advertisement
▼
Scroll to page 2
of 1101
Hirschmann Automation and Control GmbH RSP HiOS-3S Rel. 08100 Reference Manual Graphical User Interface User Manual Configuration Reference Manual Graphical User Interface Rail Switch Power HiOS-3S RM GUI RSP Release 8.1 12/2019 Technical support https://hirschmann-support.belden.com The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone. © 2019 Hirschmann Automation and Control GmbH Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document. Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract. You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com). Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany 2019-12-05 RM GUI RSP Release 8.1 12/2019 Contents Contents Safety instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 About this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Notes on the Graphical User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Load/Save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . External Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 17 22 26 29 40 43 51 2 2.1 2.2 2.2.1 2.2.2 2.3 2.3.1 2.3.2 2.3.2.1 2.3.2.2 2.3.3 2.3.3.1 2.3.3.2 Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Global. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Boundary Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Boundary Clock Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Boundary Clock Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Transparent Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Transparent Clock Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP Transparent Clock Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 53 57 58 62 64 65 67 68 73 76 77 80 3 3.1 3.2 3.3 3.3.1 3.3.2 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.5 Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Authentication List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 LDAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 LDAP Role Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 IP Access Restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 SNMPv1/v2 Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Pre-login Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 4 4.1 4.2 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Network Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Port Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 RM GUI RSP Release 8.1 12/2019 3 Contents 4.3 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5 4.5 4.5.1 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.7 4.7.1 4.7.2 4.7.3 4.7.4 4.8 4.8.1 4.8.2 4.8.3 4.8.4 802.1X Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X Port Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X EAPOL Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X Port Authentication History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1X Integrated Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS Accounting Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DoS Global. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Snooping Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Snooping Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Snooping Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Snooping Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic ARP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic ARP Inspection Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic ARP Inspection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic ARP Inspection ARP Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic ARP Inspection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL IPv4 Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL MAC Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL Time Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 130 133 139 141 143 145 146 147 149 151 153 155 156 157 160 162 164 167 168 169 171 173 176 177 178 179 187 193 195 5 5.1 5.2 5.3 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.5.1 5.5.2 5.5.3 5.6 5.6.1 Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Switching Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rate Limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Filter for MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping Querier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Snooping Multicasts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP-IEEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP-IEEE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP-IEEE Multiple MAC Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP-IEEE Multiple VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 198 201 204 206 207 209 213 216 219 220 221 222 226 229 230 4 RM GUI RSP Release 8.1 12/2019 Contents 5.6.2 5.7 5.7.1 5.7.2 5.7.3 5.7.4 5.7.5 5.7.6 5.7.6.1 5.7.6.2 5.7.6.3 5.7.6.4 5.7.6.5 5.8 5.8.1 5.8.2 5.8.3 5.8.4 5.8.5 5.8.6 5.8.7 5.9 5.9.1 5.9.2 5.9.3 5.9.3.1 5.9.3.2 5.9.4 5.9.4.1 5.9.4.2 5.9.4.3 5.9.4.4 5.9.5 5.9.5.1 5.9.5.2 5.9.5.3 5.9.5.4 5.9.6 5.9.6.1 5.9.6.2 5.9.6.3 5.9.7 5.9.8 5.9.9 5.9.9.1 5.9.9.2 5.9.9.3 RM GUI RSP GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . QoS/Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . QoS/Priority Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . QoS/Priority Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1D/p Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP DSCP Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Queue Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DiffServ Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN Voice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAC Based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subnet Based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protocol Based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L2-Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIPER Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DLR (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DLR Configuration (depends on hardware). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DLR Statistics (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP Configuration (depends on hardware). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP DAN/VDAN Table (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP Proxy Node Table (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP Statistics (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR Configuration (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR DAN/VDAN Table (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR Proxy Node Table (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR Statistics (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree MSTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Link Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FuseNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sub Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ring/Network Coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Redundant Coupling Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Release 8.1 12/2019 232 233 234 235 237 239 241 242 243 244 245 251 259 260 262 263 265 267 270 271 273 274 275 279 280 282 286 289 290 293 294 295 296 297 301 302 303 304 305 312 317 326 333 335 337 342 348 5 Contents 6 6.1 6.2 6.2.1 6.3 6.3.1 6.3.2 6.3.3 6.4 6.5 6.6 6.6.1 6.6.2 6.6.3 6.6.4 6.6.5 6.6.6 6.6.7 6.6.8 6.7 6.8 6.8.1 6.8.2 6.9 6.10 6.11 6.11.1 6.11.2 6.11.3 6.11.4 6.11.4.1 6.11.4.2 6.11.4.3 6.12 6.12.1 6.12.1.1 6.12.1.2 6.12.1.3 6.12.1.4 6.13 6.13.1 6.13.1.1 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing Interfaces Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP Current. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Open Shortest Path First . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Stub Areas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Not So Stubby Areas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Virtual Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tracking Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tracking Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L3 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Loopback Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Routing Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Routing Boundary Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Routing Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Proxy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP Proxy Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L3-Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1:1 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1:1 NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 351 354 355 360 361 363 364 365 368 374 376 384 386 388 391 397 400 402 413 417 418 424 425 430 432 433 437 439 440 441 448 450 452 452 453 467 469 471 472 473 474 7 7.1 7.1.1 7.1.2 Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Status Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 476 477 481 6 RM GUI RSP Release 8.1 12/2019 Contents 7.1.3 7.1.3.1 7.1.4 7.1.5 7.2 7.2.1 7.2.2 7.2.3 7.2.4 7.2.5 7.2.6 7.3 7.3.1 7.3.2 7.3.3 7.4 7.5 7.5.1 7.5.2 7.5.3 7.5.4 7.5.5 7.6 7.6.1 7.6.2 7.7 7.7.1 7.7.2 7.8 7.8.1 7.8.2 7.8.3 7.8.4 Signal Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Signal Contact 1 / Signal Contact 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAC Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alarms (Traps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hardware State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Check. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP Address Conflict Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Selftest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Email Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Email Notification Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Email Notification Recipients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Email Notification Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SFP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TP cable diagnosis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Auto-Disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LLDP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LLDP Topology Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SFlow Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SFlow Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Report Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Persistent Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 489 493 496 498 499 500 501 503 508 509 511 512 516 517 519 522 523 525 527 539 543 547 548 552 555 557 559 560 561 565 568 569 8 8.1 8.1.1 8.1.2 8.2 8.2.1 8.2.2 8.2.3 8.3 8.3.1 8.3.1.1 8.3.1.2 8.3.1.3 Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP L2 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP L2 Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP L2 Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Server Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Server Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Server Lease Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Client Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Client Current . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Client Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 570 571 574 575 576 577 581 582 582 583 584 585 RM GUI RSP Release 8.1 12/2019 7 Contents 8.3.1.4 8.4 8.4.1 8.4.2 8.4.3 8.4.4 8.5 DNS Client Static Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Industrial Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IEC61850-MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Modbus TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PROFINET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EtherNet/IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 B Further support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 C Readers’ Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 8 587 588 589 592 594 597 598 RM GUI RSP Release 8.1 12/2019 Safety instructions Safety instructions WARNING UNCONTROLLED MACHINE ACTIONS To avoid uncontrolled machine actions caused by data loss, configure all the data transmission devices individually. Before you start any machine which is controlled via data transmission, be sure to complete the configuration of all data transmission devices. Failure to follow these instructions can result in death, serious injury, or equipment damage. RM GUI RSP Release 8.1 12/2019 9 About this Manual About this Manual The “Configuration” user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The “Installation” user manual contains a device description, safety instructions, a description of the display, and the other information that you need to install the device. The “Graphical User Interface” reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device. The “Command Line Interface” reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device. The Industrial HiVision Network Management software provides you with additional options for smooth configuration and monitoring: Auto-topology discovery Browser interface Client/server structure Event handling Event log Simultaneous configuration of multiple devices Graphical user interface with network layout SNMP/OPC gateway 10 RM GUI RSP Release 8.1 12/2019 Key Key The designations used in this manual have the following meanings: List Work step Link Cross-reference with link Note: A note emphasizes a significant fact or draws your attention to a dependency. Courier Representation of a CLI command or field contents in the graphical user interface Execution in the Graphical User Interface Execution in the Command Line Interface RM GUI RSP Release 8.1 12/2019 11 Notes on the Graphical User Interface Notes on the Graphical User Interface The Graphical User Interface of the device is divided as follows: Navigation area Dialog area Buttons Navigation area The Navigation area is located on the left side of the Graphical User Interface. The Navigation area contains the following elements: Toolbar Filter Menu You have the option of collapsing the entire Navigation area, for example when displaying the Graphical User Interface on small screens. To collapse or expand, you click the small arrow at the top of the navigation area. Toolbar The toolbar at the top of the navigation area contains several buttons. • When you position the mouse pointer over a button, a tooltip displays further information. • If the connection to the device is lost, then the toolbar is grayed out. The device automatically refreshes the toolbar information every 5 seconds. Clicking the button refreshes the toolbar manually. When you position the mouse pointer over the button, a tooltip displays the following information: User: Name of the logged in user Device name: Name of the device Clicking the button opens the Device Security > User Management dialog. When you position the mouse pointer over the button, a tooltip displays the summary of the Diagnostics > System > Configuration Check dialog. Clicking the button opens the Diagnostics > System > Configuration Check dialog. 12 RM GUI RSP Release 8.1 12/2019 Notes on the Graphical User Interface Clicking the button logs out the current user and displays the login page. Displays the remaining time in seconds until the device automatically logs out an inactive user. Clicking the button opens the Device Security > Management Access > Web dialog. There you can specify the timeout. When the configuration profile in the volatile memory (RAM) differs from the "Selected" configuration profile in the non-volatile memory (NVM), this button is visible. Otherwise, the button is hidden. Clicking the button opens the Basic Settings > Load/Save dialog. By right-clicking the button you can save the current settings in the non-volatile memory (NVM). When you position the mouse pointer over the button, a tooltip displays the following information: Device Status: This section displays a compressed view of the Device status frame in the Basic Settings > System dialog. The section displays the alarm that is currently active and whose occurrence was recorded first. Security Status: This section displays a compressed view of the Security status frame in the Basic Settings > System dialog. The section displays the alarm that is currently active and whose occurrence was recorded first. Boot Parameter: If you permanently save changes to the settings and at least one boot parameter differs from the configuration profile used during the last restart, then this section displays a note. The following settings cause the boot parameters to change: – Basic Settings > External Memory dialog, Software auto update parameter – Basic Settings > External Memory dialog, Config priority parameter – Device Security > Management Access > Server dialog, SNMP tab, UDP port parameter – Diagnostics > System > Selftest dialog, RAM test parameter – Diagnostics > System > Selftest dialog, SysMon1 is available parameter – Diagnostics > System > Selftest dialog, Load default config on error parameter Clicking the button opens the Diagnostics > Status Configuration > Device Status dialog. Filter The filter enables you to reduce the number of menu items in the menu. When filtering, the menu displays only menu items matching the search string entered in the filter field. RM GUI RSP Release 8.1 12/2019 13 Notes on the Graphical User Interface Menu The menu displays the menu items. You have the option of filtering the menu items. See section “Filter”. To display the corresponding dialog in the dialog area, you click the desired menu item. If the selected menu item is a node containing sub-items, then the node expands or collapses while clicking. The dialog area keeps the previously displayed dialog. You have the option of expanding or collapsing every node in the menu at the same time. When you right-click anywhere in the menu, a context menu displays the following entries: Expand Expands every node in the menu at the same time. The menu displays the menu items for every level. Collapse Collapses every node in the menu at the same time. The menu displays the top level menu items. Dialog area The Dialog area is located on the right side of the Graphical User Interface. When you click a menu item in the Navigation area, the Dialog area displays the corresponding dialog. Updating the display If a dialog remains opened for a longer time, then the values in the device have possibly changed in the meantime. To update the display in the dialog, click the button. Unsaved information in the dialog is lost. Saving the settings To transfer the changed settings to the volatile memory (RAM) of the device, click the To keep the changed settings, even after restarting the device, proceed as follows: Open the Basic Settings > Load/Save dialog. In the table, highlight the desired configuration profile. When in the Selected column the checkbox is unmarked, click the Select item. Click the button. button and then the button and then the Save item. Note: Unintentional changes to the settings can terminate the connection between your PC and the device. To keep the device accessible, enable the Undo configuration modifications function in the Basic Settings > Load/Save dialog, before changing any settings. Using the function, the device continuously checks whether it can still be reached from the IP address of the user’s PC. If the connection is lost, then the device loads the configuration profile saved in the non-volatile memory (NVM) after the specified time. Afterwards, the device can be accessed again. 14 RM GUI RSP Release 8.1 12/2019 Notes on the Graphical User Interface Working with tables The dialogs display numerous settings in table form. When you modify a table cell, the table cell displays a red mark in its top-left corner. The red mark indicates that your modifications are not yet transfered to the volatile memory (RAM) of the device. You have the option of customizing the look of the tables to fit your needs. When you position the mouse pointer over a column header, the column header displays a drop-down list button. When you click this button, the drop-down list displays the following entries: Sort ascending Sorts the table entries in ascending order based on the entries of the selected column. You recognize sorted table entries by an arrow in the column header. Sort descending Sorts the table entries in descending order based on the entries of the selected column. You recognize sorted table entries by an arrow in the column header. Columns Displays or hides columns. You recognize hidden columns by an unmarked checkbox in the drop-down list. Filters The table only displays the entries whose content matches the specified filter criteria of the selected column. You recognize filtered table entries by an emphasized column header. You have the option of selecting multiple table entries simultaneously and subsequently applying an action to them. This is useful when you are going to remove multiple table entries at the same time. Select several consecutive table entries: Click the first desired table entry to highlight it. Press and hold the <SHIFT> key. Click the last desired table entry to highlight every desired table entry. Select multiple individual table entries: Click the first desired table entry to highlight it. Press and hold the <CTRL> key. Click the next desired table entry to highlight it. Repeat until every desired table entry is highlighted. Buttons Here you find the description of the standard buttons. The special dialog-specific buttons are described in the corresponding dialog help text. Transfers the changes to the volatile memory (RAM) of the device and applies them to the device. To save the changes in the non-volatile memory, proceed as follows: Open the Basic Settings > Load/Save dialog. In the table, highlight the desired configuration profile. When in the Selected column the checkbox is unmarked, click the item. Click the RM GUI RSP Release 8.1 12/2019 button and then the Select button to save your current changes. 15 Notes on the Graphical User Interface Updates the fields with the values that are saved in the volatile memory (RAM) of the device. Transfers the settings from the volatile memory (RAM) into the configuration profile designated as “Selected” in the non-volatile memory (NVM). When in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column is marked, then the device generates a copy of the configuration profile in the external memory. Displays a submenu with menu items corresponding to the respective dialog. Opens the Wizard dialog. Adds a new table entry. Removes the highlighted table entry. Opens the online help. 16 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > System ] 1 Basic Settings The menu contains the following dialogs: System Network Software Load/Save External Memory Port Restart 1.1 System [ Basic Settings > System ] In this dialog, you monitor individual operating statuses. Device status The fields in this frame display the device status and inform you about alarms that have occurred. When an alarm currently exists, the frame is highlighted. You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Device Status dialog. Note: If you connect only one power supply unit for the supply voltage to a device with a redundant power supply unit, then the device reports an alarm. To help avoid this alarm, you deactivate the monitoring of the missing power supply units in the Diagnostics > Status Configuration > Device Status dialog. Alarm counter Displays the number of currently existing alarms. When there is at least one currently existing alarm, the icon is visible. When you position the mouse pointer over the icon, a tooltip displays the cause of the currently existing alarms and the time at which the device triggered the alarm. If a monitored parameter differs from the desired status, then the device triggers an alarm. The Diagnostics > Status Configuration > Device Status dialog, Status tab displays an overview of the alarms. RM GUI RSP Release 8.1 12/2019 17 Basic Settings [ Basic Settings > System ] Security status The fields in this frame display the security status and inform you about alarms that have occurred. When an alarm currently exists, the frame is highlighted. You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Security Status dialog. Alarm counter Displays the number of currently existing alarms. When there is at least one currently existing alarm, the icon is visible. When you position the mouse pointer over the icon, a tooltip displays the cause of the currently existing alarms and the time at which the device triggered the alarm. If a monitored parameter differs from the desired status, then the device triggers an alarm. The Diagnostics > Status Configuration > Security Status dialog, Status tab displays an overview of the alarms. Signal contact status The fields in this frame display the signal contact status and inform you about alarms that have occurred. When an alarm currently exists, the frame is highlighted. You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Signal Contact > Signal Contact 1/Signal Contact 2 dialog. Alarm counter Displays the number of currently existing alarms. When there is at least one currently existing alarm, the icon is visible. When you position the mouse pointer over the icon, a tooltip displays the cause of the currently existing alarms and the time at which the device triggered the alarm. If a monitored parameter differs from the desired status, then the device triggers an alarm. The Diagnostics > Status Configuration > Signal Contact > Signal Contact 1/Signal Contact 2 dialog, Status tab displays an overview of the alarms. System data The fields in this frame display operating data and information on the location of the device. System name Specifies the name for which the device is known in the network. 18 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > System ] Possible values: Alphanumeric ASCII character string with 0..255 characters The following characters are allowed: – 0..9 – a..z – A..Z – !#$%&'()*+,-./:;<=>?@[\\]^_`{}~ – <device name>-<MAC address> (default setting) When creating HTTPS X.509 certificates, the application generating the certificate uses the specified value as the domain name and common name. The following functions use the specified value as a host name or FQDN (Fully Qualified Domain Name). For compatibility, it is recommended to use only small letters, since not every system compares the case in the FQDN. Verify that this name is unique in the whole network. DHCP client Syslog IEC61850-MMS PROFINET Note: For compatibility in PROFINET environments, specify the PROFINET device name. In PROFINET the name is limited to a maximum of 240 characters. Do not begin the name with a number. Programs read the device name using SNMP and PROFINET DCP. Location Specifies the location of the device. Possible values: Alphanumeric ASCII character string with 0..255 characters Contact person Specifies the contact person for this device. Possible values: Alphanumeric ASCII character string with 0..255 characters Device type Displays the product name of the device. Power supply 1 Power supply 2 Displays the status of the power supply unit on the relevant voltage supply connection. Possible values: present defective not installed unknown RM GUI RSP Release 8.1 12/2019 19 Basic Settings [ Basic Settings > System ] Uptime Displays the time that has elapsed since this device was last restarted. Possible values: Time in the format day(s), ...h ...m ...s Temperature [°C] Displays the current temperature in the device in °C. You activate the monitoring of the temperature thresholds in the Diagnostics > Status Configuration > Device Status dialog. Upper temp. limit [°C] Specifies the upper temperature threshold in °C. The “Installation” user manual contains detailed information about setting the temperature thresholds. Possible values: -99..99 (integer) If the temperature in the device exceeds this value, then the device generates an alarm. Lower temp. limit [°C] Specifies the lower temperature threshold in °C. The “Installation” user manual contains detailed information about setting the temperature thresholds. Possible values: -99..99 (integer) If the temperature in the device falls below this value, then the device generates an alarm. LED status This frame displays the states of the device status LEDs at the time of the last update. The “Installation” user manual contains detailed information about the device status LEDs. Parameters Status Power 20 Color Meaning There is currently no device status alarm. The device status is OK. There is currently at least one device status alarm. Therefore, see the Device status frame above. Device variant with 2 power supply units: Only one supply voltage is active. Device variant with 1 power supply unit: The supply voltage is active. Device variant with 2 power supply units: Both supply voltages are active. RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > System ] Parameters RM ACA Color Meaning The device is neither operating as a MRP ring manager nor as a DLR supervisor. Loss of redundancy reserve. The device is operating as a MRP ring manager. or The device is operating as a DLR supervisor. Redundancy reserve is available. The device is operating as a MRP ring manager. or The device is operating as a DLR supervisor. No external memory connected. The external memory is connected, but not ready for operation. The external memory is connected and ready for operation. Port status This frame displays a simplified view of the ports of the device at the time of the last update. The icons represent the status of the individual ports. In some situations, the following icons interfere with one another. When you position the mouse pointer over the appropriate port icon, a tooltip displays a detailed information about the port state. Parameters <Port number> Statu Meaning s The port is inactive. The port does not send or receive any data. The port is inactive. The cable is connected. Active link. The port is active. No cable connected or no active link. The port is active. The cable is connected. Connection okay. Active link. Full-duplex mode The half-duplex mode is enabled. Verify the settings in the Basic Settings > Ports dialog, Configuration tab. The port is in a blocking state due to a redundancy function. The port operates as a router interface. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 21 Basic Settings [ Basic Settings > Network ] 1.2 Network [ Basic Settings > Network ] This dialog lets you specify the IP, VLAN and HiDiscovery settings required for the access to the device management through the network. Management interface This frame lets you specify the following settings: The source from which the device management receives its IP parameters VLAN in which the device management can be accessed IP address assignment Specifies the source from which the device management receives its IP parameters. Possible values: Local The device uses the IP parameters from the internal memory. You specify the settings for this in the IP parameter frame. BOOTP The device receives its IP parameters from a BOOTP or DHCP server. The server evaluates the MAC address of the device, then assigns the IP parameters. DHCP (default setting) The device receives its IP parameters from a DHCP server. The server evaluates the MAC address, the DHCP name, or other parameters of the device, then assigns the IP parameters. When the server also provides the addresses of DNS servers, the device displays these addresses in the Advanced > DNS > Cache > Current dialog. Note: If there is no response from the BOOTP or DHCP server, then the device sets the IP address to 0.0.0.0 and makes another attempt to obtain a valid IP address. VLAN ID Specifies the VLAN in which the device management is accessible through the network. The device management is accessible through ports that are members of this VLAN. Possible values: 1..4042 (default setting: 1) The prerequisite is that the VLAN is already configured. See the Switching > VLAN > Configuration dialog. Assign a VLAN ID that is not assigned to any router interface. When you click the button after changing the value, the Information window opens. Select the port, over which you connect to the device in the future. After clicking the Ok button, the new device management VLAN settings are assigned to the port. • After that the port is a member of the VLAN and transmits the data packets without a VLAN tag (untagged). See the Switching > VLAN > Configuration dialog. • The device assigns the port VLAN ID of the device management VLAN to the port. See the Switching > VLAN > Port dialog. After a short time the device is reachable over the new port in the new device management VLAN. 22 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Network ] MAC address Displays the MAC address of the device. The device management is accessible via the network using the MAC address. MAC-Adresse Konflikterkennung Enables/disables the MAC-Adresse Konflikterkennung function. Possible values: marked The MAC-Adresse Konflikterkennung function is enabled. The device verifies that its MAC address is unique in the network. unmarked (default setting) The MAC-Adresse Konflikterkennung function is disabled. BOOTP/DHCP Client ID Displays the DHCP client ID that the device sends to the BOOTP or DHCP server. If the server is configured accordingly, then it reserves an IP address for this DHCP client ID. Therefore, the device receives the same IP from the server every time it requests it. The DHCP client ID that the device sends is the device name specified in the System name field in the Basic Settings > System dialog. HiDiscovery protocol v1/v2 This frame lets you specify settings for the access to the device using the HiDiscovery protocol. On a PC, the HiDiscovery software displays the Hirschmann devices that can be accessed in the network on which the HiDiscovery function is enabled. You can access these devices even if they have invalid or no IP parameters assigned. The HiDiscovery software lets you assign or change the IP parameters in the device. Note: With the HiDiscovery software you access the device only through ports that are members of the same VLAN as the device management. You specify which VLAN a certain port is assigned to in the Switching > VLAN > Configuration dialog. Operation Enables/disables the HiDiscovery function in the device. Possible values: On (default setting) HiDiscovery is enabled. You can use the HiDiscovery software to access the device from your PC. Off HiDiscovery is disabled. RM GUI RSP Release 8.1 12/2019 23 Basic Settings [ Basic Settings > Network ] Access Enables/disables the write access to the device using HiDiscovery. Possible values: readWrite (default setting) The HiDiscovery software is given write access to the device. With this setting you can change the IP parameters in the device. readOnly The HiDiscovery software is given read-only access to the device. With this setting you can view the IP parameters in the device. Recommendation: Change the setting to the value readOnly only after putting the device into operation. Signal Activates/deactivates the flashing of the port LEDs as does the function of the same name in the HiDiscovery software. The function lets you identify the device in the field. Possible values: marked The flashing of the port LEDs is active. The port LEDs flash until you disable the function again. unmarked (default setting) The flashing of the port LEDs is inactive. Relay status Activates/deactivates the HiDiscovery relay function. This function lets the HiDiscovery software to find and display devices located in other subnets. Possible values: marked (default setting) The HiDiscovery relay function is active. The device forwards the HiDiscovery request packets sent from the device management into directly connected subnets. The device also responds to requests with its IP parameters. unmarked The HiDiscovery relay function is inactive. The HiDiscovery software finds only the devices located in the same subnet as the device management. IP parameter This frame lets you assign the IP parameters manually. If you have selected the Local radio button in the Management interface frame, IP address assignment option list, then these fields can be edited. IP address Specifies the IP address under which the device management can be accessed through the network. Possible values: Valid IPv4 address 24 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Network ] Verify that the IP subnet of the device management is not overlapping with any subnet connected to another interface of the device: • router interface • loopback interface Netmask Specifies the netmask. Possible values: Valid IPv4 netmask Gateway address Specifies the IP address of a router through which the device accesses other devices outside its own network. Possible values: Valid IPv4 address If the device does not use the specified gateway, check whether another default gateway is specified. The setting in the following dialog has precedence: • Routing > Routing Table dialog, Next hop IP address column, if the value in the Network address column and in the Netmask column is 0.0.0.0 Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 25 Basic Settings [ Basic Settings > Software ] 1.3 Software [ Basic Settings > Software ] This dialog lets you update the device software and display information about the device software. You also have the option to restore a backup of the device software saved in the device. Note: Before updating the device software, follow the version-specific notes in the Readme text file. Version Stored version Displays the version number and creation date of the device software stored in the flash memory. The device loads the device software during the next restart. Running version Displays the version number and creation date of the device software that the device loaded during the last restart and is currently running. Backup version Displays the version number and creation date of the device software saved as a backup in the flash memory. The device copied this device software into the backup memory during the last software update or after you clicked the Restore button. Restore Restores the device software saved as a backup. In the process, the device changes the Stored version and the Backup version of the device software. Upon restart, the device loads the Stored version. Bootcode Displays the version number and creation date of the boot code. Software update Alternatively, when the image file is located in the external memory, the device lets you update the device software by right-clicking in the table. URL Specifies the path and the file name of the image file with which you update the device software. 