dialog in the
Configuration frame.
Password policy settings deactivated
Activates/deactivates the monitoring of the Password policies settings.
Possible values:
 marked (default setting)
Monitoring is active.
If the value for at least one of the following policies is less than 1, then in the Security status frame,
the value changes to error.
– Upper-case characters (min.)
– Lower-case characters (min.)
– Digits (min.)
– Special characters (min.)
 unmarked
Monitoring is inactive.
You specify the policy settings in the Device Security > User Management dialog in the Password policy
frame.
User account password policy check deactivated
Activates/deactivates the monitoring of the Policy check function.
Possible values:
 marked
Monitoring is active.
If the Policy check function is inactive for at least 1 user account, then in the Security status frame,
the value changes to error.
 unmarked (default setting)
Monitoring is inactive.
You activate the Policy check function in the Device Security > User Management dialog.
Telnet server active
Activates/deactivates the monitoring of the Telnet server.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the Telnet server, then in the Security status frame, the value changes to error.
 unmarked
Monitoring is inactive.
You enable/disable the Telnet server in the Device Security > Management Access > Server dialog,
Telnet tab.
HTTP server active
Activates/deactivates the monitoring of the HTTP server.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the HTTP server, then in the Security status frame, the value changes to error.
 unmarked
Monitoring is inactive.
You enable/disable the HTTP server in the Device Security > Management Access > Server dialog,
HTTP tab.
SNMP unencrypted
Activates/deactivates the monitoring of the SNMP server.
Possible values:
 marked (default setting)
Monitoring is active.
If at least one of the following conditions applies, then in the Security status frame, the value
changes to error:
– The SNMPv1 function is enabled.
– The SNMPv2 function is enabled.
– The encryption for SNMPv3 is disabled.
You enable the encryption in the Device Security > User Management dialog, in the SNMP
encryption type column.
 unmarked
Monitoring is inactive.
You specify the settings for the SNMP agent in the Device Security > Management Access > Server
dialog, SNMP tab.
Access to system monitor with serial interface possible
Activates/deactivates the monitoring of the system monitor.
When the system monitor is activated, the user has the possibility to change to the system monitor
via a serial connection.
Possible values:
 marked
Monitoring is active.
If you activate the system monitor, then in the Security status frame, the value changes to error.
 unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the system monitor in the Diagnostics > System > Selftest dialog.
Saving the configuration profile on the external memory possible
Activates/deactivates the monitoring of the configuration profile in the external memory.
Possible values:
 marked
Monitoring is active.
If you activate the saving of the configuration profile in the external memory, then in the Security
status frame, the value changes to error.
 unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the saving of the configuration profile in the external memory in the Basic
Settings > External Memory dialog.
Load unencrypted config from external memory
Activates/deactivates the monitoring of loading unencrypted configuration profiles from the external
memory.
Possible values:
 marked (default setting)
Monitoring is active.
If the settings allow the device to load an unencrypted configuration profile from the external
memory, then in the Security status frame, the value changes to error.
If the following preconditions are fulfilled, then the Security status frame in the Basic Settings >
System dialog, displays an alarm.
– The configuration profile stored in the external memory is unencrypted.
and
– The Config priority column in the Basic Settings > External Memory dialog has the value first.
 unmarked
Monitoring is inactive.
Link interrupted on enabled device ports
Activates/deactivates the monitoring of the link on the active ports.
Possible values:
 marked
Monitoring is active.
If the link interrupts on an active port, then in the Security status frame, the value changes to
error. In the Port tab, you have the option of selecting the ports to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.
Access with HiDiscovery possible
Activates/deactivates the monitoring of the HiDiscovery function.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the HiDiscovery function, then in the Security status frame, the value changes to
error.
 unmarked
Monitoring is inactive.
You enable/disable the HiDiscovery function in the Basic Settings > Network dialog.
IEC61850-MMS active
Activates/deactivates the monitoring of the IEC61850-MMS function.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the IEC61850-MMS function, then in the Security status frame, the value changes to
error.
 unmarked
Monitoring is inactive.
You enable/disable the IEC61850-MMS function in the Industrial Protocols > IEC61850-MMS dialog,
Operation frame.
Modbus TCP active
Activates/deactivates the monitoring of the Modbus TCP function.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the Modbus TCP function, then in the Security status frame, the value changes to
error.
 unmarked
Monitoring is inactive.
You enable/disable the Modbus TCP function in the Advanced > Industrial Protocols > Modbus TCP
dialog, Operation frame.
EtherNet/IP active
Activates/deactivates the monitoring of the EtherNet/IP function.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the EtherNet/IP function, then in the Security status frame, the value changes to
error.
 unmarked
Monitoring is inactive.
You enable/disable the EtherNet/IP function in the Advanced > Industrial Protocols > EtherNet/IP dialog,
Operation frame.
PROFINET active
Activates/deactivates the monitoring of the PROFINET function.
Possible values:
 marked (default setting)
Monitoring is active.
If you enable the PROFINET function, then in the Security status frame, the value changes to
error.
 unmarked
Monitoring is inactive.
You enable/disable the PROFINET function in the Advanced > Industrial Protocols > PROFINET dialog,
Operation frame.
Self-signed HTTPS certificate present
Activates/deactivates the monitoring of the HTTPS certificate.
Possible values:
 marked (default setting)
Monitoring is active.
If the HTTPS server uses a self-created digital certificate, then in the Security status frame, the
value changes to error.
 unmarked
Monitoring is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Port]
Table
Port
Displays the port number.
Link interrupted on enabled device ports
Activates/deactivates the monitoring of the link on the active ports.
Possible values:
 marked
Monitoring is active.
If the port is enabled (Basic Settings > Port dialog, Configuration tab, Port on checkbox is marked)
and the link is down on the port, then in the Security status frame, the value changes to error.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Link interrupted on enabled device ports checkbox in the
Diagnostics > Status Configuration > Security Status dialog, Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Status]
Table
Timestamp
Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.1.3 Signal Contact
[ Diagnostics > Status Configuration > Signal Contact ]
The signal contact is a potential-free relay contact. The device thus lets you perform remote
diagnosis. The device uses the relay contact to signal the occurrence of events by opening the relay
contact and interrupting the closed circuit.
Note: The device can contain several signal contacts. Each contact contains the same monitoring
functions. Several contacts allow you to group various functions together providing flexibility in
system monitoring.
The menu contains the following dialogs:
 Signal Contact 1 / Signal Contact 2
7.1.3.1 Signal Contact 1 / Signal Contact 2
[ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ]
In this dialog you specify the trigger conditions for the signal contact.
The signal contact gives you the following options:
 Monitoring the correct operation of the device.
 Signaling the device status of the device.
 Signaling the security status of the device.
 Controlling external devices by manually setting the signal contacts.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Signal contact status frame.
The dialog contains the following tabs:
 [Global]
 [Port]
 [Status]
[Global]
Configuration
Mode
Specifies which events the signal contact indicates.
Possible values:
 Manual setting (default setting for Signal Contact 2, if present)
You use this setting to manually open or close the signal contact, for example to turn on or off
a remote device. See the Contact option list.
 Monitoring correct operation (default setting)
Using this setting the signal contact indicates the status of the parameters specified in the table
below.
 Device status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status dialog. In addition, you can read the status in the
Signal contact status frame.
 Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Security Status dialog. In addition, you can read the status in
the Signal contact status frame.
 Device/Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status and the Diagnostics > Status Configuration >
Security Status dialog. In addition, you can read the status in the Signal contact status frame.
Contact
Toggles the signal contact manually. The prerequisite is that you select in the Mode drop-down list
the value Manual setting.
Possible values:
 open
The signal contact is opened.
 close
The signal contact is closed.
Signal contact status
Signal contact status
Displays the current status of the signal contact.
Possible values:
 Opened (error)
The signal contact is opened. The circuit is interrupted.
 Closed (ok)
The signal contact is closed. The circuit is closed.
Trap configuration
Send trap
Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Monitoring correct operation
In the table you specify the parameters that the device monitors. The device signals the occurrence
of an event by opening the signal contact.
Temperature
Activates/deactivates the monitoring of the temperature in the device.
Possible values:
 marked (default setting)
Monitoring is active.
If the temperature exceeds / falls below the threshold values, then the signal contact opens.
 unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp. limit [°C]
field and Lower temp. limit [°C] field.
Ring redundancy
Activates/deactivates the monitoring of the ring redundancy.
Possible values:
 marked
Monitoring is active.
The signal contact opens in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
 unmarked (default setting)
Monitoring is inactive.
Connection errors
Activates/deactivates the monitoring of the link status of the port/interface.
Possible values:
 marked
Monitoring is active.
If the link interrupts on a monitored port/interface, then the signal contact opens.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.
External memory removed
Activates/deactivates the monitoring of the active external memory.
Possible values:
 marked
Monitoring is active.
If you remove the active external memory from the device, then the signal contact opens.
 unmarked (default setting)
Monitoring is inactive.
External memory not in sync with NVM
Activates/deactivates the monitoring of the configuration profile in the device and in the external
memory.
Possible values:
 marked
Monitoring is active.
The signal contact opens in the following situations:
– The configuration profile only exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
 unmarked (default setting)
Monitoring is inactive.
Power supply
Activates/deactivates the monitoring of the power supply unit.
Possible values:
 marked (default setting)
Monitoring is active.
If the device has a detected power supply fault, then the signal contact opens.
 unmarked
Monitoring is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Port]
Table
Port
Displays the port number.
Propagate connection error
Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
 marked
Monitoring is active.
If the link interrupts on the selected port/interface, then the signal contact opens.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Status]
Table
Timestamp
Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.1.4 MAC Notification
[ Diagnostics > Status Configuration > MAC Notification ]
The device lets you track changes in the network using the MAC address of the devices in the
network. The device saves the combination of port and MAC address in its MAC address table. If
the device (un)learns the MAC address of a (dis)connected device, then the device sends an SNMP
trap.
This function is intended for ports to which you connect end devices and thus the MAC address
changes infrequently.
Operation
Operation
Enables/disables the MAC Notification function in the device.
Possible values:
 On
The MAC Notification function is enabled.
 Off (default setting)
The MAC Notification function is disabled.
Configuration
Interval [s]
Specifies the send interval in seconds. If the device (un)learns the MAC address of a
(dis)connected device, then the device sends an SNMP trap after this time.
Possible values:
 0..2147483647 (default setting: 30)
Before sending an SNMP trap, the device registers up to 20 MAC addresses. If the device detects
a high number of changes, then the device sends the SNMP trap before the send interval expires.
Table
Port
Displays the port number.
Active
Activates/deactivates the MAC Notification function on the port.
Possible values:
 marked
The MAC Notification function is active on the port.
The device sends an SNMP trap in case of one of the following events:
– The device learns the MAC address of a newly connected device.
– The device unlearns the MAC address of a disconnected device.
 unmarked (default setting)
The MAC Notification function is inactive on the port.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Last MAC address
Displays the MAC address of the device last connected on or disconnected from the port.
The device detects the MAC addresses of devices which are connected as follows:
• directly connected to the port
• connected to the port through other devices in the network
Last MAC status
Displays the status of the Last MAC address value on this port.
Possible values:
 added
The device detected that another device was connected at the port.
 removed
The device detected that the connected device was removed from the port.
 other
The device did not detect a status.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
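The Interval [s] and 20-address limits described above determine how late a monitoring station hears about a newly connected device. The following is an added example, not code from the manual or from HiOS: it models the batching under the assumption that the interval timer starts with the first buffered change, and checks the reported MAC addresses against a per-port allowlist. The event records, port names, MAC addresses and the `batch_into_traps` and `review` helpers are constructed for illustration.

```python
from dataclasses import dataclass

MAX_MACS_PER_TRAP = 20    # "registers up to 20 MAC addresses" (manual)
DEFAULT_INTERVAL_S = 30   # default of the Interval [s] field (manual)


@dataclass(frozen=True)
class MacEvent:
    t: int        # second at which the switch (un)learned the address
    port: str     # port number as shown in the Port column
    mac: str      # value of the Last MAC address column
    status: str   # value of the Last MAC status column: "added" or "removed"


def batch_into_traps(events, interval_s=DEFAULT_INTERVAL_S):
    """Group MAC changes into traps as (send_time, [events]).

    Assumed model: the timer starts with the first buffered change and a
    full buffer of 20 addresses is sent before the interval expires.
    """
    traps, buf = [], []
    for ev in sorted(events, key=lambda e: e.t):
        if buf and ev.t >= buf[0].t + interval_s:
            traps.append((buf[0].t + interval_s, buf))   # interval expired
            buf = []
        buf.append(ev)
        if len(buf) == MAX_MACS_PER_TRAP:
            traps.append((ev.t, buf))                    # early send, buffer full
            buf = []
    if buf:
        traps.append((buf[0].t + interval_s, buf))
    return traps


def review(traps, allowed):
    """Return one finding per 'added' MAC that is not expected on its port."""
    findings = []
    for send_time, batch in traps:
        for ev in batch:
            if ev.status != "added":
                continue
            if ev.mac.lower() not in allowed.get(ev.port, set()):
                findings.append({
                    "port": ev.port,
                    "mac": ev.mac,
                    "learned_at": ev.t,
                    "reported_at": send_time,
                    "delay_s": send_time - ev.t,
                })
    return findings


# Constructed sample data: expected end devices per port.
ALLOWED = {
    "1/1": {"02:00:00:00:00:11"},
    "1/2": {"02:00:00:00:00:22"},
}

# Constructed sample events: a known device leaves port 1/1, an unknown one
# appears there 4 s later, and a known device comes up on port 1/2.
SAMPLE_EVENTS = [
    MacEvent(0, "1/1", "02:00:00:00:00:11", "removed"),
    MacEvent(4, "1/1", "02:00:00:00:00:aa", "added"),
    MacEvent(50, "1/2", "02:00:00:00:00:22", "added"),
]

if __name__ == "__main__":
    for finding in review(batch_into_traps(SAMPLE_EVENTS), ALLOWED):
        print(finding)
```

With the default interval, the unexpected address in the sample reaches the trap destination 26 seconds after the switch learned it; a shorter interval reduces that delay at the cost of more traps.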
7.1.5 Alarms (Traps)
[ Diagnostics > Status Configuration > Alarms (Traps) ]
The device lets you send an SNMP trap as a reaction to specific events. In this dialog, you specify
the trap destinations to which the device sends the SNMP traps.
You specify the events for which the device triggers an SNMP trap in, for example, the following
dialogs:
 in the Diagnostics > Status Configuration > Device Status dialog
 in the Diagnostics > Status Configuration > Security Status dialog
 in the Diagnostics > Status Configuration > MAC Notification dialog
When loopback interfaces are set up, the device uses the IP address of the 1st loopback interface
as the source of the SNMP traps. Otherwise, the device uses the address of the device
management.
Operation
Operation
Enables/disables the sending of SNMP traps to the trap destinations.
Possible values:
 On (default setting)
The sending of SNMP traps is enabled.
 Off
The sending of SNMP traps is disabled.
Table
Name
Specifies the name of the trap destination.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Address
Specifies the IP address and the port number of the trap destination.
Possible values:
 <Valid IPv4 address>:<port number>
Active
Activates/deactivates the sending of SNMP traps to this trap destination.
Possible values:
 marked (default setting)
The sending of SNMP traps to this trap destination is active.
 unmarked
The sending of SNMP traps to this trap destination is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Opens the Create window to add a new entry to the table.
 In the Name field you specify a name for the trap destination.
 In the Address field you specify the IP address and the port number of the trap destination.
If you choose not to enter a port number, then the device automatically adds the port number
162.
7.2 System
[ Diagnostics > System ]
The menu contains the following dialogs:
 System Information
 Hardware State
 Configuration Check
 IP Address Conflict Detection
 ARP
 Selftest
7.2.1 System Information
[ Diagnostics > System > System Information ]
This dialog displays the current operating condition of individual components in the device. The
displayed values are a snapshot; they represent the operating condition at the time the dialog was
loaded to the page.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Save system information
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
7.2.2 Hardware State
[ Diagnostics > System > Hardware State ]
This dialog provides information about the distribution and state of the flash memory of the device.
Information
Uptime
Displays the total operating time of the device since it was delivered.
Possible values:
 ..d ..h ..m ..s
Day(s) Hour(s) Minute(s) Second(s)
Table
Flash region
Displays the name of the respective memory area.
Description
Displays a description of what the device uses the memory area for.
Flash sectors
Displays how many sectors are assigned to the memory area.
Sector erase operations
Displays how many times the device has overwritten the sectors of the memory area.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.2.3 Configuration Check
[ Diagnostics > System > Configuration Check ]
The device lets you compare the settings in the device with the settings in its neighboring devices.
For this purpose, the device uses the information that it received from its neighboring devices
through topology recognition (LLDP).
The dialog lists the deviations detected, which affect the performance of the communication
between the device and the recognized neighboring devices.
You update the content of the table by clicking the button. When the table remains empty, the
configuration check was successful and the settings in the device are compatible with the settings
in the detected neighboring devices.
If you have set up more than 39 VLANs in the device, then the dialog constantly displays a warning.
The reason is the limited number of possible VLAN data sets in LLDP packets with a maximum
length. The device compares the first 39 VLANs automatically. If you have set up 40 or more
VLANs in the device, then check the congruence of the further VLANs manually, if necessary.
Note: A neighboring device without LLDP support, which forwards LLDP packets, can be the cause
of equivocal messages in the dialog. This occurs if the neighboring device is a hub or a switch
without management, which ignores the IEEE 802.1D-2004 standard. In this case, the dialog
displays the devices recognized and connected to the neighboring device as connected to the
device itself, even though they are connected to the neighboring device.
Summary
You also find this information when you position the mouse pointer over the button in the
Toolbar in the top part of the Navigation area.
Error
Displays the number of errors that the device detected during the configuration check.
Warning
Displays the number of warnings that the device detected during the configuration check.
Information
Displays the amount of information that the device detected during the configuration check.
Table
When you highlight a row in the table, the device displays additional information in the area beneath
it.
ID
Displays the rule ID of the deviations that occurred. The dialog combines several deviations with
the same rule ID under one rule ID.
Level
Displays the level of deviation between the settings in this device and the settings in the detected
neighboring devices.
The device differentiates between the following levels:
 INFORMATION
The performance of the communication between the two devices is not impaired.
 WARNING
The performance of the communication between the two devices is possibly impaired.
 ERROR
The communication between the two devices is impaired.
Message
Displays a more detailed description of the information, warnings and errors that occurred.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.2.4 IP Address Conflict Detection
[ Diagnostics > System > IP Address Conflict Detection ]
Using the IP Address Conflict Detection function the device verifies that its IP address is unique in the
network. For this purpose, the device analyzes received ARP packets.
In this dialog you specify the procedure with which the device detects address conflicts and specify
the required settings for this.
The device displays detected address conflicts in the table in the Management tab.
When the device detects an address conflict on its router interfaces, the device displays the most
recent address conflict in the Routing tab.
When the device detects an address conflict, the status LED of the device flashes red 4 times.
The dialog contains the following tabs:
 [Management]
 [Routing]
[Management]
Operation
Operation
Enables/disables the IP Address Conflict Detection function.
Possible values:
 On (default setting)
The IP Address Conflict Detection function is enabled.
The device verifies that its IP address is unique in the network.
 Off
The IP Address Conflict Detection function is disabled.
Configuration
Detection mode
Specifies the procedure with which the device detects address conflicts.
Possible values:
 active and passive (default setting)
The device uses active and passive address conflict detection.
 active
Active address conflict detection. The device actively helps avoid communicating with an IP
address that already exists in the network. The address conflict detection begins as soon as you
connect the device to the network or change its IP parameters.
– The device sends 4 ARP probe data packets at the interval specified in the Detection delay
[ms] field. If the device receives a response to these data packets, then there is an address
conflict.
– If the device does not detect an address conflict, then it sends 2 gratuitous ARP data packets
as an announcement. The device also sends these data packets when the address conflict
detection is disabled.
– If the IP address already exists in the network, then the device changes back to the
previously used IP parameters (if possible).
If the device receives its IP parameters from a DHCP server, then it sends a DHCPDECLINE
message back to the DHCP server.
– After the period specified in the Release delay [s] field, the device checks if the address conflict
still exists. When the device detects 10 address conflicts one after the other, the device
extends the waiting time to 60 s for the next check.
– When the device resolves the address conflict, the device management returns to the
network again.
 passive
Passive address conflict detection. The device analyzes the data traffic in the network. If another
device in the network is using the same IP address, then the device initially “defends” its IP
address. The device stops sending if the other device keeps sending with the same IP address.
– As a “defence” the device sends gratuitous ARP data packets. The device repeats this
procedure for the number of times specified in the Address protections field.
– If the other device continues sending with the same IP address, then after the period
specified in the Release delay [s] field, the device periodically checks if the address conflict still
exists.
– When the device resolves the address conflict, the device management returns to the
network again.
Send periodic ARP probes
Activates/deactivates the periodic address conflict detection.
Possible values:
 marked (default setting)
The periodic address conflict detection is active.
– The device periodically sends an ARP probe data packet every 90 to 150 seconds and waits
for the time specified in the Detection delay [ms] field for a response.
– If the device detects an address conflict, then the device applies the passive detection mode
function. If the Send trap function is active, then the device sends an SNMP trap.
 unmarked
The periodic address conflict detection is inactive.
Detection delay [ms]
Specifies the period in milliseconds for which the device waits for a response after sending an ARP
data packet.
Possible values:
 20..500 (default setting: 200)
Release delay [s]
Specifies the period in seconds after which the device checks again whether the address conflict
still exists.
Possible values:
 3..3600 (default setting: 15)
Address protections
Specifies how many times the device sends gratuitous ARP data packets in the passive detection
mode to “defend” its IP address.
Possible values:
 0..100 (default setting: 3)
Protection interval [ms]
Specifies the period in milliseconds after which the device sends gratuitous ARP data packets
again in the passive detection mode to “defend” its IP address.
Possible values:
 20..5000 (default setting: 200)
Send trap
Activates/deactivates the sending of SNMP traps when the device detects address conflicts.
Possible values:
 marked
The sending of SNMP traps is active.
If the device detects an address conflict, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Information
Conflict detected
Displays whether an address conflict currently exists.
Possible values:
 marked
The device detects an address conflict.
 unmarked
The device does not detect an address conflict.
Table
Timestamp
Displays the time at which the device detected an address conflict.
Port
Displays the number of the port on which the device detected the address conflict.
IP address
Displays the IP address that is causing the address conflict.
MAC address
Displays the MAC address of the device with which the address conflict exists.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Routing]
Configuration
Send trap
Activates/deactivates the sending of SNMP traps if address conflicts are detected.
Possible values:
 marked
If the device detects an address conflict, then the device sends an SNMP trap.
 unmarked (default setting)
The sending of SNMP traps is deactivated.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status
Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Information
The device continues to display the information in this frame, even if the last address conflict that
the device has detected is no longer present. To reset the values, click the button and then the
Reset routing statistics item.
IP address conflict detected
Displays whether the device has detected an address conflict.
Possible values:
 marked
The device has detected an address conflict.
 unmarked
The device has not detected an address conflict.
IP address
Displays the IP address that has caused the address conflict.
MAC address
Displays the MAC address of the device that has caused the address conflict.
Time since last conflict
Displays the time that has elapsed since the device has detected the address conflict.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset routing statistics
Resets the values in the Information frame.
Run routing conflict detection
Starts the detection on its router interfaces.
The device sends a broadcast on the router interfaces. The device then analyzes the received ARP
packets.
7.2.5 ARP
[ Diagnostics > System > ARP ]
This dialog displays the MAC and IP addresses of the neighboring devices connected to the device
management.
Table
Port
Displays the port number.
IP address
Displays the IP address of a device that responded to an ARP query to this device.
MAC address
Displays the MAC address of a device that responded to an ARP query to this device.
Last updated
Displays the time in seconds since the current settings of the entry were registered in the ARP
table.
Type
Displays the type of the ARP entry.
Possible values:
 static
Static ARP entry. When the ARP table is deleted, the device keeps the ARP entry.
 dynamic
Dynamic ARP entry. When the Aging time [s] has been exceeded and the device does not receive
any data from this device during this time, the device deletes the ARP entry.
 local
IP and MAC address of the device management.
Active
Displays that the ARP table contains the IP/MAC address assignment as an active entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset ARP table
Removes the dynamically set up addresses from the ARP table.
7.2.6 Selftest
[ Diagnostics > System > Selftest ]
This dialog lets you do the following:
 Activate/deactivate the RAM test when the device is being started.
 Enable/disable the option of entering the system monitor upon the system start.
 Specify how the device behaves in the case of an error.
Configuration
If the device does not detect any readable configuration profile when restarting, then the following
settings block your access to the device permanently.
 SysMon1 is available checkbox is unmarked.
 Load default config on error checkbox is unmarked.
This is the case, for example, if the password of the configuration profile that you are loading differs
from the password set in the device. To have the device unlocked again, contact your sales partner.
RAM test
Activates/deactivates the RAM memory check during the restart.
Possible values:
 marked (default setting)
The RAM memory check is activated. During the restart, the device checks the RAM memory.
 unmarked
The RAM memory check is deactivated. This shortens the start time for the device.
SysMon1 is available
Activates/deactivates the access to the system monitor during the restart.
Possible values:
 marked (default setting)
The device lets you open the system monitor during the restart.
 unmarked
The device starts without the option of opening the system monitor.
Among other things, the system monitor lets you update the device software and delete saved
configuration profiles.
Load default config on error
Activates/deactivates the loading of the default settings if the device does not detect any readable
configuration profile when restarting.
Possible values:
 marked (default setting)
The device loads the default settings.
 unmarked
The device interrupts the restart and stops. The access to the device management is possible
only using the Command Line Interface through the serial interface.
To regain the access to the device through the network, open the system monitor and reset the
settings. Upon restart, the device loads the default settings.
Table
In this table you specify how the device behaves in the case of an error.
Cause
Error causes to which the device reacts.
Possible values:
 task
The device detects errors in the applications executed, for example if a task terminates or is not
available.
 resource
The device detects errors in the resources available, for example if the memory is becoming
scarce.
 software
The device detects software errors, for example an error in the consistency check.
 hardware
The device detects hardware errors, for example in the chip set.
Action
Specifies how the device behaves if the adjacent event occurs.
Possible values:
 reboot (default setting)
The device triggers a restart.
 logOnly
The device registers the detected error in the log file. See the Diagnostics > Report > System Log
dialog.
 sendTrap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.3 Email Notification
[ Diagnostics > Email Notification ]
The device lets you inform multiple recipients by email about events that have occurred.
The device sends the emails immediately or periodically depending on the event severity. Usually
you specify events with a high severity to be sent immediately.
You can specify multiple recipients to which the device sends the emails either immediately or
periodically.
The menu contains the following dialogs:
 Email Notification Global
 Email Notification Recipients
 Email Notification Mail Server
7.3.1 Email Notification Global
[ Diagnostics > Email Notification > Global ]
In this dialog, you specify the sender settings. Also, you specify for which event severities the
device sends the emails immediately and for which periodically.
Operation
Operation
Enables/disables the sending of emails.
Possible values:
 On
The sending of emails is enabled.
 Off (default setting)
The sending of emails is disabled.
Certificate
The device can send messages to a server over unsecured networks. To help deny a “man in the
middle” attack, request that the Certificate Authority creates a certificate for the server. Configure
the server to use the certificate. Transfer the certificate onto the device.
If you specify the settings for the mail servers, then use the IP address or DNS name provided as
Common Name or Subject Alternative Name in the certificate. Otherwise the certificate validation
will fail.
URL
Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
• X.509 format
• .PEM file name extension
• Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend that you always use a certificate which is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
 Import from the PC
When the certificate is located on your PC or on a network drive, drag and drop the certificate
in the area. Alternatively click in the area to select the certificate.
 Import from an FTP server
When the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
When the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
When the certificate is on an SCP or SFTP server, you specify the URL for the file in the
following form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Copies the certificate specified in the URL field to the device.
Sender
Address
Specifies the email address of the device.
The device sends the emails using this email address as the sender.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
(default setting: [email protected])
Notification immediate
Here you specify the settings for emails which the device sends immediately.
Severity
Specifies the minimum severity of events for which the device immediately sends an email. If an
event of this severity occurs, or of a more urgent severity, then the device sends an email to the
recipients.
Possible values:
 emergency
 alert (default setting)
 critical
 error
 warning
 notice
 informational
 debug
Subject
Specifies the subject of the email.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Notification periodic
Here you specify the settings for emails which the device sends periodically.
Severity
Specifies the minimum severity of events for which the device periodically sends an email. If an
event of this severity occurs, or of a more urgent severity, then the device registers the event in the
buffer. The device sends the buffer content periodically or when the buffer overflows.
If an event of a less urgent severity occurs, then the device does not register the event in the buffer.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Subject
Specifies the subject of the email.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Sending interval [min]
Specifies the send interval in minutes.
If the device has registered at least 1 event, then the device sends an email with the log file after
the time expires.
Possible values:
 30..1440 (default setting: 30)
Send
Sends an email immediately with the buffer content and clears the buffer.
Information
Sent messages
Displays how many times the device has successfully sent an email to the mail server.
Undeliverable messages
Displays how many times the device has unsuccessfully tried to send an email to the mail server.
Time of the last messages sent
Displays the date and time at which the device has last sent an email to the mail server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Clear email notification statistics
Resets the counters in the Information frame to 0.
Meaning of the event severities
Severity        Meaning
emergency       Device not ready for operation
alert           Immediate user intervention required
critical        Critical status
error           Error status
warning         Warning
notice          Significant, normal status
informational   Informal message
debug           Debug message
7.3.2 Email Notification Recipients
[ Diagnostics > Email Notification > Recipients ]
In this dialog, you specify the recipients to which the device sends the emails. The device lets you
specify up to 10 recipients.
Table
Index
Displays the index number to which the table entry relates.
Notification type
Specifies whether the device sends the emails to this recipient immediately or periodically.
Possible values:
 immediate
The device sends the emails to this recipient immediately.
 periodic
The device sends the emails to this recipient periodically.
Address
Specifies the email address of the recipient.
Possible values:
 Valid email address with up to 255 characters
Active
Activates/deactivates the informing of the recipient.
Possible values:
 marked (default setting)
The informing of the recipient is active.
 unmarked
The informing of the recipient is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.3.3 Email Notification Mail Server
[ Diagnostics > Email Notification > Mail Server ]
In this dialog, you specify the settings for the mail servers. The device supports encrypted and
unencrypted connections to the mail server.
Table
Index
Displays the index number to which the table entry relates.
Description
Specifies the name of the server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
IP address
Specifies the IP address or the DNS name of the server.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
 DNS name in the format domain.tld or host.domain.tld
If you specify a DNS name, then also enable the Client function in the Advanced > DNS > Client >
Global dialog.
If you establish encrypted connections using the certificate, then verify that the DNS name is
equal to the server DNS name mentioned in the certificate.
Destination TCP port
Specifies the TCP port of the server.
Possible values:
 1..65535 (default setting: 25)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP ports:
• SMTP 25
• Message Submission 587
Encryption
Specifies the protocol which encrypts the connection between the device and the mail server.
Possible values:
 none (default setting)
The device establishes an unencrypted connection to the server.
 tlsv1
The device establishes an encrypted connection to the server using the startTLS extension.
User name
Specifies the user name of the account which the device uses to authenticate on the mail server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Password
Specifies the password of the account which the device uses to authenticate on the mail server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Timeout [s]
Specifies the time in seconds after which the device sends an email again. The prerequisite is that
the device has failed to send the complete email due to a connection error.
Possible values:
 1..15 (default setting: 3)
Active
Activates/deactivates the use of the mail server.
Possible values:
 marked
The mail server is active.
The device sends emails to this mail server.
 unmarked (default setting)
The mail server is inactive.
The device does not send emails to this mail server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Connection test
Opens the Connection test dialog to send a test email.
If the mail server settings are correct, then the selected recipients receive a test email.
 In the Recipient field, you specify to which recipients the device sends the test email:
– immediate
The device sends the test email to the recipients to which the device sends emails
immediately.
– periodic
The device sends the test email to the recipients to which the device sends emails
periodically.
 In the Message text field, you specify the text of the test email.
7.4 Syslog
[ Diagnostics > Syslog ]
The device lets you report selected events, independent of the severity of the event, to different
syslog servers. In this dialog, you specify the settings for this function and manage up to 8 syslog
servers.
Operation
Operation
Enables/disables the sending of events to the syslog servers.
Possible values:
 On
The sending of events is enabled.
The device sends the events specified in the table to the specified syslog servers.
 Off (default setting)
The sending of events is disabled.
Certificate
The device can send messages to a server over unsecured networks. To help deny a “man in the
middle” attack, request that the Certificate Authority creates a certificate for the server. Configure
the server to use the certificate. Transfer the certificate onto the device.
If you specify the parameters on the server, then verify that you specify the IP address and DNS
name provided in the certificate as the Common Name or Subject Alternative Name. Otherwise the
certificate validation will fail.
Note: In order for the changes to take effect after loading a new certificate, restart the Syslog
function.
URL
Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
• X.509 format
• .PEM file name extension
• Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend that you always use a certificate which is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
 Import from the PC
When the certificate is located on your PC or on a network drive, drag and drop the certificate
in the area. Alternatively click in the area to select the certificate.
 Import from an FTP server
When the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
When the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
When the certificate is on an SCP or SFTP server, you specify the URL for the file in the
following form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter
User name and Password, to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Copies the certificate specified in the URL field to the device.
Table
Index
Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
 1..8
IP address
Specifies the IP address of the syslog server.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port
Specifies the TCP or UDP port on which the syslog server expects the log entries.
Possible values:
 1..65535 (default setting: 514)
Transport type
Specifies the transport type the device uses to send the events to the syslog server.
Possible values:
 udp (default setting)
The device sends the events over the UDP port specified in the Destination UDP port column.
 tls
The device sends the events over TLS on the TCP port specified in the Destination UDP port
column.
Min. severity
Specifies the minimum severity of the events. The device sends a log entry for events with this
severity and with more urgent severities to the syslog server.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Type
Specifies the type of the log entry transmitted by the device.
Possible values:
 systemlog (default setting)
 audittrail
Active
Activates/deactivates the transmission of events to the syslog server:
 marked
The device sends events to the syslog server.
 unmarked (default setting)
The transmission of events to the syslog server is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
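A configuration review of the settings described in the Selftest, Email Notification and Syslog dialogs, as an added example that is not part of the Hirschmann manual or the device software. The settings snapshot, its key names, the credentials and all addresses are constructed for illustration; the certificate name check is a plain case-insensitive comparison, which is an assumption of this example and not the device's validation logic.

```python
from urllib.parse import urlsplit

# Constructed settings snapshot, not a device export format. The key names are
# hypothetical; the values are options offered by the dialogs described above.
SAMPLE = {
    "selftest": {"sysmon1_available": False, "load_default_on_error": False},
    "cert_urls": [
        "ftp://admin:secret@192.0.2.10:21/certs/mail.pem",
        "sftp://192.0.2.10/certs/syslog.pem",
    ],
    # Names read from the CN/SAN of the certificate loaded for email.
    "mail_cert_names": ["smtp.example.net"],
    "mail_servers": [
        {"address": "mail.example.net", "port": 25, "encryption": "none",
         "user": "rsp-switch", "active": True},
        {"address": "smtp.example.net", "port": 587, "encryption": "tlsv1",
         "user": "rsp-switch", "active": True},
    ],
    "syslog_servers": [
        {"address": "192.0.2.20", "port": 514, "transport": "udp",
         "type": "audittrail", "active": True},
        {"address": "192.0.2.21", "port": 6514, "transport": "tls",
         "type": "systemlog", "active": True},
    ],
}


def check_selftest(st):
    """Both recovery paths off: an unreadable profile blocks access."""
    if not st["sysmon1_available"] and not st["load_default_on_error"]:
        return [("selftest", "device",
                 "SysMon1 and 'Load default config on error' are both unmarked")]
    return []


def check_cert_url(url):
    """Review a certificate import URL without echoing embedded credentials."""
    parts = urlsplit(url)
    target = f"{parts.scheme}://{parts.hostname}"
    findings = []
    if parts.scheme in ("ftp", "tftp"):
        findings.append(("certificate", target,
                         "certificate is transferred unencrypted; prefer scp or sftp"))
    if parts.password is not None:
        findings.append(("certificate", target,
                         "password embedded in the URL; the scp/sftp form without "
                         "credentials asks for them in the Credentials window"))
    return findings


def check_mail_server(srv, cert_names):
    """Review one row of the Mail Server table; inactive rows are skipped."""
    if not srv["active"]:
        return []
    target = f"{srv['address']}:{srv['port']}"
    findings = []
    if srv["port"] == 2222:
        findings.append(("mail", target,
                         "port 2222 is reserved for internal functions"))
    if srv["encryption"] == "none":
        msg = "connection to the mail server is unencrypted"
        if srv.get("user"):
            msg += "; the authentication exchange is not protected by TLS"
        findings.append(("mail", target, msg))
    elif srv["address"].lower() not in {n.lower() for n in cert_names}:
        # Exact comparison only (assumption); wildcard names are not handled.
        findings.append(("mail", target,
                         "server name is not a CN/SAN of the loaded certificate; "
                         "validation will fail"))
    return findings


def check_syslog_server(srv):
    """Review one row of the Syslog table; only active udp rows are reported."""
    if not srv["active"] or srv["transport"] != "udp":
        return []
    what = "audit trail" if srv["type"] == "audittrail" else "system log"
    return [("syslog", f"{srv['address']}:{srv['port']}",
             f"{what} entries are sent over UDP without TLS")]


def audit(settings):
    """Return (area, target, message) findings for the whole snapshot."""
    findings = check_selftest(settings["selftest"])
    for url in settings["cert_urls"]:
        findings += check_cert_url(url)
    for srv in settings["mail_servers"]:
        findings += check_mail_server(srv, settings["mail_cert_names"])
    for srv in settings["syslog_servers"]:
        findings += check_syslog_server(srv)
    return findings


if __name__ == "__main__":
    for area, target, message in audit(SAMPLE):
        print(f"[{area}] {target}: {message}")
```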
7.5 Ports
[ Diagnostics > Ports ]
The menu contains the following dialogs:
 SFP
 TP cable diagnosis
 Port Monitor
 Auto-Disable
 Port Mirroring
7.5.1 SFP
[ Diagnostics > Ports > SFP ]
This dialog lets you look at the SFP transceivers currently connected to the device and their
properties.
Table
The table displays valid values if the device is equipped with SFP transceivers.
Port
Displays the port number.
Module type
Type of the SFP transceiver, for example M-SFP-SX/LC.
Serial number
Displays the serial number of the SFP transceiver.
Connector type
Displays the connector type.
Supported
Displays whether the device supports the SFP transceiver.
Temperature [°C]
Operating temperature of the SFP transceiver in °Celsius.
Tx power [mW]
Transmission power of the SFP transceiver in mW.
Rx power [mW]
Receiving power of the SFP transceiver in mW.
Tx power [dBm]
Transmission power of the SFP transceiver in dBm.
Rx power [dBm]
Receiving power of the SFP transceiver in dBm.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.5.2 TP cable diagnosis
[ Diagnostics > Ports > TP cable diagnosis ]
This feature tests the cable attached to an interface for a short circuit or an open circuit. The table displays the
cable status and estimated length. The device also displays the individual cable pairs connected to
the port. When the device detects a short circuit or an open circuit in the cable, it also displays the
estimated distance to the problem.
Note: This test interrupts traffic on the port.
Information
Port
Displays the port number.
Status
Status of the Virtual Cable Tester.
Possible values:
 active
Cable testing is in progress.
To start the test, click the button and then the Start cable diagnosis... item. This action opens
the Select port dialog.
 success
The device displays this entry after performing a successful test.
 failure
The device displays this entry after an interruption in the test.
 uninitialized
The device displays this entry while in standby.
Table
Cable pair
Displays the cable pair to which this entry relates. The device uses the first PHY index supported
to display the values.
Result
Displays the results of the cable test.
Possible values:
 normal
The cable is functioning properly.
 open
There is a break in the cable causing an interruption.
 short
Wires in the cable are touching, causing a short circuit.
 unknown
The device displays this value for untested cable pairs.
The device displays different values than expected in the following cases:
• If no cable is connected to the port, then the device displays the value unknown instead of open.
• If the port is deactivated, then the device displays the value short.
Min. length
Displays the minimum estimated length of the cable in meters.
If the cable length is unknown, or if the Status field in the Information frame displays the value active,
failure or uninitialized, then the device displays the value 0.
Max. length
Displays the maximum estimated length of the cable in meters.
If the cable length is unknown, or if the Status field in the Information frame displays the value active,
failure or uninitialized, then the device displays the value 0.
Distance [m]
Displays the estimated distance in meters from the end of the cable to the failure location.
If the cable length is unknown, or if the Status field in the Information frame displays the value active,
failure or uninitialized, then the device displays the value 0.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Start cable diagnosis...
Opens the Select port dialog.
In the Port drop-down list you select the port to be tested. Use for copper-based ports only.
To initiate the cable test on the selected port, click the Ok button.
7.5.3 Port Monitor
[ Diagnostics > Ports > Port Monitor ]
The Port Monitor function monitors the adherence to the specified parameters on the ports. If the Port
Monitor function detects that the parameters are being exceeded, then the device performs an
action.
To apply the Port Monitor function, proceed as follows:
 Global tab
– Enable the Operation function in the Port Monitor frame.
– Activate for each port those parameters that you want the Port Monitor function to monitor.
 Link flap, CRC/Fragments and Overload detection tabs
– Specify the threshold values for the parameters for each port.
 Link speed/Duplex mode detection tab
– Activate the allowed combinations of speed and duplex mode for each port.
 Global tab
– Specify for each port an action that the device carries out if the Port Monitor function detects
that the parameters have been exceeded.
 Auto-disable tab
– Mark the Auto-disable checkbox for the monitored parameters if you have specified the auto-disable action at least once.
The dialog contains the following tabs:
 [Global]
 [Auto-disable]
 [Link flap]
 [CRC/Fragments]
 [Overload detection]
 [Link speed/Duplex mode detection]
[Global]
In this tab, you enable the Port Monitor function and specify the parameters that the Port Monitor
function is monitoring. Also specify the action that the device carries out if the Port Monitor function
detects that the parameters have been exceeded.
Operation
Operation
Enables/disables the Port Monitor function globally.
Possible values:
 On
The Port Monitor function is enabled.
 Off (default setting)
The Port Monitor function is disabled.
Table
Port
Displays the port number.
Link flap on
Activates/deactivates the monitoring of link flaps on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors link flaps on the port.
– If the device detects too many link flaps, then the device executes the action specified in the
Action column.
– On the Link flap tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
CRC/Fragments on
Activates/deactivates the monitoring of CRC/fragment errors on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors CRC/fragment errors on the port.
– If the device detects too many CRC/fragment errors, then the device executes the action
specified in the Action column.
– On the CRC/Fragments tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
Duplex mismatch detection active
Activates/deactivates the monitoring of duplex mismatches on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors duplex mismatches on the port.
– If the device detects a duplex mismatch, then the device executes the action specified in the
Action column.
 unmarked (default setting)
Monitoring is inactive.
Overload detection on
Activates/deactivates the overload detection on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors the data load on the port.
– If the device detects a data overload on the port, then the device executes the action
specified in the Action column.
– On the Overload detection tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
Link speed/Duplex mode detection on
Activates/deactivates the monitoring of the link speed and duplex mode on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors the link speed and duplex mode on the port.
– If the device detects an unpermitted combination of link speed and duplex mode, then the
device executes the action specified in the Action column.
– On the Link speed/Duplex mode detection tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
Active condition
Displays the monitored parameter that led to the action on the port.
Possible values:
 No monitored parameter.
The device does not carry out any action.
 Link flap
Too many link changes in the observed period.
 CRC/Fragments
Too many CRC/fragment errors in the observed period.
 Duplex mismatch
Duplex mismatch detected.
 Overload detection
Overload detected in the observed period.
 Link speed/Duplex mode detection
Impermissible combination of speed and duplex mode detected.
Action
Specifies the action that the device carries out if the Port Monitor function detects that the
parameters have been exceeded.
Possible values:
 disable port
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
– To re-enable the port, highlight the port and click the button and then the Reset item.
– If the parameters are no longer being exceeded, then the Auto-Disable function enables the
relevant port again after the specified waiting period. The prerequisite is that on the Auto-disable
tab the checkbox for the monitored parameter is marked.
 send trap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
 auto-disable (default setting)
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
The prerequisite is that on the Auto-disable tab the checkbox for the monitored parameter is
marked.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in
the Reset timer [s] column.
Port status
Displays the operating state of the port.
Possible values:
 up
The port is enabled.
 down
The port is disabled.
 notPresent
Physical port unavailable.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
[Auto-disable]
In this tab, you activate the Auto-Disable function for the parameters monitored by the Port Monitor
function.
Table
Reason
Displays the parameters monitored by the Port Monitor function.
Mark the adjacent checkbox so that the Port Monitor function carries out the auto-disable action if
it detects that the monitored parameters have been exceeded.
Auto-disable
Activates/deactivates the Auto-Disable function for the adjacent parameters.
Possible values:
 marked
The Auto-Disable function for the adjacent parameters is active.
If the adjacent parameters are exceeded and the value auto-disable is specified in the Action
column, then the device carries out the Auto-Disable function.
 unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
[Link flap]
In this tab, you specify individually for every port the following settings:
 The number of link changes.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see how many link changes the Port Monitor function has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Link flap on column is
marked on the Global tab.
Table
Port
Displays the port number.
Sampling interval [s]
Specifies, in seconds, the period during which the Port Monitor function monitors a parameter to
detect discrepancies.
Possible values:
 1..180 (default setting: 10)
Link flaps
Specifies the number of link changes.
If the Port Monitor function detects this number of link changes in the monitored period, then the
device performs the specified action.
Possible values:
 1..100 (default setting: 5)
Last sampling interval
Displays the number of errors that the device has detected during the period that has elapsed.
Total
Displays the total number of errors that the device has detected since the port was enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
[CRC/Fragments]
In this tab, you specify individually for every port the following settings:
 The fragment error rate.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the fragment error rate that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the CRC/Fragments on
column is marked on the Global tab.
Table
Port
Displays the port number.
Sampling interval [s]
Specifies, in seconds, the period during which the Port Monitor function monitors a parameter to
detect discrepancies.
Possible values:
 5..180 (default setting: 10)
CRC/Fragments count [ppm]
Specifies the fragment error rate (in parts per million).
If the Port Monitor function detects this fragment error rate in the monitored period, then the device
performs the specified action.
Possible values:
 1..1000000 (default setting: 1000)
Last active interval [ppm]
Displays the fragment error rate that the device has detected during the period that has elapsed.
Total [ppm]
Displays the fragment error rate that the device has detected since the port was enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
[Overload detection]
In this tab, you specify individually for every port the following settings:
 The load threshold values.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the number of data packets that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Overload detection on
column is marked on the Global tab.
The Port Monitor function does not monitor any ports that are members of a link aggregation group
or PRP/HSR subscribers.
Table
Port
Displays the port number.
Traffic type
Specifies the type of data packets that the device considers when monitoring the load on the port.
Possible values:
 all
The Port Monitor function monitors Broadcast, Multicast and Unicast packets.
 bc (default setting)
The Port Monitor function monitors only Broadcast packets.
 bc-mc
The Port Monitor function monitors only Broadcast and Multicast packets.
Threshold type
Specifies the unit for the data rate.
Possible values:
 pps (default setting)
packets per second
 kbps
kbit per second
The prerequisite is that the value in the Traffic type column = all.
Lower threshold
Specifies the lower threshold value for the data rate.
The Auto-Disable function enables the port again only when the load on the port is lower than the
value specified here.
Possible values:
 0..10000000 (default setting: 0)
Upper threshold
Specifies the upper threshold value for the data rate.
If the Port Monitor function detects this load in the monitored period, then the device performs the
specified action.
Possible values:
 0..10000000 (default setting: 0)
Interval [s]
Specifies, in seconds, the period during which the Port Monitor function observes a parameter to
detect that the parameter is being exceeded.
Possible values:
 1..20 (default setting: 1)
Packets
Displays the number of Broadcast, Multicast and Unicast packets that the device has detected
during the period that has elapsed.
Broadcast packets
Displays the number of Broadcast packets that the device has detected during the period that has
elapsed.
Multicast packets
Displays the number of Multicast packets that the device has detected during the period that has
elapsed.
Kbit/s
Displays the data rate in Kbits per second that the device has detected during the period that has
elapsed.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
[Link speed/Duplex mode detection]
In this tab, you activate the allowed combinations of speed and duplex mode for each port.
The Port Monitor function monitors those ports for which the checkbox in the Link speed/Duplex mode
detection on column is marked on the Global tab.
The Port Monitor function monitors only enabled physical ports.
Table
Port
Displays the port number.
10 Mbit/s HDX
Activates/deactivates the port monitor to accept a half-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor takes into consideration the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
10 Mbit/s FDX
Activates/deactivates the port monitor to accept a full-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor takes into consideration the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s HDX
Activates/deactivates the port monitor to accept a half-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor takes into consideration the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s FDX
Activates/deactivates the port monitor to accept a full-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor takes into consideration the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
1,000 Mbit/s FDX
Activates/deactivates the port monitor to accept a full-duplex and 1 Gbit/s data rate combination on
the port.
Possible values:
 marked
The port monitor takes into consideration the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
7.5.4 Auto-Disable
[ Diagnostics > Ports > Auto-Disable ]
The Auto-Disable function lets you disable monitored ports automatically and enable them again as
you desire.
For example, the Port Monitor function and selected functions in the Network Security menu use the
Auto-Disable function to disable ports if monitored parameters are exceeded.
If the parameters are no longer being exceeded, then the Auto-Disable function enables the relevant
port again after the specified waiting period.
The dialog contains the following tabs:
 [Port]
 [Status]
[Port]
This tab displays which ports are currently disabled due to the parameters being exceeded. If the
parameters are no longer being exceeded and you specify a waiting period in the Reset timer [s]
column, then the Auto-Disable function automatically enables the relevant port again.
Table
Port
Displays the port number.
Reset timer [s]
Specifies the waiting period in seconds, after which the Auto-Disable function enables the port again.
Possible values:
 0 (default setting)
The timer is inactive. The port remains disabled.
 30..4294967295
If the parameters are no longer being exceeded, then the Auto-Disable function enables the port
again after the waiting period specified here.
Error time
Displays when the device disabled the port due to the parameters being exceeded.
Remaining time [s]
Displays the remaining time in seconds, until the Auto-Disable function enables the port again.
Component
Displays the software component in the device that disabled the port.
Possible values:
 PORT_MON
Port Monitor
See the Diagnostics > Ports > Port Monitor dialog.
 PORT_ML
Port Security
See the Network Security > Port Security dialog.
 DHCP_SNP
DHCP Snooping
See the Network Security > DHCP Snooping dialog.
 DOT1S
BPDU guard
See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
 DAI
Dynamic ARP Inspection
See the Network Security > Dynamic ARP Inspection dialog.
Reason
Displays the monitored parameter that led to the port being disabled.
Possible values:
 none
No monitored parameter.
The port is enabled.
 link-flap
Too many link changes. See the Diagnostics > Ports > Port Monitor dialog, Link flap tab.
 crc-error
Too many CRC/fragment errors. See the Diagnostics > Ports > Port Monitor dialog, CRC/Fragments
tab.
 duplex-mismatch
Duplex mismatch detected. See the Diagnostics > Ports > Port Monitor dialog, Global tab.
 dhcp-snooping
Too many DHCP packets from untrusted sources. See the Network Security > DHCP Snooping >
Configuration dialog, Port tab.
 arp-rate
Too many ARP packets from untrusted sources. See the Network Security > Dynamic ARP
Inspection > Configuration dialog, Port tab.
 bpdu-rate
STP-BPDUs received. See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
 mac-based-port-security
Too many data packets from undesired senders. See the Network Security > Port Security dialog.
 overload-detection
Overload. See the Diagnostics > Ports > Port Monitor dialog, Overload detection tab.
 speed-duplex
Impermissible combination of speed and duplex mode detected. See the Diagnostics > Ports >
Port Monitor dialog, Link speed/Duplex mode detection tab.
Active
Displays whether the port is currently disabled due to the parameters being exceeded.
Possible values:
 marked
The port is currently disabled.
 unmarked
The port is enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Status]
This tab displays the monitored parameters for which the Auto-Disable function is activated.
Table
Reason
Displays the parameters that the device monitors.
Mark the adjacent checkbox so that the Auto-Disable function disables and, when applicable,
enables the port again if the monitored parameters are exceeded.
Category
Displays which function the adjacent parameter belongs to.
Possible values:
 port-monitor
The parameter belongs to the Port Monitor function. See the Diagnostics > Ports > Port Monitor
dialog.
 network-security
The parameter belongs to the functions in the Network Security menu.
 l2-redundancy
The parameter belongs to the L2-Redundancy functions. See the Switching > L2-Redundancy
dialog.
Auto-disable
Displays whether the Auto-Disable function is activated/deactivated for the adjacent parameter.
Possible values:
 marked
The Auto-Disable function for the adjacent parameters is active.
The Auto-Disable function disables and, when applicable, enables the relevant port again if the
monitored parameters are exceeded.
 unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
7.5.5 Port Mirroring
[ Diagnostics > Ports > Port Mirroring ]
The Port Mirroring function lets you copy received and sent data packets from selected ports to a
destination port. You can watch and process the data stream using an analyzer or an RMON probe,
connected to the destination port. The data packets remain unmodified on the source port.
Note: To enable the access to the device management using the destination port, mark the
checkbox Allow management in the Destination port frame before you enable the Port Mirroring function.
Operation
Operation
Enables/disables the Port Mirroring function.
Possible values:
 On
The Port Mirroring function is enabled.
The device copies the data packets from the selected source ports to the destination port.
 Off (default setting)
The Port Mirroring function is disabled.
Destination port
Primary port
Specifies the destination port.
Suitable ports are those ports that are not used for the following purposes:
• Source port
• L2 redundancy protocols
• Port-based router interface
Possible values:
 no Port (default setting)
No destination port selected.
 <Port number>
Number of the destination port. The device copies the data packets from the source ports to this
port.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The destination port transmits unmodified the data packets that the source port receives.
Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data
stream exceeds the bandwidth of the destination port, then the device discards surplus data
packets on the destination port.
Allow management
Activates/deactivates the access to the device management using the destination port.
Possible values:
 marked
The access to the device management using the destination port is active.
The device lets users have access to the device management using the destination port without
interrupting the active Port Mirroring session.
– The device duplicates multicasts, broadcasts and unknown unicasts on the destination port.
– The VLAN settings on the destination port remain unchanged. The prerequisite for access to
the device management using the destination port is that the destination port is not a member
of the VLAN of the device management.
 unmarked (default setting)
The access to the device management using the destination port is inactive.
The device prohibits the access to the device management using the destination port.
VLAN mirroring
The VLAN mirroring function lets you copy ingress data packets in a specific VLAN to the selected
destination port. The device forwards the data stream out of the specified destination port.
Note: The VLAN mirroring function is only available on the primary port.
Source VLAN ID
Specifies the VLAN from which the device mirrors data to the destination port.
Possible values:
 0 (default setting)
Disables the VLAN mirroring function.
 2..4042
The device lets you specify a VLAN only if no source port is specified.
RSPAN
The RSPAN (Remote Switched Port Analyzer) function extends the mirroring function by allowing
the device to forward the monitored data across multiple devices, on a specific VLAN, to a single
destination.
Note: If you use the device on the path between the source and destination device, then specify in
the VLAN ID field the VLAN needed to use the RSPAN function. For this, the Port Mirroring function
is not required and remains disabled.
Note: The RSPAN function is only available on the primary port.
Source VLAN ID
Specifies the source VLAN from which the device mirrors data to the destination VLAN.
Possible values:
 0 (default setting: 0)
The source VLAN is inactive.
 2..4042
Mirrored ports cannot be members of the RSPAN VLAN.
VLAN ID
Specifies the VLAN that the device uses to tag and forward mirrored data.
Possible values:
 0 (default setting: 0)
The RSPAN VLAN is inactive.
 2..4042
The device uses the value to tag and forward mirrored data.
Destination VLAN ID
Specifies the VLAN that the device uses to forward the network traffic to the destination device.
Possible values:
 0 (default setting: 0)
The destination VLAN is inactive.
 2..4042
The device uses this value to tag data and to forward the network traffic to the destination
device.
Table
Source port
Specifies the port number.
Possible values:
 <Port number>
Enabled
Activates/deactivates the copying of the data packets from this source port to the destination port.
Possible values:
 marked
The copying of the data packets is active.
The port is specified as a source port.
 unmarked (default setting)
The copying of the data packets is inactive.
 (Grayed-out display)
It is not possible to copy the data packets for this port.
Possible causes:
– The port is already specified as a destination port.
– The port is a logical port, not a physical port.
Note: The device lets you activate every physical port as source port except for the destination port.
Type
Specifies which data packets the device copies to the destination port.
Possible values:
 none (default setting)
No data packets.
 tx
Data packets that the source port transmits.
 rx
Data packets that the source port receives.
 txrx
Data packets that the source port transmits and receives.
Note: With the txrx setting the device copies transmitted and received data packets. The
destination port needs at least a bandwidth that corresponds to the sum of the send and receive
channels of the source ports. For example, for similar ports the destination port is at 100 % capacity
when the send and receive channels of a source port are each at 50 % capacity.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The destination port transmits unmodified the data packets that the source port receives.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset config
Resets the settings in the dialog to the default settings and transfers the changes to the volatile
memory of the device (RAM).
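The bandwidth rule from the note above and the destination port and VLAN mirroring prerequisites of this dialog can be checked before a session is enabled. The following Python code is an added example, not part of the manual or of the device software; the class names, field names and traffic figures are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SourcePort:
    port: str
    mirror_type: str      # value of the Type column: none, tx, rx or txrx
    tx_mbps: int = 0      # expected transmit load of the source port
    rx_mbps: int = 0      # expected receive load of the source port

    def mirrored_mbps(self):
        """Data rate that this source port adds to the destination port."""
        load = 0
        if self.mirror_type in ("tx", "txrx"):
            load += self.tx_mbps
        if self.mirror_type in ("rx", "txrx"):
            load += self.rx_mbps
        return load


@dataclass
class MirrorSession:
    destination_port: str
    destination_mbps: int             # bandwidth of the destination port
    sources: list = field(default_factory=list)
    source_vlan_id: int = 0           # VLAN mirroring; 0 disables it
    allow_management: bool = False    # Allow management checkbox


def destination_load(session):
    """Return (mirrored Mbit/s, fraction of the destination bandwidth)."""
    total = sum(s.mirrored_mbps() for s in session.sources)
    return total, total / session.destination_mbps


def check_session(session):
    """Return a list of findings for a planned Port Mirroring session."""
    findings = []
    active = [s for s in session.sources if s.mirror_type != "none"]
    if any(s.mirror_type not in ("none", "tx", "rx", "txrx")
           for s in session.sources):
        findings.append("unknown value in the Type column")
    if any(s.port == session.destination_port for s in active):
        findings.append("destination port is also a source port")
    if session.source_vlan_id != 0:
        if not 2 <= session.source_vlan_id <= 4042:
            findings.append("source VLAN ID outside 2..4042")
        if active:
            findings.append("VLAN mirroring needs a session without source ports")
    total, share = destination_load(session)
    if share > 1:
        # The device discards the surplus, so the capture has gaps.
        findings.append(f"destination oversubscribed: {total} of "
                        f"{session.destination_mbps} Mbit/s")
    if session.allow_management:
        findings.append("device management is reachable via the destination port")
    return findings


# Constructed samples. MANUAL_CASE reproduces the note: one source port at
# 50 % in each direction fills a destination port of the same speed.
MANUAL_CASE = MirrorSession("1/8", 100, [SourcePort("1/1", "txrx", 50, 50)])
UPLINK_CASE = MirrorSession(
    "1/8", 1000,
    [SourcePort("1/1", "txrx", 400, 300), SourcePort("1/2", "rx", 0, 450),
     SourcePort("1/3", "none", 900, 900)],
    allow_management=True)

if __name__ == "__main__":
    for case in (MANUAL_CASE, UPLINK_CASE):
        print(destination_load(case), check_session(case))
```

An oversubscribed destination port matters most when the analyzer feeds an intrusion detection system or a forensic capture, because the discarded packets are missing from the record without any marker.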
7.6 LLDP
[ Diagnostics > LLDP ]
The device lets you gather information about neighboring devices. For this, the device uses the Link
Layer Discovery Protocol (LLDP). This information enables a network management station to map
the structure of your network.
This menu lets you configure the topology discovery and display the received information in table
form.
The menu contains the following dialogs:
 LLDP Configuration
 LLDP Topology Discovery
7.6.1 LLDP Configuration
[ Diagnostics > LLDP > Configuration ]
This dialog lets you configure the topology discovery for every port.
Operation
Operation
Enables/disables the LLDP function.
Possible values:
 On (default setting)
The LLDP function is enabled.
The topology discovery using LLDP is active in the device.
 Off
The LLDP function is disabled.
Configuration
Transmit interval [s]
Specifies the interval in seconds at which the device transmits LLDP data packets.
Possible values:
 5..32768 (default setting: 30)
Transmit interval multiplier
Specifies the factor for determining the time-to-live value for the LLDP data packets.
Possible values:
 2..10 (default setting: 4)
The time-to-live value coded in the LLDP header results from multiplying this value with the value
in the Transmit interval [s] field.
Reinit delay [s]
Specifies the delay in seconds for the reinitialization of a port.
Possible values:
 1..10 (default setting: 2)
If in the Operation column the value Off is specified, then the device tries to reinitialize the port after
the time specified here has elapsed.
Transmit delay [s]
Specifies the delay in seconds for transmitting successive LLDP data packets after configuration
changes in the device occur.
Possible values:
 1..8192 (default setting: 2)
The recommended value is between a minimum of 1 and a maximum of a quarter of the value in
the Transmit interval [s] field.
Notification interval [s]
Specifies the interval in seconds for transmitting LLDP notifications.
Possible values:
 5..3600 (default setting: 5)
After transmitting a notification trap, the device waits for a minimum of the time specified here
before transmitting the next notification trap.
Table
Port
Displays the port number.
Operation
Specifies whether the port transmits and receives LLDP data packets.
Possible values:
 transmit
The port transmits LLDP data packets but does not save any information about neighboring
devices.
 receive
The port receives LLDP data packets but does not transmit any information to neighboring
devices.
 receive and transmit (default setting)
The port transmits LLDP data packets and saves information about neighboring devices.
 disabled
The port does not transmit LLDP data packets and does not save information about neighboring
devices.
Notification
Activates/deactivates the LLDP notifications on the port.
Possible values:
 marked
LLDP notifications are active on the port.
 unmarked (default setting)
LLDP notifications are inactive on the port.
Transmit port description
Activates/deactivates the transmitting of a TLV (Type Length Value) with the port description.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the port description.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the port description.
Transmit system name
Activates/deactivates the transmitting of a TLV (Type Length Value) with the device name.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the device name.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the device name.
Transmit system description
Activates/deactivates the transmitting of the TLV (Type Length Value) with the system description.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system description.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system description.
Transmit system capabilities
Activates/deactivates the transmitting of the TLV (Type Length Value) with the system capabilities.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system capabilities.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system capabilities.
Neighbors (max.)
Limits the number of neighboring devices to be recorded for this port.
Possible values:
 1..50 (default setting: 10)
FDB mode
Specifies which function the device uses to record neighboring devices on this port.
Possible values:
 lldpOnly
The device uses only LLDP data packets to record neighboring devices on this port.
 macOnly
The device uses learned MAC addresses to record neighboring devices on this port. The device
uses the MAC address only if there is no other entry in the address table (FDB, Forwarding
Database) for this port.
 both
The device uses LLDP data packets and learned MAC addresses to record neighboring devices
on this port.
 autoDetect (default setting)
If the device receives LLDP data packets at this port, then the device operates the same as with
the lldpOnly setting. Otherwise, the device operates the same as with the macOnly setting.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.6.2 LLDP Topology Discovery
[ Diagnostics > LLDP > Topology Discovery ]
Devices in networks send notifications in the form of packets which are also known as "LLDPDU"
(LLDP data units). The data that is sent and received via LLDPDUs is useful for many reasons.
With this data, the device detects which devices in the network are neighbors and via which ports
they are connected.
The dialog lets you display the network and detect the connected devices along with their specific
features.
The dialog contains the following tabs:
 [LLDP]
 [LLDP-MED]
[LLDP]
This tab displays the collected LLDP information for the neighboring devices. This information
enables a network management station to map the structure of your network.
When devices both with and without an active topology discovery function are connected to a port,
the topology table hides the devices without active topology discovery.
When only devices without active topology discovery are connected to a port, the table contains
one line for this port to represent every device. This line contains the number of connected devices.
The Forwarding Database (FDB) address table contains MAC addresses of devices that the
topology table hides for the sake of clarity.
When you use 1 port to connect several devices, for example via a hub, the table contains 1 line
for each connected device.
Table
Port
Displays the port number.
Neighbor identifier
Displays the chassis ID of the neighboring device. This can be the base MAC address of the
neighboring device, for example.
FDB
Displays whether or not the connected device has active LLDP support.
Possible values:
 marked
The connected device does not have active LLDP support.
The device uses information from its address table (FDB, Forwarding Database).
 unmarked (default setting)
The connected device has active LLDP support.
Neighbor IP address
Displays the IP address with which the access to the neighboring device management is possible.
Neighbor port description
Displays a description for the port of the neighboring device.
Neighbor system name
Displays the device name of the neighboring device.
Neighbor system description
Displays a description for the neighboring device.
Port ID
Displays the ID of the port through which the neighboring device is connected to the device.
Autonegotiation supported
Displays whether the port of the neighboring device supports autonegotiation.
Autonegotiation
Displays whether autonegotiation is enabled on the port of the neighboring device.
PoE supported
Displays whether the port of the neighboring device supports Power over Ethernet (PoE).
PoE enabled
Displays whether Power over Ethernet (PoE) is enabled on the port of the neighboring device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
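The following Python code shows what a port discloses in an LLDPDU, so that a capture taken on an edge port can be compared with the Transmit ... checkboxes and with the time-to-live that results from the Transmit interval [s] and Transmit interval multiplier fields. It is an added example, not part of the manual or of the device software; the TLV layout follows IEEE 802.1AB, and the function names and sample values are assumptions made for illustration.

```python
import struct

# TLV type numbers as defined by IEEE 802.1AB.
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description",
             7: "system_capabilities", 8: "management_address"}


def encode_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length does not fit the TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_id, tx_interval_s, multiplier, optional):
    """Build an LLDPDU. `optional` maps a TLV type to its value bytes."""
    # Time to live = Transmit interval [s] x Transmit interval multiplier,
    # capped because the TTL field is only 16 bits wide.
    ttl = min(tx_interval_s * multiplier, 0xFFFF)
    pdu = encode_tlv(1, b"\x04" + chassis_mac)        # subtype 4: MAC address
    pdu += encode_tlv(2, b"\x07" + port_id.encode())  # subtype 7: local name
    pdu += encode_tlv(3, struct.pack("!H", ttl))
    for tlv_type in sorted(optional):
        pdu += encode_tlv(tlv_type, optional[tlv_type])
    return pdu + encode_tlv(0, b"")                   # End of LLDPDU


def parse_lldpdu(data):
    """Return a list of (type, value) pairs; raise ValueError if malformed."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"TLV type {tlv_type} overruns the frame")
        if tlv_type == 0:
            break
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
    # The three mandatory TLVs must come first and in this order.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    return tlvs


def summarise(data):
    """Decode the fields that the topology table shows for a neighbor."""
    tlvs = parse_lldpdu(data)
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("mandatory TLV has an invalid length")
    summary = {
        "neighbor_identifier": (chassis[1:].hex(":") if chassis[0] == 4
                                else chassis[1:].hex()),
        "port_id": port[1:].decode("ascii", "replace"),
        "ttl_s": struct.unpack("!H", ttl)[0],
        "optional_tlvs": [],
    }
    for tlv_type, value in tlvs[3:]:
        name = TLV_NAMES.get(tlv_type, f"type_{tlv_type}")
        summary["optional_tlvs"].append(name)
        if tlv_type in (4, 5, 6):                     # plain text TLVs
            summary[name] = value.decode("utf-8", "replace")
    return summary


# Constructed sample: default timing (30 s x 4) and a port on which the
# Transmit system description checkbox is unmarked.
SAMPLE = build_lldpdu(bytes.fromhex("02005e000001"), "1/4", 30, 4,
                      {4: b"uplink", 5: b"switch-a", 7: bytes([0, 4, 0, 4])})

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

With the largest values the dialog accepts (32768 s and a multiplier of 10) the product no longer fits the 16-bit field, which is why the builder caps the value at 65535.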
[LLDP-MED]
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices and network devices. It specifically provides support for VoIP applications. In this
supporting role, it provides an additional set of common advertisement messages in Type Length
Value (TLV) format. The device uses the TLVs for capabilities discovery such as network policy,
Power over Ethernet, inventory management and location information.
Table
Port
Displays the port number.
Device class
Displays the device class of the remotely connected device.
 A value of notDefined indicates that the device has capabilities not covered by any of the LLDP-MED classes.
 A value of endpointClass1..3 indicates that the device has "endpoint class 1..3" capabilities.
 A value of networkConnectivity indicates that the device has network connectivity device
capabilities.
VLAN ID
Displays the extension of the VLAN Identifier for the remote system connected to this port, as
defined in IEEE 802.3.
 The device uses a value from 1 through 4042 to specify a valid Port VLAN ID.
 The device displays the value 0 for priority tagged packets. This means that only the 802.1D
priority is significant and the device uses the default VLAN ID of the ingress port.
Priority
Displays the value of the 802.1D priority which is associated with the remote system connected to
the port.
DSCP
Displays the value of the Differentiated Service Code Point (DSCP) which is associated with the
remote system connected to the port.
Unknown bit status
Displays the unknown bit status of incoming traffic.
 A value of true indicates that the network policy for the specified application type is currently
unknown. In this case, the VLAN ID ignores the Layer 2 priority and value of the DSCP field.
 A value of false indicates a specified network policy.
Tagged bit status
Displays the tagged bit status.
 A value of true indicates that the application uses a tagged VLAN.
 A value of false indicates that for the specific application the device uses untagged VLAN
operation. In this case, the device ignores both the VLAN ID and the Layer 2 priority fields. The
DSCP value, however, is relevant.
Hardware revision
Displays the vendor-specific hardware revision string as advertised by the remote endpoint.
Firmware revision
Displays the vendor-specific firmware revision string as advertised by the remote endpoint.
Software revision
Displays the vendor-specific software revision string as advertised by the remote endpoint.
Serial number
Displays the vendor-specific serial number as advertised by the remote endpoint.
Manufacturer name
Displays the vendor-specific manufacturer name as advertised by the remote endpoint.
Model name
Displays the vendor-specific model name as advertised by the remote endpoint.
Asset ID
Displays the vendor-specific asset tracking identifier as advertised by the remote endpoint.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.7 SFlow
[ Diagnostics > SFlow ]
sFlow is a standard protocol for monitoring networks. The device contains the sFlow feature which
gives you visibility into network activity, allowing for effective management and control of network
resources.
The sFlow monitoring system consists of an sFlow agent and a central sFlow collector. The agent
uses the following forms of sampling:
 statistical packet-based sampling of packet flows
 time-based sampling of counters
The device combines both types of samples into datagrams. sFlow uses the datagrams to forward
the sampled traffic statistics to an sFlow collector for analysis.
In order to perform packet flow sampling, you configure an instance with a sampling rate. You then
configure the instance with a polling interval for counter sampling.
The menu contains the following dialogs:
 SFlow Configuration
 SFlow Receiver
7.7.1 SFlow Configuration
[ Diagnostics > SFlow > Configuration ]
This dialog displays device parameters and lets you set up sFlow instances.
The dialog contains the following tabs:
 [Global]
 [Sampler]
 [Poller]
[Global]
Information
Version
Displays the MIB version, the organization responsible for agent implementation, and the device
software revision.
IP address
Displays the IP address associated with the agent providing SNMP connectivity.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Sampler]
Table
Port
Displays the physical source of data for the sampler.
Receiver
Displays the receiver index associated with the sampler.
Sampling rate
Specifies the static sampling rate for the sampling of the packets from this source.
Possible values:
 0 (default setting)
Deactivates the sampling.
 256..65535
When the ports receive data, the device increments to the set value and then samples the data.
Max. header size [byte]
Specifies the maximum header size in bytes copied from a sampled packet.
Possible values:
 20..256 (default setting: 128)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[Poller]
Table
Port
Displays the physical source of data for the poller counter.
Receiver
Displays the receiver index associated with the query counter.
Possible values:
 0..8 (default setting: 0)
Interval [s]
Specifies the maximum number of seconds between successive samples of the counters which are
associated with this data source.
Possible values:
 0..86400 (default setting: 0)
A sampling interval with the value 0 deactivates the sampling of the counters.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.7.2 SFlow Receiver
[ Diagnostics > SFlow > Receiver ]
In order to help avoid a condition where 2 persons or organizations attempt to assume control of
the same sampler, the person or organization sets both the Name and Timeout [s] parameters in the
same SNMP set request.
When releasing a sampler, the controlling person or organization deletes the value in the Name
column. The controlling person or organization also restores the other parameters in this row to
their default settings.
Table
Index
Displays the index number to which the table entry relates.
Name
Specifies the name of the person or company which uses the entry. An empty field indicates that
the entry is currently unused. Edit this field before making changes to other sampler parameters.
Possible values:
 Alphanumeric ASCII character string with 0..127 characters
Timeout [s]
Displays the time, in seconds, remaining before the sampler is released and stops sampling.
Datagram size [byte]
Specifies the maximum number of data bytes that are sent in one sample datagram.
Possible values:
 200..3996 (default setting: 1400)
IP address
Specifies the IP address of the sFlow collector.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port
Specifies the number of the UDP port for sFlow datagrams.
Possible values:
 1..65535 (default setting: 6343)
Exception: Port 2222 is reserved for internal functions.
Datagram version
Displays the version of sFlow datagrams requested.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
7.8 Report
[ Diagnostics > Report ]
The menu contains the following dialogs:
 Report Global
 Persistent Logging
 System Log
 Audit Trail
7.8.1 Report Global
[ Diagnostics > Report > Global ]
The device lets you log specific events using the following outputs:
 on the console
 on one or more syslog servers
 on a connection to the Command Line Interface set up using SSH
 on a connection to the Command Line Interface set up using Telnet
In this dialog, you specify the required settings. By assigning the severity you specify which events
the device registers.
The dialog lets you save a ZIP archive with system information on your PC.
Console logging
Operation
Enables/disables the Console logging function.
Possible values:
 On
The Console logging function is enabled.
The device logs the events on the console.
 Off (default setting)
The Console logging function is disabled.
Severity
Specifies the minimum severity for the events. The device logs events with this severity and with
more urgent severities.
The device outputs the messages on the serial interface.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Buffered logging
The device buffers logged events in 2 separate storage areas so that the log entries for urgent
events are kept.
This dialog lets you specify the minimum severity for events that the device buffers in the storage
area with a higher priority.
Severity
Specifies the minimum severity for the events. The device buffers log entries for events with this
severity and with more urgent severities in the storage area with a higher priority.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
SNMP logging
When you enable the logging of SNMP requests, the device sends these as events with the preset
severity notice to the list of syslog servers. The preset minimum severity for a syslog server entry
is critical.
To send SNMP requests to a syslog server, you have a number of options to change the default
settings. Select the ones that meet your requirements best.
 Set the severity for which the device creates SNMP requests as events to warning or error and
change the minimum severity for a syslog entry for one or more syslog servers to the same
value.
You also have the option of creating a separate syslog server entry for this.
 Set the severity for SNMP requests to critical or higher. The device then sends
SNMP requests as events with the severity critical or higher to the syslog servers.
 Set the minimum severity for one or more syslog server entries to notice or lower.
The device may then send many events to the syslog servers.
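The following added example (not part of the original manual or of the device software) models the threshold rule described above. It shows that, with the preset values, logged SNMP requests reach no syslog server, and how each of the three options changes that. The dictionary keys and the server name siem-1 are hypothetical names for the dialog fields.

```python
# Added example: models the severity thresholds described in this section.
# The dictionary keys are hypothetical names for the dialog fields.

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}  # 0 = most urgent


def passes(event_severity: str, minimum_severity: str) -> bool:
    """An output takes events with its minimum severity and more urgent ones."""
    return RANK[event_severity] <= RANK[minimum_severity]


def snmp_log_receivers(cfg: dict) -> dict:
    """Map 'get'/'set' to the syslog server entries that receive those events."""
    result = {}
    for kind in ("get", "set"):
        if not cfg[f"log_snmp_{kind}_request"]:
            continue  # logging of this request type is Off
        severity = cfg[f"severity_{kind}_request"]
        result[kind] = [s["name"] for s in cfg["syslog_servers"]
                        if passes(severity, s["min_severity"])]
    return result


def audit(cfg: dict) -> list:
    """Return findings for settings that lose SNMP events or flood a server."""
    findings = []
    for kind, servers in snmp_log_receivers(cfg).items():
        if not servers:
            sev = cfg[f"severity_{kind}_request"]
            findings.append(f"SNMP {kind} requests are logged with severity "
                            f"'{sev}', but no syslog server entry accepts it")
    for s in cfg["syslog_servers"]:
        if RANK[s["min_severity"]] >= RANK["notice"]:
            findings.append(f"syslog server '{s['name']}' accepts "
                            f"'{s['min_severity']}' events and may receive many")
    return findings


# Constructed configuration using the preset values from this section:
# SNMP events at severity notice, syslog server entry at minimum critical.
DEFAULTS = {
    "log_snmp_get_request": False,
    "log_snmp_set_request": True,
    "severity_get_request": "notice",
    "severity_set_request": "notice",
    "syslog_servers": [{"name": "siem-1", "min_severity": "critical"}],
}

if __name__ == "__main__":
    for line in audit(DEFAULTS):
        print(line)
```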
Log SNMP get request
Enables/disables the logging of SNMP Get requests.
Possible values:
 On
The logging is enabled.
The device registers SNMP Get requests as events in the syslog.
In the Severity get request drop-down list, you select the severity for this event.
 Off (default setting)
The logging is disabled.
Log SNMP set request
Enables/disables the logging of SNMP Set requests.
Possible values:
 On
The logging is enabled.
The device registers SNMP Set requests as events in the syslog.
In the Severity set request drop-down list, you select the severity for this event.
 Off (default setting)
The logging is disabled.
Severity get request
Specifies the severity of the event that the device registers for SNMP Get requests.
Possible values:
 emergency
 alert
 critical
 error
 warning
 notice (default setting)
 informational
 debug
Severity set request
Specifies the severity of the event that the device registers for SNMP Set requests.
Possible values:
 emergency
 alert
 critical
 error
 warning
 notice (default setting)
 informational
 debug
CLI logging
Operation
Enables/disables the CLI logging function.
Possible values:
 On
The CLI logging function is enabled.
The device logs every command received using the Command Line Interface.
 Off (default setting)
The CLI logging function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Download support information
Generates a ZIP archive which the web browser lets you download from the device.
The ZIP archive contains system information about the device. You will find an explanation of the
files contained in the ZIP archive in the following section.
Support Information: Files contained in ZIP archive
File name          Format  Comments
audittrail.html    HTML    Contains the chronological recording of the system events and saved user changes in the Audit Trail.
defaultconfig.xml  XML     Contains the configuration profile with the default settings.
script             TEXT    Contains the output of the command show running-config script.
runningconfig.xml  XML     Contains the configuration profile with the current operating settings.
supportinfo.html   TEXT    Contains device internal service information.
systeminfo.html    HTML    Contains information about the current settings and operating parameters.
systemlog.html     HTML    Contains the logged events in the Log file. See the Diagnostics > Report > System Log dialog.
Meaning of the event severities
Severity       Meaning
emergency      Device not ready for operation
alert          Immediate user intervention required
critical       Critical status
error          Error status
warning        Warning
notice         Significant, normal status
informational  Informal message
debug          Debug message
7.8.2 Persistent Logging
[ Diagnostics > Report > Persistent Logging ]
The device lets you save log entries permanently in a file in the external memory. Therefore, even
after the device is restarted you have access to the log entries.
In this dialog, you limit the size of the log file and specify the minimum severity for the events to be
saved. When the log file reaches the specified size, the device archives this file and saves the
following log entries in a newly created file.
In the table, the device displays the log files held in the external memory. As soon as the
specified maximum number of files has been attained, the device deletes the oldest file and
renames the remaining files. This helps ensure that there is enough memory space in the external
memory.
Note: Verify that an external memory is connected. To verify whether an external memory is connected,
see the Status column in the Basic Settings > External Memory dialog. We recommend monitoring the
external memory connection using the Device Status function. See the External memory removal
parameter in the Diagnostics > Status Configuration > Device Status dialog.
Operation
Operation
Enables/disables the Persistent Logging function.
Only activate this function if the external memory is available in the device.
Possible values:
 On (default setting)
The Persistent Logging function is enabled.
The device saves the log entries in a file in the external memory.
 Off
The Persistent Logging function is disabled.
Configuration
Max. file size [kbyte]
Specifies the maximum size of the log file in KBytes. When the log file reaches the specified size,
the device archives this file and saves the following log entries in a newly created file.
Possible values:
 0..4096 (default setting: 1024)
The value 0 deactivates saving of log entries in the log file.
Files (max.)
Specifies the number of log files that the device keeps in the external memory.
As soon as the specified maximum number of files has been attained, the device deletes the oldest
file and renames the remaining files.
Possible values:
 0..25 (default setting: 4)
The value 0 deactivates saving of log entries in the log file.
Severity
Specifies the minimum severity of the events. The device saves the log entry for events with this
severity and with more urgent severities in the log file in the external memory.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Log file target
Specifies the external memory device for logging.
Possible values:
 sd
External SD memory (ACA31)
Table
Index
Displays the index number to which the table entry relates.
Possible values:
 1..25
The device automatically assigns this number.
File name
Displays the file name of the log file in the external memory.
Possible values:
 messages
 messages.X
File size [byte]
Displays the size of the log file in the external memory in bytes.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Delete persistent log file
Removes the log files from the external memory.
7.8.3 System Log
[ Diagnostics > Report > System Log ]
The device logs device-internal events in a log file (System Log).
This dialog displays the log file (System Log). The dialog lets you save the log file in HTML format
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The log file is kept until a restart is performed in the device. After the restart the device creates the
file again.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Save log file
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
Delete log file
Removes the logged events from the log file.
7.8.4 Audit Trail
[ Diagnostics > Report > Audit Trail ]
This dialog displays the log file (Audit Trail). The dialog lets you save the log file as an HTML file
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The device logs system events and user actions that write to the device. This lets you keep track of
WHO changes WHAT in the device and WHEN. The prerequisite is that the user role auditor or
administrator is assigned to your user account.
The device logs the following user actions, among others:
 A user logging on via Command Line Interface (local or remote)
 A user logging off manually
 Automatic logging off of a user in the Command Line Interface after a specified period of
inactivity
 Device restart
 Locking of a user account due to too many unsuccessful logon attempts
 Locking of the access to the device management due to unsuccessful logon attempts
 Commands executed in the Command Line Interface, apart from show commands
 Changes to configuration variables
 Changes to the system time
 File transfer operations, including firmware updates
 Configuration changes via HiDiscovery
 Firmware updates and automatic configuration of the device via the external memory
 Opening and closing of SNMP via an HTTPS tunnel
The device does not log passwords. The logged entries are write-protected and remain saved in
the device after a restart.
Note: During the restart, access to the system monitor is possible using the default settings of the
device. If an attacker gains physical access to the device, then he is able to reset the device settings
to their default values using the system monitor. After this, the device and log file are accessible using
the standard password. Take appropriate measures to restrict physical access to the device.
Otherwise, deactivate access to the system monitor. See the Diagnostics > System > Selftest dialog,
SysMon1 is available checkbox.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Save audit trail file
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
8 Advanced
The menu contains the following dialogs:
 DHCP L2 Relay
 DHCP Server
 DNS
 Industrial Protocols
 Command Line Interface
8.1 DHCP L2 Relay
[ Advanced > DHCP L2 Relay ]
A network administrator uses the DHCP L2 Relay Agent to add DHCP client information. L3 Relay
Agents and DHCP servers need the DHCP client information to assign an IP address and a
configuration to the clients.
When active, the relay adds Option 82 information configured in this dialog to the packets before it
relays DHCP requests from the clients to the server. The Option 82 fields provide unique
information about the client and relay. This unique identifier consists of a Circuit ID for the client and
a Remote ID for the relay.
In addition to the type, length, and multicast fields, the Circuit ID includes the VLAN ID, unit number,
slot number, and port number for the connected client.
The Remote ID consists of a type and length field and either a MAC address, IP address, client
identifier, or a user-defined device description. A client identifier is the user-defined system name
for the device.
The menu contains the following dialogs:
 DHCP L2 Relay Configuration
 DHCP L2 Relay Statistics
8.1.1 DHCP L2 Relay Configuration
[ Advanced > DHCP L2 Relay > Configuration ]
This dialog lets you activate the relay function on an interface and VLAN. When you activate this
function on a port, the device either relays the Option 82 information or drops the information on
untrusted ports. Furthermore, the device lets you specify the remote identifier.
The dialog contains the following tabs:
 [Interface]
 [VLAN ID]
Operation
Operation
Enables/disables the DHCP L2 Relay function of the device globally.
Possible values:
 On
Enables the DHCP Layer 2 Relay function of the device.
 Off (default setting)
Disables the DHCP Layer 2 Relay function of the device.
[Interface]
Table
Port
Displays the port number.
Active
Activates/deactivates the DHCP L2 Relay function on the port.
The prerequisite is that you enable the function globally.
Possible values:
 marked
The DHCP L2 Relay function is active.
 unmarked (default setting)
The DHCP L2 Relay function is inactive.
Trusted port
Activates/deactivates the secure DHCP L2 Relay mode for the corresponding port.
Possible values:
 marked
The device accepts DHCP packets with Option 82 information.
 unmarked (default setting)
The device discards DHCP packets received on non-secure ports that contain Option 82
information.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
[VLAN ID]
Table
VLAN ID
VLAN to which the table entry relates.
Active
Activates/deactivates the DHCP Layer 2 Relay function on the VLAN.
The prerequisite is that you enable the function globally.
Possible values:
 marked
The DHCP Layer 2 Relay function is active.
 unmarked (default setting)
The DHCP Layer 2 Relay function is inactive.
Circuit ID
Activates or deactivates the addition of the Circuit ID to the Option 82 information.
Possible values:
 marked (default setting)
Enables Circuit ID and Remote ID to be sent together.
 unmarked
The device sends only the Remote ID.
Remote ID type
Specifies the components of the Remote ID for this VLAN.
Possible values:
 ip
Specifies the IP address of the device as Remote ID.
 mac (default setting)
Specifies the MAC address of the device as Remote ID.
 client-id
Specifies the system name of the device as Remote ID.
 other
When you use this value, enter user-defined information in the Remote ID column.
Remote ID
Displays the Remote ID for the VLAN.
When you specify the value other in the Remote ID type column, specify the identifier.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.1.2 DHCP L2 Relay Statistics
[ Advanced > DHCP L2 Relay > Statistics ]
The device monitors the traffic on the ports and displays the results in tabular form.
This table is divided into various categories to aid you in traffic analysis.
Table
Port
Displays the port number.
Untrusted server messages with Option 82
Displays the number of DHCP server messages received with Option 82 information on the
untrusted interface.
Untrusted client messages with Option 82
Displays the number of DHCP client messages received with Option 82 information on the
untrusted interface.
Trusted server messages without Option 82
Displays the number of DHCP server messages received without Option 82 information on the
trusted interface.
Trusted client messages without Option 82
Displays the number of DHCP client messages received without Option 82 information on the
trusted interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Reset
Resets the entire table.
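The following added example (not part of the original manual or of the device software) parses Option 82 from a DHCP message and applies the Trusted port rule from the Configuration dialog, returning the name of the Statistics counter the message would fall under. The sub-option codes 1 (Circuit ID) and 2 (Remote ID) come from RFC 3046. The sample packets and the Circuit ID bytes are constructed, and the "accept" action for trusted ports without Option 82 is an assumption because the manual only states that this case is counted.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # precedes the options field (RFC 2131)
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPTIONS = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-option codes
ROLES = {1: "client", 2: "server"}      # BOOTP op: 1 = request, 2 = reply


def parse_tlvs(data: bytes, pad_end: bool) -> list:
    """Split code/length/value triples, rejecting values that overrun the buffer."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if pad_end and code == OPT_END:
            break
        if pad_end and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code}: length {length} overruns the buffer")
        items.append((code, value))
        i += 2 + length
    return items


def parse_option82(payload: bytes):
    """Return the Option 82 sub-options as a dict, or None when absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    for code, value in parse_tlvs(payload[240:], pad_end=True):
        if code == OPT_RELAY_AGENT:
            return {SUBOPTIONS.get(c, f"suboption_{c}"): v
                    for c, v in parse_tlvs(value, pad_end=False)}
    return None


def classify(payload: bytes, trusted_port: bool):
    """Return (action, statistics_counter, suboptions) for one received message."""
    subs = parse_option82(payload)
    role = ROLES.get(payload[0])
    if role is None:
        raise ValueError("unknown BOOTP op code")
    if not trusted_port and subs is not None:
        # Behaviour stated in the manual: untrusted port + Option 82 -> discard.
        return "drop", f"Untrusted {role} messages with Option 82", subs
    if trusted_port and subs is None:
        # The manual only says this case is counted; "accept" is an assumption.
        return "accept", f"Trusted {role} messages without Option 82", {}
    return "accept", None, subs or {}


def build_dhcp(op: int, options: bytes) -> bytes:
    """Constructed sample: 236-byte BOOTP header, cookie, options, END."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed sample values; the Circuit ID bytes are opaque placeholders.
CIRCUIT_ID = bytes.fromhex("000400640103")
REMOTE_ID = bytes.fromhex("001122334455")   # MAC-style Remote ID
_body = (bytes([1, len(CIRCUIT_ID)]) + CIRCUIT_ID
         + bytes([2, len(REMOTE_ID)]) + REMOTE_ID)
OPTION_82 = bytes([OPT_RELAY_AGENT, len(_body)]) + _body
DISCOVER_WITH_82 = build_dhcp(1, b"\x35\x01\x01" + OPTION_82)
OFFER_WITHOUT_82 = build_dhcp(2, b"\x35\x01\x02")

if __name__ == "__main__":
    for name, pkt in (("discover+82", DISCOVER_WITH_82),
                      ("offer", OFFER_WITHOUT_82)):
        for trusted in (False, True):
            print(name, "trusted" if trusted else "untrusted",
                  classify(pkt, trusted)[:2])
```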
8.2 DHCP Server
[ Advanced > DHCP Server ]
With the DHCP server, you manage a database of available IP addresses and configuration
information. When the device receives a request from a client, the DHCP server validates the
DHCP client network, and then leases an IP address. When activated, the DHCP server also
allocates configuration information appropriate for that client. The configuration information
specifies, for example, which IP address, DNS server and the default route a client uses.
The DHCP server assigns an IP address to a client for a user-defined interval. The DHCP client is
responsible for renewing the IP address before the interval expires. When the DHCP client is
unable to renew the address, the address returns to the pool for reassignment.
The menu contains the following dialogs:
 DHCP Server Global
 DHCP Server Pool
 DHCP Server Lease Table
8.2.1 DHCP Server Global
[ Advanced > DHCP Server > Global ]
Activate the function either globally or per port according to your requirements.
Operation
Operation
Enables/disables the DHCP server function of the device globally.
Possible values:
 On
 Off (default setting)
Table
Port
Displays the port number.
DHCP server active
Activates/deactivates the DHCP server function on this port.
The prerequisite is that you enable the function globally.
Possible values:
 marked (default setting)
The DHCP server function is active.
 unmarked
The DHCP server function is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.2.2 DHCP Server Pool
[ Advanced > DHCP Server > Pool ]
Assign an IP address to an end device or switch connected to a port or included in a VLAN.
The DHCP server provides IP address pools from which it allocates IP addresses to clients. A pool
consists of a list of entries. Specify an entry as static for a specific IP address, or as dynamic for an
IP address range. The device accommodates up to 128 pools.
With static allocation, the DHCP server assigns an IP address to a specific client. The DHCP server
identifies the client using a unique hardware ID. A static address entry contains 1 IP address. You
apply this IP address to every port or to a specific port of the device. For static allocation, enter an
IP address for allocation in the IP address field, and leave the Last IP address column empty. Enter a
hardware ID with which the DHCP server uniquely identifies the client. This ID is either a MAC
address, a Client ID, a Remote ID, or a Circuit ID. When a client contacts the device with a known
hardware ID, the DHCP server allocates the static IP address.
In dynamic allocation, when a DHCP client makes contact on a port, the DHCP server assigns an
available IP address from a pool for this port. For dynamic allocation, create a pool for the ports by
assigning an IP address range. Specify the first and last IP addresses for the IP address range.
Leave the MAC address, Client ID, Remote ID and Circuit ID fields empty. You have the option of
creating multiple pool entries. This lets you create an IP address range that contains gaps.
This dialog displays the different information that is required for the assignment of an IP address
for a port or a VLAN. Use the button to add an entry. The device adds a writable and readable
entry.
Table
Index
Displays the index number to which the table entry relates.
Active
Activates/deactivates the DHCP server function on this port.
Possible values:
 marked
The DHCP server function is active.
 unmarked (default setting)
The DHCP server function is inactive.
IP address
Specifies the IP address for static IP address assignment. When using dynamic IP address
assignment, this value specifies the start of the IP address range.
Possible values:
 Valid IPv4 address
Last IP address
When using dynamic IP address assignment, this value specifies the end of the IP address range.
Possible values:
 Valid IPv4 address
Port
Displays the port number.
VLAN ID
Displays the VLAN to which the table entry relates.
A value of 1 corresponds to the default device management VLAN.
Possible values:
 1..4042
MAC address
Specifies the MAC address of the device leasing the IP address.
Possible values:
 Valid Unicast MAC address
Specify the value with a colon separator, for example 00:11:22:33:44:55.
 –
For the IP address assignment, the server ignores this variable.
DHCP relay
Specifies the IP address of the DHCP relay through which the clients transmit their requests to the
DHCP server. When the DHCP server receives the client's request through another DHCP relay, it
ignores this request.
Possible values:
 Valid IPv4 address
IP address of the DHCP relay.
 –
Between the client and the DHCP server there is no DHCP relay.
Client ID
Specifies the identification of the client device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Remote ID
Specifies the identification of the remote device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Circuit ID
Specifies the Circuit ID of the device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Hirschmann device
Activates/deactivates Hirschmann multicasts.
If the device in this IP address range serves only Hirschmann devices, then activate this function.
Possible values:
 marked
In this IP address range, the device serves only Hirschmann devices. Hirschmann multicasts
are activated.
 unmarked (default setting)
In this IP address range, the device serves the devices of different manufacturers. Hirschmann
multicasts are deactivated.
Configuration URL
Specifies the protocol to be used as well as the name and path of the configuration file.
Possible values:
 Alphanumeric ASCII character string with 0..70 characters
Example: tftp://192.9.200.1/cfg/config.xml
When you leave this field blank, the device leaves this option field blank in the DHCP message.
Lease time [s]
Specifies the lease time in seconds.
Possible values:
 1..4294967294 (default setting: 86400)
 4294967295
Use this value for assignments unlimited in time and for assignments via BOOTP.
Default gateway
Specifies the IP address of the default gateway.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address
Netmask
Specifies the mask of the network to which the client belongs.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 netmask
WINS server
Specifies the IP address of the Windows Internet Name Server which converts NetBIOS names.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address
DNS server
Specifies the IP address of the DNS server.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address
Hostname
Specifies the hostname.
When you leave this field blank, the device leaves this option field blank in the DHCP message.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.2.3 DHCP Server Lease Table
[ Advanced > DHCP Server > Lease Table ]
This dialog displays the status of IP address leasing on a per port basis.
Table
Port
Displays the port number to which the address is currently being leased.
IP address
Displays the leased IP address to which the entry refers.
Status
Displays the lease phase.
According to the standard for DHCP operations, there are 4 phases to leasing an IP address:
Discovery, Offer, Request, and Acknowledgement.
Possible values:
 bootp
A DHCP client is attempting to discover a DHCP server for IP address allocation.
 offering
The DHCP server is validating that the IP address is suitable for the client.
 requesting
A DHCP client is acquiring the offered IP address.
 bound
The DHCP server is leasing the IP address to a client.
 renewing
The DHCP client is requesting an extension to the lease.
 rebinding
The DHCP server is assigning the IP address to the client after a successful renewal.
 declined
The DHCP server denied the request for the IP address.
 released
The IP address is available for other clients.
Remaining lifetime
Displays the time remaining on the leased IP address.
Leased MAC address
Displays the MAC address of the device leasing the IP address.
Gateway
Displays the Gateway IP address of the device leasing the IP address.
Client ID
Displays the client identifier of the device leasing the IP address.
Remote ID
Displays the remote identifier of the device leasing the IP address.
Circuit ID
Displays the Circuit ID of the device leasing the IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.3 DNS
[ Advanced > DNS ]
The menu contains the following dialogs:
 DNS Client
8.3.1 DNS Client
[ Advanced > DNS > Client ]
DNS (Domain Name System) is a service in the network that translates host names into IP
addresses. This name resolution lets you contact other devices using their host names instead of
their IP addresses.
The Client function enables the device to send requests for resolving hostnames into IP addresses to
a DNS server.
The menu contains the following dialogs:
 DNS Client Global
 DNS Client Current
 DNS Client Static
 DNS Client Static Hosts
8.3.1.1 DNS Client Global
[ Advanced > DNS > Client > Global ]
In this dialog, you enable the Client function and the Cache function.
Operation
Operation
Enables/disables the Client function.
Possible values:
 On
The Client function is enabled.
The device sends requests for resolving hostnames into IP addresses to a DNS server.
 Off (default setting)
The Client function is disabled.
Cache
Cache
Enables/disables the Cache function.
Possible values:
 On (default setting)
The Cache function is enabled.
The device temporarily saves up to 128 DNS server responses (hostname and corresponding
IP address) in the cache. When the cache contains a matching entry, the device resolves the host name
of a new request itself. This makes sending a new query to the DNS server
unnecessary.
 Off
The Cache function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Flush cache
Removes every entry from the DNS cache.
8.3.1.2 DNS Client Current
[ Advanced > DNS > Client > Current ]
This dialog displays the DNS servers to which the device sends requests for resolving hostnames into IP
addresses.
Table
Index
Displays the sequential number of the DNS server.
Address
Displays the IP address of the DNS server. The device forwards requests for resolving host names
into IP addresses to the DNS server with this IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.3.1.3 DNS Client Static
[ Advanced > DNS > Client > Static ]
In this dialog, you specify the DNS servers to which the device forwards requests for resolving host
names into IP addresses. The device lets you specify up to 4 IP addresses yourself or transfer the
IP addresses from a DHCP server.
Configuration
Configuration source
Specifies the source from which the device obtains the IP address of DNS servers to which the
device addresses requests.
Possible values:
 user
The device uses the IP addresses specified in the table.
 mgmt-dhcp (default setting)
The device uses the IP addresses which the DHCP server delivers to the device.
Domain name
Specifies the domain name according to RFC1034 which the device adds to hostnames without a
domain suffix.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
Request timeout [s]
Specifies the time interval in seconds after which the device sends a request to the server again.
Possible values:
• 0
Deactivates the function. The device does not send a request to the server again.
• 1..3600 (default setting: 3)
Request retransmits
Specifies how many times the device retransmits a request.
The prerequisite is that, in the Request timeout [s] field, you specify a value > 0.
Possible values:
• 0..100 (default setting: 2)
Table
Index
Displays the sequential number of the DNS server.
The device lets you specify up to 4 DNS servers.
Address
Specifies the IP address of the DNS server.
Possible values:
• Valid IPv4 address (default setting: 0.0.0.0)
Active
Activates/deactivates the table entry.
The device sends requests to the DNS server configured in the first active table entry. When the
device does not receive a response from this server, it sends requests to the DNS server configured
in the next active table entry.
Possible values:
• marked
The DNS client sends requests to this DNS server.
Prerequisites:
– Enable the DNS-client function in the Advanced > DNS > Global dialog.
– In the Configuration frame, select the value user in the Configuration source drop-down list.
• unmarked (default setting)
The device does not send requests to this DNS server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.3.1.4 DNS Client Static Hosts
[ Advanced > DNS > Client > Static Hosts ]
This dialog lets you specify up to 64 hostnames which you link with one IP address each. Upon a
request for resolving hostnames into IP addresses, the device searches this table for a corresponding
entry. When the device does not find a corresponding entry, it forwards the request.
Table
Index
Displays the index number to which the table entry relates.
Possible values:
• 1..64
Name
Specifies the hostname.
Possible values:
• Alphanumeric ASCII character string with 0..255 characters
IP address
Specifies the IP address under which the host is reachable.
Possible values:
• Valid IPv4 address
Active
Activates/deactivates the table entry.
Possible values:
• marked
The device resolves a request for the host name for this entry.
• unmarked
After receiving a request for this host name, the device sends a request to one of the configured
name servers for resolution.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
8.4 Industrial Protocols
[ Advanced > Industrial Protocols ]
The menu contains the following dialogs:
• IEC61850-MMS
• Modbus TCP
• EtherNet/IP
• PROFINET
8.4.1 IEC61850-MMS
[ Advanced > Industrial Protocols > IEC61850-MMS ]
IEC61850-MMS is a standardized industrial communication protocol from the International
Electrotechnical Commission (IEC). For example, automatic switching equipment uses this
protocol when communicating with power station equipment.
The packet-oriented protocol defines a uniform communication language based on the transport
protocol TCP/IP. The protocol uses a Manufacturing Message Specification (MMS) server for
client-server communications. The protocol includes functions for SCADA, Intelligent Electronic
Device (IED) and the network control systems.
Note: IEC61850/MMS does not provide any authentication mechanisms. If the write access for
IEC61850/MMS is activated, then every client that can access the device using TCP/IP is capable
of changing the settings of the device. This in turn can result in an incorrect configuration of the
device and in failures in the network.
Activate the write access only if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce possible unauthorized access.
This dialog lets you specify the following MMS server settings:
• Activates/deactivates the MMS server.
• Activates/deactivates the write access to the MMS server.
• The MMS server TCP Port.
• The maximum number of MMS server sessions.
Operation
Operation
Enables/disables the IEC61850-MMS server.
Possible values:
• On
The IEC61850-MMS server is enabled.
• Off (default setting)
The IEC61850-MMS server is disabled.
The IEC61850 MIBs stay accessible.
Configuration
Write access
Activates/deactivates the write access to the MMS server.
Possible values:
• marked
The write access to the MMS server is activated. This setting lets you change the device settings
using the IEC 61850 MMS protocol.
• unmarked (default setting)
The write access to the MMS server is deactivated. The MMS server is accessible as read-only.
Technical key
Specifies the IED name.
The IED name can be chosen independently of the system name.
Possible values:
• Alphanumeric ASCII character string with 0..32 characters
The following characters are allowed:
– _
– 0..9
– a..z
– A..Z (default setting: KEY)
To get the MMS server to use the IED name, click the button and restart the MMS server. The
connection to connected clients is then interrupted.
TCP port
Specifies the TCP port for MMS server access.
Possible values:
• 1..65535 (default setting: 102)
Exception: Port 2222 is reserved for internal functions.
Note: The server restarts automatically after you change the port. In the process, the device
terminates open connections to the server.
Sessions (max.)
Specifies the maximum number of MMS server connections.
Possible values:
• 1..15 (default setting: 5)
Information
Status
Displays the current IEC61850-MMS server status.
Possible values:
• unavailable
• starting
• running
• stopping
• halted
• error
Active sessions
Displays the number of active MMS server connections.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Download
Copies the ICD file to your PC.
8.4.2 Modbus TCP
[ Advanced > Industrial Protocols > Modbus TCP ]
Modbus TCP is a protocol used for Supervisory Control and Data Acquisition (SCADA) system
integration. Modbus TCP is a vendor-neutral protocol used to monitor and control industrial
automation equipment such as Programmable Logic Controllers (PLC), sensors and meters.
This dialog lets you specify the parameters of the protocol. To monitor and control the parameters
of the device, you need Human-Machine Interface (HMI) software and the memory mapping table.
Refer to the tables located in the Industrial Protocol user manual for the supported objects and
memory mapping.
The dialog lets you enable the function, activate the write access, and control which TCP port the
Human-Machine Interface (HMI) polls for data. You can also specify the number of sessions
allowed to be open at the same time.
Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the
protocol does not authenticate user access.
To help minimize the unavoidable security risks, specify the IP address range in the Device
Security > Management Access dialog. Enter only the IP addresses assigned to your devices before
enabling the function. Furthermore, monitoring of the function activation is active by default in the
Diagnostics > Status Configuration > Security Status dialog, Global tab.
Operation
Operation
Enables/disables the Modbus TCP server in the device.
Possible values:
• On
The Modbus TCP server is enabled.
• Off (default setting)
The Modbus TCP server is disabled.
Configuration
Write access
Activates/deactivates the write access to the Modbus TCP parameters.
Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the
protocol does not authenticate user access.
Possible values:
• marked (default setting)
The Modbus TCP server read/write access is active. This lets you change the device
configuration using the Modbus TCP protocol.
• unmarked
The Modbus TCP server read-only access is active.
TCP port
Specifies the TCP port number that the Modbus TCP server uses for communication.
Possible values:
• <TCP Port number> (default setting: 502)
Specifying 0 is not allowed.
Sessions (max.)
Specifies the maximum number of concurrent sessions that the Modbus TCP server maintains.
Possible values:
• 1..5 (default setting: 5)
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
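Added example (not part of the Hirschmann manual or of HiOS): because Modbus TCP does not authenticate clients, a passive check of the requests sent to the server port against the permitted IP address range shows whether write requests arrive from outside it. The frames, addresses and allowlist below are constructed sample values; the MBAP header layout and the write function codes are those of the public Modbus specification.

```python
"""Passive check of Modbus TCP client requests against a permitted IP range."""
import ipaddress
import struct

# Function codes that change server state (public Modbus application protocol).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_adu(transaction_id, unit_id, pdu):
    """Helper for the constructed samples: wrap a PDU in an MBAP header."""
    # The length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adus(payload):
    """Yield (transaction_id, unit_id, function_code) for every ADU in one
    client-to-server TCP payload. Raises ValueError on malformed data."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < MBAP_LEN + 1:
            raise ValueError("truncated header")
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        if proto != 0:
            raise ValueError("protocol identifier is not 0")
        # Unit id + function code at minimum; a PDU is at most 253 bytes.
        if not 2 <= length <= 254:
            raise ValueError("length field out of range")
        end = offset + 6 + length
        if end > len(payload):
            raise ValueError("truncated PDU")
        yield tid, unit, payload[offset + MBAP_LEN]
        offset = end


def classify(events, allowed_networks):
    """events: iterable of (source_ip, tcp_payload) for traffic to the server port.
    Returns a list of (source_ip, function_code, verdict) findings.
    Non-write requests from listed sources are expected and not reported."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for src, payload in events:
        listed = any(ipaddress.ip_address(src) in net for net in nets)
        try:
            adus = list(parse_adus(payload))
        except ValueError as exc:
            findings.append((src, None, "malformed: " + str(exc)))
            continue
        for _tid, _unit, fc in adus:
            is_write = fc in WRITE_FUNCTION_CODES
            if is_write and not listed:
                findings.append((src, fc, "write-from-unlisted-source"))
            elif is_write:
                findings.append((src, fc, "write-from-listed-source"))
            elif not listed:
                findings.append((src, fc, "request-from-unlisted-source"))
    return findings


# Constructed sample PDUs (function code + arguments), not captured traffic.
READ_HOLDING = bytes([0x03, 0x00, 0x00, 0x00, 0x02])
WRITE_SINGLE = bytes([0x06, 0x00, 0x10, 0x00, 0x01])
WRITE_MULTI = bytes([0x10, 0x00, 0x10, 0x00, 0x01, 0x02, 0x00, 0x2A])

# Assumed allowlist: the range entered for the HMI stations (documentation addresses).
ALLOWED_NETWORKS = ["192.0.2.0/28"]

SAMPLE_EVENTS = [
    ("192.0.2.10", build_adu(1, 1, READ_HOLDING)),
    ("192.0.2.10", build_adu(2, 1, WRITE_SINGLE)),
    # Two requests pipelined in one TCP segment from an unlisted host.
    ("198.51.100.7", build_adu(3, 1, READ_HOLDING) + build_adu(4, 1, WRITE_MULTI)),
    # Segment cut off before the end of the PDU.
    ("198.51.100.7", build_adu(5, 1, WRITE_SINGLE)[:9]),
]

if __name__ == "__main__":
    for src, fc, verdict in classify(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print(src, fc, WRITE_FUNCTION_CODES.get(fc, "-"), verdict)
```

A write from a listed source is reported as well, so that the write access setting can be reviewed against how often it is actually used.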
8.4.3 PROFINET
[ Advanced > Industrial Protocols > PROFINET ]
This dialog lets you configure the PROFINET protocol on this device used in conjunction with
PROFINET Controllers and PROFINET devices. The device bases the PROFINET function on the
Siemens V2.2 PROFINET stack for common Ethernet controllers. The PROFINET protocol
implemented in the device conforms to Class B for real time responses according to IEC 61158.
Functions that directly affect the PROFINET function require the following default values to be
changed. If you have obtained the device as a specially available PROFINET variant, then these
values are already predefined:
PROFINET
  Advanced > Industrial Protocols > PROFINET dialog
  • Operation frame
    Operation = On
  • Configuration frame
    Name of station field = <empty>
Network
  Basic Settings > Network dialog
  • Management interface frame
    IP address assignment radio button = Local
  • HiDiscovery protocol v1/v2 frame
    Access drop-down list = readOnly
  • IP parameter frame
    IP address field = 0.0.0.0
    Netmask field = 0.0.0.0
    Gateway address field = 0.0.0.0
VLAN
  Switching > Global dialog
  • Configuration frame
    VLAN unaware mode checkbox = marked
LLDP
  Diagnostics > LLDP > Configuration dialog
  • Configuration frame
    Transmit interval [s] field = 5
    Transmit delay [s] field = 1
Operation
Operation
Enables/disables the PROFINET function in the device.
Possible values:
• On
The PROFINET function is enabled.
• Off (default setting)
The PROFINET function is disabled.
Configuration
Name of station
Specifies the name of the device.
Possible values:
• Alphanumeric ASCII character string with 0..240 characters
The device prohibits you from using a number as the first character.
Information
Active application relations
Displays how many application relations are active.
Table
Port
Displays the port number.
DCP mode
Specifies the data stream direction on the port to monitor for DCP packets.
The Programmable Logic Controller (PLC) detects PROFINET devices using the Discovery and
Configuration Protocol (DCP).
The DCP identify request packets are multicast, the responses from the agents are unicast.
Regardless of the settings, the device forwards the received DCP packets to other ports whose
setting is either egress or both.
[Figure: Management and DCP packet flow for the port settings none, ingress, egress and both]
Possible values:
• none
The agent does not respond to packets received on this port. The port does not forward packets
received on other ports.
• ingress
The agent responds to packets received on this port. The port does not forward packets
received on other ports.
• egress
The agent does not respond to packets received on this port. The port forwards packets
received on other ports.
• both (default setting)
The agent responds to packets received on this port. The port forwards packets received on
other ports.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Download GSDML file
Copies the GSDML file onto your PC.
8.4.4 EtherNet/IP
[ Advanced > Industrial Protocols > EtherNet/IP ]
This dialog lets you activate the EtherNet/IP protocol, change the SET/GET capability and
download the EDS file from the device.
Operation
Operation
Enables/disables the EtherNet/IP function in the device.
Possible values:
• On
The EtherNet/IP function is enabled.
• Off (default setting)
The EtherNet/IP function is disabled. The device continues to read the EtherNet/IP data.
Configuration
Write access
Activates/deactivates the read/write capability of the EtherNet/IP protocol.
Possible values:
• marked
The EtherNet/IP protocol accepts set/get requests.
• unmarked (default setting)
The EtherNet/IP protocol accepts only get requests.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Download EDS file
Copies the following information in a zip file onto your PC:
• Electronic Data Sheet (EDS) with device related information
• device icon
8.5 Command Line Interface
[ Advanced > CLI ]
This dialog lets you access the device using the Command Line Interface.
The prerequisites are:
• In the device, enable the SSH server in the Device Security > Management Access > Server dialog,
tab SSH.
• On your workstation, install an SSH-capable client application which registers a handler for URLs
starting with ssh:// in your operating system.
Buttons
You find the description of the standard buttons in section “Buttons” on page 15.
Open SSH connection
Opens the SSH-capable client application.
When you click the button, the web application passes the URL of the device starting with ssh://
and the user name of the currently logged on user.
If the web browser finds an SSH-capable client application, then the SSH-capable client establishes
a connection to the device using the SSH protocol.
A Index
0-9
1to1 NAT
802.1D/p mapping
802.1X
A
Access control
Access control lists
Access restriction
ACL
Address conflict detection
Aging time
Alarms
ARP
ARP inspection
ARP table
Audit trail
Authentication history
Authentication list
Auto disable
Auto summary
B
Boundary clock
Bridge
C
Cable diagnosis
Certificate
CLI
Command line interface
Community names
Configuration check
Configuration profile
Context menu
Counter reset
Count-to-infinity
D
Daylight saving time
Device software
Device software backup
Device status
DHCP L2 relay
DHCP server
DHCP snooping
Distance vector
DLR (depends on hardware)
DNS
DNS cache
DNS client
Domain name system
DoS
DSCP
Dynamic ARP inspection
E
EAPOL
Egress rate limiter
Email notification
Encryption
ENVM
EtherNet/IP
Event severity
External memory
F
FAQ
Fast MRP
FDB
Filter MAC addresses
Fingerprint
Flash memory
Flow control
Forwarding database
G
GARP
GMRP
Guards
GVRP
H
Hardware clock
Hardware state
HiDiscovery
HIPER ring
HiVRRP
Host key
Host routes accept
HSR (depends on hardware)
HTML
HTTP
HTTP server
HTTPS
I
IAS
ICMP redirect
IEC61850-MMS
IEEE 802.1X
IGMP
IGMP snooping
Industrial HiVision
Ingress filtering
Ingress rate limiter
Integrated authentication server
IP access restriction
IP address conflict detection
IP DSCP mapping
IPv4 rule
L
L2 relay
L3 relay
LDAP
Link aggregation
Link backup
LLDP
Load/save
Log file
Login banner
Loopback interface
Loops
M
MAC Address Conflict Detection
MAC address table
MAC flood
MAC rule
MAC spoof
Mail notification
Management access
Management VLAN
Manufacturing message specification
Media redundancy protocol
Menu
MMRP
MMS
Modbus TCP
MRP
MRP-IEEE
MSTP
Multicast
Multicast routing
MVRP
N
NAT
Network load
NVM
O
OSPF
P
Parallel redundancy protocol (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83, 482
Password length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83, 482
Persistent logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Port clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133, 235
Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Port monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Port VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Port-based access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19, 479, 492
Pre-Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Priority queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
PROFINET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486, 594
Proxy ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
PRP (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Q
Queue management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
R
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87, 146
RAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
RAM test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
RCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Redundant coupling protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425, 570
Request interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Ring structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Ring/Network coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
RIP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
RNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Root bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Route distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Router discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Router interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263, 355
Routing information protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Routing profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304, 305
S
Secure shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Security status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18, 481
Self-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Serial interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515, 564
sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
SFP module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Signal contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18, 488
SNMP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100, 483
SNMP traps . . . . . . . . . . . . . 46, 125, 305, 329, 377, 419, 453, 477, 481, 490, 496, 505, 506, 530
SNMPv1/v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
SNTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
SNTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Software backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Software update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
SSH server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Subring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Switch dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
System information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
System log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
System monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
System time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
T
Technical questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101, 483
Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20, 478, 490
Threshold values network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Time profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Time to live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417, 471
Training courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Transparent clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Trap destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Traps . . . . . . . . . . . . . . . . . . 46, 125, 305, 329, 377, 419, 453, 477, 481, 490, 496, 505, 506, 530
Trust mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
TTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Twisted pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
U
Unaware mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
V
Virtual local area network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Virtual router redundancy protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 260
VLAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
VLAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
VLAN unaware mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
VRRP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
VRRP tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
W
Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29, 33
Web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106, 107
Z
ZIP archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
B Further support
Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You find the addresses of our partners on the Internet at www.hirschmann.com.
A list of local telephone numbers and email addresses for technical support directly from
Hirschmann is available at hirschmann-support.belden.com.
This site also includes a free of charge knowledge base and a software download section.
Technical Documents
The current manuals and operating instructions for Hirschmann products are available at
doc.hirschmann.com.
Hirschmann Competence Center
The Hirschmann Competence Center is ahead of its competitors on three counts with its complete
range of innovative services:
- Consulting incorporates comprehensive technical advice, from system evaluation through
  network planning to project planning.
- Training offers you an introduction to the basics, product briefing and user training with
  certification.
  You find the training courses on technology and products currently available at
  www.hicomcenter.com.
- Support ranges from the first installation through the standby service to maintenance concepts.
With the Hirschmann Competence Center, you decided against making any compromises. Our
client-customized package leaves you free to choose the service components you want to use.
C Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation
of this product. Your comments and suggestions help us to further improve the quality of our
documentation.
Your assessment of this manual:

                      Very Good   Good   Satisfactory   Mediocre   Poor
Precise description       O        O          O            O        O
Readability               O        O          O            O        O
Understandability         O        O          O            O        O
Examples                  O        O          O            O        O
Structure                 O        O          O            O        O
Comprehensive             O        O          O            O        O
Graphics                  O        O          O            O        O
Drawings                  O        O          O            O        O
Tables                    O        O          O            O        O

Did you discover any errors in this manual?
If so, on what page?
Suggestions for improvement and additional information:
General comments:
Sender:
Company / Department:
Name / Telephone number:
Street:
Zip code / City:
E-mail:
Date / Signature:
Dear User,
Please fill out and return this page
- as a fax to the number +49 (0)7127/14-1600 or
- per mail to
Hirschmann Automation and Control GmbH
Department 01RD-NT
Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany
User Manual
Configuration
Rail Switch Power
HiOS-3S
UM Config RSP
Release 8.1 12/2019
Technical support
https://hirschmann-support.belden.com
© 2019 Hirschmann Automation and Control GmbH
You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).
Hirschmann Automation and Control GmbH
Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany
2019-12-05
Contents
Safety instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
About this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1 User interfaces . . . . . 15
1.1 Graphical User Interface . . . . . 15
1.2 Command Line Interface . . . . . 16
1.2.1 Preparing the data connection . . . . . 16
1.2.2 Access to the Command Line Interface using Telnet . . . . . 16
1.2.3 Access to the Command Line Interface using SSH (Secure Shell) . . . . . 19
1.2.4 Access to the Command Line Interface using the serial interface . . . . . 21
1.2.5 User rights . . . . . 23
1.2.6 Mode-based command hierarchy . . . . . 24
1.2.7 Executing the commands . . . . . 27
1.2.8 Structure of a command . . . . . 28
1.2.9 Examples of commands . . . . . 30
1.2.10 Input prompt . . . . . 31
1.2.11 Key combinations . . . . . 33
1.2.12 Data entry elements . . . . . 34
1.2.13 Use cases . . . . . 35
1.2.14 Service Shell . . . . . 37
1.3 System monitor . . . . . 40
1.3.1 Functional scope . . . . . 40
1.3.2 Starting the System Monitor . . . . . 40
2 Specifying the IP parameters . . . . . 42
2.1 IP parameter basics . . . . . 42
2.1.1 IP address (version 4) . . . . . 42
2.1.2 Netmask . . . . . 43
2.1.3 Classless Inter-Domain Routing . . . . . 45
2.2 Specifying the IP parameters using the Command Line Interface . . . . . 46
2.3 Specifying the IP parameters using HiDiscovery . . . . . 48
2.3.1 Relay . . . . . 49
2.3.2 Example configuration . . . . . 49
2.4 Specifying the IP parameters using the Graphical User Interface . . . . . 51
2.5 Specifying the IP parameters using BOOTP . . . . . 52
2.6 Specifying the IP parameters using DHCP . . . . . 53
2.7 Management address conflict detection . . . . . 55
2.7.1 Active and passive detection . . . . . 55
3 Access to the device . . . . . 56
3.1 First login (Password change) . . . . . 56
3.2 Authentication lists . . . . . 57
3.2.1 Applications . . . . . 57
3.2.2 Policies . . . . . 57
3.2.3 Managing authentication lists . . . . . 58
3.2.4 Adjust the settings . . . . . 59
3.3 User management . . . . . 61
3.3.1 Access roles . . . . . 61
3.3.2 Managing user accounts . . . . . 63
3.3.3 Default setting . . . . . 63
3.3.4 Changing default passwords . . . . . 64
3.3.5 Setting up a new user account . . . . . 65
3.3.6 Deactivating the user account . . . . . 66
3.3.7 Adjusting policies for passwords . . . . . 67
3.4 LDAP . . . . . 68
3.4.1 Coordination with the server administrator . . . . . 68
3.4.2 Example configuration . . . . . 69
3.5 SNMP access . . . . . 72
3.5.1 SNMPv1/v2 access . . . . . 72
3.5.2 SNMPv3 access . . . . . 73
4 Managing configuration profiles . . . . . 74
4.1 Detecting changed settings . . . . . 74
4.2 Saving the settings . . . . . 75
4.2.1 Saving the configuration profile in the device . . . . . 75
4.2.2 Saving the configuration profile in the external memory . . . . . 77
4.2.3 Backup the configuration profile on a remote server . . . . . 77
4.2.4 Exporting a configuration profile . . . . . 78
4.3 Loading settings . . . . . 80
4.3.1 Activating a configuration profile . . . . . 80
4.3.2 Loading the configuration profile from the external memory . . . . . 81
4.3.3 Importing a configuration profile . . . . . 83
4.4 Reset the device to the factory defaults . . . . . 85
4.4.1 Using the Graphical User Interface or Command Line Interface . . . . . 85
4.4.2 Using the System Monitor . . . . . 85
5 Loading software updates . . . . . 87
5.1 Software update from the PC . . . . . 87
5.2 Software update from a server . . . . . 88
5.3 Software update from the external memory . . . . . 89
5.3.1 Manually—initiated by the administrator . . . . . 89
5.3.2 Automatically—initiated by the device . . . . . 89
5.4 Loading a previous software version . . . . . 91
6 Configuring the ports . . . . . 92
6.1 Enabling/disabling the port . . . . . 92
6.2 Selecting the operating mode . . . . . 93
6.3 Link monitoring . . . . . 94
6.3.1 Example . . . . . 94
7 Assistance in the protection from unauthorized access . . . . . 95
7.1 Changing the SNMPv1/v2 community . . . . . 95
7.2 Disabling SNMPv1/v2 . . . . . 96
7.3 Disabling HTTP . . . . . 97
7.4 Disabling Telnet . . . . . 98
7.5 Disabling the HiDiscovery access . . . . . 99
7.6 Activating the IP access restriction . . . . . 100
7.7 Adjusting the session timeouts . . . . . 103
8 Controlling the data traffic . . . . . 105
8.1 Helping protect against unauthorized access . . . . . 105
8.2 ACL . . . . . 107
8.2.1 Creating and editing IPv4 rules . . . . . 108
8.2.2 Creating and configuring an IP ACL using the Command Line Interface . . . . . 109
8.2.3 Creating and editing MAC rules . . . . . 110
8.2.4 Creating and configuring a MAC ACL using the Command Line Interface . . . . . 110
8.2.5 Assigning ACLs to a port or VLAN . . . . . 111
8.3 MAC authentication bypass . . . . . 112
9 Synchronizing the system time in the network
9.1 Basic settings
9.1.1 Setting the time
9.1.2 Automatic daylight saving time changeover
9.2 SNTP
9.2.1 Preparation
9.2.2 Defining settings of the SNTP client
9.2.3 Specifying SNTP server settings
9.3 PTP
9.3.1 Types of clocks
9.3.2 Best Master Clock algorithm
9.3.3 Delay measurement
9.3.4 PTP domains
9.3.5 Using PTP
10 Network load control
10.1 Direct packet distribution
10.1.1 Learning MAC addresses
10.1.2 Aging of learned MAC addresses
10.1.3 Static address entries
10.2 Multicasts
10.2.1 Example of a Multicast application
10.2.2 IGMP snooping
10.3 Rate limiter
10.4 QoS/Priority
10.4.1 Description of prioritization
10.4.2 Handling of received priority information
10.4.3 VLAN tagging
10.4.4 IP ToS (Type of Service)
10.4.5 Handling of traffic classes
10.4.6 Queue management
10.4.7 Management prioritization
10.4.8 Setting prioritization
10.5 Flow control
10.5.1 Halfduplex or fullduplex link
10.5.2 Setting up the Flow Control
11 VLANs
11.1 Examples of VLANs
11.1.1 Example 1
11.1.2 Example 2
11.2 Guest VLAN / Unauthenticated VLAN
11.3 RADIUS VLAN assignment
11.4 Creating a Voice VLAN
11.5 MAC based VLANs
11.6 IP subnet based VLANs
11.7 Protocol-based VLAN
11.8 VLAN unaware mode
12 Redundancy
12.1 Network Topology vs. Redundancy Protocols
12.1.1 Network topologies
12.1.2 Redundancy Protocols
12.1.3 Combinations of Redundancies
12.2 Media Redundancy Protocol (MRP)
12.2.1 Network Structure
12.2.2 Reconfiguration time
12.2.3 Advanced mode
12.2.4 Prerequisites for MRP
12.2.5 Example Configuration
12.2.6 MRP over LAG
12.3 HIPER Ring Client
12.3.1 VLANS on the HIPER Ring
12.3.2 HIPER Ring over LAG
12.4 Parallel Redundancy Protocol (PRP) (depends on hardware)
12.4.1 Implementation
12.4.2 LRE functionality
12.4.3 PRP Network Structure
12.4.4 Connecting RedBoxes and DANPs to a PRP network
12.4.5 Example Configuration
12.5 High-availability Seamless Redundancy (HSR) (depends on hardware)
12.5.1 Implementation
12.5.2 HSR Network Structure
12.6 Device Level Ring (DLR)
12.6.1 Device Roles
12.6.2 Error Detection
12.6.3 Neighbor Check process
12.6.4 Sign On Process
12.6.5 Example Configuration
12.7 Spanning Tree
12.7.1 Basics
12.7.2 Rules for Creating the Tree Structure
12.7.3 Examples
12.8 The Rapid Spanning Tree Protocol
12.8.1 Port roles
12.8.2 Port states
12.8.3 Spanning Tree Priority Vector
12.8.4 Fast reconfiguration
12.8.5 STP compatibility mode
12.8.6 Configuring the device
12.8.7 Guards
12.8.8 Ring only mode
12.8.9 RSTP over HSR
12.9 Link Aggregation
12.9.1 Methods of Operation
12.9.2 Link Aggregation Example
12.10 Link Backup
12.10.1 Fail Back Description
12.10.2 Example Configuration
12.11 FuseNet
12.12 Subring
12.12.1 Subring description
12.12.2 Subring example
12.12.3 Subring example configuration
12.13 Subring with LAG
12.13.1 Example
12.14 Ring/Network Coupling
12.14.1 Methods of Ring/Network Coupling
12.14.2 Prepare the Ring/Network Coupling
12.15 RCP
12.15.1 Application example for RCP coupling
13 Routing
13.1 Configuration
13.2 Routing - Basics
13.2.1 ARP
13.2.2 CIDR
13.2.3 Net-directed Broadcasts
13.3 Static Routing
13.3.1 Port-based Router Interface
13.3.2 VLAN-based Router-Interface
13.3.3 Configuration of a Static Route
13.3.4 Static route tracking
13.4 NAT – Network Address Translation
13.4.1 1:1 NAT
13.5 Tracking
13.5.1 Interface tracking
13.5.2 Ping tracking
13.5.3 Logical tracking
13.5.4 Configuring the tracking
13.6 VRRP/HiVRRP
13.6.1 VRRP
13.6.2 HiVRRP
13.6.3 HiVRRP Domains
13.6.4 VRRP with load sharing
13.6.5 VRRP with Multinetting
13.7 RIP
13.7.1 Convergence
13.7.2 Maximum Network Size
13.7.3 General Properties of RIP
13.7.4 Configuring the RIP
13.8 OSPF
13.8.1 OSPF-Topology
13.8.2 General Operation of OSPF
13.8.3 Setting up the Adjacency
13.8.4 Synchronization of the LSDB
13.8.5 Route Calculation
13.8.6 Configuring OSPF
13.8.7 Limiting the distribution of the routes using an ACL
13.9 Protocol-based VLANs
13.9.1 General Configuration
13.9.2 Configuration of the Example
13.10 Multicast Routing
13.10.1 Multicast Addresses
13.10.2 Multicast Group Registration
13.10.3 Scoping
13.11 Entering the IP Parameters
14 Operation diagnosis
14.1 Sending SNMP traps
14.1.1 List of SNMP traps
14.1.2 SNMP traps for configuration activity
14.1.3 SNMP trap setting
14.1.4 ICMP messaging
14.2 Monitoring the Device Status
14.2.1 Events which can be monitored
14.2.2 Configuring the Device Status
14.2.3 Displaying the Device Status
14.3 Security Status
14.3.1 Events which can be monitored
14.3.2 Configuring the Security Status
14.3.3 Displaying the Security Status
14.4 Out-of-Band signaling
14.4.1 Controlling the Signal contact
14.4.2 Monitoring the Device and Security Statuses
14.5 Port status indication
14.6 Port event counter
14.6.1 Detecting non-matching duplex modes
14.7 Auto-Disable
14.8 Displaying the SFP status
14.9 Topology discovery
14.9.1 Displaying the Topology discovery results
14.9.2 LLDP-Med
14.10 Detecting loops
14.11 Email Notification
14.11.1 Specify the sender address
14.11.2 Specify the triggering events
14.11.3 Change the send interval
14.11.4 Specify the recipients
14.11.5 Specify the mail server
14.11.6 Enable/disable the function
14.11.7 Send a test email
14.12 Reports
14.12.1 Global settings
14.12.2 Syslog
14.12.3 System Log
14.12.4 Syslog over TLS
14.12.5 Audit Trail
14.13 Network analysis with TCPdump
14.14 Monitoring the data traffic
14.14.1 Port Mirroring
14.14.2 VLAN mirroring
14.14.3 Remote SPAN
14.15 Self-test
14.16 Copper cable test
14.17 Network monitoring with sFlow
15 Advanced functions of the device
15.1 Using the device as a DHCP server
15.1.1 IP Addresses assigned per port or per VLAN
15.1.2 DHCP server static IP address example
15.1.3 DHCP server dynamic IP address range example
15.2 DHCP L2 Relay
15.2.1 Circuit and Remote IDs
15.2.2 DHCP L2 Relay configuration
15.3 Using the device as a DNS client
15.3.1 Configuring a DNS server example
15.4 GARP
15.4.1 Configuring GMRP
15.4.2 Configuring GVRP
15.5 MRP-IEEE
15.5.1 MRP operation
15.5.2 MRP timers
15.5.3 MMRP
15.5.4 MVRP
16 Industry Protocols . . . . . 411
16.1 IEC 61850/MMS . . . . . 412
16.1.1 Switch model for IEC 61850 . . . . . 412
16.1.2 Integration into a Control System . . . . . 413
16.2 Modbus TCP . . . . . 415
16.2.1 Client/Server Modbus TCP/IP Mode . . . . . 415
16.2.2 Supported Functions and Memory Mapping . . . . . 415
16.2.3 Example Configuration . . . . . 418
16.3 EtherNet/IP . . . . . 420
16.3.1 Integration into a Control System . . . . . 420
16.3.2 EtherNet/IP Entity Parameters . . . . . 422
16.4 PROFINET . . . . . 441
16.4.1 Integration into a Control System . . . . . 442
16.4.2 PROFINET Parameter . . . . . 448
A Setting up the configuration environment . . . . . 454
A.1 Setting up a DHCP/BOOTP server . . . . . 454
A.2 Setting up a DHCP server with Option 82 . . . . . 458
UM Config RSP
Release 8.1 12/2019
A.3 Preparing access via SSH . . . . . 461
A.3.1 Generating a key in the device . . . . . 461
A.3.2 Loading your own key onto the device . . . . . 462
A.3.3 Preparing the SSH client program . . . . . 462
A.4 HTTPS certificate . . . . . 464
A.4.1 HTTPS certificate management . . . . . 465
A.4.2 Access through HTTPS . . . . . 466
B Appendix . . . . . 467
B.1 Literature references . . . . . 467
B.2 Maintenance . . . . . 468
B.3 Management Information Base (MIB) . . . . . 469
B.4 List of RFCs . . . . . 472
B.5 Underlying IEEE Standards . . . . . 475
B.6 Underlying IEC Norms . . . . . 476
B.7 Underlying ANSI Norms . . . . . 477
B.8 Technical Data . . . . . 478
B.9 Copyright of integrated Software . . . . . 479
B.10 Abbreviations used . . . . . 480
C Index . . . . . 481
D Further support . . . . . 489
E Readers’ Comments . . . . . 490
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment
damage.
About this Manual
The “Configuration” user manual contains the information you need to start operating the device. It
takes you step by step from the first startup operation through to the basic settings for operation in
your environment.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Graphical User Interface” reference manual contains detailed information on using the
graphical user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the
Command Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for
smooth configuration and monitoring:
 Auto-topology discovery
 Browser interface
 Client/server structure
 Event handling
 Event log
 Simultaneous configuration of multiple devices
 Graphical user interface with network layout
 SNMP/OPC gateway
Key
The designations used in this manual have the following meanings:
        List
        Work step
Link     Cross-reference with link
Note:    A note emphasizes a significant fact or draws your attention to a dependency.
Courier  Representation of a CLI command or field contents in the graphical user interface
Execution in the Graphical User Interface
Execution in the Command Line Interface
Introduction
The device has been developed for use in a harsh industrial environment. Accordingly, the
installation process has been kept simple. Thanks to the selected default settings, you only have
to enter a few settings before starting to operate the device.
1 User interfaces
The device lets you specify the settings of the device using the following user interfaces.
Table 1: User interfaces for accessing the device management
User interface            Can be reached through …          Prerequisite
Graphical User Interface  Ethernet (In-Band)                Web browser
Command Line Interface    Ethernet (In-Band)                Terminal emulation software
                          Serial interface (Out-of-Band)
System monitor            Serial interface (Out-of-Band)    Terminal emulation software
1.1 Graphical User Interface
System requirements
To open the Graphical User Interface, you need the desktop version of a web browser with HTML5
support.
Note: Third-party software such as web browsers validates certificates based on criteria such as
their expiration date and current cryptographic parameter recommendations. Old certificates can
cause errors, for example when they expire or when cryptographic recommendations change. To resolve
validation conflicts with third-party software, transfer your own up-to-date certificate onto the device
or regenerate the certificate with the latest firmware.
Starting the Graphical User Interface
The prerequisite for starting the Graphical User Interface is that the IP parameters are configured
in the device. See “Specifying the IP parameters” on page 42.
 Start your web browser.
 Type the IP address of the device in the address field of the web browser.
Use the following form: https://xxx.xxx.xxx.xxx
The web browser sets up the connection to the device and displays the Login page.
 When you want to change the language of the Graphical User Interface, click the appropriate
link in the top right corner of the Login page.
 Enter the user name.
 Enter the password.
 Click the Login button.
The web browser displays the Graphical User Interface.
1.2 Command Line Interface
The Command Line Interface enables you to use the functions of the device through a local or
remote connection.
The Command Line Interface provides IT specialists with a familiar environment for configuring IT
devices. As an experienced user or administrator, you have knowledge about the basics and about
using Hirschmann devices.
1.2.1 Preparing the data connection
Information for assembling and starting up your device can be found in the “Installation” user
manual.
 Connect the device with the network. The prerequisite for a successful data connection is the
correct setting of the network parameters.
You can access the user interface of the Command Line Interface for example, with the freeware
program PuTTY.
This program is provided on the product CD.
 Install the PuTTY program on your computer.
1.2.2 Access to the Command Line Interface using Telnet
Telnet connection using Windows
Telnet is only installed as standard in Windows versions before Windows Vista.
Proceed as follows:
 Start the Command Prompt program on your computer.
 Enter the command telnet <IP_address>.
Figure 1: Command Prompt: Setting up the Telnet connection to the device
Telnet connection using PuTTY
Proceed as follows:
 Start the PuTTY program on your computer.
Figure 2: PuTTY input screen
 In the Host Name (or IP address) field you enter the IP address of your device.
The IP address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers
are separated by points.
 To select the connection type, select the Telnet radio button in the Connection type range.
 Click the Open button to set up the data connection to your device.
The Command Line Interface appears on the screen with a window for entering the user name.
The device enables up to 5 users to have access to the Command Line Interface at the same
time.
Note: This device is a security-relevant product. Change the password during the first startup
procedure.
 Enter the user name.
The default user name is admin.
 Press the <Enter> key.
 Enter the password.
The default password is private.
 Press the <Enter> key.
Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH
All rights reserved
RSP20 Release 8.1
(Build date 2019-02-05 19:17)
System Name    : RSP-ECE555015560
Management IP  : 192.168.1.5
Subnet Mask    : 255.255.255.0
Base MAC       : EC:E5:55:01:02:03
System Time    : 2019-01-01 17:39:01
NOTE: Enter '?' for Command Help. Command help displays all options
that are valid for the particular mode.
For the syntax of a particular command form, please
consult the documentation.
RSP>
Figure 3: Start screen of the Command Line Interface
1.2.3 Access to the Command Line Interface using SSH (Secure Shell)
In the following example we use the PuTTY program. Another option to access your device using
SSH is the OpenSSH Suite.
Proceed as follows:
 Start the PuTTY program on your computer.
Figure 4: PuTTY input screen
 In the Host Name (or IP address) field you enter the IP address of your device.
The IP address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers
are separated by points.
 To specify the connection type, select the SSH radio button in the Connection type range.
After selecting and setting the required parameters, the device enables you to set up the data
connection using SSH.
 Click the Open button to set up the data connection to your device.
Depending on the device and the time at which SSH was configured, setting up the connection
takes up to a minute.
When you first log in to your device, towards the end of the connection setup, the PuTTY program
displays a security alert message and lets you check the fingerprint of the key.
Figure 5: Security alert prompt for the fingerprint
 Check the fingerprint.
This helps protect you from unwelcome guests.
 When the fingerprint matches the fingerprint of the device key, click the Yes button.
The device lets you display the fingerprints of the device keys with the command show ssh or in
the Device Security > Management Access > Server dialog, SSH tab.
The Command Line Interface appears on the screen with a window for entering the user name.
The device enables up to 5 users to have access to the Command Line Interface at the same
time.
 Enter the user name.
The default user name is admin.
 Press the <Enter> key.
 Enter the password.
The default password is private.
 Press the <Enter> key.
Note: This device is a security-relevant product. Change the password during the first startup
procedure.
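The fingerprint comparison from the steps above, as an added example that is not part of the Hirschmann manual: it computes the SHA256 and MD5 fingerprints of a public host key line (for example one collected with ssh-keyscan when you use the OpenSSH Suite) and compares them with the value read from the device. The function names and the sample key are constructed for illustration, and it is an assumption that the device displays its fingerprint in one of these two common formats.

```python
import base64
import hashlib
import hmac


def parse_public_key(line):
    """Return (key_type, blob) from an OpenSSH public-key or known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob begins with a length-prefixed copy of the key type;
            # a mismatch means the line was truncated or altered.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key type does not match key blob")
            return field, blob
    raise ValueError("no public key found in line")


def fingerprints(blob):
    """Fingerprints of a key blob in the two formats SSH clients display."""
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": sha256.rstrip("="),  # OpenSSH prints it without padding
        "MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def normalise_fingerprint(displayed):
    """Return (algorithm, canonical value) for a fingerprint as displayed."""
    text = displayed.strip()
    if text.upper().startswith("SHA256:"):
        return "SHA256", text[7:].rstrip("=")
    if text.upper().startswith("MD5:"):
        text = text[4:]
    digits = text.replace(":", "").lower()
    if len(digits) == 32 and all(c in "0123456789abcdef" for c in digits):
        return "MD5", ":".join(digits[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unrecognised fingerprint format")


def host_key_matches(public_key_line, displayed_fingerprint):
    """True only if the offered key hashes to the fingerprint read from the device."""
    _, blob = parse_public_key(public_key_line)
    algorithm, expected = normalise_fingerprint(displayed_fingerprint)
    actual = fingerprints(blob)[algorithm]
    return hmac.compare_digest(actual.encode(), expected.encode())


def build_constructed_key_line(host="192.168.1.5", body=bytes(range(32))):
    """Constructed sample line (not a real device key) in known_hosts layout."""
    key_type = b"ssh-ed25519"
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(body).to_bytes(4, "big") + body)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    offered = build_constructed_key_line()
    # Stand-in for the value read from the device over a trusted path,
    # for example with show ssh on the serial interface.
    trusted = "SHA256:" + fingerprints(parse_public_key(offered)[1])["SHA256"]
    print("match" if host_key_matches(offered, trusted) else "MISMATCH: do not connect")
```

The comparison is only as trustworthy as the path over which the reference fingerprint was read; a value fetched over the same network connection that is being checked proves nothing.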
login as: admin
[email protected]’s password:
Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH
All rights reserved
RSP20 Release 8.1
(Build date 2019-02-05 19:17)
System Name    : RSP-ECE555015560
Management IP  : 192.168.1.5
Subnet Mask    : 255.255.255.0
Base MAC       : EC:E5:55:01:02:03
System Time    : 2019-01-01 17:39:01
NOTE: Enter '?' for Command Help. Command help displays all options
that are valid for the particular mode.
For the syntax of a particular command form, please
consult the documentation.
RSP>
Figure 6: Start screen of the Command Line Interface
1.2.4 Access to the Command Line Interface using the serial interface
The serial interface is used to locally connect an external network management station (VT100
terminal or PC with terminal emulation). The interface lets you set up a data connection to the
Command Line Interface and to the system monitor.
VT 100 terminal settings
Speed      9600 bit/s
Data       8 bit
Stopbit    1 bit
Handshake  off
Parity     none
Proceed as follows:
 Connect the device to a terminal using the serial interface. Alternatively connect the device to a
COM port of your PC using terminal emulation based on VT100 and press any key.
 Alternatively you set up the serial data connection to the device with the serial interface using
the PuTTY program. Press the <Enter> key.
Figure 7: Serial data connection with the serial interface using the PuTTY program
 Press any key on your terminal keyboard a number of times until the login screen indicates the
CLI mode.
 Enter the user name.
The default user name is admin.
 Press the <Enter> key.
 Enter the password.
The default password is private.
 Press the <Enter> key.
Note: This device is a security-relevant product. Change the password during the first startup
procedure.
Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH
All rights reserved
RSP20 Release 8.1
(Build date 2019-02-05 19:17)
System Name    : RSP-ECE555015560
Management IP  : 192.168.1.5
Subnet Mask    : 255.255.255.0
Base MAC       : EC:E5:55:01:02:03
System Time    : 2019-01-01 17:39:01
NOTE: Enter '?' for Command Help. Command help displays all options
that are valid for the particular mode.
For the syntax of a particular command form, please
consult the documentation.
RSP>
Figure 8: Start screen of the Command Line Interface
1.2.5 User rights
The device functions available to you as a user depend on your access role. When you are logged
on to the user interface with a specific access role, the functions of the access role are available to
you.
The commands available to you as a user also depend on the Command Line Interface mode in
which you are currently working. See “Mode-based command hierarchy” on page 24.
Access roles
The user interface offers the following access roles:
 User
 Auditor
 Operator
 Administrator
Table 2: Access roles and scope of user authorizations
Access role    User authorizations
User           Users logged on with the access role User are authorized to monitor the device.
Auditor        Users logged on with the access role Auditor are authorized to monitor the device
               and to save the log file in the Diagnostics > Report > Audit Trail dialog.
Operator       Users logged on with the access role Operator are authorized to monitor the
               device and to change the settings – with the exception of security settings for
               device access.
Administrator  Users logged on with the access role Administrator are authorized to monitor the
               device and to change the settings.
Unauthorized   Unauthorized users are blocked, and the device rejects the user login. Assign this
               value to temporarily lock the user account. If a detected error occurs during an
               access role change, then the device assigns this access role to the user account.
1.2.6 Mode-based command hierarchy
In the Command Line Interface, the commands are grouped in the related modes, according to the
type of the command. Every command mode supports specific Hirschmann software commands.
The commands available to you as a user depend on your privilege level (administrator, operator,
guest, auditor). They also depend on the mode in which you are currently working. When you switch
to a specific mode, the commands of the mode are available to you.
The User Exec mode commands are an exception. The Command Line Interface enables you to
execute these commands in the Privileged Exec mode, too.
The following figure displays the modes of the Command Line Interface.
Figure 9: Structure of the Command Line Interface (diagram of the modes: User Exec Mode, Privileged Exec Mode, Global Configuration Mode, VLAN Database Mode, Interface Range Mode)
The Command Line Interface supports, depending on the user level, the following modes:
 User Exec mode
When you login to the Command Line Interface, you enter the User Exec mode. The User Exec
mode contains a limited range of commands.
Command prompt: (RSP) >
 Privileged Exec mode
To access the entire range of commands, you enter the Privileged Exec mode. If you login as a
privileged user, then you are able to enter the Privileged Exec mode. In the Privileged Exec
mode, you are able to execute the User Exec mode commands, too.
Command prompt: (RSP) #
 VLAN mode
The VLAN mode contains VLAN-related commands.
Command prompt: (RSP) (VLAN)#
 Global Config mode
The Global Config mode lets you perform modifications to the current configuration. This mode
groups general setup commands.
Command prompt: (RSP) (config)#
 Interface Range mode
The commands in the Interface Range mode affect a specific port, a selected group of multiple
ports or all ports of the device. The commands modify a value or switch a function on/off on one
or more specific ports.
– All physical ports in the device
Command prompt: (RSP) ((interface) all)#
Example: When you switch from the Global Config mode to the Interface Range mode, the
command prompt changes as follows:
(RSP) (config)#interface all
(RSP) ((Interface)all)#
– A single port on one interface
Command prompt: (RSP) (interface <slot/port>)#
Example: When you switch from the Global Config mode to the Interface Range mode, the
command prompt changes as follows:
(RSP) (config)#interface 2/1
(RSP) (interface 2/1)#
– A range of ports on one interface
Command prompt: (RSP) (interface <interface range> )#
Example: When you switch from the Global Config mode to the Interface Range mode, the
command prompt changes as follows:
(RSP) (config)#interface 1/2-1/4
(RSP) ((Interface)1/2-1/4)#
– A list of single ports
Command prompt: (RSP) (interface <interface list>)#
Example: When you switch from the Global Config mode to the Interface Range mode, the
command prompt changes as follows:
(RSP) (config)#interface 1/2,1/4,1/5
(RSP) ((Interface)1/2,1/4,1/5)#
– A list of port ranges and single ports
Command prompt: (RSP) (interface <complex range>)#
Example: When you switch from the Global Config mode to the Interface Range mode, the
command prompt changes as follows:
(RSP) (config)#interface 1/2-1/4,1/6-1/9
(RSP) ((Interface)1/2-1/4,1/6-1/9)#
The following table displays the command modes, the command prompts (input request
characters) visible in the corresponding mode, and the option with which you quit this mode.
Table 3: Command modes
Command mode: User Exec mode
Access method: First access level. Perform basic tasks and list system information.
Quit or start next mode: To quit you enter logout:
    (RSP) >logout
    Are you sure (Y/N) ?y
Command mode: Privileged Exec mode
Access method: From the User Exec mode, you enter the command enable:
    (RSP) >enable
    (RSP) #
Quit or start next mode: To quit the Privileged Exec mode and return to the User Exec mode, you enter exit:
    (RSP) #exit
    (RSP) >
Command mode: VLAN mode
Access method: From the Privileged Exec mode, you enter the command vlan database:
    (RSP) #vlan database
    (RSP) (Vlan)#
Quit or start next mode: To end the VLAN mode and return to the Privileged Exec mode, you enter exit or press Ctrl Z.
    (RSP) (Vlan)#exit
    (RSP) #
Command mode: Global Config mode
Access method: From the Privileged Exec mode, you enter the command configure:
    (RSP) #configure
    (RSP) (config)#
From the User Exec mode, you enter the command enable, and then in Privileged Exec mode, enter the command Configure:
    (RSP) >enable
    (RSP) #configure
    (RSP) (config)#
Quit or start next mode: To quit the Global Config mode and return to the Privileged Exec mode, you enter exit:
    (RSP) (config)#exit
    (RSP) #
To then quit the Privileged Exec mode and return to the User Exec mode, you enter exit again:
    (RSP) #exit
    (RSP) >
Command mode: Interface Range mode
Access method: From the Global Config mode you enter the command interface {all|<slot/port>|<interface range>|<interface list>|<complex range>}.
    (RSP) (config)#interface <slot/port>
    (RSP) (interface slot/port)#
Quit or start next mode: To quit the Interface Range mode and return to the Global Config mode, you enter exit. To return to the Privileged Exec mode, you press Ctrl Z.
    (RSP) (interface slot/port)#exit
    (RSP) #
When you enter a question mark (?) after the prompt, the Command Line Interface displays a list
of the available commands and a short description of the commands.
(RSP)>
cli      Set the CLI preferences.
enable   Turn on privileged commands.
help     Display help for various special keys.
history  Show a list of previously run commands.
logout   Exit this session.
ping     Send ICMP echo packets to a specified IP address.
show     Display device options and settings.
telnet   Establish a telnet connection to a remote host.
(RSP)>
Figure 10: Commands in the User Exec mode
1.2.7 Executing the commands
Syntax analysis
When you login to the Command Line Interface, you enter the User Exec mode. The Command
Line Interface displays the prompt (RSP)> on the screen.
When you enter a command and press the <Enter> key, the Command Line Interface starts the
syntax analysis. The Command Line Interface searches the command tree for the desired
command.
When the command is outside the Command Line Interface command range, a message informs
you of the detected error.
Example:
The user wants to execute the show system info command, but enters info without f and presses
the <Enter> key.
The Command Line Interface then displays a message:
(RSP)>show system ino
Error: Invalid command 'ino'
Command tree
The commands in the Command Line Interface are organized in a tree structure. The commands,
and where applicable the related parameters, branch down until the command is completely
defined and therefore executable. The Command Line Interface checks the input. When you
entered the command and the parameters correctly and completely, you execute the command
with the <Enter> key.
After you entered the command and the required parameters, the other parameters entered are
treated as optional parameters. When one of the parameters is unknown, the Command Line
Interface displays a syntax message.
The command tree branches for the required parameters until the required parameters have
reached the last branch in the structure.
With optional parameters, the command tree branches until the required parameters and the
optional parameters have reached the last branch in the structure.
1.2.8 Structure of a command
This section describes the syntax, conventions and terminology, and uses examples to represent
them.
Format of commands
Most of the commands include parameters.
When the command parameter is missing, the Command Line Interface informs you about the
detection of an incorrect command syntax.
This manual displays the commands and parameters in the Courier font.
Parameters
The sequence of the parameters is relevant for the correct syntax of a command.
Parameters are required values, optional values, selections, or a combination of these things. The
representation indicates the type of the parameter.
Table 4: Parameter and command syntax
<command>                      Commands in pointed brackets (<>) are obligatory.
[command]                      Commands in square brackets ([]) are optional.
<parameter>                    Parameters in pointed brackets (<>) are obligatory.
[parameter]                    Parameters in square brackets ([]) are optional.
...                            An ellipsis (3 points in sequence without spaces) after an element
                               indicates that you can repeat the element.
[Choice1 | Choice2]            A vertical line enclosed in brackets indicates a selection option.
                               Select one value.
                               Elements separated by a vertical line and enclosed in square
                               brackets indicate an optional selection (Option1 or Option2 or no
                               selection).
{list}                         Curved brackets ({}) indicate that a parameter is to be selected from
                               a list of options.
{Choice1 | Choice2}            Elements separated by a vertical line and enclosed in curved
                               brackets ({}) indicate an obligatory selection option (option1 or
                               option2).
[param1 {Choice1 | Choice2}]   Displays an optional parameter that contains an obligatory selection.
<a.b.c.d>                      Small letters are wild cards. You enter parameters with the notation
                               a.b.c.d with decimal points (for example IP addresses)
<cr>                           You press the <Enter> key to create a line break (carriage return).
The following list displays the possible parameter values within the Command Line Interface:
Table 5: Parameter values in the Command Line Interface
Value             Description
IP address        This parameter represents a valid IPv4 address. The address
                  consists of 4 decimal numbers with values from 0 to 255. The 4
                  decimal numbers are separated by a decimal point. The IP address
                  0.0.0.0 is a valid entry.
MAC address       This parameter represents a valid MAC address. The address
                  consists of 6 hexadecimal numbers with values from 00 to FF. The
                  numbers are separated by a colon, for example, 00:F6:29:B2:81:40.
string            User-defined text with a length in the specified range, for example a
                  maximum of 32 characters.
character string  Use double quotation marks to indicate a character string, for
                  example “System name with space character”.
number            Whole integer in the specified range, for example 0..999999.
date              Date in format YYYY-MM-DD.
time              Time in format HH:MM:SS.
Network addresses
Network addresses are a requirement for establishing a data connection to a remote work station,
a server, or another network. You distinguish between IP addresses and MAC addresses.
The IP address is an address allocated by the network administrator. The IP address is unique in
one network area.
The MAC addresses are assigned by the hardware manufacturer. MAC addresses are unique
worldwide.
The following table displays the representation and the range of the address types:
Table 6: Format and range of network addresses
Address Type  Format             Range                                     Example
IP Address    nnn.nnn.nnn.nnn    nnn: 0 to 255 (decimal)                   192.168.11.110
MAC Address   mm:mm:mm:mm:mm:mm  mm: 00 to ff (hexadecimal number pairs)   A7:C9:89:DD:A9:B3
Strings
A string is indicated by quotation marks. For example, “System name with space character”. Space
characters are not valid user-defined strings. You enter a space character in a parameter between
quotation marks.
Example:
*(RSP)#cli prompt Device name
Error: Invalid command 'name'
*(RSP)#cli prompt 'Device name'
*(Device name)#
1.2.9 Examples of commands
Example 1: clear arp-table-switch
Command for clearing the ARP table of the management agent (cache).
clear arp-table-switch is the command name. The command is executable without any other
parameters by pressing the <Enter> key.
Example 2: radius server timeout
Command to configure the RADIUS server timeout value.
(RSP) (config)#radius server timeout
<1..30>      Timeout in seconds (default: 5).
radius server timeout is the command name.
The parameter is required. The value range is 1..30.
Example 3: radius server auth modify <1..8>
Command to set the parameters for RADIUS authentication server 1.
(RSP) (config)#radius server auth modify 1
[name]       RADIUS authentication server name.
[port]       RADIUS authentication server port.
             (default: 1812).
[msgauth]    Enable or disable the message authenticator
             attribute for this server.
[primary]    Configure the primary RADIUS server.
[status]     Enable or disable a RADIUS authentication
             server entry.
[secret]     Configure the shared secret for the RADIUS
             authentication server.
[encrypted]  Configure the encrypted shared secret.
<cr>         Press Enter to execute the command.
radius server auth modify is the command name.
The parameter <1..8> (RADIUS server index) is required. The value range is 1..8 (integer).
The parameters [name], [port], [msgauth], [primary], [status], [secret] and [encrypted] are
optional.
1.2.10 Input prompt
Command mode
With the input prompt, the Command Line Interface displays which of the three modes you are in:
 (RSP) >                               User Exec mode
 (RSP) #                               Privileged Exec mode
 (RSP) (config)#                       Global Config mode
 (RSP) (Vlan)#                         VLAN Database mode
 (RSP) ((Interface)all)#               Interface Range mode / All ports of the device
 (RSP) ((Interface)2/1)#               Interface Range mode / A single port on one interface
 (RSP) ((Interface)1/2-1/4)#           Interface Range mode / A range of ports on one interface
 (RSP) ((Interface)1/2,1/4,1/5)#       Interface Range mode / A list of single ports
 (RSP) ((Interface)1/1-1/2,1/4-1/6)#   Interface Range mode / A list of port ranges and single ports
Asterisk, pound sign and exclamation point
 Asterisk *
An asterisk * in the first or second position of the input prompt shows you that the settings in
the volatile memory and the settings in the non-volatile memory are different. In your
configuration, the device has detected modifications which have not been saved.
*(RSP)>
 Pound sign #
A pound sign # at the beginning of the input prompt shows you that the boot parameters and
the parameters during the boot phase are different.
*#(RSP)>
 Exclamation point !
An exclamation point ! at the beginning of the input prompt shows you that the password for the
user or admin user account corresponds with the default setting.
!(RSP)>
Wildcards
The device lets you change the command line prompt.
The Command Line Interface supports the following wildcards:
Table 7: Using wildcards within the Command Line Interface input prompt
Wildcard   Description
%d         System date
%t         System time
%i         IP address of the device
%m         MAC address of the device
%p         Product name of the device
!(RSP)>enable
!(RSP)#cli prompt %i
!192.168.1.5#cli prompt (RSP)%d
!*(RSP)2019-01-27#cli prompt (RSP)%d%t
!*(RSP)2019-01-2715:45:41#cli prompt %m
!*AA:BB:CC:DD:EE:FF#
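The prompt indicators and command modes described above can be read mechanically, for example to review the last prompt captured from each device for a default password or unsaved changes. The following is an added example, not part of the manual or of the device software; the device names in the sample are constructed, and it assumes that a customized prompt contains no further # or > characters before the one that ends it. Treating a prompt that starts with / as the Service Shell is a heuristic taken from the sample session later in this chapter.

```python
import re
from typing import NamedTuple, Optional

# Leading indicators, as described in the manual text above.
INDICATORS = {
    "!": "default_password",    # user/admin password corresponds with the default
    "*": "unsaved_changes",     # volatile and non-volatile settings differ
    "#": "boot_params_differ",  # boot parameters differ from those used at boot
}

# Prompt endings from the manual's mode list, most specific first.
MODES = [
    (re.compile(r"\(\(Interface\)[^)]*\)#$", re.I), "Interface Range"),
    (re.compile(r"\(Vlan\)#$", re.I), "VLAN Database"),
    (re.compile(r"\(config\)#$", re.I), "Global Config"),
    (re.compile(r"#$"), "Privileged Exec"),
    (re.compile(r">$"), "User Exec"),
]


class Prompt(NamedTuple):
    default_password: bool
    unsaved_changes: bool
    boot_params_differ: bool
    mode: str
    name: str      # prompt text between the indicators and the mode ending
    command: str   # whatever was typed after the prompt


def parse_prompt(line: str) -> Optional[Prompt]:
    """Split one captured prompt line into indicators, mode, name and command."""
    text = line.strip()
    flags = dict.fromkeys(INDICATORS.values(), False)
    pos = 0
    while pos < len(text) and text[pos] in INDICATORS:
        flags[INDICATORS[text[pos]]] = True
        pos += 1
    rest = text[pos:]
    end = re.search(r"[#>]", rest)          # first character that ends a prompt
    if end is None:
        return None
    prompt, command = rest[:end.end()], rest[end.end():].strip()
    if prompt.startswith("/"):              # heuristic: BusyBox path prompt
        mode, name = "Service Shell", prompt[:-1].strip()
    else:
        for pattern, mode in MODES:         # the last two patterns always match
            hit = pattern.search(prompt)
            if hit:
                name = prompt[:hit.start()].strip()
                break
    return Prompt(mode=mode, name=name, command=command, **flags)


def audit(last_prompts: dict) -> dict:
    """Map device -> list of findings derived from its last captured prompt."""
    report = {}
    for device, line in last_prompts.items():
        p = parse_prompt(line)
        if p is None:
            report[device] = ["no prompt recognised"]
            continue
        issues = []
        if p.default_password:
            issues.append("password for user or admin is still the default")
        if p.unsaved_changes:
            issues.append("configuration changes not saved to non-volatile memory")
        if p.boot_params_differ:
            issues.append("boot parameters differ from those used during boot")
        if p.mode == "Service Shell":
            issues.append("Service Shell active (CLI timeout is inactive)")
        if issues:
            report[device] = issues
    return report


# Constructed sample: device names are made up, prompt strings are the
# forms shown in this chapter of the manual.
SAMPLE = {
    "sw-01": "(RSP) >",
    "sw-02": "!*#(RSP)(Config)#show?",
    "sw-03": "!*AA:BB:CC:DD:EE:FF#",
    "sw-04": "!/mnt/fastpath #",
    "sw-05": "*(RSP) ((Interface)1/2-1/4)#",
}

if __name__ == "__main__":
    for device, issues in audit(SAMPLE).items():
        print(device, "->", "; ".join(issues))
```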
1.2.11 Key combinations
The following key combinations make it easier for you to work with the Command Line Interface:
Table 8: Key combinations in the Command Line Interface
Key combination       Description
CTRL + H, Backspace   Delete previous character
CTRL + A              Go to beginning of line
CTRL + E              Go to end of line
CTRL + F              Go forward one character
CTRL + B              Go backward one character
CTRL + D              Delete current character
CTRL + U, X           Delete to beginning of line
CTRL + K              Delete to end of line
CTRL + W              Delete previous word
CTRL + P              Go to previous line in history buffer
CTRL + R              Rewrite or paste the line
CTRL + N              Go to next line in history buffer
CTRL + Z              Return to root command prompt
CTRL + G              Aborts running tcpdump session
Tab, <SPACE>          Command line completion
Exit                  Go to next lower command prompt
?                     List choices
The Help command displays the possible key combinations in Command Line Interface on the
screen:
(RSP) #help
HELP:
Special keys:
  Ctrl-H, BkSp  delete previous character
  Ctrl-A ....   go to beginning of line
  Ctrl-E ....   go to end of line
  Ctrl-F ....   go forward one character
  Ctrl-B ....   go backward one character
  Ctrl-D ....   delete current character
  Ctrl-U, X ..  delete to beginning of line
  Ctrl-K ....   delete to end of line
  Ctrl-W ....   delete previous word
  Ctrl-P ....   go to previous line in history buffer
  Ctrl-R ....   rewrites or pastes the line
  Ctrl-N ....   go to next line in history buffer
  Ctrl-Z ....   return to root command prompt
  Ctrl-G ....   aborts running tcpdump session
  Tab, <SPACE>  command-line completion
  Exit ....     go to next lower command prompt
  ? ....        list choices
(RSP) #
Figure 11: Listing the key combinations with the Help command
1.2.12 Data entry elements
Command completion
To simplify typing commands, the Command Line Interface lets you use command completion (Tab
Completion). Thus you are able to abbreviate key words.
 Type in the beginning of a keyword. When the characters entered identify a keyword, the
Command Line Interface completes the keyword after you press the tab key or the space key.
When there is more than one option for completion, enter the letter or the letters necessary for
uniquely identifying the keyword. Press the tab key or the space key again. After that, the system
completes the command or parameter.
 When you make a non-unique entry and press <Tab> or <Space> twice, the Command Line
Interface provides you with a list of options.
 When you make a non-unique entry and press <Tab> or <Space>, the Command Line Interface
completes the command up to the end of the uniqueness. When several commands exist and you press
<Tab> or <Space> again, the Command Line Interface provides you with a list of options.
Example:
(RSP) (Config)#lo
(RSP) (Config)#log
logging logout
When you enter lo and <Tab> or <Space>, the Command Line Interface completes the
command up to the end of the uniqueness to log.
When you press <Tab> or <Space> again, the Command Line Interface provides you with a list
of options (logging logout).
Possible commands/parameters
You can obtain a list of the commands or the possible parameters by entering help or ?, for example
by entering (RSP) >show ?
When you enter the command displayed, you get a list of the parameters available for the command
show.
When you enter the command without space character in front of the question mark, the device
displays the help text for the command itself:
!*#(RSP)(Config)#show?
show         Display device options and settings.
1.2.13 Use cases
Saving the Configuration
To help ensure that your password settings and your other configuration changes are kept after the
device is reset or after an interruption of the voltage supply, you save the configuration. To save
your current configuration, you proceed as follows:
 Enter enable to switch to the Privileged Exec mode.
 Enter the following command:
save [profile]
 Execute the command by pressing the <Enter> key.
Syntax of the “radius server auth add” command
Use this command to add a RADIUS authentication server.
 Mode: Global Config mode
 Privilege Level: Administrator
 Format: radius server auth add <1..8> ip <a.b.c.d> [name <string>] [port <1..65535>]
– [name]: RADIUS authentication server name.
– [port]: RADIUS authentication server port (default: 1813).
Parameter    Meaning                                          Possible values
<1..8>       RADIUS server index.                             1..8
<a.b.c.d>    RADIUS accounting server IP address.             IP address
<string>     Enter a user-defined text, max. 32 characters.
<1..65535>   Enter port number between 1 and 65535.           1..65535
Mode and Privilege Level:
 The prerequisite for executing the command: You are in the Global Config mode. See “Mode-based command hierarchy” on page 24.
 The prerequisite for executing the command: You have the Administrator access role.
Syntax of commands and parameters: See “Structure of a command” on page 28.
Examples for executable commands:
 radius server auth add 1 ip 192.168.30.40
 radius server auth add 2 ip 192.168.40.50 name radiusserver2
 radius server auth add 3 ip 192.168.50.60 port 1813
 radius server auth add 4 ip 192.168.60.70 name radiusserver4 port 1814
1.2.14 Service Shell
The Service Shell is for service purposes only.
The Service Shell lets users have access to internal functions of the device. When you need
assistance with your device, the service personnel use the Service Shell to monitor internal
conditions, for example the switch or CPU registers.
Do not execute internal functions without service technician instructions. Executing internal
functions such as deleting the content of the non-volatile memory (NVM) possibly leads to
inoperability of your device.
Start the Service Shell
The prerequisite is that you are in User Exec mode: (RSP) >
Perform the following steps:
 Enter enable and press the <Enter> key.
To reduce the effort when typing:
– Enter e and press the <Tab> key.
 Enter serviceshell start and press the <Enter> key.
To reduce the effort when typing:
– Enter ser and press the <Tab> key.
– Enter s and press the <Tab> key.
!RSP >enable
!*RSP #serviceshell start
WARNING! The service shell offers advanced diagnostics and functions.
Proceed only when instructed by a service technician.
You can return to the previous mode using the 'exit' command.
BusyBox v1.31.0 (2019-09-05 12:17:22 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
!/mnt/fastpath #
Working with the Service Shell
When the Service Shell is active, the timeout of the Command Line Interface is inactive. To help
prevent configuration inconsistencies, end the Service Shell before any other user starts
transferring a new configuration to the device.
Display the Service Shell commands
The prerequisite is that you already started the Service Shell.
Perform the following steps:
 Enter help and press the <Enter> key.
/mnt/fastpath # help
Built-in commands:
-----------------
. : [ [[ alias bg break cd chdir command continue echo eval exec
exit export false fg getopts hash help history jobs kill let
local pwd read readonly return set shift source test times trap
true type ulimit umask unalias unset wait
/mnt/fastpath #
End the Service Shell
Perform the following steps:
 Enter exit and press the <Enter> key.
Deactivate the Service Shell permanently in the device
When you deactivate the Service Shell, you are still able to configure the device, but you limit the
service personnel to system diagnostics. The service technician is no longer able to access
internal functions of your device.
The deactivation is irreversible. The Service Shell remains permanently deactivated. In order to
reactivate the Service Shell, the device requires disassembly by the manufacturer.
The prerequisites are:
• The Service Shell is not started.
• You are in User Exec mode: (RSP) >
Perform the following steps:
 Enter enable and press the <Enter> key.
To reduce the effort when typing:
– Enter e and press the <Tab> key.
 Enter serviceshell deactivate and press the <Enter> key.
To reduce the effort when typing:
– Enter ser and press the <Tab> key.
– Enter dea and press the <Tab> key.
 This step is irreversible!
Press the <Y> key.
!RSP >enable
!*RSP #serviceshell deactivate
Notice: If you continue, then the Service Shell is permanently deactivated.
This step is irreversible!
For details, refer to the Configuration Manual.
Are you sure (Y/N) ?
1.3 System monitor
The System Monitor lets you set basic operating parameters before starting the operating system.
1.3.1 Functional scope
In the System Monitor, you carry out the following tasks, for example:
 Managing the operating system and verifying the software image
 Updating the operating system
 Starting the operating system
 Deleting configuration profiles, resetting the device to the factory defaults
 Checking boot code information
1.3.2 Starting the System Monitor
Prerequisite:
 Terminal cable for connecting the device to your PC (available as an optional accessory).
 PC with VT100 terminal emulation (such as the PuTTY program) or serial terminal
Perform the following steps:
 Use the terminal cable to connect the serial interface of the device with the COM port of the PC.
 Start the VT100 terminal emulation on the PC.
 Specify the following transmission parameters:
VT 100 terminal settings
Speed       9600 bit/s
Data        8 bit
Stopbit     1 bit
Handshake   off
Parity      none
 Set up a connection to the device.
 Turn on the device. When the device is already on, reboot it.
The screen displays the following message after rebooting:
Press <1> to enter System Monitor 1.
 Press the <1> key within 3 seconds.
The device starts the System Monitor. The screen displays the following view:
System Monitor 1
(Selected OS: ...-8.1 (2019-02-05 19:17))
 1  Manage operating system
 2  Update operating system
 3  Start selected operating system
 4  Manage configurations
 5  Show boot code information
 q  End (reset and reboot)
sysMon1>
Figure 12: System Monitor 1 screen display
 Select a menu item by entering the number.
 To leave a submenu and return to the main menu of System Monitor 1, press the <ESC> key.
2 Specifying the IP parameters
When you install the device for the first time, enter the IP parameters.
The device provides the following options for entering the IP parameters during the first installation:
 Entry using the Command Line Interface.
When you preconfigure your device outside its operating environment, or restore the network
access (“In-Band”) to the device, choose this “Out-of-Band” method.
 Entry using the HiDiscovery protocol.
When you have a previously installed network device or you have another Ethernet connection
between your PC and the device, you choose this “In-Band” method.
 Configuration using the external memory.
When you are replacing a device with a device of the same type and have already saved the
configuration in the external memory, you choose this method.
 Using BOOTP.
To configure the installed device using BOOTP, you choose this “In-Band” method. You need a
BOOTP server for this method. The BOOTP server assigns the configuration data to the device
using its MAC address. The DHCP mode is the default mode for the configuration data
reference.
 Configuration using DHCP.
To configure the installed device using DHCP, you choose this “In-Band” method. You need a
DHCP server for this method. The DHCP server assigns the configuration data to the device
using its MAC address or its system name.
 Configuration using the Graphical User Interface.
When the device already has an IP address and is reachable using the network, the Graphical
User Interface provides you with another option for configuring the IP parameters.
2.1 IP parameter basics
2.1.1 IP address (version 4)
The IP addresses consist of 4 bytes. Write these 4 bytes in decimal notation, separated by a
decimal point.
RFC 1340, written in 1992, defines 5 IP address classes.
Table 9: IP address classes
Class   Network address   Host address   Address range
A       1 Byte            3 Bytes        0.0.0.0 to 127.255.255.255
B       2 Bytes           2 Bytes        128.0.0.0 to 191.255.255.255
C       3 Bytes           1 Byte         192.0.0.0 to 223.255.255.255
D                                        224.0.0.0 to 239.255.255.255
E                                        240.0.0.0 to 255.255.255.255
The first byte of an IP address is the network address. The worldwide leading regulatory board for
assigning network addresses is the IANA ("Internet Assigned Numbers Authority"). When you
require an IP address block, contact your Internet Service Provider (ISP). Your ISP contacts their
local higher-level organization to reserve an IP address block:
 APNIC (Asia Pacific Network Information Center)
Asia/Pacific Region
 ARIN (American Registry for Internet Numbers)
Americas and Sub-Sahara Africa
 LACNIC (Regional Latin-American and Caribbean IP Address Registry)
Latin America and some Caribbean Islands
 RIPE NCC (Réseaux IP Européens)
Europe and Surrounding Regions
Class A   leading bit 0        Net ID - 7 bits    Host ID - 24 bits
Class B   leading bits 1 0     Net ID - 14 bits   Host ID - 16 bits
Class C   leading bits 1 1 0   Net ID - 21 bits   Host ID - 8 bits
Class D   leading bits 1 1 1 0 Multicast Group ID - 28 bits
Class E   leading bits 1 1 1 1 reserved for future use - 28 bits
Figure 13: Bit representation of the IP address
When the first bit of an IP address is a zero, it belongs to class A; for example, the first octet is less
than 128.
When the first bit of an IP address is a one and the second bit is a zero, it belongs to class B; for
example, the first octet is between 128 and 191.
When the first 2 bits of an IP address are a one, it belongs to class C; for example, the first octet is
higher than 191.
Assigning the host address (host ID) is the responsibility of the network operator. The network
operator alone is responsible for the uniqueness of the assigned IP addresses.
2.1.2 Netmask
Routers and Gateways subdivide large networks into subnetworks. The netmask assigns the IP
addresses of the individual devices to a particular subnetwork.
You perform subnetwork division using the netmask in much the same way as the division of the
network addresses (net id) into classes A to C.
Set the bits of the host address (host id) that represent the mask to one. Set the remaining host
address bits to zero (see the following examples).
Example of a subnet mask:
Decimal notation: 255.255.192.0
Binary notation:  11111111.11111111.11000000.00000000
Bits 1 to 16: Class B. Bits 17 and 18: Subnetwork mask bits.
Example of applying the subnet mask to IP addresses for subnetwork assignment:
Decimal notation: 129.218.65.17 (128 < 129 ≤ 191 → Class B)
Binary notation:  10000001.11011010.01000001.00010001
Bits 1 to 16: Network address. Bits 17 and 18 (01): Subnetwork 1.
Decimal notation: 129.218.129.17 (128 < 129 ≤ 191 → Class B)
Binary notation:  10000001.11011010.10000001.00010001
Bits 1 to 16: Network address. Bits 17 and 18 (10): Subnetwork 2.
Example of how the netmask is used
In a large network it is possible that Gateways and routers separate the management agent from
its network management station. How does addressing work in such a case?
Figure 14: The management agent is separated from its network management station by a router
(Diagram labels: Romeo, Juliet, Lorenzo, LAN 1, LAN 2)
The network management station “Romeo” wants to send data to the management agent “Juliet”.
Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet.
Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination
address; for the source address he writes his own IP address on the envelope.
Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination
and his own MAC address as the source. This process is comparable to going from Layer 3 to
Layer 2 of the ISO/OSI base reference model.
Finally, Romeo puts the entire data packet into the mailbox which is comparable to going from
Layer 2 to Layer 1, that means to sending the data packet over the Ethernet.
Lorenzo receives the letter, removes the outer envelope and recognizes from the inner envelope
that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and
searches his address list (the ARP table) for Juliet's MAC address; he writes her MAC address on
the outer envelope as the destination address and his own MAC address as the source address.
He then places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with
Romeo's IP address. Opening the inner envelope and reading its contents corresponds to
transferring the message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's
IP address as destination and her own IP address as source. But where is she to send the answer?
For she did not receive Romeo's MAC address. It was lost, because Lorenzo replaced the outer
envelope.
In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of
communicating with Romeo. She therefore puts the envelope with the IP addresses in a further
envelope with Lorenzo's MAC destination address.
The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from
Romeo to Juliet.
2.1.3 Classless Inter-Domain Routing
Class C with a maximum of 254 addresses was too small, and class B with a maximum of
65534 addresses was too large for most users, resulting in an ineffective usage of the available
class B addresses.
Class D contains reserved Multicast addresses. Class E is for experimental purposes. A non-participating Gateway ignores experimental datagrams with these destination addresses.
Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a
solution. CIDR overcomes these class boundaries and supports classless address ranges.
With CIDR, you enter the number of bits that designate the IP address range. You represent the IP
address range in binary form and count the mask bits that designate the netmask. The mask bits
equal the number of bits used for the subnet in a given IP address range.
Example:
IP address, decimal   Network mask, decimal   IP address, binary
192.168.112.1         255.255.255.128         11000000 10101000 01110000 00000001
192.168.112.127                               11000000 10101000 01110000 01111111
                                              (25 mask bits)
CIDR notation: 192.168.112.0/25 (the number after the slash is the number of mask bits)
The term “supernetting” refers to combining a number of class C address ranges. Supernetting
enables you to subdivide class B address ranges to a fine degree.
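The netmask and CIDR examples above, carried through in code: the following added example (not part of the manual) computes the address class, the subnetwork address and the CIDR notation for the addresses used in this chapter, and makes the decision from the Romeo and Juliet example of whether a frame goes directly to the destination or to the Gateway. The Gateway address 129.218.64.1 in the demonstration is constructed.

```python
def to_int(dotted: str) -> int:
    """Convert dotted decimal notation (4 bytes) to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"{dotted!r} does not have 4 bytes")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"byte {part!r} in {dotted!r} is outside 0 to 255")
        value = (value << 8) | octet
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """Class according to the address ranges in Table 9."""
    first = to_int(ip) >> 24
    for limit, name in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return name
    return "E"


def prefix_length(netmask: str) -> int:
    """Number of mask bits; rejects masks whose one-bits are not contiguous."""
    mask = to_int(netmask)
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):       # host part must look like 0...01...1
        raise ValueError(f"{netmask!r} is not a contiguous netmask")
    return bin(mask).count("1")


def network_address(ip: str, netmask: str) -> str:
    prefix_length(netmask)                # validation only
    return to_dotted(to_int(ip) & to_int(netmask))


def cidr(ip: str, netmask: str) -> str:
    return f"{network_address(ip, netmask)}/{prefix_length(netmask)}"


def next_hop(source: str, destination: str, netmask: str, gateway: str) -> str:
    """IP address whose MAC address goes on the outer envelope."""
    if network_address(source, netmask) == network_address(destination, netmask):
        return destination                # same subnetwork: deliver directly
    if gateway == "0.0.0.0":              # default setting: no Gateway entered
        raise ValueError("destination is in another subnetwork and no Gateway is set")
    return gateway


if __name__ == "__main__":
    mask = "255.255.192.0"
    for ip in ("129.218.65.17", "129.218.129.17"):
        print(ip, "class", address_class(ip), "subnetwork", cidr(ip, mask))
    # Constructed Gateway address inside the first subnetwork.
    print("next hop:", next_hop("129.218.65.17", "129.218.129.17", mask, "129.218.64.1"))
    print(cidr("192.168.112.127", "255.255.255.128"))
```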
2.2 Specifying the IP parameters using the Command Line Interface
There are several methods for entering the system configuration: BOOTP/DHCP, the
HiDiscovery protocol, or the external memory. You also have the option of performing the
configuration over the serial interface using the Command Line Interface.
The device lets you specify the IP parameters using the HiDiscovery protocol or using the
Command Line Interface over the serial interface.
Entering IP addresses
→ Connect the PC with terminal program started to the RJ11 socket
→ Command Line Interface starts after key press
→ Log in and change to the Privileged EXEC Mode
→ Enter and save IP parameters
→ End of entering IP addresses
Figure 15: Flow chart for entering IP addresses
Note: If a terminal or PC with terminal emulation is unavailable in the vicinity of the installation
location, you can configure the device at your own workstation, then take it to its final installation
location.
 Set up a connection to the device.
The start screen appears.
 Deactivate DHCP.
 Enter the IP parameters.
 Local IP address
In the default setting, the local IP address is 0.0.0.0.
 Netmask
When you divided your network into subnetworks, and these are identified with a netmask,
enter the netmask here. In the default setting, the local netmask is 0.0.0.0.
 IP address of the Gateway.
This entry is only required, in cases where the device and the network management station
or TFTP server are located in different subnetworks (see on page 44 “Example of how the
netmask is used”).
Specify the IP address of the Gateway between the subnetwork with the device and the path
to the network management station.
In the default setting, the IP address is 0.0.0.0.
 Save the configuration specified using copy config running-config nvm.
enable
    Change to the Privileged EXEC mode.
network protocol none
    Deactivating DHCP.
network parms 10.0.1.23 255.255.255.0
    Assign the device the IP address 10.0.1.23 and the netmask 255.255.255.0.
    You have the option of also assigning a Gateway address.
copy config running-config nvm
    Save the current settings in the non-volatile memory (nvm) in the “selected”
    configuration profile.
After entering the IP parameters, you easily configure the device using the Graphical User
Interface.
2.3 Specifying the IP parameters using HiDiscovery
The HiDiscovery protocol enables you to assign IP parameters to the device using the Ethernet.
You easily configure other parameters using the Graphical User Interface.
Install the HiDiscovery software on your PC. The software is on the product DVD supplied with the
device.
 To install it, you start the installation program on the DVD.
 Start the HiDiscovery program.
Figure 16: HiDiscovery
When HiDiscovery is started, HiDiscovery automatically searches the network for those devices
which support the HiDiscovery protocol.
HiDiscovery uses the first network interface found for the PC. When your computer has several
network cards, you can select the one you desire in the HiDiscovery toolbar.
HiDiscovery displays a line for every device that responds to a HiDiscovery protocol inquiry.
HiDiscovery enables you to identify the devices displayed.
 Select a device line.
 To set the LEDs to flashing for the selected device, click the Signal button on the tool bar. To
stop the flashing, click the Signal button again.
 By double-clicking a line, you open a window in which you specify the device name and the IP
parameter.
Figure 17: HiDiscovery – assigning IP parameters
Note: Disable the HiDiscovery function in the device, after you have assigned the IP parameters to
the device.
Note: Save the settings so that you will still have the entries after a restart.
2.3.1 Relay
When you connect the management station to a switching subnetwork, the HiDiscovery requests
collect information from the devices located in that subnetwork. The HiDiscovery Relay lets you
discover and set IP parameters on devices in other subnetworks.
The HiDiscovery function and the HiDiscovery Relay are independent from each other. You can
enable the HiDiscovery Relay without enabling the HiDiscovery function. When you activate the
relay with the function disabled, the device forwards the requests to other subnetworks, but does
not respond to requests.
The HiDiscovery Relay is active in the default setting.
Note: When you activate the HiDiscovery Relay, the device forwards requests received on the
router interfaces only to other router interfaces. A loopback interface is an internal virtual router
interface. If you connect the management station to a loopback interface, then the device does not
forward the request to the other connected subnetworks. The device does not forward responses
received on a router interface to the subnetwork of the management station.
2.3.2 Example configuration
Figure 18: Management station connected to a switch.
(Diagram labels: subnetworks 192.168.45.0, 192.168.46.0 and 192.168.47.0; switches Sw A, Sw B, Sw C and Sw D; routers Rt A and Rt B)
To poll devices in the 192.168.47.0 subnetwork use the following steps on both Rt A and Rt B.
With the relay activated on router Rt A, the device forwards the request packets into the
192.168.47.0 subnetwork. With the relay activated on router Rt B, the device returns the
responses from the 192.168.47.0 subnetwork back to the management station.
When the HiDiscovery Relay is inactive on either router, the management station only displays the
devices located in the 192.168.45.0 subnetwork.
The prerequisite for these steps is that you already configured the device as a router and installed
it in a network.
 Open the Basic Settings > Network dialog.
 In the HiDiscovery protocol v1/v2 frame, mark the Relay status checkbox.
enable
    Change to the Privileged EXEC mode.
network hidiscovery relay
    Activating the HiDiscovery relay.
2.4 Specifying the IP parameters using the Graphical User Interface
Perform the following steps:
 Open the Basic Settings > Network dialog.
In this dialog you first specify the source from which the device gets its IP parameters after
starting. You also define the VLAN in which the device management can be accessed,
configure the HiDiscovery access and allocate manual IP parameters.
 In the Management interface frame you first specify where the device gets its IP parameters
from:
 In the BOOTP mode, the configuration is performed using a BOOTP or DHCP server on the
basis of the MAC address of the device.
 In the DHCP mode, the configuration is performed using a DHCP server on the basis of the
MAC address or the name of the device.
 In the Local mode, the device uses the network parameters from the internal device
memory.
Note: When you change the allocation mode of the IP address, the device activates the new
mode immediately after you click the button.
 In the VLAN ID column you specify the VLAN in which the device management can be
accessed over the network.
 Note here that you can only access the device management using ports that are members
of the relevant VLAN.
The MAC address field displays the MAC address of the device with which you access the
device over the network.
 In the HiDiscovery protocol v1/v2 frame you specify the settings for accessing the device
using the HiDiscovery software.
 The HiDiscovery protocol lets you allocate an IP address to the device on the basis of its
MAC address. Activate the HiDiscovery protocol if you want to allocate an IP address to
the device from your PC with the HiDiscovery software.
 If required, you enter the IP address, the netmask and the Gateway in the IP parameter
frame.
 To save the changes temporarily, click the button.
2.5 Specifying the IP parameters using BOOTP
With the BOOTP function activated, the device sends a boot request message to the BOOTP server.
The boot request message contains the Client ID configured in the Basic Settings > Network dialog.
The BOOTP server enters the Client ID into a database and assigns an IP address. The server
answers with a boot reply message. The boot reply message contains the assigned IP address.
2.6 Specifying the IP parameters using DHCP
The DHCP (Dynamic Host Configuration Protocol) is a further development of BOOTP, which it has
replaced. DHCP additionally lets you configure a DHCP client using a name instead of
using the MAC address.
For the DHCP, this name is known as the “Client Identifier” in accordance with RFC 2131.
The device uses the name entered under sysName in the system group of the MIB II as the Client
Identifier. You can change the system name using the Graphical User Interface (see dialog Basic
Settings > System), the Command Line Interface or SNMP.
The device sends its system name to the DHCP server. The DHCP server then uses the system
name to allocate an IP address as an alternative to the MAC address.
In addition to the IP address, the DHCP server sends
 the netmask
 the default Gateway (if available)
 the TFTP URL of the configuration file (if available).
The device applies the configuration data to the appropriate parameters. When the DHCP server
assigns the IP address, the device permanently saves the configuration data in non-volatile
memory.
Table 10: DHCP options which the device requests
Options   Meaning
1         Subnet Mask
2         Time Offset
3         Router
4         Time server
12        Host Name
42        NTP server
61        Client Identifier
66        TFTP Server Name
67        Bootfile Name
The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity
of the configuration parameters (“Lease”) to a specific time period (known as dynamic address
allocation). Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew
this lease. Alternatively, the client can negotiate a new lease. The DHCP server then allocates a
random free address.
To help avoid this, DHCP servers provide the explicit configuration option of assigning a specific
client the same IP address based on a unique hardware ID (known as static address allocation).
In the default setting, DHCP is activated. As long as DHCP is activated, the device attempts to
obtain an IP address. When the device cannot find a DHCP server after restarting, it will not have
an IP address. The Basic Settings > Network dialog lets you activate or deactivate DHCP.
Note: When using Industrial HiVision network management, verify that DHCP allocates the original
IP address to every device.
The appendix contains an example configuration of the BOOTP/DHCP-server.
Example of a DHCP-configuration file:
# /etc/dhcpd.conf for DHCP Daemon
#
subnet 10.1.112.0 netmask 255.255.240.0 {
  option subnet-mask 255.255.240.0;
  option routers 10.1.112.96;
}
#
# Host berta requests IP configuration
# with her MAC address
#
host berta {
  hardware ethernet 00:80:63:08:65:42;
  fixed-address 10.1.112.82;
}
#
# Host hugo requests IP configuration
# with his client identifier.
#
host hugo {
  #
  option dhcp-client-identifier "hugo";
  option dhcp-client-identifier 00:68:75:67:6f;
  fixed-address 10.1.112.83;
  server-name "10.1.112.11";
  filename "/agent/config.dat";
}
Lines beginning with the # character contain comments.
The lines preceding the individually listed devices refer to settings that apply to the following device.
The fixed-address line assigns a permanent IP address to the device.
For further information, please refer to the DHCP server manual.
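The DHCP reply can name the TFTP location of the configuration file that the device applies, so it is worth checking that replies carry the intended Client Identifier, TFTP server and file name. The following Python code is an added example, not part of the manual: it parses a constructed DHCP options field that places the values of host hugo in options 61, 66 and 67 from Table 10 and lists any deviation from the expected values. All function and variable names are assumptions.

```python
import ipaddress

# Option codes from Table 10 that this example decodes.
NAMES = {1: "subnet_mask", 3: "router", 61: "client_id", 66: "tftp_server", 67: "bootfile"}

def parse_options(buf: bytes) -> dict:
    """Walk a DHCP options field (the bytes after the magic cookie)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                    # pad option: a single byte
            i += 1
            continue
        if code == 255:                  # end option
            break
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"option {code} truncated at offset {i}")
        end = i + 2 + buf[i + 1]
        out[code] = buf[i + 2:end]
        i = end
    return out

def decode(opts: dict) -> dict:          # raw option values -> printable strings
    res = {}
    for code, raw in opts.items():
        name = NAMES.get(code)
        if name in ("subnet_mask", "router"):
            res[name] = str(ipaddress.IPv4Address(raw[:4]))
        elif name == "client_id":        # type byte 0 marks a name, not a MAC
            res[name] = (raw[1:].decode("ascii", "replace")
                         if raw[:1] == b"\x00" else raw.hex(":"))
        elif name:
            res[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return res

def deviations(decoded: dict, expected: dict) -> list:
    """List every expected parameter that the reply omits or changes."""
    return [f"{k}: got {decoded.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if decoded.get(k) != v]

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed reply options carrying the values of host "hugo" above.
SAMPLE = (opt(1, bytes([255, 255, 240, 0])) + opt(3, bytes([10, 1, 112, 96]))
          + opt(61, bytes.fromhex("006875676f")) + opt(66, b"10.1.112.11")
          + opt(67, b"/agent/config.dat") + b"\xff")
EXPECTED = {"client_id": "hugo", "tftp_server": "10.1.112.11",
            "bootfile": "/agent/config.dat"}
```

Calling deviations(decode(parse_options(SAMPLE)), EXPECTED) returns an empty list for the constructed reply; a changed or missing TFTP server or file name appears as one entry each.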
2.7 Management address conflict detection
You can assign an IP address to the device using several different methods. This function helps the
device detect IP address conflicts on a network after boot-up; the device also checks
periodically during operation. This function is described in RFC 5227.
When enabled, the device sends an SNMP trap informing you that it detected an IP address
conflict.
The following list contains the default settings for this function:
• Operation: On
• Detection mode: active and passive
• Send periodic ARP probes: marked
• Detection delay [ms]: 200
• Release delay [s]: 15
• Address protections: 3
• Protection interval [ms]: 200
• Send trap: marked
2.7.1 Active and passive detection
Actively checking the network helps prevent the device from connecting to the network with a
duplicate IP address. After connecting the device to a network or after configuring the IP address,
the device immediately checks whether its IP address exists within the network. To check the
network for address conflicts, the device sends 4 ARP probes with the detection delay of 200 ms
into the network. When the IP address exists, the device attempts to return to the previous
configuration, and makes another check after the configured release delay time.
When you disable active detection, the device sends 2 gratuitous ARP announcements in 2 s
intervals. Using the ARP announcements with passive detection enabled, the device polls the
network to determine whether there is an address conflict. After resolving an address conflict or
after the release delay time has expired, the device reconnects to the network. Following 10 detected
conflicts, when the configured release delay interval is less than 60 s, the device sets the release
delay interval to 60 s.
After the device performs active detection or you disable the active detection function, with passive
detection enabled the device listens on the network for other devices using the same IP address.
When the device detects a duplicate IP address, it initially defends its address by employing the
ACD mechanism in the passive detection mode and sends out gratuitous ARPs. The number of
protections that the device sends and the protection interval are configurable. To resolve conflicts,
if the remote device remains connected to the network, then the network interface of the local
device disconnects from the network.
When a DHCP server assigns an IP address to the device and an address conflict occurs, the
device returns a DHCP decline message.
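The conflict test behind active and passive detection, written after RFC 5227 as an added Python example that is not part of the manual: it classifies ARP records, returns those that show another station using the address, and applies the release delay rule stated above. The ARP records, MAC addresses and function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    op: int      # 1 = request, 2 = reply
    sha: str     # sender hardware (MAC) address
    spa: str     # sender protocol (IP) address
    tpa: str     # target protocol (IP) address

def kind(p: Arp) -> str:
    """Name the RFC 5227 packet type."""
    if p.op == 1 and p.spa == "0.0.0.0":
        return "probe"            # asks about tpa without claiming it
    if p.spa == p.tpa:
        return "announcement"     # gratuitous ARP claiming spa
    return "request" if p.op == 1 else "reply"

def conflicts(packets, my_ip, my_mac, probing):
    """Return the packets that show another station using my_ip.

    probing=True is the active check before the address is in use; a
    foreign probe for the same address then counts as a conflict too."""
    hits = []
    for p in packets:
        if p.sha == my_mac:
            continue              # our own frame
        if p.spa == my_ip or (probing and kind(p) == "probe" and p.tpa == my_ip):
            hits.append(p)
    return hits

def release_delay(configured_s: int, detected: int) -> int:
    """Rule from the text: after 10 detected conflicts a release delay
    below 60 s is raised to 60 s."""
    return 60 if detected >= 10 and configured_s < 60 else configured_s

ME_IP, ME_MAC = "10.1.112.82", "02:00:00:00:00:01"    # constructed
CAPTURE = [                                            # constructed ARP records
    Arp(1, ME_MAC, "0.0.0.0", ME_IP),                  # our own probe
    Arp(1, "02:00:00:00:00:02", "10.1.112.83", "10.1.112.96"),  # unrelated
    Arp(1, "02:00:00:00:00:03", "0.0.0.0", ME_IP),     # foreign probe for our IP
    Arp(2, "02:00:00:00:00:04", ME_IP, ME_IP),         # foreign announcement
]
```

With probing=True both foreign records count as conflicts; with probing=False only the record whose sender IP equals the local address does.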
The device uses the ARP probe method. This has the following advantages:
• ARP caches on other devices remain unchanged
• the method is robust through multiple ARP probe transmissions
3 Access to the device
3.1 First login (Password change)
To help prevent undesired access to the device, it is imperative that you change the default
password during initial setup.
Perform the following steps:
• Open the Graphical User Interface, the Command Line Interface, or HiView the first time you log
  on to the device.
• Log on to the device with the default password.
  The device prompts you to type in a new password.
• Type in your new password.
  To help increase security, choose a password that contains at least 8 characters, including
  upper-case characters, lower-case characters, numerical digits, and special characters.
• When you log on to the device with the Command Line Interface, the device prompts you
  to confirm your new password.
• Log on to the device again with your new password.
Note: If you lost your password, then use the System Monitor to reset the password.
For further information see: hirschmann-support.belden.com.
3.2 Authentication lists
When a user accesses the device using a specific connection, the device verifies the credentials of
the user in an authentication list which contains the policies that the device applies for
authentication.
The prerequisite for a user's access to the device management is that at least one policy is
assigned to the authentication list of the application through which access is performed.
3.2.1 Applications
The device provides an application for each type of connection through which someone accesses
the device:
• Access to the Command Line Interface using a serial connection: Console(V.24)
• Access to the Command Line Interface using SSH: SSH
• Access to the Command Line Interface using Telnet: Telnet
• Access to the Graphical User Interface: WebInterface
The device also provides an application to control the access to the network from connected end
devices using port-based access control: 8021x
3.2.2 Policies
When a user logs in with valid login data, the device lets the user have access to its device
management. The device authenticates the users using the following policies:
• User management of the device
• LDAP
• RADIUS
When the end device logs in with valid login data, the device lets the connected end devices have
access to the network with the port-based access control according to IEEE 802.1X. The device
authenticates the end devices using the following policies:
• RADIUS
• IAS (Integrated Authentication Server)
The device gives you the option of a fall-back solution. For this, you specify more than one policy
in the authentication list. When authentication is unsuccessful using the current policy, the device
applies the next specified policy.
3.2.3 Managing authentication lists
You manage the authentication lists in the Graphical User Interface or in the Command Line
Interface.
Perform the following steps:
• Open the Device Security > Authentication List dialog.
  The dialog displays the authentication lists that are set up.
show authlists
    Displays the authentication lists that are set up.
• Deactivate the authentication list for those applications by means of which no access to the
  device is performed, for example 8021x.
  • In the Active column of the authentication list defaultDot1x8021AuthList, unmark the
    checkbox.
  • To save the changes temporarily, click the button.
authlists disable defaultDot1x8021AuthList
    Deactivates the authentication list defaultDot1x8021AuthList.
3.2.4 Adjust the settings
Example:
Set up a separate authentication list for the application WebInterface which is by default included
in the authentication list defaultLoginAuthList. The device forwards authentication requests to
a RADIUS server in the network. As a fall-back solution, the device authenticates users using the
local user management.
Perform the following steps:
• Create an authentication list loginGUI.
  • Open the Device Security > Authentication List dialog.
  • Click the button.
    The dialog displays the Create window.
  • Enter a meaningful name in the Name field.
    In this example, enter the name loginGUI.
  • Click the Ok button.
    The device adds a new table entry.
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
authlists add loginGUI
    Creates the authentication list loginGUI.
• Select the policies for the authentication list loginGUI.
  • In the Policy 1 column, select the value radius.
  • In the Policy 2 column, select the value local.
  • In the Policy 3 to Policy 5 columns, select the value reject to help prevent further fall-back.
  • In the Active column, mark the checkbox.
  • To save the changes temporarily, click the button.
authlists set-policy loginGUI radius local reject reject reject
    Assigns the policies radius, local and reject to the authentication list loginGUI.
show authlists
    Displays the authentication lists that are set up.
authlists enable loginGUI
    Activates the authentication list loginGUI.
• Assign an application to the authentication list loginGUI.
  • In the Device Security > Authentication List dialog, highlight the authentication list loginGUI.
  • Click the button and then the Allocate applications item.
    The dialog displays the Allocate applications window.
  • In the left column, highlight the application WebInterface.
  • Click the button.
    The right column now displays the application WebInterface.
  • Click the Ok button.
    The dialog displays the updated settings:
    – The Dedicated applications column of authentication list loginGUI displays the
      application WebInterface.
    – The Dedicated applications column of authentication list defaultLoginAuthList does
      not display the application WebInterface anymore.
  • To save the changes temporarily, click the button.
show appllists
    Displays the applications and the allocated lists.
appllists set-authlist WebInterface loginGUI
    Assigns the application WebInterface to the authentication list loginGUI.
3.3 User management
When a user logs in with valid login data, the device lets the user have access to its device
management. The device authenticates the users either using the local user management or with
a RADIUS server in the network. To get the device to use the user management, assign the local
policy to an authentication list, see the Device Security > Authentication List dialog.
In the local user management, you manage the user accounts. One user account is usually
allocated to each user.
3.3.1 Access roles
The device lets you use a role-based authorization model to specifically control the access to the
device management. Users to whom a specific authorization profile is allocated are allowed to use
commands and functions from the same authorization profile or a lower one.
The device uses the authorization profiles on every application with which the device management
can be accessed.
Every user account is linked to an access role that regulates the access to the individual functions
of the device. Depending on the planned activity for the respective user, you assign a pre-defined
access role to the user. The device differentiates between the following access roles.
Table 11: Access roles for user accounts

Role: Administrator
Description: The user is authorized to monitor and administer the device.
Authorized for the following activities: All activities with read/write access, including the
following activities reserved for an administrator:
• Add, modify or delete user accounts
• Activate, deactivate or unlock user accounts
• Change every password
• Configure password management
• Set or change system time
• Load files to the device, for example device configurations, certificates or software images
• Reset settings and security-related settings to the state on delivery
• Configure RADIUS server and authentication lists
• Apply scripts using the Command Line Interface
• Enable/disable CLI logging and SNMP logging
• External memory activation and deactivation
• System monitor activation and deactivation
• Enable/disable the services for the access to the device management (for example SNMP).
• Configure access restrictions to the Graphical User Interface or the Command Line Interface
  based on the IP addresses

Role: Operator
Description: The user is authorized to monitor and configure the device - with the exception of
security-related settings.
Authorized for the following activities: All activities with read/write access, with the
exception of the above-named activities, which are reserved for an administrator.

Role: Auditor
Description: The user is authorized to monitor the device and to save the log file in the
Diagnostics > Report > Audit Trail dialog.
Authorized for the following activities: Monitoring activities with read access.

Role: Guest
Description: The user is authorized to monitor the device - with the exception of
security-related settings.
Authorized for the following activities: Monitoring activities with read access.

Role: Unauthorized
Description: No access to the device possible.
• As an administrator you assign this access role to temporarily lock a user account.
• If an administrator assigns a different access role to the user account and an error occurs,
  then the device assigns this access role to the user account.
Authorized for the following activities: No activities allowed.
3.3.2 Managing user accounts
You manage the user accounts in the Graphical User Interface or in the Command Line Interface.
Perform the following steps:
• Open the Device Security > User Management dialog.
  The dialog displays the user accounts that are set up.
show users
    Displays the user accounts that are set up.
3.3.3 Default setting
In the state on delivery, the user accounts admin and user are set up in the de