26 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Software ] The device gives you the following options for updating the device software: Software update from the PC When the file is located on your PC or on a network drive, drag and drop the file in the Alternatively click in the area to select the file. area. Software update from an FTP server When the file is located on an FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<file name> Software update from a TFTP server When the file is located on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Software update from an SCP or SFTP server When the file is located on an SCP or SFTP server, specify the URL for the file in one of the following forms: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Start Updates the device software. The device installs the selected file in the flash memory, replacing the previously saved device software. Upon restart, the device loads the installed device software. The device copies the existing software into the backup memory. To remain logged in to the device during the software update, move the mouse pointer occasionally. Alternatively, specify a sufficiently high value in the Device Security > Management Access > Web dialog, field Web interface session timeout [min] before the software update. Table File location Displays the storage location of the device software. Possible values: ram Volatile memory of the device flash Non-volatile memory (NVM) of the device sd-card External SD memory (ACA31) Index Displays the index of the device software. RM GUI RSP Release 8.1 12/2019 27 Basic Settings [ Basic Settings > Software ] For the device software in the flash memory, the index has the following meaning: 1 Upon restart, the device loads this device software. 2 The device copied this device software into the backup area during the last software update. File name Displays the device-internal file name of the device software. Firmware Displays the version number and creation date of the device software. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 28 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] 1.4 Load/Save [ Basic Settings > Load/Save ] This dialog lets you save the device settings permanently in a configuration profile. The device can hold several configuration profiles. When you activate an alternative configuration profile, you change to other device settings. You have the option of exporting the configuration profiles to your PC or to a server. You also have the option of importing the configuration profiles from your PC or from a server to the device. In the default setting, the device saves the configuration profiles unencrypted. If you enter a password in the Configuration encryption frame, then the device saves both the current and the future configuration profiles in an encrypted format. Unintentional changes to the settings can terminate the connection between your PC and the device. To keep the device accessible, enable the Undo configuration modifications function before changing any settings. If the connection is lost, then the device loads the configuration profile saved in the non-volatile memory (NVM) after the specified time. External memory Selected external memory Displays the type of the external memory. Possible values: sd External SD memory (ACA31) Status Displays the operating state of the external memory. Possible values: notPresent No external memory connected. removed Someone has removed the external memory from the device during operation. ok The external memory is connected and ready for operation. outOfMemory The memory space is occupied in the external memory. genericErr The device has detected an error. Configuration encryption Active Displays whether the configuration encryption is active/inactive in the device. RM GUI RSP Release 8.1 12/2019 29 Basic Settings [ Basic Settings > Load/Save ] Possible values: marked The configuration encryption is active. If the configuration profile is encrypted and the password matches the password stored in the device, then the device loads a configuration profile from the non-volatile memory (NVM). unmarked The configuration encryption is inactive. If the configuration profile is unencrypted, then the device loads a configuration profile from the non-volatile memory (NVM) only. If in the Basic Settings > External Memory dialog, the Config priority column has the value first and the configuration profile is unencrypted, then the Security status frame in the Basic Settings > System dialog displays an alarm. In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify whether the device monitors the Load unencrypted config from external memory parameter. Set password Opens the Set password window that helps you to enter the password needed for the configuration profile encryption. Encrypting the configuration profiles makes unauthorized access more difficult. When you are changing an existing password, enter the existing password in the Old password field. To display the password in plain text instead of ***** (asterisks), mark the Display content checkbox. In the New password field, enter the password. To display the password in plain text instead of ***** (asterisks), mark the Display content checkbox. Mark the Save configuration afterwards checkbox to use encryption also for the Selected configuration profile in the non-volatile memory (NVM) and in the external memory. Note: If a maximum of 1 configuration profile is stored in the non-volatile memory (NVM) of the device, then use this function only. Before creating additional configuration profiles, decide for or against permanently activated configuration encryption in the device. Save additional configuration profiles either unencrypted or encrypted with the same password. If you are replacing a device with an encrypted configuration profile, for example due to a defect, then you proceed as follows: Restart the new device and assign the IP parameters. Open the Basic Settings > Load/Save dialog on the new device. Encrypt the configuration profile in the new device. See above. Enter the same password you used in the defective device. Install the external memory from the defective device in the new device. Restart the new device. When you restart the device, the device loads the configuration profile with the settings of the defective device from the external memory. The device copies the settings into the volatile memory (RAM) and into the non-volatile memory (NVM). 30 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] Delete Opens the Delete window which helps you to cancel the configuration encryption in the device. In the Old password field, enter the existing password. To display the password in plain text instead of ***** (asterisks), mark the Display content checkbox. Mark the Save configuration afterwards checkbox to remove the encryption also for the Selected configuration profile in the non-volatile memory (NVM) and in the external memory. Note: If you keep additional encrypted configuration profiles in the memory, then the device helps prevent you from activating or designating these configuration profiles as "Selected". Information NVM in sync with running config Displays whether the configuration profile in the volatile memory (RAM) and the "Selected" configuration profile in the non-volatile memory (NVM) are the same. Possible values: marked The configuration profiles are the same. unmarked The configuration profiles differ. External memory in sync with NVM Displays whether the "Selected" configuration profile in the external memory and the "Selected" configuration profile in the non-volatile memory (NVM) are the same. Possible values: marked The configuration profiles are the same. unmarked The configuration profiles differ. Possible causes: – No external memory is connected to the device. – In the Basic Settings > External Memory dialog, the Backup config when saving function is disabled. Backup config on a remote server when saving Operation Enables/disables the Backup config on a remote server when saving function. RM GUI RSP Release 8.1 12/2019 31 Basic Settings [ Basic Settings > Load/Save ] Possible values: Enabled The Backup config on a remote server when saving function is enabled. When you save the configuration profile in the non-volatile memory (NVM), the device automatically backs up the configuration profile on the remote server specified in the URL field. Disabled (default setting) The Backup config on a remote server when saving function is disabled. URL Specifies path and file name of the backed up configuration profile on the remote server. Possible values: Alphanumeric ASCII character string with 0..128 characters Example: tftp://192.9.200.1/cfg/config.xml The device supports the following wildcards: – %d System date in the format YYYY-mm-dd – %t System time in the format HH_MM_SS – %i IP address of the device – %m MAC address of the device in the format AA-BB-CC-DD-EE-FF – %p Product name of the device Set credentials Opens the Credentials window which helps you to enter the credentials needed to authenticate on the remote server. In the User name field, enter the user name. To display the user name in plain text instead of ***** (asterisks), mark the Display content checkbox. Possible values: – Alphanumeric ASCII character string with 1..32 characters In the Password field, enter the password. To display the password in plain text instead of ***** (asterisks), mark the Display content checkbox. Possible values: Alphanumeric ASCII character string with 6..64 characters The following characters are allowed: a..z A..Z 0..9 !#$%&'()*+,-./:;<=>?@[\\]^_`{}~ 32 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] Undo configuration modifications Operation Enables/disables the Undo configuration modifications function. Using the function, the device continuously checks whether it can still be reached from the IP address of the user’s PC. If the connection is lost, after a specified time period the device loads the “Selected” configuration profile from the non-volatile memory (NVM). Afterwards, the device can be accessed again. Possible values: On The function is enabled. – You specify the time period between the interruption of the connection and the loading of the configuration profile in the field Timeout [s] to recover after connection loss. – When the non-volatile memory (NVM) contains multiple configuration profiles, the device loads the configuration profile designated as “Selected”. Off (default setting) The function is disabled. Disable the function again before you close the Graphical User Interface. You thus help prevent the device from restoring the configuration profile designated as “Selected”. Note: Before you enable the function, save the settings in the configuration profile. Current changes, that are saved temporarily, are therefore maintained in the device. Timeout [s] to recover after connection loss Specifies the time in seconds after which the device loads the “Selected” configuration profile from the non-volatile memory (NVM) if the connection is lost. Possible values: 30..600 (default setting: 600) Specify a sufficiently large value. Take into account the time when you are viewing the dialogs of the Graphical User Interface without changing or updating them. Watchdog IP address Displays the IP address of the PC on which you have enabled the function. Possible values: IPv4 address (default setting: 0.0.0.0) Table Storage type Displays the storage location of the configuration profile. RM GUI RSP Release 8.1 12/2019 33 Basic Settings [ Basic Settings > Load/Save ] Possible values: RAM (volatile memory of the device) In the volatile memory, the device stores the settings for the current operation. NVM (non-volatile memory of the device) When applying the function Undo configuration modifications or during a restart, the device loads the “Selected” configuration profile from the non-volatile memory. The non-volatile memory provides space for multiple configuration profiles, depending on the number of settings saved in the configuration profile. The device manages a maximum of 20 configuration profiles in the non-volatile memory. You can load a configuration profile into the volatile memory (RAM): In the table, highlight the configuration profile. Click the button and then the Activate item. ENVM (external memory) In the external memory, the device saves a backup copy of the “Selected” configuration profile. The prerequisite is that in the Basic Settings > External Memory dialog you mark the Backup config when saving checkbox. Profile name Displays the name of the configuration profile. Possible values: running-config Name of the configuration profile in the volatile memory (RAM). config Name of the factory setting configuration profile in the non-volatile memory (NVM). User-defined name The device lets you save a configuration profile with a user-specified name by highlighting an existing configuration profile in the table, clicking the button and then the Save As.. item. To export the configuration profile as an XML file on your PC, click the link. Then you select the storage location and specify the file name. To save the file on a remote server, click the button and then the Export... item. Modification date (UTC) Displays the time (UTC) at which a user last saved the configuration profile. Selected Displays whether the configuration profile is designated as “Selected”. Possible values: marked The configuration profile is designated as “Selected”. – When applying the function Undo configuration modifications or during a restart, the device loads the configuration profile into the volatile memory (RAM). – When you click the configuration profile. button, the device saves the temporarily saved settings in this unmarked Another configuration profile is designated as “Selected”. To designate another configuration profile as “Selected”, you highlight the desired configuration profile in the table, click the 34 button and then the Activate item. RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] Encrypted Displays whether the configuration profile is encrypted. Possible values: marked The configuration profile is encrypted. unmarked The configuration profile is unencrypted. You activate/deactivate the encryption of the configuration profile in the Configuration encryption frame. Encryption verified Displays whether the password of the encrypted configuration profile matches the password stored in the device. Possible values: marked The passwords match. The device is able to unencrypt the configuration profile. unmarked The passwords are different. The device is unable to unencrypt the configuration profile. Software version Displays the version number of the device software that the device ran while saving the configuration profile. Fingerprint Displays the checksum saved in the configuration profile. When saving the settings, the device calculates the checksum and inserts it into the configuration profile. Fingerprint verified Displays whether the checksum saved in the configuration profile is valid. The device calculates the checksum of the configuration profile marked as “Selected” and compares it with the checksum saved in this configuration profile. Possible values: marked The calculated and the saved checksum match. The saved settings are consistent. unmarked For the configuration profile marked as “Selected” applies: The calculated and the saved checksum are different. The configuration profile contains modified settings. Possible causes: – The file is damaged. – The file system in the external memory is inconsistent. – A user has exported the configuration profile and changed the XML file outside the device. For the other configuration profiles the device has not calculated the checksum. RM GUI RSP Release 8.1 12/2019 35 Basic Settings [ Basic Settings > Load/Save ] The device verifies the checksum correctly only if the configuration profile has been saved before as follows: • on an identical device • with the same software version, which the device is running • with a lower or the same level of the device software such as HiOS-2A or HiOS-3S on a device which runs HiOS-3S Note: This function identifies changes to the settings in the configuration profile. The function does not provide protection against operating the device with modified settings. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Removes the configuration profile highlighted in the table from the non-volatile memory (NVM) or from the external memory. If the configuration profile is designated as "Selected", then the device helps prevent you from removing the configuration profile. Save As.. Copies the configuration profile highlighted in the table and saves it with a user-specified name in the non-volatile memory (NVM). The device designates the new configuration profile as “Selected”. Note: Before creating additional configuration profiles, decide for or against permanently activated configuration encryption in the device. Save additional configuration profiles either unencrypted or encrypted with the same password. If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column is marked, then the device designates the configuration profile of the same name in the external memory as “Selected”. Activate Loads the settings of the configuration profile highlighted in the table to the volatile memory (RAM). The device terminates the connection to the Graphical User Interface. Reload the Graphical User Interface. Login again. The device immediately uses the settings of the configuration profile on the fly. Enable the Undo configuration modifications function before you activate another configuration profile. If the connection is lost afterwards, then the device loads the last configuration profile designated as “Selected” from the non-volatile memory (NVM). The device can then be accessed again. 36 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] If the configuration encryption is inactive, then the device loads an unencrypted configuration profile. If the configuration encryption is active and the password matches the password stored in the device, then the device loads an encrypted configuration profile. When you activate an older configuration profile, the device takes over the settings of the functions contained in this software version. The device sets the values of new functions to their default value. Select Designates the configuration profile highlighted in the table as “Selected”. In the Selected column, the checkbox is then marked. When applying the function Undo configuration modifications or during a restart, the device loads the settings of this configuration profile to the volatile memory (RAM). If the configuration encryption in the device is disabled, then designate an unencrypted configuration profile only as “Selected”. If the configuration encryption in the device is enabled and the password of the configuration profile matches the password saved in the device, then designate an encrypted configuration profile only as “Selected”. Otherwise, the device is unable to load and encrypt the settings in the configuration profile the next time it restarts. For this case you specify in the Diagnostics > System > Selftest dialog whether the device starts with the default settings or terminates the restart and stops. Note: You only mark the configuration profiles saved in the non-volatile memory (NVM). If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column is marked, then the device designates the configuration profile of the same name in the external memory as “Selected”. Import... Opens the Import... window to import a configuration profile. The prerequisite is that you have exported the configuration profile using the Export... button or using the link in the Profile name column. In the Select source drop-down list, select from where the device imports the configuration profile. PC/URL The device imports the configuration profile from the local PC or from a remote server. External memory The device imports the configuration profile from the external memory. When PC/URL is selected above, in the Import profile from PC/URL frame you specify the configuration profile file to be imported. – Import from the PC When the file is located on your PC or on a network drive, drag and drop the file in the area. Alternatively click in the area to select the file. – Import from an FTP server When the file is located on an FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<file name> RM GUI RSP Release 8.1 12/2019 37 Basic Settings [ Basic Settings > Load/Save ] – Import from a TFTP server When the file is located on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> – Import from an SCP or SFTP server When the file is located on an SCP or SFTP server, specify the URL for the file in one of the following forms: scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> When External memory is selected above, in the Import profile from external memory frame you specify the configuration profile file to be imported. In the Profile name drop-down list, select the name of the configuration profile to be imported. In the Destination frame you specify where the device saves the imported configuration profile. In the Profile name field you specify the name under which the device saves the configuration profile. In the Storage type field you specify the storage location for the configuration profile. The prerequisite is that in the Select source drop-down list you have selected the value PC/URL. RAM The device saves the configuration profile in the volatile memory (RAM) of the device. This replaces the running-config, the device uses the settings of the imported configuration profile immediately. The device terminates the connection to the Graphical User Interface. Reload the Graphical User Interface. Login again. NVM The device saves the configuration profile in the non-volatile memory (NVM) of the device. When you import a configuration profile, the device takes over the settings as follows: • If the configuration profile was exported on the same device or on an identically equipped device of the same type, then: The device takes over the settings completely. • If the configuration profile was exported on an other device, then: The device takes over the settings which it can interpret based on its hardware equipment and software level. The remaining settings the device takes over from its running-config configuration profile. Regarding configuration profile encryption, also read the help text of the Configuration encryption frame. The device imports a configuration profile under the following conditions: • The configuration encryption of the device is inactive. The configuration profile is unencrypted. • The configuration encryption of the device is active. The configuration profile is encrypted with the same password that the device currently uses. Export... Exports the configuration profile highlighted in the table and saves it as an XML file on a remote server. To save the file on your PC, click the link in the Profile name column to select the storage location and specify the file name. 38 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Load/Save ] The device gives you the following options for exporting a configuration profile: Export to an FTP server To save the file on an FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<file name> Export to a TFTP server To save the file on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Export to an SCP or SFTP server To save the file on an SCP or SFTP server, specify the URL for the file in one of the following forms: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Ok button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Load running-config as script Imports a script file which modifies the current running config configuration profile. The device gives you the following options to import a script file: Import from the PC When the file is located on your PC or on a network drive, drag and drop the file in the Alternatively click in the area to select the file. area. Import from an FTP server When the file is located on an FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<file name> Import from a TFTP server When the file is located on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the file is located on an SCP or SFTP server, specify the URL for the file in one of the following forms: scp:// or sftp://<IP address>/<path>/<file name> Save running-config as script Saves the running config configuration profile as a script file on the local PC. This lets you backup your current device settings or to use them on various devices. Back to factory... Resets the settings in the device to the default values. The device deletes the saved configuration profiles from the volatile memory (RAM) and from the non-volatile memory (NVM). The device deletes the HTTPS certificate used by the web server in the device. The device deletes the RSA key (Host Key) used by the SSH server in the device. When an external memory is connected, the device deletes the configuration profiles saved in the external memory. After a brief period, the device reboots and loads the default values. Back to default Deletes the current operating (running config) settings from the volatile memory (RAM) . RM GUI RSP Release 8.1 12/2019 39 Basic Settings [ Basic Settings > External Memory ] 1.5 External Memory [ Basic Settings > External Memory ] This dialog lets you activate functions that the device automatically executes in combination with the external memory. The dialog also displays the operating state and identifying characteristics of the external memory. Table Type Displays the type of the external memory. Possible values: sd External SD memory (ACA31) Status Displays the operating state of the external memory. Possible values: notPresent No external memory connected. removed Someone has removed the external memory from the device during operation. ok The external memory is connected and ready for operation. outOfMemory The memory space is occupied in the external memory. genericErr The device has detected an error. Writable Displays whether the device has write access to the external memory. Possible values: marked The device has write access to the external memory. unmarked The device has read-only access to the external memory. Possibly the write protection is activated in the external memory. Software auto update Activates/deactivates the automatic device software update during the restart. 40 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > External Memory ] Possible values: marked (default setting) The automatic device software update during the restart is activated. The device updates the device software when the following files are located in the external memory: – the image file of the device software – a text file "startup.txt" with the content autoUpdate=<image_file_name>.bin unmarked The automatic device software update during the restart is deactivated. SSH key auto upload Activates/deactivates the loading of the RSA key from an external memory upon restart. Possible values: marked (default setting) The loading of the RSA key is activated. During a restart, the device loads the RSA key from the external memory when the following files are located in the external memory: – SSH RSA key file – a text file “startup.txt” with the content autoUpdateRSA=<filename_of_the_SSH_RSA_key> The device displays messages on the system console of the serial interface. unmarked The loading of the RSA key is deactivated. Note: When loading the RSA key from the external memory (ENVM), the device overwrites the existing keys in the non-volatile memory (NVM). Config priority Specifies the memory from which the device loads the configuration profile upon reboot. Possible values: disable The device loads the configuration profile from the non-volatile memory (NVM). first The device loads the configuration profile from the external memory. When the device does not find a configuration profile in the external memory, it loads the configuration profile from the non-volatile memory (NVM). Note: When loading the configuration profile from the external memory (ENVM), the device overwrites the settings of the Selected configuration profile in the non-volatile memory (NVM). If the Config priority column has the value first and the configuration profile is unencrypted, then the Security status frame in the Basic Settings > System dialog displays an alarm. In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify whether the device monitors the Load unencrypted config from external memory parameter. Backup config when saving Activates/deactivates creating a copy of the configuration profile in the external memory. RM GUI RSP Release 8.1 12/2019 41 Basic Settings [ Basic Settings > External Memory ] Possible values: marked (default setting) Creating a copy is activated. When you click in the Basic Settings > Load/Save dialog the Save button, the device generates a copy of the configuration profile on the active external memory. unmarked Creating a copy is deactivated. The device does not generate a copy of the configuration profile. Manufacturer ID Displays the name of the memory manufacturer. Revision Displays the revision number specified by the memory manufacturer. Version Displays the version number specified by the memory manufacturer. Name Displays the product name specified by the memory manufacturer. Serial number Displays the serial number specified by the memory manufacturer. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 42 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Port ] 1.6 Port [ Basic Settings > Port ] This dialog lets you specify settings for the individual ports. The dialog also displays the operating mode, connection status, bit rate and duplex mode for every port. The dialog contains the following tabs: [Configuration] [Statistics] [Utilization] [Configuration] Table Port Displays the port number. Name Name of the port. Possible values: Alphanumeric ASCII character string with 0..64 characters The following characters are allowed: – <space> – 0..9 – a..z – A..Z – !#$%&'()*+,-./:;<=>?@[\\]^_`{}~ Port on Activates/deactivates the port. Possible values: marked (default setting) The port is active. unmarked The port is inactive. The port does not send or receive any data. State Displays whether the port is currently physically enabled or disabled. RM GUI RSP Release 8.1 12/2019 43 Basic Settings [ Basic Settings > Port ] Possible values: marked The port is physically enabled. unmarked The port is physically disabled. When the Port on function is active, the Auto-Disable function has disabled the port. You specify the settings of the Auto-Disable function in the Diagnostics > Ports > Auto-Disable dialog. Power state (port off) Specifies, whether the port is physically switched on or off when you deactivate the port with the Port on function. Possible values: marked The port remains physically enabled. A connected device receives an active link. unmarked (default setting) The port is physically disabled. Auto power down Specifies how the port behaves when no cable is connected. Possible values: no-power-save (default setting) The port remains activated. auto-power-down The port changes to the energy-saving mode. unsupported The port does not support this function and remains activated. Automatic configuration Activates/deactivates the automatic selection of the operating mode for the port. Possible values: marked (default setting) The automatic selection of the operating mode is active. The port negotiates the operating mode independently using autonegotiation and detects the devices connected to the TP port automatically (Auto Cable Crossing). This setting has priority over the manual setting of the port. Elapse several seconds until the port has set the operating mode. unmarked The automatic selection of the operating mode is inactive. The port operates with the values you specify in the Manual configuration column and in the Manual cable crossing (Auto. conf. off) column. Grayed-out display No automatic selection of the operating mode. Manual configuration Specifies the operating mode of the ports when the Automatic configuration function is disabled. 44 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Port ] Possible values: 10 Mbit/s HDX Half duplex connection 10 Mbit/s FDX Full duplex connection 100 Mbit/s HDX Half duplex connection 100 Mbit/s FDX Full duplex connection 1000 Mbit/s FDX Full duplex connection Note: The operating modes of the port actually available depend on the device configuration. Link/Current settings Displays the operating mode which the port currently uses. Possible values: – No cable connected, no link. 10 Mbit/s HDX Half duplex connection 10 Mbit/s FDX Full duplex connection 100 Mbit/s HDX Half duplex connection 100 Mbit/s FDX Full duplex connection 1000 Mbit/s FDX Full duplex connection Note: The operating modes of the port actually available depend on the device configuration. Manual cable crossing (Auto. conf. off) Specifies the devices connected to a TP port. The prerequisite is that the Automatic configuration function is disabled. Possible values: mdi The device interchanges the send- and receive-line pairs on the port. mdix (default setting on TP ports) The device helps prevent the interchange of the send- and receive-line pairs on the port. auto-mdix The device detects the send and receive line pairs of the connected device and automatically adapts to them. Example: When you connect an end device with a crossed cable, the device automatically resets the port from mdix to mdi. unsupported (default setting on optical ports or TP-SFP ports) The port does not support this function. RM GUI RSP Release 8.1 12/2019 45 Basic Settings [ Basic Settings > Port ] Flow control Activates/deactivates the flow control on the port. Possible values: marked (default setting) The Flow control on the port is active. The sending and evaluating of pause packets (full-duplex operation) or collisions (half-duplex operation) is activated on the port. To enable the flow control in the device, also activate the Flow control function in the Switching > Global dialog. Activate the flow control also on the port of the device that is connected to this port. On an uplink port, activating the flow control can possibly cause undesired sending breaks in the higher-level network segment (“wandering backpressure”). unmarked The Flow control on the port is inactive. If you are using a redundancy function, then you deactivate the flow control on the participating ports. If the flow control and the redundancy function are active at the same time, it is possible that the redundancy function operates differently than intended. Send trap (Link up/down) Activates/deactivates the sending of SNMP traps when the device detects changes in the link up/ down status for this port. Possible values: marked (default setting) The sending of SNMP traps is active. When the device detects a link up/down status change, the device sends an SNMP trap. unmarked The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. MTU Specifies the maximum allowed size of Ethernet packets on the port in bytes. Possible values: 1518..12288 (default setting: 1518) With the setting 1518, the port transmits the Ethernet packets up to the following size: – 1518 bytes without VLAN tag (1514 bytes + 4 bytes CRC) – 1522 bytes with VLAN tag (1518 bytes + 4 bytes CRC) This setting lets you increase the size of the Ethernet packets for specific applications. The following list contains possible applications: When you use the PRP redundancy protocol, it is possible that you require an MTU that is larger by 6 bytes. (depends on hardware) When you use the device in the transfer network with double VLAN tagging, it is possible that you require an MTU that is larger by 4 bytes. 46 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Port ] On other interfaces, you specify the maximum permissible size of the Ethernet packets as follows: • Router interfaces Routing > Interfaces > Configuration dialog, MTU value column • HSR interfaces (depends on hardware) Switching > L2-Redundancy > HSR > Configuration dialog, Configuration frame, MTU field • PRP interfaces (depends on hardware) Switching > L2-Redundancy > PRP > Configuration dialog, Configuration frame, MTU field • Link Aggregation interfaces Switching > L2-Redundancy > Link Aggregation dialog, MTU column Signal Activates/deactivates the port LED flashing. This function lets you identify the port in the field. Possible values: marked The flashing of the port LED is active. The port LED flashes until you disable the function again. unmarked (default setting) The flashing of the port LED is inactive. Link monitoring Activates/deactivates the Link monitoring function on the interface. Use the Link monitoring function for end devices that do not support Far End Fault Indication (FEFI) on optical links. Possible values: marked The Link monitoring function is active. If the device recognizes an established link, then the port LED illuminates. If the device recognizes that a link has been lost, then the port LED extinguishes. unmarked (default setting) The Link monitoring function is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Clear port statistics Resets the counter for the port statistics to 0. [Statistics] This tab displays the following overview per port: Number of data packets/bytes received in the device – Received packets – Received octets RM GUI RSP Release 8.1 12/2019 47 Basic Settings [ Basic Settings > Port ] – Received unicast packets – Received multicast packets – Received broadcast packets Number of data packets/bytes sent from the device – Transmitted packets – Transmitted octets – Transmitted unicast packets – Transmitted multicast packets – Transmitted broadcast packets Number of errors detected by the device – Received fragments – Detected CRC errors – Detected collisions Number of data packets per size category received on the device – Packets 64 bytes – Packets 65 to 127 bytes – Packets 128 to 255 bytes – Packets 256 to 511 bytes – Packets 512 to 1023 bytes – Packets 1024 to 1518 bytes Number of data packets discarded by the device – Received discards – Transmitted discards To sort the table by a specific criterion click the header of the corresponding row. For example, to sort the table based on the number of received bytes in ascending order, click the header of the Received octets column once. To sort in descending order, click the header again. To reset the counter for the port statistics in the table to 0, proceed as follows: In the Basic Settings > Port dialog, click the button and then the Clear port statistics item. or In the Basic Settings > Restart dialog, click the Clear port statistics button. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Clear port statistics Resets the counter for the port statistics to 0. [Utilization] This tab displays the utilization (network load) for the individual ports. Table Port Displays the port number. 48 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Port ] Utilization [%] Displays the current utilization in percent in relation to the time interval specified in the Control interval [s] column. The utilization is the relationship of the received data quantity to the maximum possible data quantity at the currently configured data rate. Lower threshold [%] Specifies a lower threshold for the utilization. If the utilization of the port falls below this value, then the Alarm column displays an alarm. Possible values: 0.00..100.00 (default setting: 0.00) The value 0 deactivates the lower threshold. Upper threshold [%] Specifies an upper threshold for the utilization. If the utilization of the port exceeds this value, then the Alarm column displays an alarm. Possible values: 0.00..100.00 (default setting: 0.00) The value 0 deactivates the upper threshold. Control interval [s] Specifies the interval in seconds. Possible values: 1..3600 (default setting: 30) Alarm Displays the utilization alarm status. Possible values: marked The utilization of the port is below the value specified in the Lower threshold [%] column or above the value specified in the Upper threshold [%] column. The device sends an SNMP trap. unmarked The utilization of the port is above the value specified in the Lower threshold [%] column and below the value specified in the Upper threshold [%] column. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. RM GUI RSP Release 8.1 12/2019 49 Basic Settings [ Basic Settings > Port ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Clear port statistics Resets the counter for the port statistics to 0. 50 RM GUI RSP Release 8.1 12/2019 Basic Settings [ Basic Settings > Restart ] 1.7 Restart [ Basic Settings > Restart ] This dialog lets you restart the device, reset port counters and address tables, and delete log files. Restart Restart in Displays the remaining time until the device restarts. To update the display of the remaining time, click the button. Cancel Aborts a delayed restart. Cold start... Opens the Restart dialog to initiate an immediate or delayed restart of the device. If the configuration profile in the volatile memory (RAM) and the "Selected" configuration profile in the non-volatile memory (NVM) differ, then the device displays the Warning dialog. To permanently save the changes, click the Yes button in the Warning dialog. To discard the changes, click No in the Warning dialog. In the Restart in field you specify the delay time for the delayed restart. Possible values: – 00:00:00..596:31:23 (default setting: 00:00:00) When the delay time elapsed, the device restarts and goes through the following phases: If you activate the function in the Diagnostics > System > Selftest dialog, then the device performs a RAM test. The device starts the device software that the Stored version field displays in the Basic Settings > Software dialog. The device loads the settings from the "Selected" configuration profile. See the Basic Settings > Load/Save dialog. Note: During the restart, the device does not transfer any data. During this time, the device cannot be accessed by the Graphical User Interface or other management systems. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset MAC address table Removes the MAC addresses from the forwarding table that have in the Switching > Filter for MAC Addresses dialog the value learned in the Status column. RM GUI RSP Release 8.1 12/2019 51 Basic Settings [ Basic Settings > Restart ] Reset ARP table Removes the dynamically set up addresses from the ARP table. See the Diagnostics > System > ARP dialog. Clear port statistics Resets the counter for the port statistics to 0. See the Basic Settings > Port dialog, Statistics tab. Reset IGMP snooping data Removes the IGMP Snooping entries and resets the counter in the Information frame to 0. See the Switching > IGMP Snooping > Global dialog. Delete log file Removes the logged events from the log file. See the Diagnostics > Report > System Log dialog. Delete persistent log file Removes the log files from the external memory. See the Diagnostics > Report > Persistent Logging dialog. Clear email notification statistics Resets the counters in the Information frame to 0. See the Diagnostics > Email Notification > Global dialog. 52 RM GUI RSP Release 8.1 12/2019 Time [ Time > Basic Settings ] 2 Time The menu contains the following dialogs: Basic Settings SNTP PTP 2.1 Basic Settings [ Time > Basic Settings ] The device is equipped with a buffered hardware clock. This clock maintains the correct time if the power supply fails or you disconnect the device from the power supply. After the device is started, the current time is available to you, for example for log entries. The hardware clock bridges a power supply downtime of 3 hours. The prerequisite is that the power supply of the device has been connected continually for at least 5 minutes beforehand. In this dialog, you specify time-related settings independently of the time synchronization protocol specified. The dialog contains the following tabs: [Global] [Daylight saving time] [Global] In this tab, you specify the system time in the device and the time zone. Configuration System time (UTC) Displays the current date and time with reference to Universal Time Coordinated (UTC). Set time from PC The device uses the time on the PC as the system time. System time Displays the current date and time with reference to the local time: System time = System time (UTC) + Local offset [min] + Daylight saving time Time source Displays the time source from which the device gets the time information. RM GUI RSP Release 8.1 12/2019 53 Time [ Time > Basic Settings ] The device automatically selects the available time source with the greatest accuracy. Possible values: local System clock of the device. sntp The SNTP client is activated and the device is synchronized by an SNTP server. ptp PTP is activated and the clock of the device is synchronized with a PTP master clock. Local offset [min] Specifies the difference between the local time and System time (UTC) in minutes: Local offset [min] = System time − System time (UTC) Possible values: -780..840 (default setting: 60) Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Daylight saving time] In this tab, you activate the automatic daylight saving time function. You specify the beginning and the end of summertime using a pre-defined profile, or you specify these settings individually. During summertime, the device puts the local time forward by 1 hour. Operation Daylight saving time Enables/disables the Daylight saving time mode. Possible values: On The Daylight saving time mode is enabled. The device automatically changes between summertime and wintertime. Off (default setting) The Daylight saving time mode is disabled. The times at which the device changes between summertime and wintertime are specified in the Summertime begin and Summertime end frames. Profile... Displays the Profile... dialog. There you select a pre-defined profile for the beginning and the end of summertime. This profile overwrites the settings in the Summertime begin and Summertime end frames. 54 RM GUI RSP Release 8.1 12/2019 Time [ Time > Basic Settings ] Summertime begin In the first 3 fields you specify the day for the beginning of summertime, and in the last field the time. When the time in the System time field reaches the value entered here, the device switches to summertime. Week Specifies the week in the current month. Possible values: none (default setting) first second third fourth last Day Specifies the day of the week. Possible values: none (default setting) Sunday Monday Tuesday Wednesday Thursday Friday Saturday Month Specifies the month. Possible values: none (default setting) January February March April May June July August September October November December RM GUI RSP Release 8.1 12/2019 55 Time [ Time > Basic Settings ] System time Specifies the time. Possible values: <HH:MM> (default setting: 00:00) Summertime end In the first 3 fields you specify the day for the end of summertime, and in the last field the time. When the time in the System time field reaches the value entered here, the device switches to wintertime. Week Specifies the week in the current month. Possible values: none (default setting) first second third fourth last Day Specifies the day of the week. Possible values: none (default setting) Sunday Monday Tuesday Wednesday Thursday Friday Saturday Month Specifies the month. Possible values: none (default setting) January February March April 56 RM GUI RSP Release 8.1 12/2019 Time [ Time > SNTP ] May June July August September October November December System time Specifies the time. Possible values: <HH:MM> (default setting: 00:00) Buttons You find the description of the standard buttons in section “Buttons” on page 15. 2.2 SNTP [ Time > SNTP ] The Simple Network Time Protocol (SNTP) is a procedure described in the RFC 4330 for time synchronization in the network. The device lets you synchronize the system time in the device as an SNTP client. As the SNTP server, the device makes the time information available to other devices. The menu contains the following dialogs: SNTP Client SNTP Server RM GUI RSP Release 8.1 12/2019 57 Time [ Time > SNTP > Client ] 2.2.1 SNTP Client [ Time > SNTP > Client ] In this dialog, you specify the settings with which the device operates as an SNTP client. As an SNTP client the device obtains the time information from both SNTP servers and NTP servers and synchronizes the local clock with the time of the time server. Operation Operation Enables/disables the SNTP Client function of the device. Possible values: On The SNTP Client function is enabled. The device operates as an SNTP client. Off (default setting) The SNTP Client function is disabled. Configuration Mode Specifies whether the device actively requests the time information from an SNTP server known and configured in the network (Unicast mode) or passively waits for the time information from a random SNTP server (Broadcast mode). Possible values: unicast (default setting) The device takes the time information only from the configured SNTP server. The device sends Unicast requests to the SNTP server and evaluates its responses. broadcast The device obtains the time information from one or more SNTP or NTP servers. The device evaluates the Broadcasts or Multicasts only from these servers. Request interval [s] Specifies the interval in seconds at which the device requests time information from the SNTP server. Possible values: 5..3600 (default setting: 30) Broadcast recv timeout [s] Specifies the time in seconds a client in broadcast client mode waits before changing the value in the field from syncToRemoteServer to notSynchronized when the client receives no broadcast packets. 58 RM GUI RSP Release 8.1 12/2019 Time [ Time > SNTP > Client ] Possible values: 128..2048 (default setting: 320) Disable client after successful sync Activates/deactivates the disabling of the SNTP client after the device has successfully synchronized the time. Possible values: marked The disabling of the SNTP client is active. The device deactivates the SNTP client after successful time synchronization. unmarked (default setting) The disabling of the SNTP client is inactive. The SNTP client remains active after successful time synchronization. State State Displays the status of the SNTP client. Possible values: disabled The SNTP client is disabled. notSynchronized The SNTP client is not synchronized with any SNTP or NTP server. synchronizedToRemoteServer The SNTP client is synchronized with an SNTP or NTP server. Table In the table you specify the settings for up to 4 SNTP servers. Index Displays the index number to which the table entry relates. Possible values: 1..4 The device automatically assigns this number. When you delete a table entry, this leaves a gap in the numbering. When you create a new table entry, the device fills the first gap. RM GUI RSP Release 8.1 12/2019 59 Time [ Time > SNTP > Client ] After starting, the device sends requests to the SNTP server configured in the first table entry. When the server does not reply, the device sends its requests to the SNTP server configured in the next table entry. If none of the configured SNTP servers responds in the meantime, then the SNTP client interrupts its synchronization. The device cyclically sends requests to each SNTP server until a server delivers a valid time. The device synchronizes itself with this SNTP server, even if the other servers can be reached again later. Name Specifies the name of the SNTP server. Possible values: Alphanumeric ASCII character string with 1..32 characters Address Specifies the IP address of the SNTP server. Possible values: Valid IPv4 address or Hostname (default setting: 0.0.0.0) Destination UDP port Specifies the UDP Port on which the SNTP server expects the time information. Possible values: 1..65535 (default setting: 123) Exception: Port 2222 is reserved for internal functions. Status Displays the connection status between the SNTP client and the SNTP server. Possible values: success The device has successfully synchronized the time with the SNTP server. badDateEncoded The time information received contains protocol errors - synchronization failed. other – The value 0.0.0.0 is entered for the IP address of the SNTP server - synchronization failed. or – The SNTP client is using a different SNTP server. requestTimedOut The device has not received a reply from the SNTP server - synchronization failed. serverKissOfDeath The SNTP server is overloaded. The device is requested to synchronize itself with another SNTP server. When no other SNTP server is available, the device checks at intervals longer than the setting in the Request interval [s] field, if the server is still overloaded. 60 RM GUI RSP Release 8.1 12/2019 Time [ Time > SNTP > Client ] serverUnsychronized The SNTP server is not synchronized with either a local or an external reference time source synchronization failed. versionNotSupported The SNTP versions on the client and the server are incompatible with each other synchronization failed. Active Activates/deactivates the connection to the SNTP server. Possible values: marked The connection to the SNTP server is activated. The SNTP client has access to the SNTP server. unmarked (default setting) The connection to the SNTP server is deactivated. The SNTP client has no access to the SNTP server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 61 Time [ Time > SNTP > Server ] 2.2.2 SNTP Server [ Time > SNTP > Server ] In this dialog, you specify the settings with which the device operates as an SNTP server. The SNTP server provides the Universal Time Coordinated (UTC) without considering local time differences. If the setting is appropriate, then the SNTP server operates in the broadcast mode. In broadcast mode, the SNTP server automatically sends broadcast messages or multicast messages according to the broadcast send interval. Operation Operation Enables/disables the SNTP Server function of the device. Possible values: On The SNTP Server function is enabled. The device operates as an SNTP server. Off (default setting) The SNTP Server function is disabled. Note the setting in the Disable server at local time source checkbox in the Configuration frame. Configuration UDP port Specifies the number of the UDP port on which the SNTP server of the device receives requests from other clients. Possible values: 1..65535 (default setting: 123) Exception: Port 2222 is reserved for internal functions. Broadcast admin mode Activates/deactivates the Broadcast mode. marked The SNTP server replies to requests from SNTP clients in Unicast mode and also sends SNTP packets in Broadcast mode as Broadcasts or Multicasts. unmarked (default setting) The SNTP server replies to requests from SNTP clients in the Unicast mode. Broadcast destination address Specifies the IP address to which the SNTP server of the device sends the SNTP packets in Broadcast mode. 62 RM GUI RSP Release 8.1 12/2019 Time [ Time > SNTP > Server ] Possible values: Valid IPv4 address (default setting: 0.0.0.0) Broadcast and Multicast addresses are permitted. Broadcast UDP port Specifies the number of the UDP port on which the SNTP server sends the SNTP packets in Broadcast mode. Possible values: 1..65535 (default setting: 123) Exception: Port 2222 is reserved for internal functions. Broadcast VLAN ID Specifies the ID of the VLAN in which the SNTP server of the device sends the SNTP packets in Broadcast mode. Possible values: 0 The SNTP server sends the SNTP packets in the same VLAN in which the access to the device management is possible. See the Basic Settings > Network dialog. 1..4042 (default setting: 1) Broadcast send interval [s] Specifies the time interval at which the SNTP server of the device sends SNTP broadcast packets. Possible values: 64..1024 (default setting: 128) Disable server at local time source Activates/deactivates the disabling of the SNTP server when the device is synchronized to the local clock. Possible values: marked The disabling of the SNTP server is active. If the device is synchronized to the local clock, then the device disables the SNTP server. The SNTP server continues to reply to requests from SNTP clients. In the SNTP packet, the SNTP server informs the clients that it is synchronized locally. unmarked (default setting) The disabling of the SNTP server is inactive. If the device is synchronized to the local clock, then the SNTP server remains active. State State Displays the state of the SNTP server. RM GUI RSP Release 8.1 12/2019 63 Time [ Time > PTP ] Possible values: disabled The SNTP server is disabled. notSynchronized The SNTP server is not synchronized with either a local or an external reference time source. syncToLocal The SNTP server is synchronized with the hardware clock of the device. syncToRefclock The SNTP server is synchronized with an external reference time source, for example PTP. syncToRemoteServer The SNTP server is synchronized with an SNTP server that is higher than the device in a cascade. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 2.3 PTP [ Time > PTP ] The menu contains the following dialogs: PTP Global PTP Boundary Clock PTP Transparent Clock 64 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Global ] 2.3.1 PTP Global [ Time > PTP > Global ] In this dialog, you specify basic settings for the PTP protocol. The Precision Time Protocol (PTP) is a procedure described in the IEEE 1588-2008 standard that supplies the devices in the network with a precise time. The method synchronizes the clocks in the network with a precision of a few 100 ns. The protocol uses Multicast communication, so the load on the network due to the PTP synchronization messages is negligible. PTP is significantly more accurate than SNTP. If the SNTP function and the PTP function are enabled in the device at the same time, then the PTP function has priority. With the Best Master Clock Algorithm, the devices in the network determine which device has the most accurate time. The devices use the device with the most accurate time as the reference time source (Grandmaster). Subsequently the participating devices synchronize themselves with this reference time source. If you want to transport PTP time accurately through your network, then use only devices with PTP hardware support on the transport paths. The protocol differentiates between the following clocks: Boundary Clock (BC) This clock has any number of PTP ports and operates as both PTP master and PTP slave. In its respective network segment, the clock operates as an Ordinary Clock. – As PTP slave, the clock synchronizes itself with a PTP master that is higher than the device in the cascade. – As PTP master, the clock forwards the time information via the network to PTP slaves that are higher than the device in the cascade. Transparent Clock (TC) This clock has any number of PTP ports. In contrast to the Boundary Clock, this clock corrects the time information before forwarding it, without synchronizing itself. Operation IEEE1588/PTP Operation IEEE1588/PTP Enables/disables the PTP function. Possible values: On The PTP function is enabled. The device synchronizes its clock with PTP. If the SNTP function and the PTP function are enabled in the device at the same time, then the PTP function has priority. Off (default setting) The PTP function is disabled. The device transmits the PTP synchronization messages without any correction on every port. RM GUI RSP Release 8.1 12/2019 65 Time [ Time > PTP > Global ] Configuration IEEE1588/PTP PTP mode Specifies the PTP version and mode of the local clock. Possible values: v2-transparent-clock (default setting) v2-boundary-clock Sync lower bound [ns] Specifies the lower threshold value in nanoseconds for the path difference between the local clock and the reference time source (Grandmaster). If the path difference falls below this value once, then the local clock is classed as synchronized. Possible values: 0..999999999 (default setting: 30) Sync upper bound [ns] Specifies the upper threshold value in nanoseconds for the path difference between the local clock and the reference time source (Grandmaster). If the path difference exceeds this value once, then the local clock is classed as unsynchronized. Possible values: 31..1000000000 (default setting: 5000) PTP management Activates/deactivates the PTP management defined in the PTP standard. Possible values: marked PTP management is activated. unmarked (default setting) PTP management is deactivated. Status Is synchronized Displays whether the local clock is synchronized with the reference time source (Grandmaster). If the path difference between the local clock and the reference time source (Grandmaster) falls below the synchronization lower threshold one time, then the local clock is synchronized. This status is kept until the path difference exceeds the synchronization upper threshold one time. You specify the synchronization thresholds in the Configuration IEEE1588/PTP frame. 66 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Boundary Clock ] Max. offset absolute [ns] Displays the maximum path difference in nanoseconds that has occurred since the local clock was synchronized with the reference time source (Grandmaster). PTP time Displays the date and time for the PTP time scale when the local clock is synchronized with the reference time source (Grandmaster). Format: Month Day, Year hh:mm:ss AM/PM Buttons You find the description of the standard buttons in section “Buttons” on page 15. 2.3.2 PTP Boundary Clock [ Time > PTP > Boundary Clock ] With this menu you can configure the Boundary Clock mode for the local clock. The menu contains the following dialogs: PTP Boundary Clock Global PTP Boundary Clock Port RM GUI RSP Release 8.1 12/2019 67 Time [ Time > PTP > Boundary Clock > Global ] 2.3.2.1 PTP Boundary Clock Global [ Time > PTP > Boundary Clock > Global ] In this dialog, you enter general, cross-port settings for the Boundary Clock mode for the local clock. The Boundary Clock (BC) operates according to PTP version 2 (IEEE 1588-2008). The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock. Operation IEEE1588/PTPv2 BC Priority 1 Specifies priority 1 for the device. Possible values: 0..255 (default setting: 128) The Best Master Clock Algorithm first evaluates priority 1 among the participating devices in order to determine the reference time source (Grandmaster). The lower you set this value, the more probable it is that the device becomes the reference time source (Grandmaster). See the Grandmaster frame. Priority 2 Specifies priority 2 for the device. Possible values: 0..255 (default setting: 128) When the previously evaluated criteria are the same for multiple devices, the Best Master Clock Algorithm evaluates priority 2 of the participating devices. The lower you set this value, the more probable it is that the device becomes the reference time source (Grandmaster). See the Grandmaster frame. Domain number Assigns the device to a PTP domain. Possible values: 0..255 (default setting: 0) The device transmits time information from and to devices only in the same domain. Status IEEE1588/PTPv2 BC Two step Displays that the clock is operating in Two-Step mode. 68 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Boundary Clock > Global ] Steps removed Displays the number of communication paths passed through between the local clock of the device and the reference time source (Grandmaster). For a PTP slave, the value 1 means that the clock is connected with the reference time source (Grandmaster) directly through 1 communication path. Offset to master [ns] Displays the measured difference (offset) between the local clock and the reference time source (Grandmaster) in nanoseconds. The PTP slave calculates the difference from the time information received. In Two-Step mode the time information consists of 2 PTP synchronization messages each, which the PTP master sends cyclically: The first synchronization message (sync message) contains an estimated value for the exact sending time of the message. The second synchronization message (follow-up message) contains the exact sending time of the first message. The PTP slave uses the two PTP synchronization messages to calculate the difference (offset) from the master and corrects its clock by this difference. Here the PTP slave also considers the Delay to master [ns] value. Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to the PTP slave in nanoseconds. The PTP slave sends a “Delay Request” packet to the PTP master and thus determines the exact sending time of the packet. When it receives the packet, the PTP master generates a time stamp and sends this in a “Delay Response” packet back to the PTP slave. The PTP slave uses the two packets to calculate the delay, and considers this starting from the next offset measurement. The prerequisite is that the delay mechanism value of the slave ports is specified as e2e. Grandmaster This frame displays the criteria that the Best Master Clock Algorithm uses when evaluating the reference time source (Grandmaster). The algorithm first evaluates priority 1 of the participating devices. The device with the lowest value for priority 1 is designated as the reference time source (Grandmaster). When the value is the same for multiple devices, the algorithm takes the next criterion, and when this is also the same, the algorithm takes the next criterion after this one. When every value is the same for multiple devices, the lowest value in the Clock identity field decides which device is designated as the reference time source (Grandmaster). The device lets you influence which device in the network is designated as the reference time source (Grandmaster). To do this, modify the value in the Priority 1 field or the Priority 2 field in the Operation IEEE1588/PTPv2 BC frame. Priority 1 Displays priority 1 for the device that is currently the reference time source (Grandmaster). RM GUI RSP Release 8.1 12/2019 69 Time [ Time > PTP > Boundary Clock > Global ] Clock class Displays the class of the reference time source (Grandmaster). Parameter for the Best Master Clock Algorithm. Clock accuracy Displays the estimated accuracy of the reference time source (Grandmaster). Parameter for the Best Master Clock Algorithm. Clock variance Displays the variance of the reference time source (Grandmaster), also known as the Offset scaled log variance. Parameter for the Best Master Clock Algorithm. Priority 2 Displays priority 2 for the device that is currently the reference time source (Grandmaster). Local time properties Time source Specifies the time source from which the local clock gets its time information. Possible values: atomicClock gps terrestrialRadio ptp ntp handSet other internalOscillator (default setting) UTC offset [s] Specifies the difference between the PTP time scale and the UTC. See the PTP timescale checkbox. Possible values: -32768..32767 Note: The default setting is the value valid on the creation date of the device software. You can find further information in the "Bulletin C" of the Earth Rotation and Reference Systems Service (IERS): http://www.iers.org/IERS/EN/Publications/Bulletins/bulletins.html UTC offset valid Specifies whether the value specified in the UTC offset [s] field is correct. 70 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Boundary Clock > Global ] Possible values: marked unmarked (default setting) Time traceable Displays whether the device gets the time from a primary UTC reference, for example from an NTP server. Possible values: marked unmarked Frequency traceable Displays whether the device gets the frequency from a primary UTC reference, for example from an NTP server. Possible values: marked unmarked PTP timescale Displays whether the device uses the PTP time scale. Possible values: marked unmarked According to IEEE 1588, the PTP time scale is the TAI atomic time started on 01.01.1970. In contrast to UTC, TAI does not use leap seconds. On 01.01.2017, the difference between TAI and UTC was +37 seconds. Identities The device displays the identities as byte sequences in hexadecimal notation. The identification numbers (UUID) are made up as follows: The device identification number consists of the MAC address of the device, with the values ff and fe added between byte 3 and byte 4. The port UUID consists of the device identification number followed by a 16-bit port ID. Clock identity Displays the device’s own identification number (UUID). Parent port identity Displays the port identification number (UUID) of the directly superior master device. RM GUI RSP Release 8.1 12/2019 71 Time [ Time > PTP > Boundary Clock > Global ] Grandmaster identity Displays the identification number (UUID) of the reference time source (Grandmaster) device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 72 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Boundary Clock > Port ] 2.3.2.2 PTP Boundary Clock Port [ Time > PTP > Boundary Clock > Port ] In this dialog, you specify the Boundary Clock (BC) settings on each individual port. The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock. Table Port Displays the port number. PTP enable Activates/deactivates PTP synchronization message transmission on the port. Possible values: marked (default setting) The transmission is activated. The port forwards and receives PTP synchronization messages. unmarked The transmission is deactivated. The port blocks PTP synchronization messages. PTP status Displays the current status of the port. Possible values: initializing Initialization phase faulty Faulty mode: error in the PTP protocol. disabled PTP is disabled on the port. listening Device port is waiting for PTP synchronization messages. pre-master PTP pre-master mode master PTP master mode passive PTP passive mode uncalibrated PTP uncalibrated mode slave PTP slave mode Sync interval Specifies the interval in seconds at which the port transmits PTP synchronization messages. RM GUI RSP Release 8.1 12/2019 73 Time [ Time > PTP > Boundary Clock > Port ] Possible values: 0.25 0.5 1 (default setting) 2 Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP synchronization messages. Possible values: disabled The measurement of the delay for the PTP synchronization messages for the connected PTP devices is inactive. e2e (default setting) End-to-End: As the PTP slave, the port measures the delay for the PTP synchronization messages to the PTP master. The device displays the measured value in the Time > PTP > Boundary Clock > Global dialog. p2p Peer-to-Peer: The device measures the delay for the PTP synchronization messages for the connected PTP devices, provided that these devices support P2P. This mechanism saves the device from having to determine the delay again in the case of a reconfiguration. P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages. The prerequisite is that you select the value p2p in the Delay mechanism column. P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay. The prerequisite is that you have specified the value p2p on this port and on the port of the remote device. Possible values: 1 (default setting) 2 4 8 16 32 Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages. Possible values: IEEE 802.3 (default setting) UDP/IPv4 74 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Boundary Clock > Port ] Announce interval [s] Specifies the interval in seconds at which the port transmits messages for the PTP topology discovery. Assign the same value to every device of a PTP domain. Possible values: 1 2 (default setting) 4 8 16 Announce timeout Specifies the number of announce intervals. Example: For the default setting (Announce interval [s] = 2 and Announce timeout = 3), the timeout is 3 ∙ 2 s = 6 s. Possible values: 2..10 (default setting: 3) Assign the same value to every device of a PTP domain. E2E delay interval [s] Displays the interval in seconds at which the port measures the End-to-End delay: When the port is operating as the PTP master, the device assigns to the port the value 8. When the port is operating as the PTP slave, the value is specified by the PTP master connected to the port. V1 hardware compatibility Specifies whether the port adjusts the length of the PTP synchronization messages when you have set in the Network protocol column the value udpIpv4. It is possible that other devices in the network expect the PTP synchronization messages to be the same length as PTPv1 messages. Possible values: auto (default setting) The device automatically detects whether other devices in the network expect the PTP synchronization messages to be the same length as PTPv1 messages. If this is the case, then the device extends the length of the PTP synchronization messages before transmitting them. on The device extends the length of the PTP synchronization messages before transmitting them. off The device transmits PTP synchronization messages without changing the length. Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths. RM GUI RSP Release 8.1 12/2019 75 Time [ Time > PTP > Transparent Clock ] Possible values: -2000000000..2000000000 (default setting: 0) The value represents the delay symmetry in nanoseconds. A measured delay value of x ns corresponds to an asymmetry of x∙2 ns. The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite direction. VLAN Specifies the VLAN ID with which the device marks the PTP synchronization messages on this port. Possible values: none (default setting) The device transmits PTP synchronization messages without a VLAN tag. 0..4042 You specify VLANs that you have already set up in the device from the list. Verify that the port is a member of the VLAN. See the Switching > VLAN > Configuration dialog. VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked with a VLAN ID (Layer 2, IEEE 802.1D). Possible values: 0..7 (default setting: 4) If you specified in the VLAN column the value none, then the device ignores the VLAN priority. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 2.3.3 PTP Transparent Clock [ Time > PTP > Transparent Clock ] With this menu you can configure the Transparent Clock mode for the local clock. The menu contains the following dialogs: PTP Transparent Clock Global PTP Transparent Clock Port 76 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Transparent Clock > Global ] 2.3.3.1 PTP Transparent Clock Global [ Time > PTP > Transparent Clock > Global ] In this dialog, you enter general, cross-port settings for the Transparent Clock mode for the local clock. The Transparent Clock (TC) operates according to PTP version 2 (IEEE 1588-2008). The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock. Operation IEEE1588/PTPv2 TC Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP synchronization messages. Possible values: e2e (default setting) As the PTP slave, the port measures the delay for the PTP synchronization messages to the PTP master. The device displays the measured value in the Time > PTP > Transparent Clock > Global dialog. p2p The device measures the delay for the PTP synchronization messages for every connected PTP device, provided that the device supports P2P. This mechanism saves the device from having to determine the delay again in the case of a reconfiguration. If you specify this value, then the value IEEE 802.3 is only available in the Network protocol field. e2e-optimized Like e2e, with the following special characteristics: – The device transmits the delay requests of the PTP slaves only to the PTP master, even though these requests are multicast messages. The device thus spares the other devices from unnecessary multicast requests. – If the master-slave topology changes, then the device relearns the port for the PTP master as soon as it receives a synchronization message from another PTP master. – If the device does not know a PTP master, then the device transmits delay requests to the ports. disabled The delay measuring is disabled on the port. The device discards messages for the delay measuring. Primary domain Assigns the device to a PTP domain. Possible values: 0..255 (default setting: 0) The device transmits time information from and to devices only in the same domain. Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages. RM GUI RSP Release 8.1 12/2019 77 Time [ Time > PTP > Transparent Clock > Global ] Possible values: ieee8023 (default setting) udpIpv4 Multi domain mode Activates/deactivates the PTP synchronization message correction in every PTP domain. Possible values: marked The device corrects PTP synchronization messages in every PTP domain. unmarked (default setting) The device corrects PTP synchronization messages only in the primary PTP domain. See the Primary domain field. VLAN ID Specifies the VLAN ID with which the device marks the PTP synchronization messages on this port. Possible values: none (default setting) The device transmits PTP synchronization messages without a VLAN tag. 0..4042 You specify VLANs that you have already set up in the device from the list. VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked with a VLAN ID (Layer 2, IEEE 802.1D). Possible values: 0..7 (default setting: 4) If you specified the value none in the VLAN ID field, then the device ignores the specified value. Local synchronization Syntonize Activates/deactivates the frequency synchronization of the Transparent Clock with the PTP master. Possible values: marked (default setting) The frequency synchronization is active. The device synchronizes the frequency. unmarked The frequency synchronization is inactive. The frequency remains constant. Synchronize local clock Activates/deactivates the synchronization of the local system time. 78 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Transparent Clock > Global ] Possible values: marked The synchronization is active. The device synchronizes the local system time with the time received via PTP. The prerequisite is that the Syntonize checkbox is marked. unmarked (default setting) The synchronization is inactive. The local system time remains constant. Current master Displays the port identification number (UUID) of the directly superior master device on which the device synchronizes its frequency. If the value contains only zeros, this is because: The Syntonize function is disabled. or The device cannot find a PTP master. Offset to master [ns] Displays the measured difference (offset) between the local clock and the PTP master in nanoseconds. The device calculates the difference from the time information received. The prerequisite is that the Synchronize local clock function is enabled. Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to the PTP slave in nanoseconds. Prerequisite: The Synchronize local clock function is enabled. In the Delay mechanism field, the value e2e is selected. Status IEEE1588/PTPv2 TC Clock identity Displays the device’s own identification number (UUID). The device displays the identities as byte sequences in hexadecimal notation. The device identification number consists of the MAC address of the device, with the values ff and fe added between byte 3 and byte 4. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 79 Time [ Time > PTP > Transparent Clock > Port ] 2.3.3.2 PTP Transparent Clock Port [ Time > PTP > Transparent Clock > Port ] In this dialog, you specify the Transparent Clock (TC) settings on each individual port. The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock. Table Port Displays the port number. PTP enable Activates/deactivates the transmitting of PTP synchronization messages on the port. Possible values: marked (default setting) The transmitting is active. The port forwards and receives PTP synchronization messages. unmarked The transmitting is inactive. The port blocks PTP synchronization messages. P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay. The prerequisite is that you specify the value p2p on this port and on the port of the remote terminal. See the Delay mechanism option list in the Time > PTP > Transparent Clock > Global dialog. Possible values: 1 (default setting) 2 4 8 16 32 P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages. The prerequisite is that you select in the Delay mechanism option list the radio button p2p. See the Delay mechanism field in the Time > PTP > Transparent Clock > Global dialog. Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths. 80 RM GUI RSP Release 8.1 12/2019 Time [ Time > PTP > Transparent Clock > Port ] Possible values: -2000000000..2000000000 (default setting: 0) The value represents the delay symmetry in nanoseconds. A measured delay value of x ns corresponds to an asymmetry of x∙2 ns. The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite direction. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 81 Device Security [ Device Security > User Management ] 3 Device Security The menu contains the following dialogs: User Management Authentication List LDAP Management Access Pre-login Banner 3.1 User Management [ Device Security > User Management ] If users log in with valid login data, then the device lets them have access to its device management. In this dialog you manage the users of the local user management. You also specify the following settings here: Settings for the login Settings for saving the passwords Specify policy for valid passwords The methods that the device uses for the authentication you specify in the Device Security > Authentication List dialog. Configuration This frame lets you specify settings for the login. Login attempts Number of login attempts possible. Possible values: 0..5 (default setting: 0) If the user makes one more unsuccessful login attempt, then the device locks access for the user. The device lets only users with the administrator authorization remove the lock. The value 0 deactivates the lock. The user has unlimited attempts to login. Login attempts period Displays the time period before the device resets the counter in the Login attempts field. Possible values: 0..60 (default setting: 0) 82 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > User Management ] Min. password length The device accepts the password if it contains at least the number of characters specified here. The device checks the password according to this setting, regardless of the setting for the Policy check checkbox. Possible values: 1..64 (default setting: 6) Password policy This frame lets you specify the policy for valid passwords. The device checks every new password and password change according to this policy. The settings effect the Password column. The prerequisite is that you mark the checkbox in the Policy check column. Upper-case characters (min.) The device accepts the password if it contains at least as many upper-case letters as specified here. Possible values: 0..16 (default setting: 1) The value 0 deactivates this setting. Lower-case characters (min.) The device accepts the password if it contains at least as many lower-case letters as specified here. Possible values: 0..16 (default setting: 1) The value 0 deactivates this setting. Digits (min.) The device accepts the password if it contains at least as many numbers as specified here. Possible values: 0..16 (default setting: 1) The value 0 deactivates this setting. Special characters (min.) The device accepts the password if it contains at least as many special characters as specified here. RM GUI RSP Release 8.1 12/2019 83 Device Security [ Device Security > User Management ] Possible values: 0..16 (default setting: 1) The value 0 deactivates this setting. Table Every user requires an active user account to gain access to the device management. The table lets you set up and manage user accounts. To change settings, click the desired parameter in the table and modify the value. User name Displays the name of the user account. To create a new user account, click the button. Active Activates/deactivates the user account. Possible values: marked The user account is active. The device accepts the login of a user with this user name. unmarked (default setting) The user account is inactive. The device rejects the login of a user with this user name. When one user account exists with the administrator access role, this user account is constantly active. Password Displays ***** (asterisks) instead of the password with which the user logs in. To change the password, click the relevant field. Possible values: Alphanumeric ASCII character string with 6..64 characters The following characters are allowed: – a..z – A..Z – 0..9 – !#$%&'()*+,-./:;<=>?@[\]^_`{}~ The minimum length of the password is specified in the Configuration frame. The device differentiates between upper and lower case. If the checkbox in the Policy check column is marked, then the device checks the password according to the policy specified in the Password policy frame. The device constantly checks the minimum length of the password, even if the checkbox in the Policy check column is unmarked. 84 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > User Management ] Role Specifies the user role that regulates the access of the user to the individual functions of the device. Possible values: unauthorized The user is blocked, and the device rejects the user log on. Assign this value to temporarily lock the user account. If the device detects an error when another role is being assigned, then the device assigns this role to the user account. guest (default setting) The user is authorized to monitor the device. auditor The user is authorized to monitor the device and to save the log file in the Diagnostics > Report > Audit Trail dialog. operator The user is authorized to monitor the device and to change the settings – with the exception of security settings for device access. administrator The user is authorized to monitor the device and to change the settings. The device assigns the Service Type transferred in the response of a RADIUS server as follows to a user role: • • • Administrative-User: administrator Login-User: operator NAS-Prompt-User: guest User locked Unlocks the user account. Possible values: marked The user account is locked. The user has no access to the device management. If the user makes too many unsuccessful log in attempts, then the device automatically locks the user. unmarked (grayed out) (default setting) The user account is unlocked. The user has access to the device management. Policy check Activates/deactivates the password check. Possible values: marked The password check is activated. When you set up or change the password, the device checks the password according to the policy specified in the Password policy frame. unmarked (default setting) The password check is deactivated. SNMP auth type Specifies the authentication protocol that the device applies for user access via SNMPv3. RM GUI RSP Release 8.1 12/2019 85 Device Security [ Device Security > User Management ] Possible values: hmacmd5 (default value) For this user account, the device uses protocol HMACMD5. hmacsha For this user account, the device uses protocol HMACSHA. SNMP encryption type Specifies the encryption protocol that the device applies for user access via SNMPv3. Possible values: none No encryption. des (default value) DES encryption aesCfb128 AES128 encryption Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the User name field, you specify the name of the user account. Possible values: – Alphanumeric ASCII character string with 1..32 characters 86 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Authentication List ] 3.2 Authentication List [ Device Security > Authentication List ] In this dialog you manage the authentication lists. In a authentication list you specify which method the device uses for the authentication. You also have the option to assign pre-defined applications to the authentication lists. If users log in with valid login data, then the device lets them have access to its device management. The device authenticates the users using the following methods: User management of the device LDAP RADIUS With the port-based access control according to IEEE 802.1X, if connected end devices log in with valid login data, then the device lets them have access to the network. The device authenticates the end devices using the following methods: RADIUS IAS (Integrated Authentication Server) In the default setting the following authentication lists are available: defaultDot1x8021AuthList defaultLoginAuthList defaultV24AuthList Table Note: If the table does not contain a list, then the access to the device management is only possible using the Command Line Interface through the serial interface of the device. In this case, the device authenticates the user by using the local user management. See the Device Security > User Management dialog. Name Displays the name of the list. To create a new list, click the button. Possible values: Alphanumeric ASCII character string with 1..32 characters Policy 1 Policy 2 Policy 3 Policy 4 Policy 5 Specifies the authentication policy that the device uses for access using the application specified in the Dedicated applications column. The device gives you the option of a fall-back solution. For this, you specify another policy in each of the policy fields. If the authentication with the specified policy is unsuccessful, then the device can use the next policy, depending on the order of the values entered in each policy. RM GUI RSP Release 8.1 12/2019 87 Device Security [ Device Security > Authentication List ] Possible values: local (default setting) The device authenticates the users by using the local user management. See the Device Security > User Management dialog. You cannot assign this value to the authentication list defaultDot1x8021AuthList. radius The device authenticates the users with a RADIUS server in the network. You specify the RADIUS server in the Network Security > RADIUS > Authentication Server dialog. reject The device accepts or rejects the authentication depending on which policy you try first. The following list contains authentication scenarios: – If the first policy in the authentication list is local and the device accepts the credentials of the user, then it logs the user in without attempting the other polices. – If the first policy in the authentication list is local and the device denies the credentials of the user, then it attempts to log the user in using the other polices in the order specified. – If the first policy in the authentication list is radius or ldapand the device rejects a login, then the login is immediately rejected without attempting to login the user using another policy. If there is no response from the RADIUS or LDAP server, then the device attempts to authenticate the user with the next policy. – If the first policy in the authentication list is reject, then the devices immediately rejects the user login without attempting another policy. – Verify that the authentication list defaultV24AuthList contains at least one policy different from reject. ias The device authenticates the end devices logging in via 802.1X with the integrated authentication server (IAS). The integrated authentication server manages the log in data in a separate database. See the Network Security > 802.1X Port Authentication > Integrated Authentication Server dialog. You can only assign this value to the authentication list defaultDot1x8021AuthList. ldap The device authenticates the users with authentication data and access role saved in a central location. You specify the Active Directory server that the device uses in the Network Security > LDAP > Configuration dialog. Dedicated applications Displays the dedicated applications. When users access the device with the relevant application, the device uses the specified policies for the authentication. To allocate another application to the list or remove the allocation, click the button and then the Allocate applications item. The device lets you assign each application to exactly one list. Active Activates/deactivates the list. Possible values: marked The list is activated. The device uses the policies in this list when users access the device with the relevant application. unmarked (default setting) The list is deactivated. 88 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > LDAP ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Allocate applications Opens the Allocate applications window. The left field displays the applications that can be allocated to the highlighted list. The right field displays the applications that are allocated to the highlighted list. Buttons: Moves every entry to the right field. Moves the highlighted entries from the left field to the right field. Moves the highlighted entries from the right field to the left field. Moves every entry to the left field. Note: When you move the entry WebInterface to the left field, the connection to the device is lost, after you click the Ok button. 3.3 LDAP [ Device Security > LDAP ] The Lightweight Directory Access Protocol (LDAP) lets you authenticate and authorize the users at a central point in the network. A widely used directory service accessible through LDAP is Active Directory®. The device forwards the log in data of the user to the authentication server using the LDAP protocol. The authentication server decides whether the login data is valid and transfers the user’s authorizations to the device. Upon successful log on, the device saves the log on data temporarily in the cache. This speeds up the logon process when users logon again. In this case, no complex LDAP search operation is necessary. The menu contains the following dialogs: LDAP Configuration LDAP Role Mapping RM GUI RSP Release 8.1 12/2019 89 Device Security [ Device Security > LDAP > Configuration ] 3.3.1 LDAP Configuration [ Device Security > LDAP > Configuration ] This dialog lets you specify up to 4 authentication servers. An authentication server authenticates and authorizes the users when the device forwards the login data to the server. The device sends the log on data to the first authentication server. When no response comes from this server, the device contacts the next server in the table. Operation Operation Enables/disables the LDAP client. If in the Device Security > Authentication List dialog you specify the value ldap in 1 of the rows Policy 1 to Policy 5, then the device uses the LDAP client. Prior to this, specify in the Device Security > LDAP > Role Mapping dialog at least 1 Mapping for this role administrator. This provides you access to the device as administrator after logging on through LDAP. Possible values: On The LDAP client is enabled. Off (default setting) The LDAP client is disabled. Configuration Client cache timeout [min] Specifies for how many minutes after successfully logging on the logon data of a user remain valid. When a user logs on again within this time, no complex LDAP search operation is necessary. The logon process is much faster. Possible values: 1..1440 (default setting: 10) Bind user Specifies the user ID in the form of the “Distinguished Name” (DN) with which the device logs on to the LDAP server. If the LDAP server requires a user ID in the form of the “Distinguished Name” (DN) for the log on, then this information is necessary. In Active Directory environments, this information is unnecessary. The device logs on to the LDAP server with the user ID to find the “Distinguished Name” (DN) for the users logging on. The device conducts the search according to the settings in the fields Base DN and User name attribute. 90 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > LDAP > Configuration ] Possible values: Alphanumeric ASCII character string with 0..64 characters Bind user password Specifies the password which the device uses together with the user ID specified in the Bind user field when logging on to the LDAP server. Possible values: Alphanumeric ASCII character string with 0..64 characters Base DN Specifies the starting point for the search in the directory tree in the form of the “Distinguished Name” (DN). Possible values: Alphanumeric ASCII character string with 0..255 characters User name attribute Specifies the LDAP attribute which contains a biunique user name. Afterwards, the user uses the user name contained in this attribute to log on. Often the LDAP attributes userPrincipalName, mail, sAMAccountName and uid contain a unique user name. The device adds the character string specified in the Default domain field to the user name under the following condition: • The user name contained in the attribute does not contain the @ character. • In the Default domain field, a domain name is specified. Possible values: Alphanumeric ASCII character string with 0..64 characters (default setting: userPrincipalName) Default domain Specifies the character string which the device adds to the user name of the users logging on if the user name does not contain the @ character. Possible values: Alphanumeric ASCII character string with 0..64 characters CA certificate URL Specifies the path and file name of the certificate. RM GUI RSP Release 8.1 12/2019 91 Device Security [ Device Security > LDAP > Configuration ] The device accepts certificates with the following properties: • X.509 format • .PEM file name extension • Base64-coded, enclosed by -----BEGIN CERTIFICATE----and -----END CERTIFICATE----For security reasons, we recommend to constantly use a certificate which is signed by a certification authority. The device gives you the following options for copying the certificate to the device: Import from the PC When the certificate is located on your PC or on a network drive, drag and drop the certificate in the area. Alternatively click in the area to select the certificate. Import from an FTP server When the certificate is on a FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<path>/<file name> Import from a TFTP server When the certificate is on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the certificate is on an SCP or SFTP server, specify the URL for the file in the following form: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Start Copies the certificate specified in the URL field to the device. Table Index Displays the index number to which the table entry relates. Description Specifies the description. You have the option to describe here the authentication server or note additional information. Possible values: Alphanumeric ASCII character string with 0..255 characters Address Specifies the IP address or the DNS name of the server. 92 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > LDAP > Configuration ] Possible values: IPv4 address (default setting: 0.0.0.0) DNS name in the format <domain>.<tld> or <host>.<domain>.<tld> _ldap._tcp.<domain>.<tld> Using this DNS name, the device queries the LDAP server list (SRV Resource Record) from the DNS server. If in the Connection security row a value other than none is specified and the certificate contains only DNS names of the server, then use a DNS name. Enable the Client function in the Advanced > DNS > Client > Global dialog. Destination TCP port Specifies the TCP Port on which the server expects the requests. If you have specified the value _ldap._tcp.domain.tld in the Address column, then the device ignores this value. Possible values: 0..65535 (default setting: 389) Exception: Port 2222 is reserved for internal functions. Frequently used TCP-Ports: • LDAP: 389 • LDAP over SSL: 636 • Active Directory Global Catalogue: 3268 • Active Directory Global Catalogue SSL: 3269 Connection security Specifies the protocol which encrypts the communication between the device and the authentication server. Possible values: none No encryption. The device establishes an LDAP connection to the server and transmits the communication including the passwords in clear text. ssl Encryption with SSL. The device establishes a TLS connection to the server and tunnels the LDAP communication over it. startTLS (default setting) Encryption with startTLS extension. The device establishes an LDAP connection to the server and encrypts the communication. The prerequisite for encrypted communication is that the device uses the correct time. If the certificate contains only the DNS names, then you specify the DNS name of the server in the Address row. Enable the Client function in the Advanced > DNS > Client > Global dialog. If the certificate contains the IP address of the server in the “Subject Alternative Name” field, then the device is able to verify the identity of the server without the DNS configuration. RM GUI RSP Release 8.1 12/2019 93 Device Security [ Device Security > LDAP > Configuration ] Server status Displays the connection status and the authentication with the authentication server. Possible values: ok The server is reachable. If in the Connection security row a value other than none is specified, then the device has verified the certificate of the server. unreachable Server is unreachable. other The device has not established a connection to the server yet. Active Activates/deactivates the use of the server. Possible values: marked The device uses the server. unmarked (default setting) The device does not use the server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Flush cache Removes the cached log on data of the successfully logged on users. 94 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > LDAP > Role Mapping ] 3.3.2 LDAP Role Mapping [ Device Security > LDAP > Role Mapping ] This dialog lets you create up to 64 mappings to assign a role to users. In the table, you specify whether the device assigns a role to the user based on an attribute with a specific value or based on the group membership. The device searches for the attribute and the attribute value within the user object. By evaluating the “Distinguished Name” (DN) contained in the member attributes, the device checks group the membership. When a user logs on, the device searches for the following information on the LDAP server: In the related user project, the device searches for attributes specified in the mappings. In the group objects of the groups specified in the mappings, the device searches for the member attributes. On this basis, the device checks any mapping. • Does the user object contain the required attribute? or • Is the user member of the group? If the device does not find a match, then the user does not get access to the device. If the device finds more than 1 mapping that applies to a user, then the setting in the Matching policy field decides. The user either obtains the role with the more extensive authorizations or the 1st role in the table that applies. Configuration Matching policy Specifies which role the device applies if more than 1 mapping applies to a user. Possible values: highest (default setting) The device applies the role with more extensive authorizations. first The device applies the rule which has the lower value in the Index column to the user. Table Index Displays the index number to which the table entry relates. Role Specifies the user role that regulates the access of the user to the individual functions of the device. RM GUI RSP Release 8.1 12/2019 95 Device Security [ Device Security > LDAP > Role Mapping ] Possible values: unauthorized The user is blocked, and the device rejects the user log on. Assign this value to temporarily lock the user account. If an error occurs when another role is being assigned, then the device assigns this role to the user account. guest (default setting) The user is authorized to monitor the device. auditor The user is authorized to monitor the device and to save the log file in the Diagnostics > Report > Audit Trail dialog. operator The user is authorized to monitor the device and to change the settings – with the exception of security settings for device access. administrator The user is authorized to monitor the device and to change the settings. Type Specifies whether a group or an attribute with an attribute value is set in the Parameter column. Possible values: attribute (default setting) The Parameter column contains an attribute with an attribute value. group The Parameter column contains the “Distinguished Name” (DN) of a group. Parameter Specifies a group or an attribute with an attribute value, depending on the setting in the Type column. Possible values: Alphanumeric ASCII character string with 0..255 characters The device differentiates between upper and lower case. – If in the Type column the value attribute is specified, then you specify the attribute in the form of Attribute_name=Attribute_value. Example: l=Germany – If in the Type column the value group is specified, then you specify the “Distinguished Name” (DN) of a group. Example: CN=admin-users,OU=Groups,DC=example,DC=com Active Activates/deactivates the role mapping. Possible values: marked (default setting) The role mapping is active. unmarked The role mapping is inactive. 96 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Index field, you specify the index number. Possible values: – 1..64 3.4 Management Access [ Device Security > Management Access ] The menu contains the following dialogs: Server IP Access Restriction Web Command Line Interface SNMPv1/v2 Community RM GUI RSP Release 8.1 12/2019 97 Device Security [ Device Security > Management Access > Server ] 3.4.1 Server [ Device Security > Management Access > Server ] This dialog lets you set up the server services which enable users or applications to access the management of the device. The dialog contains the following tabs: [Information] [SNMP] [Telnet] [SSH] [HTTP] [HTTPS] [Information] This tab displays as an overview which server services are enabled. Table SNMPv1 Displays whether the server service is active or inactive, which authorizes access to the device using SNMP version 1. See the SNMP tab. Possible values: marked Server service is active. unmarked Server service is inactive. SNMPv2 Displays whether the server service is active or inactive, which authorizes access to the device using SNMP version 2. See the SNMP tab. Possible values: marked Server service is active. unmarked Server service is inactive. SNMPv3 Displays whether the server service is active or inactive, which authorizes access to the device using SNMP version 3. See the SNMP tab. 98 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] Possible values: marked Server service is active. unmarked Server service is inactive. Telnet server Displays whether the server service is active or inactive, which authorizes access to the device using Telnet. See the Telnet tab. Possible values: marked Server service is active. unmarked Server service is inactive. SSH server Displays whether the server service is active or inactive, which authorizes access to the device using Secure Shell. See the SSH tab. Possible values: marked Server service is active. unmarked Server service is inactive. HTTP server Displays whether the server service is active or inactive, which authorizes access to the device using the Graphical User Interface through HTTP. See the HTTP tab. Possible values: marked Server service is active. unmarked Server service is inactive. HTTPS server Displays whether the server service is active or inactive, which authorizes access to the device using the Graphical User Interface through HTTPS. See the HTTPS tab. Possible values: marked Server service is active. unmarked Server service is inactive. RM GUI RSP Release 8.1 12/2019 99 Device Security [ Device Security > Management Access > Server ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. [SNMP] This tab lets you specify settings for the SNMP agent of the device and to enable/disable access to the device with different SNMP versions. The SNMP agent enables access to the device management with SNMP-based applications. Configuration SNMPv1 Activates/deactivates the access to the device with SNMP version 1. Possible values: marked (default setting) Access is activated. unmarked Access is deactivated. You specify the community names in the Device Security > Management Access > SNMPv1/v2 Community dialog. SNMPv2 Activates/deactivates the access to the device with SNMP version 2. Possible values: marked (default setting) Access is activated. unmarked Access is deactivated. You specify the community names in the Device Security > Management Access > SNMPv1/v2 Community dialog. SNMPv3 Activates/deactivates the access to the device with SNMP version 3. Possible values: marked (default setting) Access is activated. unmarked Access is deactivated. Network management systems like Industrial HiVision use this protocol to communicate with the device. 100 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] UDP port Specifies the number of the UDP port on which the SNMP agent receives requests from clients. Possible values: 1..65535 (default setting: 161) Exception: Port 2222 is reserved for internal functions. To enable the SNMP agent to use the new port after a change, you proceed as follows: Click the button. Select in the Basic Settings > Load/Save dialog the active configuration profile. Click the button to save the current changes. Restart the device. SNMPover802 Activates/deactivates the access to the device through SNMP over IEEE-802. Possible values: marked Access is activated. unmarked (default setting) Access is deactivated. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Telnet] This tab lets you enable/disable the Telnet server in the device and specify its settings. The Telnet server enables access to the device management remotely through the Command Line Interface. Telnet connections are unencrypted. Operation Operation Enables/disables the Telnet server. RM GUI RSP Release 8.1 12/2019 101 Device Security [ Device Security > Management Access > Server ] Possible values: On (default setting) The Telnet server is enabled. The access to the device management is possible through the Command Line Interface using an unencrypted Telnet connection. Off The Telnet server is disabled. Note: If the SSH server is disabled and you also disable Telnet, then the access to the Command Line Interface is only possible through the serial interface of the device. Configuration TCP port Specifies the number of the TCP port on which the device receives Telnet requests from clients. Possible values: 1..65535 (default setting: 23) Exception: Port 2222 is reserved for internal functions. The server restarts automatically after the port is changed. Existing connections remain in place. Connections Displays how many Telnet connections are currently established to the device. Connections (max.) Specifies the maximum number of Telnet connections to the device that can be set up simultaneously. Possible values: 1..5 (default setting: 5) Session timeout [min] Specifies the timeout in minutes. After the device has been inactive for this time it ends the session for the user logged on. A change in the value takes effect the next time a user logs on to the device. Possible values: 0 Deactivates the function. The connection remains established in the case of inactivity. 1..160 (default setting: 5) Buttons You find the description of the standard buttons in section “Buttons” on page 15. 102 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] [SSH] This tab lets you enable/disable the SSH server in the device and specify its settings required for SSH. The server works with SSH version 2. The SSH server enables access to the device management remotely through the Command Line Interface. SSH connections are encrypted. The SSH server identifies itself to the clients using its public RSA key. When first setting up the connection, the client program displays the user the fingerprint of this key. The fingerprint contains a Base64-coded character sequence that is easy to check. When you make this character sequence available to the users via a reliable channel, they have the option to compare both fingerprints. If the character sequences match, then the client is connected to the correct server. The device lets you create the private and public keys (host keys) required for RSA directly in the device. Otherwise you have the option to copy your own keys to the device in PEM format. As an alternative, the device lets you load the RSA key (host key) from an external memory upon restart. You activate this function in the Basic Settings > External Memory dialog, SSH key auto upload column. Operation Operation Enables/disables the SSH server. Possible values: On (default setting) The SSH server is enabled. The access to the device management is possible through the Command Line Interface using an encrypted SSH connection. You can start the server only if there is an RSA signature in the device. Off The SSH server is disabled. When you disable the SSH server, the existing connections remain established. However, the device helps prevent new connections from being set up. Note: If the Telnet server is disabled and you also disable SSH, then the access to the Command Line Interface is only possible through the serial interface of the device. Configuration TCP port Specifies the number of the TCP port on which the device receives SSH requests from clients. Possible values: 1..65535 (default setting: 22) Exception: Port 2222 is reserved for internal functions. The server restarts automatically after the port is changed. Existing connections remain in place. RM GUI RSP Release 8.1 12/2019 103 Device Security [ Device Security > Management Access > Server ] Sessions Displays how many SSH connections are currently established to the device. Sessions (max.) Specifies the maximum number of SSH connections to the device that can be set up simultaneously. Possible values: 1..5 (default setting: 5) Session timeout [min] Specifies the timeout in minutes. After the user logged on has been inactive for this time, the device ends the connection. A change in the value takes effect the next time a user logs on to the device. Possible values: 0 Deactivates the function. The connection remains established in the case of inactivity. 1..160 (default setting: 5) Fingerprint The fingerprint is an easy to verify string that uniquely identifies the host key of the SSH server. After importing a new host key, the device continues to display the existing fingerprint until you restart the server. RSA Fingerprint Displays the fingerprint of the public host key of the SSH server. Signature RSA present Displays whether an RSA host key is present in the device. Possible values: marked A key is present. unmarked No key is present. Create Generates a host key in the device. The prerequisite is that the SSH server is disabled. 104 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] Length of the key created: 2048 bit (RSA) To get the SSH server to use the generated host key, re-enable the SSH server. Alternatively, you have the option to copy your own host key to the device in PEM format. See the Key import frame. Delete Removes the host key from the device. The prerequisite is that the SSH server is disabled. Oper status Displays whether the device currently generates a host key. It is possible that another user triggered this action. Possible values: rsa The device currently generates an RSA host key. none The device does not generate a host key. Key import URL Specifies the path and file name of your own RSA host key. The device accepts the RSA key if it has the following key length: • 2048 bit (RSA) The device gives you the following options for copying the key to the device: Import from the PC When the host key is located on your PC or on a network drive, drag and drop the file that contains the key in the area. Alternatively click in the area to select the file. Import from an FTP server When the key is on an FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<file name> Import from a TFTP server When the key is on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the key is on an SCP or SFTP server, specify the URL for the file in the following form: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> RM GUI RSP Release 8.1 12/2019 105 Device Security [ Device Security > Management Access > Server ] Start Copies the key specified in the URL field to the device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [HTTP] This tab lets you enable/disable the HTTP protocol for the web server and specify the settings required for HTTP. The web server provides the Graphical User Interface via an unencrypted HTTP connection. For security reasons, disable the HTTP protocol and use the HTTPS protocol instead. The device supports up to 10 simultaneous connections using HTTP or HTTPS. Note: If you change the settings in this tab and click the button, then the device ends the session and disconnects every opened connection. To continue working with the Graphical User Interface, login again. Operation Operation Enables/disables the HTTP protocol for the web server. Possible values: On (default setting) The HTTP protocol is enabled. The access to the device management is possible through an unencrypted HTTP connection. When the HTTPS protocol is also enabled, the device automatically redirects the request for a HTTP connection to an encrypted HTTPS connection. Off The HTTP protocol is disabled. When the HTTPS protocol is enabled, the access to the device management is possible through an encrypted HTTPS connection. Note: If the HTTP and HTTPS protocols are disabled, then you can enable the HTTP protocol using the Command Line Interface command http server to get to the Graphical User Interface. Configuration TCP port Specifies the number of the TCP port on which the web server receives HTTP requests from clients. 106 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] Possible values: 1..65535 (default setting: 80) Exception: Port 2222 is reserved for internal functions. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [HTTPS] This tab lets you enable/disable the HTTPS protocol for the web server and specify the settings required for HTTPS. The web server provides the Graphical User Interface via an encrypted HTTP connection. A digital certificate is required for the encryption of the HTTP connection. The device lets you create this certificate yourself or to load an existing certificate onto the device. The device supports up to 10 simultaneous connections using HTTP or HTTPS. Note: If you change the settings in this tab and click the button, then the device ends the session and disconnects every opened connection. To continue working with the Graphical User Interface, login again. Operation Operation Enables/disables the HTTPS protocol for the web server. Possible values: On (default setting) The HTTPS protocol is enabled. The access to the device management is possible through an encrypted HTTPS connection. When there is no digital certificate present, the device generates a digital certificate before it enables the HTTPS protocol. Off The HTTPS protocol is disabled. When the HTTP protocol is enabled, the access to the device management is possible through an unencrypted HTTP connection. Note: If the HTTP and HTTPS protocols are disabled, then you can enable the HTTPS protocol using the Command Line Interface command https server to get to the Graphical User Interface. RM GUI RSP Release 8.1 12/2019 107 Device Security [ Device Security > Management Access > Server ] Configuration TCP port Specifies the number of the TCP port on which the web server receives HTTPS requests from clients. Possible values: 1..65535 (default setting: 443) Exception: Port 2222 is reserved for internal functions. Fingerprint The fingerprint is an easily verified hexadecimal number sequence that uniquely identifies the digital certificate of the HTTPS server. After importing a new digital certificate, the device displays the current fingerprint until you restart the server. Fingerprint type Specifies which fingerprint the Fingerprint field displays. Possible values: sha1 The Fingerprint field displays the SHA1 fingerprint of the certificate. sha256 The Fingerprint field displays the SHA256 fingerprint of the certificate. Fingerprint Character sequence of the digital certificate used by the server. When you change the settings in the Fingerprint type field, click afterwards the the button and then button to update the display. Certificate Note: If the device uses a certificate that is not signed by a certification authority, then the web browser displays a message while loading the Graphical User Interface. To continue, add an exception rule for the certificate in the web browser. Present Displays whether the digital certificate is present in the device. Possible values: marked The certificate is present. unmarked The certificate has been removed. 108 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Server ] Create Generates a digital certificate in the device. Until restarting the web server uses the previous certificate. To get the web server to use the newly generated certificate, restart the web server. Restarting the web server is possible only through the Command Line Interface. Alternatively, you have the option of copying your own certificate to the device. See the Certificate import frame. Delete Deletes the digital certificate. Until restarting the web server uses the previous certificate. Oper status Displays whether the device currently generates or deletes a digital certificate. It is possible that another user has triggered the action. Possible values: none The device does currently not generate or delete a certificate. delete The device currently deletes a certificate. generate The device currently generates a certificate. Certificate import URL Specifies the path and file name of the certificate. The device accepts certificates with the following properties: • X.509 format • .PEM file name extension • Base64-coded, enclosed by • -----BEGIN PRIVATE KEY----and -----END PRIVATE KEY----as well as • -----BEGIN CERTIFICATE----and -----END CERTIFICATE----• RSA key with 2048 bit length RM GUI RSP Release 8.1 12/2019 109 Device Security [ Device Security > Management Access > Server ] The device gives you the following options for copying the certificate to the device: Import from the PC When the certificate is located on your PC or on a network drive, drag and drop the certificate in the area. Alternatively click in the area to select the certificate. Import from an FTP server When the certificate is on a FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<path>/<file name> Import from a TFTP server When the certificate is on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the certificate is on an SCP or SFTP server, specify the URL for the file in the following form: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Start Copies the certificate specified in the URL field to the device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 110 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > IP Access Restriction ] 3.4.2 IP Access Restriction [ Device Security > Management Access > IP Access Restriction ] This dialog enables you to restrict the access to the device management to specific IP address ranges and selected IP-based applications. If the function is disabled, then the access to the device management is possible from any IP address and using every application. If the function is enabled, then the access is restricted. You have access to the device management only under the following conditions: – At least one table entry is activated. and – You are accessing the device with a permitted application from a permitted IP address range. Operation Note: Before you enable the function, verify that at least one active entry in the table lets you access. Otherwise, if you change the settings, then the connection to the device terminates. The access to the device management is possible only using the Command Line Interface through the serial interface. Operation Enables/disables the IP Access Restriction function. Possible values: On The IP Access Restriction function is enabled. The access to the device management is restricted. Off (default setting) The IP Access Restriction function is disabled. Table You have the option of defining up to 16 table entries and activating them separately. Index Displays the index number to which the table entry relates. When you delete a table entry, this leaves a gap in the numbering. When you create a new table entry, the device fills the first gap. Possible values: 1..16 Address Specifies the IP address of the network from which you allow the access to the device management. You specify the network range in the Netmask column. RM GUI RSP Release 8.1 12/2019 111 Device Security [ Device Security > Management Access > IP Access Restriction ] Possible values: Valid IPv4 address (default setting: 0.0.0.0) Netmask Specifies the range of the network specified in the Address column. Possible values: Valid netmask (default setting: 0.0.0.0) HTTP Activates/deactivates the HTTP access. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. HTTPS Activates/deactivates the HTTPS access. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. SNMP Activates/deactivates the SNMP access. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. Telnet Activates/deactivates the Telnet access. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. SSH Activates/deactivates the SSH access. 112 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > IP Access Restriction ] Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. IEC61850-MMS Activates/deactivates the access to the MMS server. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. Modbus TCP Activates/deactivates the access to the Modbus TCP server. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. EtherNet/IP Activates/deactivates the access to the EtherNet/IP server. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. PROFINET Activates/deactivates the access to the PROFINET server. Possible values: marked (default setting) Access is activated for the adjacent IP address range. unmarked Access is deactivated. Active Activates/deactivates the table entry. RM GUI RSP Release 8.1 12/2019 113 Device Security [ Device Security > Management Access > IP Access Restriction ] Possible values: marked (default setting) Table entry is activated. The device restricts the access to the device management to the adjacent IP address range and the selected IP-based applications. unmarked Table entry is deactivated. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 114 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > Web ] 3.4.3 Web [ Device Security > Management Access > Web ] In this dialog, you specify settings for the Graphical User Interface. Configuration Web interface session timeout [min] Specifies the timeout in minutes. After the device has been inactive for this time it ends the session for the user logged on. Possible values: 0..160 (default setting: 5) The value 0 deactivates the function, and the user remains logged on when inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 115 Device Security [ Device Security > Management Access > CLI ] 3.4.4 Command Line Interface [ Device Security > Management Access > CLI ] In this dialog, you specify settings for the Command Line Interface. You find detailed information about the Command Line Interface in the “Command Line Interface” reference manual. The dialog contains the following tabs: [Global] [Login banner] [Global] This tab lets you change the prompt in the Command Line Interface and specify the automatic closing of sessions through the serial interface when they have been inactive. The device has the following serial interfaces. V.24 interface Configuration Login prompt Specifies the character string that the device displays in the Command Line Interface at the start of every command line. Possible values: Alphanumeric ASCII character string with 0..128 characters (0x20..0x7E) including space characters Wildcards – %d date – %i IP address – %m MAC address – %p product name – %t time Default setting: (RSP) Changes to this setting are immediately effective in the active Command Line Interface session. Serial interface timeout [min] Specifies the time in minutes after which the device automatically closes the session of a logged on user in the Command Line Interface via the serial interface when it has been inactive. Possible values: 0..160 (default setting: 5) The value 0 deactivates the function, and the user remains logged on when inactive. A change in the value takes effect the next time a user logs on to the device. For Telnet and SSH, you specify the timeout in the Device Security > Management Access > Server dialog. 116 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > CLI ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Login banner] In this tab, you replace the start screen of the Command Line Interface with your own text. In the default setting, the start screen displays information about the device, such as the software version and the device settings. With the function in this tab, you deactivate this information and replace it with an individually specified text. To display your own text in the Command Line Interface and in the Graphical User Interface before the login, you use the Device Security > Pre-login Banner dialog. Operation Operation Enables/disables the Login banner function. Possible values: On The Login banner function is enabled. The device displays the text information specified in the Banner text field to the users that login to the device using the Command Line Interface. Off (default setting) The Login banner function is disabled. The start screen displays information about the device. The text information in the Banner text field is kept. Banner text Banner text Specifies the character string that the device displays in the Command Line Interface at the start of every session. Possible values: Alphanumeric ASCII character string with 0..1024 characters (0x20..0x7E) including space characters <Tab> <Line break> Remaining characters Displays how many characters are still remaining in the Banner text field for the text information. RM GUI RSP Release 8.1 12/2019 117 Device Security [ Device Security > Management Access > CLI ] Possible values: 1024..0 Buttons You find the description of the standard buttons in section “Buttons” on page 15. 118 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Management Access > SNMPv1/v2 Community ] 3.4.5 SNMPv1/v2 Community [ Device Security > Management Access > SNMPv1/v2 Community ] In this dialog, you specify the community name for SNMPv1/v2 applications. Applications send requests via SNMPv1/v2 with a community name in the SNMP data packet header. Depending on the community name, the application gets read authorization or read and write authorization for the device. You activate the access to the device via SNMPv1/v2 in the Device Security > Management Access > Server dialog. Table Community Displays the authorization for SNMPv1/v2 applications to the device: Write For requests with the community name entered, the application receives read and write authorization for the device. Read For requests with the community name entered, the application receives read authorization for the device. Name Specifies the community name for the adjacent authorization. Possible values: Alphanumeric ASCII character string with 0..32 characters private (default setting for read and write authorizations) public (default setting for read authorization) Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 119 Device Security [ Device Security > Pre-login Banner ] 3.5 Pre-login Banner [ Device Security > Pre-login Banner ] This dialog lets you display a greeting or information text to users before they login to the device. The users see this text in the login dialog of the Graphical User Interface and of the Command Line Interface. Users logging in with SSH see the text - regardless of the client used - before or during the login. To display the text only in the Command Line Interface, use the settings in the Device Security > Management Access > CLI dialog. Operation Operation Enables/disables the Pre-login Banner function. Using the Pre-login Banner function, the device displays a greeting or information text in the login dialog of the Graphical User Interface and of the Command Line Interface. Possible values: On The Pre-login Banner function is enabled. The device displays the text specified in the Banner text field in the login dialog. Off (default setting) The Pre-login Banner function is disabled. The device does not display a text in the login dialog. When you enter a text in the Banner text field, this text is saved in the device. Banner text Banner text Specifies information text that the device displays in the Login dialog of the Graphical User Interface and of the Command Line Interface. Possible values: Alphanumeric ASCII character string with 0..512 characters (0x20..0x7E) including space characters <Tab> <Line break> Remaining characters Displays how many characters are still remaining in the Banner text field. Possible values: 512..0 120 RM GUI RSP Release 8.1 12/2019 Device Security [ Device Security > Pre-login Banner ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 121 Network Security [ Network Security > Overview ] 4 Network Security The menu contains the following dialogs: Network Security Overview Port Security 802.1X Port Authentication RADIUS DoS DHCP Snooping Dynamic ARP Inspection ACL 4.1 Network Security Overview [ Network Security > Overview ] This dialog displays the network security rules used in the device. Parameter Port/VLAN Specifies whether the device displays VLAN- and/or port-based rules. Possible values: All (default setting) The device displays the VLAN- and port-based rules specified by you. Port: <Port Number> The device displays port-based rules for a specific port. This selection is available, when you specified one or more rules for this port. VLAN: <VLAN ID> The device displays VLAN-based rules for a specific VLAN. This selection is available, when you specified one or more rules for this VLAN. ACL Displays the ACL rules in the overview. You edit ACL rules in the Network Security > ACL dialog. 1:1 NAT Displays the 1:1 NAT rules in the overview. You edit 1:1 NAT rules in the Routing > NAT > 1:1 NAT dialog. All Marks the adjacent checkboxes. The device displays the related rules in the overview. 122 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Overview ] None Unmarks the adjacent checkboxes. The device does not display any rules in the overview. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 123 Network Security [ Network Security > Port Security ] 4.2 Port Security [ Network Security > Port Security ] The device lets you transmit only data packets from desired senders on one port. When this function is enabled, the device checks the VLAN ID and MAC address of the sender before it transmits a data packet. The device discards data packets from other senders and logs this event. If the Auto-Disable function is activated, the device disables the port. This restriction makes MAC Spoofing attacks more difficult. The Auto-Disable function enables the relevant port again automatically when the parameters are no longer being exceeded. In this dialog a Wizard window helps you to connect the ports with one or more desired sources. In the device these addresses are known as Static entries (/). To view the specified static addresses, highlight the relevant port and click the button. To simplify the setup process, the device lets you record the desired senders automatically. The device “learns” the senders by evaluating the received data packets. In the device these addresses are known as Dynamic entries. When a user-defined upper limit has been reached (Dynamic limit), the device stops the “learning” on the relevant port and transmits only the data packets of the senders already recorded. When you adjust the upper limit to the number of expected senders, you thus make MAC Flooding attacks more difficult. Note: With the automatic recording of the Dynamic entries, the device constantly discards the 1st data packet from unknown senders. Using this 1st data packet, the device checks whether the upper limit has been reached. The device records the sender until the upper limit is reached. Afterwards, the device transmits data packets that it receives on the relevant port from this sender. Operation Operation Enables/disables the Port Security function. Possible values: On The Port Security function is enabled. The device checks the VLAN ID and MAC address of the source before it transmits a data packet. The device transmits a received data packet only if its source is desired on the relevant port. Also activate the checking of the source on the relevant ports. Off (default setting) The Port Security function is disabled. The device transmits every received data packet without checking the source. Configuration Auto-disable Activates/deactivates the Auto-Disable function for Port Security. 124 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Port Security ] Possible values: marked The Auto-Disable function for Port Security is active. Also mark the checkbox in the Auto-disable column for the relevant ports. unmarked (default setting) The Auto-Disable function for Port Security is inactive. Table Port Displays the port number. Active Activates/deactivates the checking of the source on the port. Possible values: marked The device checks every data packet received on the port and transmits it only if the source of the data packet is allowed. Also enable the function in the Operation frame. unmarked (default setting) The device transmits every data packet received on the port without checking the source. Note: When you operate the device as an active subscriber within an MRP ring, we recommend that you unmark the checkbox. Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Port Security function is monitoring on the port. Possible values: marked (default setting) The Auto-Disable function is active on the port. The prerequisite is that you mark the checkbox Auto-disable in the Configuration frame. – If the port registers source MAC addresses that are not allowed or more source MAC addresses than specified in the Dynamic limit column, then the device disables the port. The “Link status” LED for the port flashes 3× per period. – The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due to the parameters being exceeded. – The Auto-Disable function reactivates the port automatically. For this you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in the Reset timer [s] column. unmarked The Auto-Disable function on the port is inactive. Send trap Activates/deactivates the sending of SNMP traps when the device discards data packets from an undesired sender on the port. RM GUI RSP Release 8.1 12/2019 125 Network Security [ Network Security > Port Security ] Possible values: marked If the device discards data packets from a sender that is not allowed on the port, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is deactivated. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Trap interval [s] Specifies the delay time in seconds that the device waits after sending an SNMP trap before sending the next SNMP trap. Possible values: 0..3600 (default setting: 0) The value 0 deactivates the delay time. Dynamic limit Specifies the upper limit for the number of automatically registered sources (Dynamic entries). When the upper limit is reached, the device stops “learning” on this port. Adjust the value to the number of expected sources. If the port registers more senders than specified here, then the port disables the Auto-Disable function. The prerequisite is that you mark the checkbox in the Auto-disable column and the Autodisable checkbox in the Configuration frame. Possible values: 0 Deactivates the automatic registering of sources on this port. 1..600 (default setting: 600) Static limit Specifies the upper limit for the number of sources connected to the port (Static entries (/)). The Wizard window helps you to connect the port with one or more desired sources. Possible values: 0..64 (default setting: 64) The value 0 helps prevent you from connecting a source with the port. Dynamic entries Displays the number of senders that the device has automatically determined. See the Wizard window, Dynamic entries field. 126 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Port Security ] Static entries Displays the number of senders that are linked with the port. See the Wizard window, Static entries (/) field. Last violating VLAN ID/MAC Displays the VLAN ID and MAC address of an undesired sender whose data packets the device last discarded on this port. Sent traps Displays the number of discarded data packets on this port that caused the device to send an SNMP trap. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Port security (Wizard)] The Wizard window helps you to connect the ports with one or more desired sources. After you specify the settings, click the Finish button. Note: The device saves the sources connected with the port until you deactivate the checking of the source on the relevant port or in the Operation frame. After closing the Wizard window, click the button to save your settings. [Port security (Wizard) – Select port] Port Specifies the port that you assign to the sender in the next step. [Port security (Wizard) – Addresses] VLAN ID Specifies the VLAN ID of the desired source. Possible values: 1..4042 To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add button. RM GUI RSP Release 8.1 12/2019 127 Network Security [ Network Security > Port Security ] MAC address Specifies the MAC address of the desired source. Possible values: Valid Unicast MAC address Specify the value with a colon separator, for example 00:11:22:33:44:55. To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add button. Add Transfers the values specified in the VLAN ID and MAC address fields to the Static entries (/) field. Static entries (/) Displays the VLAN ID and MAC address of desired senders connected to the port. The device uses this field to display the number of senders connected to the port and the upper limit. You specify the upper limit for the number of entries in the table, Static limit field. Note: You cannot assign a MAC address that you assign to this port to any other port. Remove Removes the entries highlighted in the Static entries (/) field. Moves the entries highlighted in the Dynamic entries field to the Static entries (/) field. Moves every entry from the Dynamic entries field to the Static entries (/) field. When the Dynamic entries field contains more entries than are allowed in theStatic entries (/) field, the device moves the foremost entries until the upper limit is reached. Dynamic entries Displays in ascending order the VLAN ID and MAC address of the senders automatically recorded on this port. The device transmits data packets from these senders when receiving the data packets on this port. You specify the upper limit for the number of entries in the table, Dynamic limit field. The and buttons allow you to transfer entries from this field into the Static entries (/) field. In this way, you connect the relevant senders with the port. 128 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication ] 4.3 802.1X Port Authentication [ Network Security > 802.1X Port Authentication ] With the port-based access control according to IEEE 802.1X, the device monitors the access to the network from connected end devices. The device (authenticator) lets an end device (supplicant) have access to the network if it logs in with valid login data. The authenticator and the end devices communicate via the EAPoL (Extensible Authentication Protocol over LANs) authentication protocol. The device supports the following methods to authenticate end devices: radius A RADIUS server in the network authenticates the end devices. ias The Integrated Authentication Server (IAS) implemented in the device authenticates the end devices. Compared to RADIUS, the IAS provides only basic functions. The menu contains the following dialogs: 802.1X Global 802.1X Port Configuration 802.1X Port Clients 802.1X EAPOL Port Statistics 802.1X Port Authentication History 802.1X Integrated Authentication Server RM GUI RSP Release 8.1 12/2019 129 Network Security [ Network Security > 802.1X Port Authentication > Global ] 4.3.1 802.1X Global [ Network Security > 802.1X Port Authentication > Global ] This dialog lets you specify basic settings for the port-based access control. Operation Operation Enables/disables the 802.1X Port Authentication function. Possible values: On The 802.1X Port Authentication function is enabled. The device checks the access to the network from connected end devices. The port-based access control is enabled. Off (default setting) The 802.1X Port Authentication function is disabled. The port-based access control is disabled. Configuration VLAN assignment Activates/deactivates the assigning of the relevant port to a VLAN. This function lets you provide selected services to the connected end device in this VLAN. Possible values: marked The assigning is active. If the end device successfully authenticates itself, then the device assigns to the relevant port the VLAN ID transferred by the RADIUS authentication server. unmarked (default setting) The assigning is inactive. The relevant port is assigned to the VLAN specified in the Network Security > 802.1X Port Authentication > Port Configuration dialog, Assigned VLAN ID row. Dynamic VLAN creation Activates/deactivates the automatic creation of the VLAN assigned by the RADIUS authentication server if the VLAN does not exist. Possible values: marked The automatic VLAN creation is active. The device creates the VLAN if it does not exist. unmarked (default setting) The automatic VLAN creation is inactive. If the assigned VLAN does not exist, then the port remains assigned to the original VLAN. 130 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Global ] Monitor mode Activates/deactivates the monitor mode. Possible values: marked The monitor mode is active. The device monitors the authentication and helps with diagnosing detected errors. If an end device has not logged in successfully, then the device gives the end device access to the network. unmarked (default setting) The monitor mode is inactive. MAC authentication bypass format options Group size Specifies the size of the MAC address groups. The device splits the MAC address for authentication into groups. The size of the groups is specified in half bytes, each of which is represented as 1 character. Possible values: 1 The device splits the MAC address into 12 groups of 1 character. Example: A:A:B:B:C:C:D:D:E:E:F:F 2 The device splits the MAC address into 6 groups of 2 characters. Example: AA:BB:CC:DD:EE:FF 4 The device splits the MAC address into 3 groups of 4 characters. Example: AABB:CCDD:EEFF 12 (default setting) The device formats the MAC address as 1 group of 12 characters. Example: AABBCCDDEEFF Group separator Specifies the character which separates the groups. Possible values: dash : colon . dot Upper or lower case Specifies whether the device formats the authentication data in lowercase or uppercase letters. RM GUI RSP Release 8.1 12/2019 131 Network Security [ Network Security > 802.1X Port Authentication > Global ] Possible values: lower-case upper-case Password Specifies the optional password for the clients which use the authentication bypass. Possible values: Alphanumeric ASCII character string with 0..64 characters After entering the field displays ***** (asterisk) instead of the password. <empty> The device uses the username of the client also as the password. Information Monitor mode clients Displays to how many end devices the device gave network access even though they did not login successfully. The prerequisite is that you activate the Monitor mode function. See the Configuration frame. Non monitor mode clients Displays the number of end devices to which the device gave network access after successful login. Policy 1 Displays the method that the device currently uses to authenticate the end devices using IEEE 802.1X. You specify the method used in the Device Security > Authentication List dialog. To authenticate the end devices through a RADIUS server, you assign the radius policy to the 8021x list. To authenticate the end devices through the Integrated Authentication Server (IAS) you assign the ias policy to the 8021x list. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 132 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] 4.3.2 802.1X Port Configuration [ Network Security > 802.1X Port Authentication > Port Configuration ] This dialog lets you specify the access settings for every port. When multiple end devices are connected to a port, the device lets you authenticate these individually (multi-client authentication). In this case, the device lets logged in end devices have access to the network. In contrast, the device blocks access for unauthenticated end devices, or for end devices whose authentication has elapsed. Table Port Displays the port number. Port initialization Activates/deactivates the port initialization in order to activate the access control on the port or reset it to its initial state. Use this function only on ports in which the Port control column contains the value auto or multiClient. Possible values: marked The port initialization is active. When the initialization is complete, the device changes the value to unmarked again. unmarked (default setting) The port initialization is inactive. The device keeps the current port status. Port reauthentication Activates/deactivates the one-time reauthentication request. Use this function only on ports in which the Port control column contains the value auto or multiClient. The device also lets you periodically request the end device to login again. See the Periodic reauthentication column. Possible values: marked The one-time reauthentication request is active. The device requests the end device to login again. Afterwards, the device changes the value to unmarked again. unmarked (default setting) The one-time reauthentication request is inactive. The device keeps the end device logged in. Authentication activity Displays the current status of the Authenticator (Authenticator PAE state). RM GUI RSP Release 8.1 12/2019 133 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] Possible values: initialize disconnected connecting authenticating authenticated aborting held forceAuth forceUnauth Backend authentication state Displays the current status of the connection to the authentication server (Backend Authentication state). Possible values: request response success fail timeout idle initialize Authentication state Displays the current status of the authentication on the port (Controlled Port Status). Possible values: authorized The end device is logged in successfully. unauthorized The end device is not logged in. Users (max.) Specifies the upper limit for the number of end devices that the device authenticates on this port at the same time. This upper limit applies only to ports in which the Port control column contains the value multiClient. Possible values: 1..16 (default setting: 16) Port control Specifies how the device grants access to the network (Port control mode). 134 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] Possible values: forceUnauthorized The device blocks the access to the network. You use this setting if an end device is connected to the port that does not receive access to the network. auto The device grants access to the network if the end device logged in successfully. You use this setting if an end device is connected to the port that logs in at the authenticator. Note: If other end devices are connected through the same port, then they get access to the network without additional authentication. forceAuthorized (default setting) When end devices do not support IEEE 802.1X, the device grants access to the network. You use this setting if an end device is connected to the port that receives access to the network without logging in. multiClient The device grants access to the network if the end device logs in successfully. If the end device does not send any EAPOL data packets, then the device grants or denies access to the network individually depending on the MAC address of the end device. See the MAC authorized bypass column. You use this setting if multiple end devices are connected to the port or if the MAC authorized bypass function is required. Quiet period [s] Specifies the time period in seconds in which the authenticator does not accept any more logins from the end device after an unsuccessful log in attempt (Quiet period [s]). Possible values: 0..65535 (default setting: 60) Transmit period [s] Specifies the period in seconds after which the authenticator requests the end device to login again. After this waiting period, the device sends an EAP request/identity data packet to the end device. Possible values: 1..65535 (default setting: 30) Supplicant timeout period [s] Specifies the period in seconds for which the authenticator waits for the login of the end device. Possible values: 1..65535 (default setting: 30) Server timeout [s] Specifies the period in seconds for which the authenticator waits for the response from the authentication server (RADIUS or IAS). Possible values: 1..65535 (default setting: 30) RM GUI RSP Release 8.1 12/2019 135 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] Requests (max.) Specifies how many times the authenticator requests the end device to login until the time specified in the Supplicant timeout period [s] column has elapsed. The device sends an EAP request/identity data packet to the end device as often as specified here. Possible values: 0..10 (default setting: 2) Assigned VLAN ID Displays the ID of the VLAN that the authenticator assigned to the port. This value applies only on ports in which the Port control column contains the value auto. Possible values: 0..4042 (default setting: 0) You find the VLAN ID that the authenticator assigned to the ports in the Network Security > 802.1X Port Authentication > Port Clients dialog. For the ports in which the Port control column contains the value multiClient, the device assigns the VLAN tag based on the MAC address of the end device when receiving data packets without a VLAN tag. Assignment reason Displays the cause for the assignment of the VLAN ID. This value applies only on ports in which the Port control column contains the value auto. Possible values: notAssigned (default setting) radius guestVlan unauthenticatedVlan You find the VLAN ID that the authenticator assigned to the ports for a supplicant in the Network Security > 802.1X Port Authentication > Port Clients dialog. Reauthentication period [s] Specifies the period in seconds after which the authenticator periodically requests the end device to login again. Possible values: 1..65535 (default setting: 3600) Periodic reauthentication Activates/deactivates periodic reauthentication requests. 136 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] Possible values: marked The periodic reauthentication requests are active. The device periodically requests the end device to login again. You specify this time period in the Reauthentication period [s] column. If the authenticator assigned the ID of a Voice VLAN, Unauthenticated VLAN or Guest VLAN to the end device, then this setting becomes ineffective. unmarked (default setting) The periodic reauthentication requests are inactive. The device keeps the end device logged in. Guest VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not log in during the time period specified in the Guest VLAN period column. This value applies only on ports in which the Port control column contains the value auto or multiClient. This function lets you grant end devices, without IEEE 802.1X support, access to selected services in the network. Possible values: 0 (default setting) The authenticator does not assign a Guest VLAN to the port. When you enable the MAC-based authentication in the MAC authorized bypass column, the device automatically sets the value to 0. 1..4042 Note: The MAC authorized bypass function and the Guest VLAN ID function cannot be in use simultaneously. Guest VLAN period Specifies the period in seconds for which the authenticator waits for EAPOL data packets after the end device is connected. If this period elapses, then the authenticator grants the end device access to the network and assigns the port to the Guest VLAN specified in the Guest VLAN ID column. Possible values: 1..300 (default setting: 90) Unauthenticated VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not login successfully. This value applies only on ports in which the Port control column contains the value auto. This function lets you grant end devices without valid login data access to selected services in the network. Possible values: 0..4042 (default setting: 0) The effect of the value 0 is that the authenticator does not assign a Unauthenticated VLAN to the port. Note: Assign to the port a VLAN set up statically in the device. RM GUI RSP Release 8.1 12/2019 137 Network Security [ Network Security > 802.1X Port Authentication > Port Configuration ] MAC authorized bypass Activates/deactivates the MAC-based authentication. This function lets you authenticate end devices without IEEE 802.1X support on the basis of their MAC address. Possible values: marked The MAC-based authentication is active. The device sends the MAC address of the end device to the RADIUS authentication server. The device assigns the supplicant by its MAC address to the corresponding VLAN as if the authentication was performed through IEEE 802.1X directly. unmarked (default setting) The MAC-based authentication is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 138 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Port Clients ] 4.3.3 802.1X Port Clients [ Network Security > 802.1X Port Authentication > Port Clients ] This dialog displays information on the connected end devices. Table Port Displays the port number. User name Displays the user name with which the end device logged in. MAC address Displays the MAC address of the end device. Filter ID Displays the name of the filter list that the RADIUS authentication server assigned to the end device after successful authentication. The authentication server transfers the filter ID attributes in the Access Accept data packet. Assigned VLAN ID Displays the VLAN ID that the authenticator assigned to the port after the successful authentication of the end device. If for the port in the Network Security > 802.1X Port Authentication > Port Configuration dialog, Port control column the value multiClient is specified, then the device assigns the VLAN tag based on the MAC address of the end device when receiving data packets without a VLAN tag. Assignment reason Displays the reason for the assignment of the VLAN. Possible values: default radius unauthenticatedVlan guestVlan monitorVlan invalid The field only displays a valid value as long as the client is authenticated. RM GUI RSP Release 8.1 12/2019 139 Network Security [ Network Security > 802.1X Port Authentication > Port Clients ] Session timeout Displays the remaining time in seconds until the log in of the end device expires. This value applies only if for the port in the Network Security > 802.1X Port Authentication > Port Configuration dialog, Port control column the value auto or multiClient is specified. The authentication server assigns the timeout period to the device through RADIUS. The value 0 means that the authentication server has not assigned a timeout. Termination action Displays the action performed by the device when the login has elapsed. Possible values: default reauthenticate Buttons You find the description of the standard buttons in section “Buttons” on page 15. 140 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Statistics ] 4.3.4 802.1X EAPOL Port Statistics [ Network Security > 802.1X Port Authentication > Statistics ] This dialog displays which EAPOL data packets the end device has sent and received for the authentication of the end devices. Table Port Displays the port number. Received packets Displays the total number of EAPOL data packets that the device received on the port. Transmitted packets Displays the total number of EAPOL data packets that the device sent on the port. Start packets Displays the number of EAPOL start data packets that the device received on the port. Logoff packets Displays the number of EAPOL logoff data packets that the device received on the port. Response/ID packets Displays the number of EAP response/identity data packets that the device received on the port. Response packets Displays the number of valid EAP response data packets that the device received on the port (without EAP response/identity data packets). Request/ID packets Displays the number of EAP request/identity data packets that the device received on the port. Request packets Displays the number of valid EAP request data packets that the device received on the port (without EAP request/identity data packets). Invalid packets Displays the number of EAPOL data packets with an unknown frame type that the device received on the port. RM GUI RSP Release 8.1 12/2019 141 Network Security [ Network Security > 802.1X Port Authentication > Statistics ] Received error packets Displays the number of EAPOL data packets with an invalid packet body length field that the device received on the port. Packet version Displays the protocol version number of the EAPOL data packet that the device last received on the port. Source of last received packet Displays the sender MAC address of the EAPOL data packet that the device last received on the port. The value 00:00:00:00:00:00 means that the port has not received any EAPOL data packets yet. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 142 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Port Authentication History ] 4.3.5 802.1X Port Authentication History [ Network Security > 802.1X Port Authentication > Port Authentication History ] The device registers the authentication process of the end devices that are connected to its ports. This dialog displays the information recorded during the authentication. Table Port Displays the port number. Authentification time stamp Displays the time at which the authenticator authenticated the end device. Result age Displays since when this entry has been entered in the table. MAC address Displays the MAC address of the end device. VLAN ID Displays the ID of the VLAN that was assigned to the end device before the login. Authentication status Displays the status of the authentication on the port. Possible values: success The authentication was successful. failure The authentication failed. Access status Displays whether the device grants the end device access to the network. Possible values: granted The device grants the end device access to the network. denied The device denies the end device access to the network. Assigned VLAN ID Displays the ID of the VLAN that the authenticator assigned to the port. RM GUI RSP Release 8.1 12/2019 143 Network Security [ Network Security > 802.1X Port Authentication > Port Authentication History ] Assignment type Displays the type of the VLAN that the authenticator assigned to the port. Possible values: default radius unauthenticatedVlan guestVlan monitorVlan notAssigned Assignment reason Displays the reason for the assignment of the VLAN ID and the VLAN type. 802.1X Port Authentication History Port Simplifies the table and displays only the entries relating to the port selected here. This makes it easier for you to record the table and sort it as you desire. Possible values: all The table displays the entries for every port. <Port number> The table displays the entries that apply to the port selected here. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 144 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > 802.1X Port Authentication > Integrated Authentication Server ] 4.3.6 802.1X Integrated Authentication Server [ Network Security > 802.1X Port Authentication > Integrated Authentication Server ] The Integrated Authentication Server (IAS) lets you authenticate end devices using IEEE 802.1X. Compared to RADIUS, the IAS has a very limited range of functions. The authentication is based only on the user name and the password. In this dialog you manage the login data of the end devices. The device lets you set up to 100 sets of login data. To authenticate the end devices through the Integrated Authentication Server you assign in the Device Security > Authentication List dialog the ias policy to the 8021x list. Table User name Displays the user name of the end device. To create a new user, click the button. Password Specifies the password with which the user authenticates. Possible values: Alphanumeric ASCII character string with 0..64 characters The device differentiates between upper and lower case. Active Activates/deactivates the login data. Possible values: marked The login data is active. An end device has the option of logging in through IEEE 802.1X using this login data. unmarked (default setting) The login data is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 145 Network Security [ Network Security > RADIUS ] 4.4 RADIUS [ Network Security > RADIUS ] With its factory settings, the device authenticates users based on the local user management. However, as the size of a network increases, it becomes more difficult to keep the login data of the users consistent across the devices. RADIUS (Remote Authentication Dial-In User Service) lets you authenticate and authorize the users at a central point in the network. A RADIUS server performs the following tasks here: Authentication The authentication server authenticates the users when the RADIUS client at the access point forwards the login data of the users to the server. Authorization The authentication server authorizes logged in users for selected services by assigning various parameters for the relevant end device to the RADIUS client at the access point. Accounting The accounting server records the traffic data that has occurred during the port authentication according to IEEE 802.1X. This enables you to subsequently determine which services the users have used, and to what extent. If you assign the radius policy to an application in the Device Security > Authentication List dialog, then the device operates in the role of the RADIUS client. The device forwards the users’ login data to the primary authentication server. The authentication server decides whether the login data is valid and transfers the user’s authorizations to the device. The device assigns the Service Type transferred in the response of a RADIUS server as follows to a user role existing in the device: • Administrative-User: administrator • Login-User: operator • NAS-Prompt-User: guest The device also lets you authenticate end devices with IEEE 802.1X through an authentication server. To do this, you assign the radius policy to the 8021x list in the Device Security > Authentication List dialog. The menu contains the following dialogs: RADIUS Global RADIUS Authentication Server RADIUS Accounting Server RADIUS Authentication Statistics RADIUS Accounting Statistics 146 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > RADIUS > Global ] 4.4.1 RADIUS Global [ Network Security > RADIUS > Global ] This dialog lets you specify basic settings for RADIUS. RADIUS configuration Retransmits (max.) Specifies how many times the device retransmits an unanswered request to the authentication server before the device sends the request to an alternative authentication server. Possible values: 1..15 (default setting: 4) Timeout [s] Specifies how many seconds the device waits for a response after a request to an authentication server before it retransmits the request. Possible values: 1..30 (default setting: 5) Accounting Activates/deactivates the accounting. Possible values: marked Accounting is active. The device sends the traffic data to an accounting server specified in the Network Security > RADIUS > Accounting Server dialog. unmarked (default setting) Accounting is inactive. NAS IP address (attribute 4) Specifies the IP address that the device transfers to the authentication server as attribute 4. Specify the IP address of the device or another available address. Possible values: Valid IPv4 address (default setting: 0.0.0.0) In many cases, there is a firewall between the device and the authentication server. In the Network Address Translation (NAT) in the firewall changes the original IP address, and the authentication server receives the translated IP address of the device. The device transfers the IP address in this field unchanged across the Network Address Translation (NAT). RM GUI RSP Release 8.1 12/2019 147 Network Security [ Network Security > RADIUS > Global ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Deletes the statistics in the Network Security > RADIUS > Authentication Statistics dialog and in the Network Security > RADIUS > Accounting Statistics dialog. 148 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > RADIUS > Authentication Server ] 4.4.2 RADIUS Authentication Server [ Network Security > RADIUS > Authentication Server ] This dialog lets you specify up to 8 authentication servers. An authentication server authenticates and authorizes the users when the device forwards the login data to the server. The device sends the login data to the specified primary authentication server. When the server does not respond, the device contacts the specified authentication server that is highest in the table. When no response comes from this server either, the device contacts the next server in the table. Table Index Displays the index number to which the table entry relates. Name Displays the name of the server. To change the value, click the relevant field. Possible values: Alphanumeric ASCII character string with 1..32 characters (default setting: Default-RADIUS-Server) Address Specifies the IP address of the server. Possible values: Valid IPv4 address Destination UDP port Specifies the number of the UDP port on which the server receives requests. Possible values: 0..65535 (default setting: 1812) Exception: Port 2222 is reserved for internal functions. Secret Displays ****** (asterisks) when you specify a password with which the device logs in to the server. To change the password, click the relevant field. Possible values: Alphanumeric ASCII character string with 1..64 characters You get the password from the administrator of the authentication server. RM GUI RSP Release 8.1 12/2019 149 Network Security [ Network Security > RADIUS > Authentication Server ] Primary server Specifies the authentication server as primary or secondary. Possible values: marked The server is specified as the primary authentication server. The device sends the login data for authenticating the users to this authentication server. When you activate multiple servers, the device specifies the last server activated as the primary authentication server. unmarked (default setting) The server is the secondary authentication server. When the device does not receive a response from the primary authentication server, the device sends the login data to the secondary authentication server. Active Activates/deactivates the connection to the server. The device uses the server, if you specify in the Device Security > Authentication List dialog the value radius in one of the rows Policy 1 to Policy 5. Possible values: marked (default setting) The connection is active. The device sends the login data for authenticating the users to this server if the preconditions named above are fulfilled. unmarked The connection is inactive. The device does not send any login data to this server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Index field, you specify the index number. In the Address field, you specify the IP address of the server. 150 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > RADIUS > Accounting Server ] 4.4.3 RADIUS Accounting Server [ Network Security > RADIUS > Accounting Server ] This dialog lets you specify up to 8 accounting servers. An accounting server records the traffic data that has occurred during the port authentication according to IEEE 802.1X. The prerequisite is that you activate in the Network Security > RADIUS > Global menu the Accounting function. The device sends the traffic data to the first accounting server that can be reached. When the accounting server does not respond, the device contacts the next server in the table. Table Index Displays the index number to which the table entry relates. Possible values: 1..8 Name Displays the name of the server. To change the value, click the relevant field. Possible values: Alphanumeric ASCII character string with 1..32 characters (default setting: Default-RADIUS-Server) Address Specifies the IP address of the server. Possible values: Valid IPv4 address Destination UDP port Specifies the number of the UDP port on which the server receives requests. Possible values: 0..65535 (default setting: 1813) Exception: Port 2222 is reserved for internal functions. Secret Displays ****** (asterisks) when you specify a password with which the device logs in to the server. To change the password, click the relevant field. Possible values: Alphanumeric ASCII character string with 1..16 characters You get the password from the administrator of the authentication server. RM GUI RSP Release 8.1 12/2019 151 Network Security [ Network Security > RADIUS > Accounting Server ] Active Activates/deactivates the connection to the server. Possible values: marked (default setting) The connection is active. The device sends traffic data to this server if the preconditions named above are fulfilled. unmarked The connection is inactive. The device does not send any traffic data to this server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Index field, you specify the index number. In the Address field, you specify the IP address of the server. 152 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > RADIUS > Authentication Statistics ] 4.4.4 RADIUS Authentication Statistics [ Network Security > RADIUS > Authentication Statistics ] This dialog displays information about the communication between the device and the authentication server. The table displays the information for each server in a separate row. To delete the statistic, click in the Network Security > RADIUS > Global dialog the Clear RADIUS statistics? button. Table Name Displays the name of the server. Address Displays the IP address of the server. Round trip time Displays the time interval in hundredths of a second between the last response received from the server (Access Reply/Access Challenge) and the corresponding data packet sent (Access Request). Access requests Displays the number of access data packets that the device sent to the server. This value does not take repetitions into account. Retransmitted access-request packets Displays the number of access data packets that the device retransmitted to the server. Access accepts Displays the number of access accept data packets that the device received from the server. Access rejects Displays the number of access reject data packets that the device received from the server. Access challenges Displays the number of access challenge data packets that the device received from the server. Malformed access responses Displays the number of malformed access response data packets that the device received from the server (including data packets with an invalid length). RM GUI RSP Release 8.1 12/2019 153 Network Security [ Network Security > RADIUS > Authentication Statistics ] Bad authenticators Displays the number of access response data packets with an invalid authenticator that the device received from the server. Pending requests Displays the number of access request data packets that the device sent to the server to which it has not yet received a response from the server. Timeouts Displays how many times no response to the server was received before the specified waiting time elapsed. Unknown types Displays the number data packets with an unknown data type that the device received from the server on the authentication port. Packets dropped Displays the number of data packets that the device received from the server on the authentication port and then discarded them. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 154 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > RADIUS > Accounting Statistics ] 4.4.5 RADIUS Accounting Statistics [ Network Security > RADIUS > Accounting Statistics ] This dialog displays information about the communication between the device and the accounting server. The table displays the information for each server in a separate row. To delete the statistic, click in the Network Security > RADIUS > Global dialog the Clear RADIUS statistics? button. Table Name Displays the name of the server. Address Displays the IP address of the server. Round trip time Displays the time interval in hundredths of a second between the last response received from the server (Accounting Response) and the corresponding data packet sent (Accounting Request). Accounting-request packets Displays the number of accounting request data packets that the device sent to the server. This value does not take repetitions into account. Retransmitted accounting-request packets Displays the number of accounting request data packets that the device retransmitted to the server. Received packets Displays the number of accounting response data packets that the device received from the server. Malformed packets Displays the number of malformed accounting response data packets that the device received from the server (including data packets with an invalid length). Bad authenticators Displays the number of accounting response data packets with an invalid authenticator that the device received from the server. Pending requests Displays the number of accounting request data packets that the device sent to the server to which it has not yet received a response from the server. RM GUI RSP Release 8.1 12/2019 155 Network Security [ Network Security > DoS ] Timeouts Displays how many times no response to the server was received before the specified waiting time elapsed. Unknown types Displays the number data packets with an unknown data type that the device received from the server on the accounting port. Packets dropped Displays the number of data packets that the device received from the server on the accounting port and then discarded them. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 4.5 DoS [ Network Security > DoS ] Denial of Service (DoS) is a cyber-attack that aims to bring down specific services or devices. In this dialog you can set up several filters to help protect the device itself and other devices in the network from DoS attacks. The menu contains the following dialogs: DoS Global 156 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DoS > Global ] 4.5.1 DoS Global [ Network Security > DoS > Global ] In this dialog, you specify the DoS settings for the TCP/UDP, IP and ICMP protocols. TCP/UDP A scanner uses port scans to prepare network attacks. The scanner uses different techniques to determine running devices and open ports. This frame lets you activate filters for specific scanning techniques. The device supports the detection of the following scan types: Null scans Xmas scans SYN/FIN scans TCP Offset attacks TCP SYN attacks L4 Port attacks Minimal Header scans Null Scan filter Activates/deactivates the Null Scan filter. The Null Scan filter detects incoming data packets with no TCP flags set and discards them. Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. Xmas filter Activates/deactivates the Xmas filter. The Xmas filter detects incoming data packets with the TCP flags FIN, URG and PUSH set simultaneously and discards them. Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. SYN/FIN filter Activates/deactivates the SYN/FIN filter. The SYN/FIN filter detects incoming data packets with the TCP flags SYN and FIN set simultaneously and discards them. RM GUI RSP Release 8.1 12/2019 157 Network Security [ Network Security > DoS > Global ] Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. TCP Offset protection Activates/deactivates the TCP Offset protection. The TCP Offset protection detects incoming TCP data packets whose fragment offset field of the IP header is equal to 1 and discards them. The TCP Offset protection accepts UDP and ICMP packets whose fragment offset field of the IP header is equal to 1. Possible values: marked The protection is active. unmarked (default setting) The protection is inactive. TCP SYN protection Activates/deactivates the TCP SYN protection. The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4 source port <1024 and discards them. Possible values: marked The protection is active. unmarked (default setting) The protection is inactive. L4 Port protection Activates/deactivates the L4 Port protection. The L4 Port protection detects incoming TCP and UDP data packets whose source port number and destination port number are identical and discards them. Possible values: marked The protection is active. unmarked (default setting) The protection is inactive. Min. Header Size filter Activates/deactivates the Minimal Header filter. The Minimal Header filter detects incoming data packets whose IP payload length in the IP header less the outer IP header size is smaller than the minimum TCP header size. If this is the first fragment that the device detects, then the device discards the data packet. 158 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DoS > Global ] Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. Min. TCP header size Displays the minimum size of a valid TCP header. IP This frame lets you activate or deactivate the Land Attack filter. With the land attack method, the attacking station sends data packets whose source and destination addresses are identical to those of the recipient. When you activate this filter, the device detects data packets with identical source and destination addresses and discards these data packets. Land Attack filter Activates/deactivates the Land Attack filter. The Land Attack filter detects incoming IP data packets whose source and destination IP address are identical and discards them. Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. ICMP This dialog provides you with filter options for the following ICMP parameters: Fragmented data packets ICMP packets from a specific size upwards Broadcast pings Filter fragmented packets Activates/deactivates the filter for fragmented ICMP packets. The filter detects fragmented ICMP packets and discards them. Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. RM GUI RSP Release 8.1 12/2019 159 Network Security [ Network Security > DHCP Snooping ] Filter by packet size Activates/deactivates the filter for incoming ICMP packets. The filter detects ICMP packets whose payload size exceeds the size specified in the Allowed payload size [byte] field and discards them. Possible values: marked The filter is active. unmarked (default setting) The filter is inactive. Allowed payload size [byte] Specifies the maximum allowed payload size of ICMP packets in bytes. Mark the Filter by packet size checkbox if you want the device to discard incoming data packets whose payload size exceeds the maximum allowed size for ICMP packets. Possible values: 0..1472 (default setting: 512) Drop broadcast ping Activates/deactivates the filter for Broadcast Pings. Broadcast Pings are a known evidence for Smurf Attacks. Possible values: marked The filter is active. The device detects Broadcast Pings and drops them. unmarked (default setting) The filter is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 4.6 DHCP Snooping [ Network Security > DHCP Snooping ] DHCP Snooping is a function that supports the network security. DHCP Snooping monitors DHCP packets between the DHCP client and the DHCP server and acts like a firewall between the unsecured hosts and the secured DHCP servers. In this dialog, you configure and monitor the following device properties: Validate DHCP packets from untrusted sources and filter out invalid packets. Limit DHCP data traffic from trusted and untrusted sources. 160 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DHCP Snooping ] Set up and update the DHCP Snooping binding database. This database contains the MAC address, IP address, VLAN and port of DHCP clients at untrusted ports. Validate follow-up requests from untrusted hosts on the basis of the DHCP Snooping binding database. You can activate DHCP Snooping globally and for a specific VLAN. You specify the security status (trusted or untrusted) on individual ports. Verify that the DHCP service can be reached via trusted ports. For DHCP Snooping you typically configure the user/client ports as untrusted and the uplink ports as trusted. The menu contains the following dialogs: DHCP Snooping Global DHCP Snooping Configuration DHCP Snooping Statistics DHCP Snooping Bindings RM GUI RSP Release 8.1 12/2019 161 Network Security [ Network Security > DHCP Snooping > Global ] 4.6.1 DHCP Snooping Global [ Network Security > DHCP Snooping > Global ] This dialog lets you configure the global DHCP Snooping parameters for your device: Activate/deactivate DHCP Snooping globally. Activate/deactivate Auto-Disable globally. Enable/disable the checking of the source MAC address. Configure the name, storage location and storing interval for the binding database. Operation Operation Enables/disables the DHCP Snooping function globally. Possible values: On Off (default setting) Configuration Verify MAC Activates/deactivates the source MAC address verification in the Ethernet packet. Possible values: marked The source MAC address verification is active. The device compares the source MAC address with the MAC address of the client in the received DHCP packet. unmarked (default setting) The source MAC address verification is inactive. Auto-disable Activates/deactivates the Auto-Disable function for DHCP Snooping. Possible values: marked The Auto-Disable function for DHCP Snooping is active. Also mark the checkbox in the Auto-disable column on the Port tab in the Network Security > DHCP Snooping > Configuration dialog for the relevant ports. unmarked (default setting) The Auto-Disable function for DHCP Snooping is inactive. 162 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DHCP Snooping > Global ] Binding database Remote file name Specifies the name of the file in which the device saves the DHCP Snooping binding database. Note: The device saves only dynamic bindings in the persistent binding database. The device saves static bindings in the configuration profile. Remote IP address Specifies the remote IP address under which the device saves the persistent DHCP Snooping binding database. With the value 0.0.0.0 the device saves the binding database locally. Possible values: Valid IPv4 address 0.0.0.0 (default setting) The device saves the DHCP Snooping binding database locally. Store interval [s] Specifies the time delay in seconds after which the device saves the DHCP Snooping binding database when the device identifies a change in the database. Possible values: 15..86400 (default setting: 300) Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 163 Network Security [ Network Security > DHCP Snooping > Configuration ] 4.6.2 DHCP Snooping Configuration [ Network Security > DHCP Snooping > Configuration ] This dialog lets you configure DHCP Snooping for individual ports and for individual VLANs. The dialog contains the following tabs: [Port] [VLAN ID] [Port] In this tab, you configure the DHCP Snooping function for individual ports. Configure a port as trusted/untrusted. Activate/deactivate the logging of invalid packets for individual ports. Limit the number of DHCP packets. Deactivate a port automatically if the DHCP data traffic exceeds the specified limit. Table Port Displays the port number. Trust Activates/deactivates the security status (trusted, untrusted) of the port. When this function is active, the port is configured as trusted. Typically, you have connected the trusted port to a DHCP server. When this function is inactive, the port is configured as untrusted. Possible values: marked The port is specified as trusted. DHCP Snooping forwards permissible client packets through trusted ports. unmarked (default setting) The port is configured as untrusted. On untrusted ports, the device compares the receiver port with the client port in the binding database. Log Activates/deactivates the logging of invalid packets that the device determines on this port. Possible values: marked The logging of invalid packets is active. unmarked (default setting) The logging of invalid packets is inactive. 164 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DHCP Snooping > Configuration ] Rate limit Specifies the maximum number of DHCP packets per burst interval for this port. If the number of incoming DHCP packets is currently exceeding the specified limit in a burst interval, then the device discards the additional incoming DHCP packets. The value -1 deactivates the limitation. Possible values: -1 (default setting) Deactivates the limitation of the number of DHCP packets per burst interval on this port. 0..150packets per interval Limits the maximum number of DHCP packets per burst interval on this port. You specify the burst interval in the Burst interval column. If you activate the auto-disable function, then the device also disables the port. You find the autodisable function in the Auto-disable column. Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for the rate limiting function. You specify the maximum number of DHCP packets per burst interval in the Rate limit column. Possible values: 1..15 (default setting: 1) Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the DHCP Snooping function is monitoring on the port. Possible values: marked (default setting) The Auto-Disable function is active on the port. The prerequisite is that in the Network Security > DHCP Snooping > Global dialog the Auto-disable checkbox in the Configuration frame is marked. – If the port receives more DHCP packets than specified in the Rate limit field in the time specified in the Burst interval column, then the device disables the port. The “Link status” LED for the port flashes 3× per period. – The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due to the parameters being exceeded. – The Auto-Disable function reactivates the port automatically. For this you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in the Reset timer [s] column. unmarked The Auto-Disable function on the port is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 165 Network Security [ Network Security > DHCP Snooping > Configuration ] [VLAN ID] In this tab, you configure the DHCP Snooping function for individual VLANs. Table VLAN ID Displays the VLAN ID to which the table entry relates. Active Activates/deactivates the DHCP Snooping function in this VLAN. The DHCP Snooping function forwards valid DHCP client messages to the trusted ports in VLANs without the Routing function. Possible values: marked The DHCP Snooping function is active in this VLAN. unmarked (default setting) The DHCP Snooping function is inactive in this VLAN. The device forwards DHCP packets according to the switching settings without monitoring the packets. The binding database remains unchanged. Note: To enable DHCP Snooping for a port, enable the DHCP Snooping function globally in the Network Security > DHCP Snooping > Global dialog. Verify that you assigned the port to a VLAN in which DHCP Snooping is enabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 166 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > DHCP Snooping > Statistics ] 4.6.3 DHCP Snooping Statistics [ Network Security > DHCP Snooping > Statistics ] With DHCP Snooping, the device logs detected errors and generates statistics. In this dialog, you monitor the DHCP Snooping statistics for each port. The device logs the following: Errors detected when validating the MAC address of the DHCP client DHCP client messages with a detected incorrect port DHCP server messages to untrusted ports Table Port Displays the port number. MAC verify failures Displays the number of discrepancies between the MAC address of the DHCP client in the ‘chaddr’ field of the DHCP data packet and the source address in the Ethernet packet. Invalid client messages Displays the number of incoming DHCP client messages received on the port for which the device expects the client on another port according to the DHCP Snooping binding database. Invalid server messages Displays the number of DHCP server messages the device received on the untrusted port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. RM GUI RSP Release 8.1 12/2019 167 Network Security [ Network Security > DHCP Snooping > Bindings ] 4.6.4 DHCP Snooping Bindings [ Network Security > DHCP Snooping > Bindings ] DHCP Snooping uses DHCP messages to set up and update the binding database. Static bindings The device lets you enter up to 1024 static DHCP Snooping bindings in the database. Dynamic bindings The dynamic binding database contains data for clients only on untrusted ports. This menu lets you specify the settings for static and dynamic bindings. Set up new static bindings and set them to active/inactive. Display, activate/deactivate or delete static bindings that have been set up. Table MAC address Specifies the MAC address in the table entry that you bind to a IP address and VLAN ID. Possible values: Valid Unicast MAC address Specify the value with a colon separator, for example 00:11:22:33:44:55. IP address Specifies the IP address for the static DHCP Snooping binding. Possible values: Valid Unicast IPv4 address smaller than 224.x.x.x and outside the range 127.0.0.0/8 (default setting: 0.0.0.0) VLAN ID Specifies the ID of the VLAN to which the table entry applies. Possible values: <ID of the VLANs that are set up> Port Specifies the port for the static DHCP Snooping binding. Possible values: Available ports Remaining binding time Displays the remaining time for the dynamic DHCP Snooping binding. Active Activates/deactivates the specified static DHCP Snooping binding. 168 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Dynamic ARP Inspection ] Possible values: marked The static DHCP Snooping binding is active. unmarked (default setting) The static DHCP Snooping binding is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the MAC address field, you specify the MAC address which you bind to an IP address and a VLAN ID. Removes the highlighted table entry. The prerequisite is that the checkbox in the Active column is unmarked. Also, the device removes the dynamic bindings of this port created with the IP Source Guard function. 4.7 Dynamic ARP Inspection [ Network Security > Dynamic ARP Inspection ] Dynamic ARP Inspection is a function that supports the network security. This function analyzes ARP packets, logs them, and discards invalid and hostile ARP packets. The Dynamic ARP Inspection function helps prevent a range of man-in-the-middle attacks. With this kind of attack, a hostile station listens in on the data traffic from other subscribers by encroaching on the ARP cache of its unsuspecting neighbors. The hostile station sends ARP requests and ARP responses and enters the IP address of another subscriber for its own MAC address in the IP-toMAC address relationship (binding). RM GUI RSP Release 8.1 12/2019 169 Network Security [ Network Security > Dynamic ARP Inspection ] Using the following measures, the Dynamic ARP Inspection function helps ensure that the device only forwards valid ARP requests and ARP responses. Listening in on ARP requests and ARP responses on untrusted ports. Verifying that the determined packets have a valid IP to MAC address relationship (binding) before the device updates the local ARP cache and before the device forwards the packets to the related destination address. Discarding invalid ARP packets. The device lets you specify up to 100 active ARP ACLs (access lists). You can activate up to 20 rules for each ARP ACL. The menu contains the following dialogs: Dynamic ARP Inspection Global Dynamic ARP Inspection Configuration Dynamic ARP Inspection ARP Rules Dynamic ARP Inspection Statistics 170 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Dynamic ARP Inspection > Global ] 4.7.1 Dynamic ARP Inspection Global [ Network Security > Dynamic ARP Inspection > Global ] Configuration Verify source MAC Activates/deactivates the source MAC address verification. The device executes the check in both ARP requests and ARP responses. Possible values: marked The source MAC address verification is active. The device checks the source MAC address of the received ARP packets. – The device transmits ARP packets with a valid source MAC address to the related destination address and updates the local ARP cache. – The device discards ARP packets with an invalid source MAC address. unmarked (default setting) The source MAC address verification is inactive. Verify destination MAC Activates/deactivates the destination MAC address verification. The device executes the check in ARP responses. Possible values: marked The destination MAC address verification is active. The device checks the destination MAC address of the incoming ARP packets. – The device transmits ARP packets with a valid destination MAC address to the related destination address and updates the local ARP cache. – The device discards ARP packets with an invalid destination MAC address. unmarked (default setting) The checking of the destination MAC address of the incoming ARP packets is inactive. Verify IP address Activates/deactivates the IP address verification. In ARP requests, the device checks the source IP address. In ARP responses, the device checks the destination and source IP address. The device designates the following IP addresses as invalid: • 0.0.0.0 • Broadcast addresses 255.255.255.255 • Multicast addresses 224.0.0.0/4 (Class D) • Class E addresses 240.0.0.0/4 (reserved for subsequent purposes) • Loopback addresses in the range 127.0.0.0/8. RM GUI RSP Release 8.1 12/2019 171 Network Security [ Network Security > Dynamic ARP Inspection > Global ] Possible values: marked The IP address verification is active. The device checks the IP address of the incoming ARP packets. The device transmits ARP packets with a valid IP address to the related destination address and updates the local ARP cache. The device discards ARP packets with an invalid IP address. unmarked (default setting) The IP address verification is inactive. Auto-disable Activates/deactivates the Auto-Disable function for Dynamic ARP Inspection. Possible values: marked The Auto-Disable function for Dynamic ARP Inspection is active. Also mark the checkbox in the Port column on the Auto-disable tab in the Network Security > Dynamic ARP Inspection > Configuration dialog for the relevant ports. unmarked (default setting) The Auto-Disable function for Dynamic ARP Inspection is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 172 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Dynamic ARP Inspection > Configuration ] 4.7.2 Dynamic ARP Inspection Configuration [ Network Security > Dynamic ARP Inspection > Configuration ] The dialog contains the following tabs: [Port] [VLAN ID] [Port] Table Port Displays the port number. Trust Activates/deactivates the monitoring of ARP packets on untrusted ports. Possible values: marked Monitoring is active. The device monitors ARP packets on untrusted ports. The device immediately forwards ARP packets on trusted ports. unmarked (default setting) Monitoring is inactive. Rate limit Specifies the maximum number of ARP packets per interval on this port. If the rate of incoming ARP packets is currently exceeding the specified limit in a burst interval, then the device discards the additional incoming ARP packets. You specify the burst interval in the Burst interval column. Optionally, the device also deactivates the port if you activate the auto-disable function. You enable/disable the Auto-Disable function in the Auto-disable column. Possible values: -1 (default setting) Deactivates the limitation of the number of ARP packets per burst interval on this port. 0..300packets per interval Limits the maximum number of ARP packets per burst interval on this port. Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for the rate limiting function. You specify the maximum number of ARP packets per burst interval in the Rate limit column. RM GUI RSP Release 8.1 12/2019 173 Network Security [ Network Security > Dynamic ARP Inspection > Configuration ] Possible values: 1..15 (default setting: 1) Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Dynamic ARP Inspection function is monitoring on the port. Possible values: marked (default setting) The Auto-Disable function is active on the port. The prerequisite is that in the Network Security > Dynamic ARP Inspection > Global dialog the Autodisable checkbox in the Configuration frame is marked. – If the port receives more ARP packets than specified in the Rate limit field in the time specified in the Burst interval column, then the device disables the port. The “Link status” LED for the port flashes 3× per period. – The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due to the parameters being exceeded. – The Auto-Disable function reactivates the port automatically. For this you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in the Reset timer [s] column. unmarked The Auto-Disable function on the port is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [VLAN ID] Table VLAN ID Displays the VLAN ID to which the table entry relates. Log Activates/deactivates the logging of invalid ARP packets that the device determines in this VLAN. If the device detects an error when checking the IP, source MAC or destination MAC address, or when checking the IP-to-MAC address relationship (binding), then the device identifies an ARP packet as invalid. Possible values: marked The logging of invalid packets is active. The device registers invalid ARP packets. unmarked (default setting) The logging of invalid packets is inactive. 174 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Dynamic ARP Inspection > Configuration ] Binding check Activates/deactivates the checking of incoming ARP packets that the device receives on untrusted ports and on VLANs for which the Dynamic ARP Inspection function is active. For these ARP packets the device checks the ARP ACL and the DHCP Snooping relationship (bindings). Possible values: marked (default setting) The binding check of ARP packets is active. unmarked The binding check of ARP packets is inactive. ACL strict Activates/deactivates the strict checking of incoming ARP packets based on the ARP ACL rules specified. Possible values: marked The strict checking is active. The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP ACL column. unmarked (default setting) The strict checking is inactive. The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP ACL column and subsequently on the entries in the DHCP Snooping database. ARP ACL Specifies the ARP ACL that the device uses. Possible values: <rule name> You create and edit the rules in the Network Security > Dynamic ARP Inspection > ARP Rules dialog. Active Activates/deactivates the Dynamic ARP Inspection function in this VLAN. Possible values: marked The Dynamic ARP Inspection function is active in this VLAN. unmarked (default setting) The Dynamic ARP Inspection function is inactive in this VLAN. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 175 Network Security [ Network Security > Dynamic ARP Inspection > ARP Rules ] 4.7.3 Dynamic ARP Inspection ARP Rules [ Network Security > Dynamic ARP Inspection > ARP Rules ] This dialog lets you specify rules for checking and filtering ARP packets. Table Name Displays the name of the ARP rule. Source IP address Specifies the source address of the IP data packets to which the device applies the rule. Possible values: Valid IPv4 address The device applies the rule to IP data packets with the specified source address. Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule. Possible values: Valid MAC address The device applies the rule to MAC data packets with the specified source address. Active Activates/deactivates the ARP rule. Possible values: marked (default setting) The rule is active. unmarked The rule is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Name field, you specify the name of the ARP rule. In the Source IP address field, you specify the source IP address of the ARP rule. In the Source MAC address field, you specify the source MAC address of the ARP rule. 176 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > Dynamic ARP Inspection > Statistics ] 4.7.4 Dynamic ARP Inspection Statistics [ Network Security > Dynamic ARP Inspection > Statistics ] This window displays the number of discarded and forwarded ARP packets in an overview. Table VLAN ID Displays the VLAN ID to which the table entry relates. Packets forwarded Displays the number of ARP packets that the device forwards after checking them using the Dynamic ARP Inspection function. Packets dropped Displays the number of ARP packets that the device discards after checking them using the Dynamic ARP Inspection function. DHCP drops Displays the number of ARP packets that the device discards after checking the DHCP Snooping relationship (binding). DHCP permits Displays the number of ARP packets that the device forwards after checking the DHCP Snooping relationship (binding). ACL drops Displays the number of ARP packets that the device discards after checking them using the ARP ACL rules. ACL permits Displays the number of ARP packets that the device forwards after checking them using the ARP ACL rules. Bad source MAC Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection function detected an error in the source MAC address. Bad destination MAC Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection function detected an error in the destination MAC address. RM GUI RSP Release 8.1 12/2019 177 Network Security [ Network Security > ACL ] Invalid IP address Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection function detected an error in the IP address. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. 4.8 ACL [ Network Security > ACL ] In this menu, you specify the settings for the Access Control Lists (ACL). Access Control Lists contain rules which the device applies successively to the data stream on its ports or VLANs. If a data packet complies with the criteria of one or more rules, then the device applies the action specified in the first rule that applies to the data stream. The device ignores the rules following. Possible actions include: permit: The device transmits the data packet to a port or to a VLAN. When necessary, the device transmits a copy of the data packets to a further port. deny: The device drops the data packet. In the default setting, the device forwards every data packet. Once you assign an Access Control List to an interface or VLAN, there is changing this behavior. The device enters at the end of an Access Control List an implicit Deny-All rule. Consequently, the device discards data packets that do not meet any of the rules. If you want a different behavior, then add a "permit" rule at the end of your Access Control Lists. Proceed as follows to set up Access Control Lists and rules: Make a time profile if necessary. See the Network Security > ACL > Time Profile dialog. The device applies Access Control Lists with a time profile at specified times instead of permanently. Make a rule and specify the rule settings. See the Network Security > ACL > IPv4 Rule dialog, or the Network Security > ACL > MAC Rule dialog. Assign the Access Control List to the Ports and VLANs of the device. See the Network Security > ACL > Assignment dialog. The menu contains the following dialogs: ACL IPv4 Rule ACL MAC Rule ACL Assignment ACL Time Profile 178 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > IPv4 Rule ] 4.8.1 ACL IPv4 Rule [ Network Security > ACL > IPv4 Rule ] In this dialog, you specify the rules that the device applies to the IP data packets. An Access Control List (group) contains one or more rules. The device applies the rules of an Access Control List successively, beginning with the rule with the lowest value in the Index column. The device lets you filter according to the following criteria: Source or destination IP address of a data packet Type of the transmitting protocol Source or destination port of a data packet Classification according to DSCP Classification according to ToS Table Group name Displays the name of the Access Control List. The Access Control List contains the rules. Index Displays the number of the rule within the Access Control List. If the Access Control List contains multiple rules, then the device processes the rule with the lowest value first. Match every packet Specifies to which IP data packets the device applies the rule. Possible values: marked (default setting) The device applies the rule to every IP data packet. unmarked The device applies the rule to IP data packets depending on the value in the following fields: – Source IP address, Destination IP address, Protocol – DSCP, TOS priority, TOS mask – ICMP type, ICMP code – IGMP type – Established – Packet fragmented – TCP flag Source IP address Specifies the source address of the IP data packets to which the device applies the rule. RM GUI RSP Release 8.1 12/2019 179 Network Security [ Network Security > ACL > IPv4 Rule ] Possible values: ?.?.?.? (default setting) The device applies the rule to IP data packets with any source address. Valid IPv4 address The device applies the rule to IP data packets with the specified source address. You use the ? character as a wild card. Example 192.?.?.32: The device applies the rule to IP data packets whose source address begins with 192. and ends with .32. Valid IPv4 address/bit mask The device applies the rule to IP data packets with the specified source address. The inverse bit mask lets you specify the address range with bit-level accuracy. Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a source address in the range from 192.168.1.0 to ….127. Destination IP address Specifies the destination address of the IP data packets to which the device applies the rule. Possible values: ?.?.?.? (default setting) The device applies the rule to IP data packets with any destination address. Valid IPv4 address The device applies the rule to IP data packets with the specified destination address. You use the ? character as a wild card. Example 192.?.?.32: The device applies the rule to IP data packets whose source address begins with 192. and ends with .32. Valid IPv4 address/bit mask The device applies the rule to IP data packets with the specified destination address. The inverse bit mask lets you specify the address range with bit-level accuracy. Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a destination address in the range from 192.168.1.0 to ….127. Protocol Specifies the protocol type of the IP data packets to which the device applies the rule. Possible values: any (default setting) The device applies the rule to every IP data packet without considering the protocol type. icmp igmp ip-in-ip tcp udp ip Source TCP/UDP port Specifies the source port of the IP data packets to which the device applies the rule. The prerequisite is that you specify in the Protocol column the value TCP or UDP. 180 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > IPv4 Rule ] Possible values: any (default setting) The device applies the rule to every IP data packet without considering the source port. 1..65535 The device applies the rule only to IP data packets containing the specified source port. To specify a port range, you can use one of the following operators: – < Range below the specified port number – > Range above the specified port number – != Entire port range except the specified port Destination TCP/UDP port Specifies the destination port of the IP data packets to which the device applies the rule. The prerequisite is that you specify in the Protocol column the value TCP or UDP. Possible values: any (default setting) The device applies the rule to every IP data packet without considering the destination port. 1..65535 The device applies the rule only to IP data packets containing the specified destination port. To specify a port range, you can use one of the following operators: – < Range below the specified port number – > Range above the specified port number – != Entire port range except the specified port DSCP Specifies the Differentiated Service Code Point (DSCP value) in the header of the IP data packets to which the device applies the rule. Possible values: – (default setting) The device applies the rule to every IP data packet without considering the DSCP value. 0..63 The device applies the rule only to IP data packets containing the specified DSCP value. TOS priority Specifies the IP precedence (ToS value) in the header of the IP data packets to which the device applies the rule. Possible values: any (default setting) The device applies the rule to every IP data packet without considering the ToS value. 0..7 The device applies the rule only to IP data packets containing the specified ToS value. RM GUI RSP Release 8.1 12/2019 181 Network Security [ Network Security > ACL > IPv4 Rule ] TOS mask Specifies the bit mask for the ToS value in the header of the IP data packets to which the device applies the rule. The prerequisite is that you specify in the TOS priority column a ToS value. Possible values: any (default setting) The device applies the rule to IP data packets and considers the ToS value completely. 1..1f The device applies the rule to IP data packets and considers the bits of the ToS value specified in the bit mask. ICMP type Specifies the ICMP type in the TCP header of the IP data packets to which the device applies the rule. Possible values: -1 (default setting) ICMP type matching is inactive. 0..255 The device applies the rule to every IP data packet and considers the specified ICMP type. ICMP code Specifies the ICMP code in the TCP header of the IP data packets to which the device applies the rule. The prerequisite is that, in the ICMP type field, you specify an ICMP value. Possible values: -1 (default setting) ICMP code matching is inactive. 0..255 The device applies the rule to every IP data packet and considers the specified ICMP code. IGMP type Specifies the IGMP type in the TCP header of the IP data packets to which the device applies the rule. Possible values: 0 (default setting) IGMP type matching is inactive. 1..255 The device applies the rule to every IP data packet and considers the specified IGMP type. Established Activates/deactivates applying the ACL rule to TCP data packets which have either the RST bit, or the ACK bit set in the TCP header. Possible values: marked The device applies the rule to every IP data packet in which the RST bit, or the ACK bit is set in the TCP header. unmarked (default setting) Matching is inactive. 182 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > IPv4 Rule ] Packet fragmented Activates/deactivates applying the ACL rule to fragmented packets. Possible values: marked The device applies the ACL rule to fragmented packets. unmarked (default setting) Matching is inactive. TCP flag Specifies the TCP flag and mask value. The device lets you enter multiple values, by separating the values with a comma. Specify the flags as either + or -. Possible values: - (default setting) TCP flag matching is inactive. When you use this value in combination with the following flags, the device considers packets in which the flag is not set. + When you use this value in combination with the following flags, the device considers packets in which the flag is set. fin Indicates that the sending device has finished its transmission. syn Indicates that the Synchronize sequence numbers are significant. Only the first packet sent from each end device has this flag set. rst Indicates a reset on the link. psh Indicates the push function, in which a device asks to push the buffered data to the receiving application. ack Indicates that the Acknowledgment field is significant. Every packet, after the initial syn packet sent by the client, has this flag set. urg Indicates that the Urgent pointer field is significant. Action Specifies how the device handles received IP data packets when the device applies the rule. Possible values: permit (default setting) The device transmits the IP data packets. deny The device drops the IP data packets. RM GUI RSP Release 8.1 12/2019 183 Network Security [ Network Security > ACL > IPv4 Rule ] Redirection port Specifies the port on which the device transmits the IP data packets. The prerequisite is that you specify in the Action column the value permit. Possible values: – (default setting) The Redirection port function is disabled. <Port number> The device transmits the IP data packets on the specified port. The device does not provide the option of mirroring IP data packets across VLAN boundaries or to router interfaces. Mirror port Specifies the port on which the device transmits a copy of the IP data packets. The prerequisite is that you specify in the Action column the value permit. Possible values: – (default setting) The Mirror port function is disabled. <Port number> The device transmits a copy of the IP data packets on the specified port. The device does not provide the option of mirroring IP data packets across VLAN boundaries or to router interfaces. Assigned queue ID Specifies the priority queue to which the device assigns the IP data packets. Possible values: 0..7 (default setting: 0) Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog. Possible values: marked Logging is activated. The prerequisite is that you assign the Access Control List in the Network Security > ACL > Assignment dialog to a VLAN or port. The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule to IP data packets. unmarked (default setting) Logging is deactivated. The device lets you activate this function for up to 128 deny rules. Time profile Specifies whether the device applies the rule permanently or time-controlled. 184 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > IPv4 Rule ] Possible values: <empty> (default setting) The device applies the rule permanently. [Time Profile] The device applies the rule only at the times specified in the time profile. You edit the time profile in the Network Security > ACL > Time Profile dialog. Rate limit Specifies the limit for the data transfer rate for the port specified in the Redirection port column. The limit applies to the summary of the data sent and received. This function limits the data stream on the port or in the VLAN: Possible values: 0 (default setting) No limitation of the data transfer rate. 1..4294967295 If the data transfer rate on the port exceeds the value specified, then the device discards surplus IP data packets. The prerequisite is that you specify in the Burst size column a value >0. You specify the measurement unit of the limit in the Unit column. Unit Specifies the measurement unit for the data transfer rate specified in the Rate limit column. Possible values: kbps (default setting) kByte per second pps Data packet per second Burst size Specifies the limit in KByte for the data volume during temporary bursts. Possible values: 0 (default setting) No limitation of the data volume. 1..128 If during temporary bursts on the port the data volume exceeds the value specified, then the device discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit column a value >0. Recommendation: If the bandwidth is known: Burst size = bandwidth x allowed duration of a burst / 8. If the bandwidth is unknown: Burst size = 10 x MTU (Maximum Transmission Unit) of the port. RM GUI RSP Release 8.1 12/2019 185 Network Security [ Network Security > ACL > IPv4 Rule ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Group name field, you specify the name of the Access Control List to which the rule belongs. In the Index field, you specify the number of the rule within the Access Control List. If the Access Control List contains multiple rules, then the device processes the rule with the lowest value first. 186 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > MAC Rule ] 4.8.2 ACL MAC Rule [ Network Security > ACL > MAC Rule ] In this dialog, you specify the rules that the device applies to the MAC data packets. An Access Control List (group) contains one or more rules. The device applies the rules of an Access Control List successively, beginning with the rule with the lowest value in the Index column. The device lets you filter according to the following criteria: Source or destination MAC address of a data packet Type of the transmitting protocol Membership of a specific VLAN Service class of a data packet Table Group name Displays the name of the Access Control List. The Access Control List contains the rules. Index Displays the number of the rule within the Access Control List. If the Access Control List contains multiple rules, then the device processes the rule with the lowest value first. Match every packet Specifies to which MAC data packets the device applies the rule. Possible values: marked (default setting) The device applies the rule to every MAC data packet. The device ignores the value in the fields Source MAC address, Destination MAC address, Ethertype, Ethertype custom value, VLAN ID, and COS. unmarked The device applies the rule to MAC data packets depending on the value in the fields Source MAC address, Destination MAC address, Ethertype, Ethertype custom value, VLAN ID, and COS. Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule. RM GUI RSP Release 8.1 12/2019 187 Network Security [ Network Security > ACL > MAC Rule ] Possible values: ??:??:??:??:??:?? (default setting) The device applies the rule to MAC data packets with any source address. Valid MAC address The device applies the rule to MAC data packets with the specified source address. You use the ? character as a wild card. Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose source address begins with 00:11. Valid MAC address/bit mask The device applies the rule to MAC data packets with the specified source address. The bit mask lets you specify the address range with bit-level accuracy. Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data packets with a source address in the range from 00:11:22:33:44:54 to …:57. Destination MAC address Specifies the destination address of the MAC data packets to which the device applies the rule. Possible values: ??:??:??:??:??:?? (default setting) The device applies the rule to MAC data packets with any destination address. Valid MAC address The device applies the rule to MAC data packets with the specified destination address. You use the ? character as a wild card. Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose destination address begins with 00:11. Valid MAC address/bit mask The device applies the rule to MAC data packets with the specified source address. The bit mask lets you specify the address range with bit-level accuracy. Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data packets with a destination address in the range from 00:11:22:33:44:54 to …:57. Ethertype Specifies the Ethertype keyword of the MAC data packets to which the device applies the rule. Possible values: custom (default setting) The device applies the value specified in the Ethertype custom value column. appletalk arp ibmsna ipv4 ipv6 ipxold mplsmcast mplsucast netbios novell rarp pppoe 188 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > MAC Rule ] Ethertype custom value Specifies the Ethertype value of the MAC data packets to which the device applies the rule. The prerequisite is that in the Ethertype column the value custom is specified. Possible values: any (default setting) The device applies the rule to every MAC data packet without considering the Ethertype value. 600..ffff The device applies the rule only to MAC data packets containing the Ethertype value specified here. VLAN ID Specifies the VLAN ID of the MAC data packets to which the device applies the rule. Possible values: 0 (default setting) The device applies the rule to every MAC data packet without considering the VLAN ID. 1..4042 COS Specifies the Class of Service (COS) value of the MAC data packets to which the device applies the rule. Possible values: 0..7 any (default setting) The device applies the rule to every MAC data packet without considering the Class of Service value. Note: For data packets without a VLAN tag, the device uses the port priority instead of the COS value. Action Specifies how the device handles received MAC data packets when the device applies the rule. Possible values: permit (default setting) The device transmits the MAC data packets. deny The device discards the MAC data packets. Redirection port Specifies the port on which the device transmits the MAC data packets. The prerequisite is that in the Action column the value permit is specified. RM GUI RSP Release 8.1 12/2019 189 Network Security [ Network Security > ACL > MAC Rule ] Possible values: – (default setting) The Redirection port function is disabled. <Port number> The device transmits the MAC data packets on the specified port. The device does not provide the option of mirroring IP data packets across VLAN boundaries or to router interfaces. Mirror port Specifies the port on which the device transmits a copy of the MAC data packets. The prerequisite is that in the Action column the value permit is specified. Possible values: – (default setting) The Mirror port function is disabled. <Port number> The device transmits a copy of the MAC data packets on the specified port. The device does not provide the option of mirroring IP data packets across VLAN boundaries or to router interfaces. Assigned queue ID Specifies the ID of the priority queue on which the device transmits the MAC data packets. Possible values: 0..7 (default setting: 0) Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog. Possible values: marked Logging is activated. The prerequisite is that you assign the Access Control List in the Network Security > ACL > Assignment dialog to a VLAN or port. The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule to MAC data packets. unmarked (default setting) Logging is deactivated. The device lets you activate this function for up to 128 deny rules. Time profile Specifies whether the device applies the rule permanently or time-controlled. 190 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > MAC Rule ] Possible values: <empty> (default setting) The device applies the rule permanently. [Time Profile] The device applies the rule only at the times specified in the time profile. You edit the time profile in the Network Security > ACL > Time Profile dialog. Rate limit Specifies the limit for the data transfer rate for the port specified in the Redirection port column. The limit applies to the summary of the data sent and received. This function limits the data stream on the port or in the VLAN: Possible values: 0 (default setting) No limitation of the data transfer rate. 1..4294967295 If the data transfer rate on the port exceeds the value specified, then the device discards surplus MAC data packets. The prerequisite is that you specify in the Burst size column a value >0. You specify the measurement unit of the limit in the Unit column. Unit Specifies the unit of measurement for the data transfer rate specified in the Rate limit column. Possible values: kbps (default setting) kByte per second pps Data packet per second Burst size Specifies the limit in KByte for the data volume during temporary bursts. Possible values: 0 (default setting) No limitation of the data volume. 1..128 If during temporary bursts on the port the data volume exceeds the value specified, then the device discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit column a value >0. Recommendation: If the bandwidth is known: Burst size = bandwidth x allowed duration of a burst / 8. If the bandwidth is unknown: Burst size = 10 x MTU (Maximum Transmission Unit) of the port. RM GUI RSP Release 8.1 12/2019 191 Network Security [ Network Security > ACL > MAC Rule ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Group name field, you specify the name of the Access Control List to which the rule belongs. In the Index field, you specify the number of the rule within the Access Control List. If the Access Control List contains multiple rules, then the device processes the rule with the lowest value first. 192 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > Assignment ] 4.8.3 ACL Assignment [ Network Security > ACL > Assignment ] This dialog lets you assign one or more Access Control Lists to the ports and VLANs of the device. By assigning a priority you specify the processing sequence, provided you assign one or more Access Control Lists to a port or VLAN. The device applies rules successively, namely in the sequence specified by the rule index. You specify the priority of a group in the Priority column. The lower the number, the higher the priority. In this process, the device applies the rules with a high priority before the rules with a low priority. The assignment of Access Control Lists to ports and VLANs results in the following different types of ACL: Port-based IPv4-ACLs Port-based MAC ACLs VLAN-based IPv4 ACLs VLAN-based MAC ACLs Note: Before you enable the function, verify that at least one active entry in the table lets you access. Otherwise, the connection to the device terminates if you change the settings. To access the device management is possible only using the CLI through the serial interface of the device. Table Group name Displays the name of the Access Control List. The Access Control List contains the rules. Type Displays whether the Access Control List contains MAC rules or IPv4 rules. Possible values: mac The Access Control List contains MAC rules. ip The Access Control List contains IPv4 rules. You edit Access Control Lists with IPv4 rules in the Network Security > ACL > IPv4 Rule dialog. You edit Access Control Lists with MAC rules in the Network Security > ACL > ACL MAC Rule dialog. Port Displays the port to which the Access Control List is assigned. The field remains empty when the Access Control List is assigned to a VLAN. VLAN ID Displays the VLAN to which the Access Control List is assigned. The field remains empty when the Access Control List is assigned to a port. RM GUI RSP Release 8.1 12/2019 193 Network Security [ Network Security > ACL > Assignment ] Direction Displays that the device applies the Access Control List to received data packets. Priority Displays the priority of the Access Control List. Using the priority, you specify the sequence in which the device applies the Access Control Lists to the data stream. The device applies the rules in ascending order starting with priority 1. Possible values: 1..4294967295 If an Access Control List is assigned to a port and to a VLAN with the same priority, then the device applies the rules to the port first. Active Activates/deactivates the Access Control List on the port or in the VLAN. Possible values: marked (default setting) The Access Control List is active. unmarked The Access Control List is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create dialog to assign a rule to a port or a VLAN. In the Port/VLAN field, you specify the port or the VLAN ID. In the Priority field, you specify the source MAC address of the ARP rule. In the Direction field, you specify the data packets to which the device applies the rule. In the Group name filed, you specify which rule the device assigns to the port or VLAN. 194 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > Time Profile ] 4.8.4 ACL Time Profile [ Network Security > ACL > Time Profile ] This dialog lets you edit time profiles. If you assign a time profile to a MAC or IPv4 rule, then the device applies the rule at the times specified in the time profile. If no time profile is assigned, the device applies the rule permanently. The device lets you create up to 100 time profiles with up to 10 time periods. The device applies the MAC and IPv4 rules during the time specified within the time period. If you specify the time periods using the Absolute option, then the device applies the rule one time. If you specify the time periods using the Periodic option, then the device applies the rule recurrently. The implied Deny-All rule of the ACLs is constantly valid independently of the time control. Table Note: If you reconfigure a time period, then first specify the end time and then the start time. Otherwise, the dialog displays an error message. Profile name Displays the name of the time profile. The time profile contains the time periods. Index Displays the number of the time period within the time profile. The device automatically assigns this number. Absolute Start date Specifies the date at which the device starts to apply the one-time rule. Possible values: YYYY-MM-DD or DD.MM.YY (depending on the language preferences of your web browser) Start time Specifies the time at which the device starts to apply the one-time rule. Possible values: hh:mm Hour:Minute End date Specifies the date at which the device terminates the one-time rule. RM GUI RSP Release 8.1 12/2019 195 Network Security [ Network Security > ACL > Time Profile ] Possible values: YYYY-MM-DD or DD.MM.YY (depending on the language preferences of your web browser) End time Specifies the time at which the device terminates the one-time rule. Possible values: hh:mm Hour:Minute Periodic Starting days Specifies the days of the week on which the device periodically starts to apply the rule. Possible values: Sun Mon Tue Wed Thu Fri Sat Start time Specifies the time at which the device periodically starts to apply the rule. Possible values: hh:mm Hour:Minute Ending days Specifies the days of the week on which the device periodically terminates the rule. Possible values: Sun Mon Tue Wed Thu Fri Sat End time Specifies the time at which the device periodically terminates the rule. 196 RM GUI RSP Release 8.1 12/2019 Network Security [ Network Security > ACL > Time Profile ] Possible values: hh:mm Hour:Minute Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create dialog to create a new time period. In the Profile name field, you specify the name of the time profile to which the time period belongs. In the Type field, you specify the type of time period. – With the Periodic radio button, you specify a time period at which the device activates the recurring rule. – With the Absolute radio button, you specify a time period at which the device activates the rule one time. Within every time profile, exactly one such time period is allowed. In the Start frame, you specify the time at which the device starts to apply the rule. In the End frame, you specify the time at which the device terminates to apply the rule. RM GUI RSP Release 8.1 12/2019 197 Switching [ Switching > Global ] 5 Switching The menu contains the following dialogs: Switching Global Rate Limiter Filter for MAC Addresses IGMP Snooping MRP-IEEE GARP QoS/Priority VLAN L2-Redundancy 5.1 Switching Global [ Switching > Global ] This dialog lets you specify the following settings: Change the Aging time of the address table Enable the flow control in the device Enable the VLAN Unaware Mode If a large number of data packets are received in the priority queue of a port at the same time, then this can cause the port memory to overflow. This happens, for example, when the device receives data on a Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus data packets. The flow control mechanism described in standard IEEE 802.3 helps ensure that no data packets are lost due to a port memory overflowing. Shortly before a port memory is completely full, the device signals to the connected devices that it is not accepting any more data packets from them. In full-duplex mode, the device sends a pause data packet. In half-duplex mode, the device simulates a collision. Then the connected devices do not send any more data packets for as long as the signaling takes. On uplink ports, this can possibly cause undesired sending breaks in the higher-level network segment (“wandering backpressure”). According to standard IEEE 802.1Q, the device forwards data packets with a VLAN tag in a VLAN ≥1. However, a small number of applications on connected end devices send or receive data packets with a VLAN ID=0. When the device receives one of these data packets, before forwarding it the device overwrites the original value in the data packet with the VLAN ID of the receiving port. If you activate the VLAN Unaware Mode, then this deactivates the VLAN settings in the device. The device then transparently forwards the data packets and evaluates the priority information contained only in the data packet. Configuration MAC address Displays the MAC address of the device. 198 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > Global ] Aging time [s] Specifies the aging time in seconds. Possible values: 10..500000 (default setting: 30) The device monitors the age of the learned unicast MAC addresses. The device deletes address entries that exceed a particular age (aging time) from its address table. You find the address table in the Switching > Filter for MAC Addresses dialog. In connection with the router redundancy, specify a time ≥ 30 s. Flow control Activates/deactivates the flow control in the device. Possible values: marked The flow control is active in the device. Additionally activate the flow control on the required ports. See the Basic Settings > Port dialog, Configuration tab, checkbox in the Flow control column. unmarked (default setting) The flow control is inactive in the device. If you are using a redundancy function, then deactivate the flow control on the participating ports. If the flow control and the redundancy function are active at the same time, it is possible that the redundancy function operates differently than intended. VLAN unaware mode Activates/deactivates the VLAN unaware mode. Possible values: marked The VLAN unaware mode is active. The device works in the VLAN Unaware bridging mode (802.1Q): – The device ignores the VLAN settings in the device and the VLAN tags in the data packets. The device transmits the data packets based on their destination MAC address or destination IP address in VLAN 1. – The device ignores the VLAN settings specified in the Switching > VLAN > Configuration and Switching > VLAN > Port dialogs. Every port is assigned to VLAN 1. – The device evaluates the priority information contained in the data packet. Note: You specify the VLAN ID 1 for every function in the device which uses VLAN settings. Among other things, this applies to static filters, MRP and IGMP Snooping. unmarked (default setting) The VLAN unaware mode is inactive. The device works in the VLAN-aware bridging mode (802.1Q): – The device evaluates the VLAN tags in the data packets. – The device transmits the data packets based on their destination MAC address or destination IP address in the corresponding VLAN. – The device evaluates the priority information contained in the data packet. RM GUI RSP Release 8.1 12/2019 199 Switching [ Switching > Global ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. 200 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > Rate Limiter ] 5.2 Rate Limiter [ Switching > Rate Limiter ] The device lets you limit the traffic on the ports in order to help provide stable operation even with a large traffic volume. If the traffic on a port exceeds the traffic value entered, then the device discards the excess traffic on this port. The rate limiter function operates only on Layer 2, and is used to limit the effects of storms of data packets that flood the device (typically Broadcasts). The rate limiter function ignores protocol information on higher levels, such as IP or TCP. The dialog contains the following tabs: [Ingress] [Egress] [Ingress] In this tab, you enable the Rate Limiter function. The threshold value specifies the maximum amount of traffic the port receives. If the traffic on this port exceeds the threshold value, then the device discards the excess traffic on this port. Table Port Displays the port number. Threshold unit Specifies the unit for the threshold value: Possible values: percent (default setting) Specifies the threshold value as a percentage of the data rate of the port. pps Specifies the threshold value in data packets per second. Broadcast mode Activates/deactivates the rate limiter function for received broadcast data packets. Possible values: marked unmarked (default setting) If the threshold value is exceeded, then the device discards the excess broadcast data packets on this port. RM GUI RSP Release 8.1 12/2019 201 Switching [ Switching > Rate Limiter ] Broadcast threshold Specifies the threshold value for received broadcasts on this port. Possible values: 0..14880000 (default setting: 0) The value 0 deactivates the rate limiter function on this port. If you select the value percent in the Threshold unit column, then enter a percentage value from 0 to 100. If you select the value pps in the Threshold unit column, then enter an absolute value for the data rate. Multicast mode Activates/deactivates the rate limiter function for received multicast data packets. Possible values: marked unmarked (default setting) If the threshold value is exceeded, then the device discards the excess multicast data packets on this port. Multicast threshold Specifies the threshold value for received multicasts on this port. Possible values: 0..14880000 (default setting: 0) The value 0 deactivates the rate limiter function on this port. If you select the value percent in the Threshold unit column, then enter a percentage value from 0 to 100. If you select the value pps in the Threshold unit column, then enter an absolute value for the data rate. Unknown unicast mode Activates/deactivates the rate limiter function for received unicast data packets with an unknown destination address. Possible values: marked unmarked (default setting) If the threshold value is exceeded, then the device discards the excess unicast data packets on this port. Unicast threshold Specifies the threshold value for received unicasts with an unknown destination address on this port. 202 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > Rate Limiter ] Possible values: 0..14880000 (default setting: 0) The value 0 deactivates the rate limiter function on this port. If you select the value percent in the Threshold unit, then enter a percentage value from 0 to 100. If you select the value pps in the Threshold unit column, then enter an absolute value for the data rate. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Egress] In this tab, you specify the egress transmission rate on the port. Table Port Displays the port number. Bandwidth [%] Specifies the egress transmission rate. Possible values: 0 (default setting) The bandwidth limitation is disabled. 1..100 The bandwidth limitation is enabled. This value specifies the percentage of overall link speed for the port in 1% increments. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 203 Switching [ Switching > Filter for MAC Addresses ] 5.3 Filter for MAC Addresses [ Switching > Filter for MAC Addresses ] This dialog lets you display and edit address filters for the address table. Address filters specify the way the data packets are forwarded in the device based on the destination MAC address. Each row in the table represents one filter. The device automatically sets up the filters. The device lets you set up additional filters manually. The device transmits the data packets as follows: When the table contains an entry for the destination address of a data packet, the device transmits the data packet from the receiving port to the port specified in the table entry. When there is no table entry for the destination address, the device transmits the data packet from the receiving port to every other port. Table To delete the learned MAC addresses from the address table, click in the Basic Settings > Restart dialog the Reset MAC address table button. Address Displays the destination MAC address to which the table entry applies. VLAN ID Displays the ID of the VLAN to which the table entry applies. The device learns the MAC addresses for every VLAN separately (independent VLAN learning). Status Displays how the device has set up the address filter. Possible values: learned Address filter set up automatically by the device based on received data packets. permanent Address filter set up manually. The address filter stays set up permanently. IGMP Address filter automatically set up by IGMP Snooping. mgmt MAC address of the device. The address filter is protected against changes. MRP-MMRP Multicast address filter automatically set up by MMRP. GMRP Multicast address filter automatically set up by GMRP. <Port number> Displays how the corresponding port transmits data packets which it directs to the adjacent destination address. 204 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > Filter for MAC Addresses ] Possible values: – The port does not transmit any data packets to the destination address. learned The port transmits data packets to the destination address. The device created the filter automatically based on received data packets. IGMP learned The port transmits data packets to the destination address. The device created the filter automatically based on IGMP. unicast static The port transmits data packets to the destination address. A user created the filter. multicast static The port transmits data packets to the destination address. A user created the filter. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Address field, you specify the destination MAC address. In the VLAN ID field, you specify the ID of the VLAN. In the Port field, you specify the port. – Select one port if the destination MAC address is a unicast address. – Select one or more ports if the destination MAC address is a multicast address. – Select no port to create a discard filter. The device discards data packets with the destination MAC address specified in the table entry. Reset MAC address table Removes the MAC addresses from the forwarding table that have the value learned in the Status column. RM GUI RSP Release 8.1 12/2019 205 Switching [ Switching > IGMP Snooping ] 5.4 IGMP Snooping [ Switching > IGMP Snooping ] The Internet Group Management Protocol (IGMP) is a protocol for dynamically managing Multicast groups. The protocol describes the distribution of Multicast data packets between routers and end devices on Layer 3. The device lets you use the IGMP Snooping function to also use the IGMP mechanisms on Layer 2: Without IGMP Snooping, the device transmits the Multicast data packets to every port. With the activated IGMP Snooping function, the device transmits the Multicast data packets only on ports to which Multicast receivers are connected. This reduces the network load. The device evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2. Activate the IGMP Snooping function not until the following conditions are fulfilled: – There is a Multicast router in the network that creates IGMP queries (periodic queries). – The devices participating in IGMP Snooping forward the IGMP queries. The device links the IGMP reports with the entries in its address table. When a multicast receiver joins a multicast group, the device creates a table entry for this port in the Switching > Filter for MAC Addresses dialog. When the multicast receiver leaves the multicast group, the device removes the table entry. The menu contains the following dialogs: IGMP Snooping Global IGMP Snooping Configuration IGMP Snooping Enhancements IGMP Snooping Querier IGMP Snooping Multicasts 206 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Global ] 5.4.1 IGMP Snooping Global [ Switching > IGMP Snooping > Global ] This dialog lets you enable the IGMP Snooping protocol in the device and also configure it for each port and each VLAN. Operation Operation Enables/disables the IGMP Snooping function in the device. Possible values: On The IGMP Snooping function is enabled in the device according to RFC 4541 (Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches). Off (default setting) The IGMP Snooping function is disabled in the device. The device transmits received query, report, and leave data packets without evaluating them. Received data packets with a Multicast destination address are transmitted to every port by the device. Information Multicast control packets processed Displays the number of Multicast control data packets processed. This statistic encompasses the following packet types: • IGMP Reports • IGMP Queries version V1 • IGMP Queries version V2 • IGMP Queries version V3 • IGMP Queries with an incorrect version • PIM or DVMRP packets The device uses the Multicast control data packets to create the address table for transmitting the Multicast data packets. Possible values: 0..2 31 -1 You use the Reset IGMP snooping data button in the Basic Settings > Restart dialog or the command using the Command Line Interface to reset the IGMP Snooping entries, including the counter for the processed multicast control data packets. clear igmp-snooping RM GUI RSP Release 8.1 12/2019 207 Switching [ Switching > IGMP Snooping > Global ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset IGMP snooping counters Removes the IGMP Snooping entries and resets the counter in the Information frame to 0. 208 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Configuration ] 5.4.2 IGMP Snooping Configuration [ Switching > IGMP Snooping > Configuration ] This dialog lets you enable the IGMP Snooping function in the device and also configure it for each port and each VLAN. The dialog contains the following tabs: [VLAN ID] [Port] [VLAN ID] In this tab, you configure the IGMP Snooping function for every VLAN. Table VLAN ID Displays the ID of the VLAN to which the table entry applies. Active Activates/deactivates the IGMP Snooping function for this VLAN. The prerequisite is that the IGMP Snooping function is globally enabled. Possible values: marked IGMP Snooping is activated for this VLAN. The VLAN has joined the Multicast data stream. unmarked (default setting) IGMP Snooping is deactivated for this VLAN. The VLAN has left the Multicast data stream. Group membership interval Specifies the time in seconds for which a VLAN from a dynamic Multicast group remains entered in the address table when the device does not receive any more report data packets from the VLAN. Specify a value larger than the value in the Max. response time column. Possible values: 2..3600 (default setting: 260) Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a query data packet. For their response, the members specify a random time within the response time. You thus help prevent the multicast group members from responding to the query at the same time. Specify a value smaller than the value in the Group membership interval column. RM GUI RSP Release 8.1 12/2019 209 Switching [ Switching > IGMP Snooping > Configuration ] Possible values: 1..25 (default setting: 10) Fast leave admin mode Activates/deactivates the Fast Leave function for this VLAN. Possible values: marked When the Fast Leave function is active and the device receives an IGMP Leave message from a multicast group, the device immediately removes the entry from its address table. unmarked (default setting) When the Fast Leave function is inactive, the device first sends MAC-based queries to the members of the multicast group and removes an entry when a VLAN does not send any more report messages. MRP expiration time Multicast Router Present Expiration Time. Specifies the time in seconds for which the device waits for a query on this port that belongs to a VLAN. When the port does not receive a query data packet, the device removes the port from the list of ports with connected multicast routers. You have the option of configuring this parameter only if the port belongs to an existing VLAN. Possible values: 0 unlimited timeout - no expiration time 1..3600 (default setting: 260) Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Port] In this tab, you configure the IGMP Snooping function for every port. Table Port Displays the port number. Active Activates/deactivates the IGMP Snooping function for this port. The prerequisite is that the IGMP Snooping function is globally enabled. 210 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Configuration ] Possible values: marked IGMP Snooping is active on this port. The device includes the port in the multicast data stream. unmarked (default setting) IGMP Snooping is inactive on this port. The port left the multicast data stream. Group membership interval Specifies the time in seconds for which a port, from a dynamic multicast group, remains entered in the address table when the device does not receive any more report data packets from the port. Possible values: 2..3600 (default setting: 260) Specify the value larger than the value in the Max. response time column. Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a query data packet. For their response, the members specify a random time within the response time. You thus help prevent the multicast group members from responding to the query at the same time. Possible values: 1..25 (default setting: 10) Specify a value lower than the value in the Group membership interval column. MRP expiration time Specifies the Multicast Router Present Expiration Time. The MRP expiration time is the time in seconds for which the device waits for a query packet on this port. When the port does not receive a query data packet, the device removes the port from the list of ports with connected multicast routers. Possible values: 0 unlimited timeout - no expiration time 1..3600 (default setting: 260) Fast leave admin mode Activates/deactivates the Fast Leave function for this port. Possible values: marked When the Fast Leave function is active and the device receives an IGMP Leave message from a multicast group, the device immediately removes the entry from its address table. unmarked (default setting) When the Fast Leave function is inactive, the device first sends MAC-based queries to the members of the multicast group and removes an entry when a port does not send any more report messages. Static query port Activates/deactivates the Static query port mode. RM GUI RSP Release 8.1 12/2019 211 Switching [ Switching > IGMP Snooping > Configuration ] Possible values: marked The Static query port mode is active. The port is a static query port in the VLANs that are set up. If you use the Redundant Coupling Protocol function and the device operates as slave, then do not activate the Static query port mode for the ports on the secondary ring/network. unmarked (default setting) The Static query port mode is inactive. The port is not a static query port. The device transmits IGMP report messages to the port only if it receives IGMP queries. VLAN IDs Displays the ID of the VLANs to which the table entry applies. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 212 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Snooping Enhancements ] 5.4.3 IGMP Snooping Enhancements [ Switching > IGMP Snooping > Snooping Enhancements ] This dialog lets you select a port for a VLAN ID and to configure the port. Table VLAN ID Displays the ID of the VLAN to which the table entry applies. <Port number> Displays for every VLAN set up in the device whether the relevant port is a query port. Additionally, the field displays whether the device transmits every Multicast stream in the VLAN to this port. Possible values: – The port is not a query port in this VLAN. L = Learned The device detected the port as a query port because the port received IGMP queries in this VLAN. The port is not a statically configured query port. A = Automatic The device detected the port as a query port. The prerequisite is that you configure the port as Learn by LLDP. S = Static (manual setting) A user specified the port as a static query port. The device transmits IGMP reports only to ports on which it previously received IGMP queries – and to statically configured query ports. To assign this value, proceed as follows: Open the Wizard window. On the Configuration page, mark the Static checkbox. P = Learn by LLDP (manual setting) A user specified the port as Learn by LLDP. With the Link Layer Discovery Protocol (LLDP), the device detects Hirschmann devices connected directly to the port. The device denotes the detected query ports with A. To assign this value, proceed as follows: Open the Wizard window. On the Configuration page, mark the Learn by LLDP checkbox. F = Forward All (manual setting) A user specified the port so that the device transmits every received Multicast stream in the VLAN to this port. Use this setting for diagnostics purposes, for example. To assign this value, proceed as follows: Open the Wizard window. On the Configuration page, mark the Forward all checkbox. RM GUI RSP Release 8.1 12/2019 213 Switching [ Switching > IGMP Snooping > Snooping Enhancements ] Display categories Enhances the clarity of the display. The table emphasizes the cells which contain the specified value. This helps to analyze and sort the table according to your needs. Learned (L) The table displays cells which contain the value L and possibly further values. Cells which contain other values than L only, the table displays with the “-“ symbol. Static (S) The table displays cells which contain the value S and possibly further values. Cells which contain other values than S only, the table displays with the “-“ symbol. Automatic (A) The table displays cells which contain the value A and possibly further values. Cells which contain other values than A only, the table displays with the “-“ symbol. Learned by LLDP (P) The table displays cells which contain the value P and possibly further values. Cells which contain other values than P only, the table displays with the “-“ symbol. Forward all (F) The table displays cells which contain the value F and possibly further values. Cells which contain other values than F only, the table displays with the “-“ symbol. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Wizard window that helps you to select and configure the ports. [Selection VLAN/Port (Wizard)] On the Selection VLAN/Port page you assign a VLAN ID to port. On the Configuration page you specify the settings for the port. After closing the Wizard window, click the button to save your settings. [Selection VLAN/Port (Wizard) – Selection VLAN/Port] VLAN ID Select the ID of the VLAN. Possible values: 1..4042 Port Select the port. 214 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Snooping Enhancements ] Possible values: <Port number> [Selection VLAN/Port (Wizard) – Configuration] VLAN ID Displays the ID of the selected VLAN. Port Displays the number of the selected port. Static Specifies the port as a static query port in the VLANs that are set up. The device transmits IGMP report messages to the ports at which it receives IGMP queries. This lets you also transmit IGMP report messages to other selected ports (enable) or connected Hirschmann devices (Automatic). Learn by LLDP Specifies the port as Learn by LLDP. Lets the device detect directly connected Hirschmann devices using LLDP and learn the related ports as a query port. Forward all Specifies the port as Forward all. With the Forward all setting, the device transmits at this port every data packet with a Multicast address in the destination address field. RM GUI RSP Release 8.1 12/2019 215 Switching [ Switching > IGMP Snooping > Querier ] 5.4.4 IGMP Snooping Querier [ Switching > IGMP Snooping > Querier ] The device lets you send a Multicast stream only to those ports to which a Multicast receiver is connected. To determine which ports Multicast receivers are connected to, the device sends query data packets to the ports at a definable interval. When a Multicast receiver is connected, it joins the Multicast stream by responding to the device with a report data packet. This dialog lets you configure the Snooping Querier settings globally and for the VLANs that are set up. Operation Operation Enables/disables the IGMP Querier function globally in the device. Possible values: On Off (default setting) Configuration In this frame you specify the IGMP Snooping Querier settings for the general query data packets. Protocol version Specifies the IGMP version of the general query data packets. Possible values: 1 IGMP v1 2 (default setting) IGMP v2 3 IGMP v3 Query interval [s] Specifies the time in seconds after which the device generates general query data packets itself when it has received query data packets from the Multicast router. Possible values: 1..1800 (default setting: 60) 216 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Querier ] Expiry interval [s] Specifies the time in seconds after which an active querier switches from the passive state back to the active state if it has not received any query packets for longer than specified here. Possible values: 60..300 (default setting: 125) Table In the table you specify the Snooping Querier settings for the VLANs that are set up. VLAN ID Displays the ID of the VLAN to which the table entry applies. Active Activates/deactivates the IGMP Snooping Querier function for this VLAN. Possible values: marked The IGMP Snooping Querier function is active for this VLAN. unmarked (default setting) The IGMP Snooping Querier function is inactive for this VLAN. Current state Displays whether the Snooping Querier is active for this VLAN. Possible values: marked The Snooping Querier is active for this VLAN. unmarked The Snooping Querier is inactive for this VLAN. Address Specifies the IP address that the device adds as the source address in generated general query data packets. You use the address of the multicast router. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Protocol version Displays the IGMP protocol version of the general query data packets. RM GUI RSP Release 8.1 12/2019 217 Switching [ Switching > IGMP Snooping > Querier ] Possible values: 1 IGMP v1 2 IGMP v2 3 IGMP v3 Max. response time Displays the time in seconds in which the members of a Multicast group should respond to a query data packet. For their response, the members specify a random time within the response time. This helps prevent every Multicast group member to respond to the query at the same time. Last querier address Displays the IP address of the Multicast router from which the last received IGMP query was sent out.. Last querier version Displays the IGMP version that the Multicast router used when sending out the last IGMP query received in this VLAN. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 218 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > IGMP Snooping > Multicasts ] 5.4.5 IGMP Snooping Multicasts [ Switching > IGMP Snooping > Multicasts ] The device lets you specify how it transmits data packets with unknown Multicast addresses: Either the device discards these data packets, floods them to every port, or transmits them only to the ports that previously received query packets. The device also lets you transmit the data packets with known Multicast addresses to the query ports. Configuration Unknown multicasts Specifies how the device transmits the data packets with unknown Multicast addresses. Possible values: Discard The device discards data packets with an unknown MAC/IP Multicast address. Send to all ports (default setting) The device forwards data packets with an unknown MAC/IP Multicast address to the registered ports. Send to query ports The device forwards data packets with an unknown MAC/IP Multicast address to the query ports. Table In the table you specify the settings for known Multicasts for the VLANs that are set up. VLAN ID Displays the ID of the VLAN to which the table entry applies. Known multicasts Specifies how the device transmits the data packets with known Multicast addresses. Possible values: send to query and registered ports The device forwards data packets with an unknown MAC/IP Multicast address to the query ports and to the registered ports. send to registered ports (default setting) The device forwards data packets with an unknown MAC/IP Multicast address to registered ports. RM GUI RSP Release 8.1 12/2019 219 Switching [ Switching > MRP-IEEE ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.5 MRP-IEEE [ Switching > MRP-IEEE ] The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also modified and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and GARP VLAN Registration Protocol (GVRP). The Multiple MAC Registration Protocol (MMRP) and the Multiple VLAN Registration Protocol (MVRP) replace these protocols. MRP-IEEE helps confine traffic to the required areas of the LAN. To confine traffic, the MRPIEEE applications distribute attribute values to participating MRP-IEEE devices across a LAN registering and de-registering multicast group membership and VLAN identifiers. Registering group participants lets you reserve resources for specific traffic transversing a LAN. Defining resource requirements regulates the level of traffic, allowing the devices to determine the required resources and provides for dynamic maintenance of the allocated resources. The menu contains the following dialogs: MRP-IEEE Configuration MRP-IEEE Multiple MAC Registration Protocol MRP-IEEE Multiple VLAN Registration Protocol 220 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > MRP-IEEE > Configuration ] 5.5.1 MRP-IEEE Configuration [ Switching > MRP-IEEE > Configuration ] This dialog lets you set the various MRP timers. By maintaining a relationship between the various timer values, the protocol operates efficiently and with less likelihood of unnecessary attribute withdraws and re-registration. The default timer values effectively maintain these relationships. When you reconfigure the timers, maintain the following relationships: To allow for re-registration after a Leave or LeaveAll event, even if there is a lost message, specify the LeaveTime to: ≥ (2x JoinTime) + 60. To minimize the volume of rejoining traffic generated following a LeaveAll event, specify the value for the LeaveAll timer larger than the LeaveTime value. Table Port Displays the port number. Join time [1/100s] Specifies the Join timer which controls the interval between transmit opportunities applied to the Applicant state machine. Possible values: 10..100 (default setting: 20) Leave time [1/100s] Specifies the Leave timer which controls the period that the Registrar state machine waits in the leave (LV) state before transiting to the empty (MT) state. Possible values: 20..600 (default setting: 60) Leave all time [1/100s] Specifies the LeaveAll timer which controls the frequency with which the LeaveAll state machine generates LeaveAll PDUs. Possible values: 200..6000 (default setting: 1000) Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 221 Switching [ Switching > MRP-IEEE > MMRP ] 5.5.2 MRP-IEEE Multiple MAC Registration Protocol [ Switching > MRP-IEEE > MMRP ] The Multiple MAC Registration Protocol (MMRP) lets end devices and MAC switches register and de-register group membership and individual MAC address information with switches located in the same LAN. The switches within the LAN disseminate the information through switches that support extended filtering services. Using the MAC address information, MMRP lets you confine multicast traffic to the required areas of a Layer 2 network. For an example of how MMRP works, consider a security camera mounted on a mast overlooking a building. The camera sends multicast packets onto a LAN. You have 2 end devices installed for surveillance in separate locations. You register the MAC addresses of the camera and the 2 end devices in the same multicast group. You then specify the MMRP settings on the ports to send the multicast group packets to the 2 end devices. The dialog contains the following tabs: [Configuration] [Service requirement] [Statistics] [Configuration] In this tab, you select active MMRP port participants and set the device to transmit periodic events. The dialog also lets you enable VLAN registered MAC address broadcasting. A periodic state machine exists for each port and transmits periodic events regularly to the applicant state machines associated with active ports. Periodic events contain information indicating the status of the devices associated with the active port. Operation Operation Enables/disables the global MMRP function in the device. The device participates in MMRP message exchanges. Possible values: On The device is a normal participant in MMRP message exchanges. Off (default setting) The device ignores MMRP messages. Configuration Periodic state machine Enables/disables the global periodic state machine in the device. 222 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > MRP-IEEE > MMRP ] Possible values: On With MMRP Operation enabled globally, the device transmits MMRP messages in one-second intervals, on MMRP participating ports. Off (default setting) Disables the periodic state machine in the device. Table Port Displays the port number. Active Activates/deactivates the port MMRP participation. Possible values: marked (default setting) With MMRP enabled globally and on this port, the device sends and receives MMRP messages on this port. unmarked Disables the port MMRP participation. Restricted group registration Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the port. Possible values: marked If enabled and a static filter entry for the MAC address exists on the VLAN concerned, then the device registers the MAC address attributes dynamically. unmarked (default setting) Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Service requirement] This tab contains forwarding parameters for each active VLAN, specifying the ports on which multicast forwarding applies. The device lets you statically setup VLAN ports as Forward all or Forbidden. You set the Forbidden MMRP service requirement statically only through the Graphical User Interface or Command Line Interface. A port is setup only as ForwardAll or Forbidden. RM GUI RSP Release 8.1 12/2019 223 Switching [ Switching > MRP-IEEE > MMRP ] Table VLAN ID Displays the ID of the VLAN. <Port number> Specifies the service requirement handling for the port. Possible values: FA Specifies the ForwardAll traffic setting on the port. The device forwards traffic destined to MMRP registered multicast MAC addresses on the VLAN. The device forwards traffic to ports which MMRP has dynamically setup or ports which the administrator has statically setup as ForwardAll ports. F Specifies the Forbidden traffic setting on the port. The device blocks dynamic MMRP ForwardAll service requirements. With ForwardAll requests blocked on this port in this VLAN, the device blocks traffic destined to MMRP registered multicast MAC addresses on this port. Furthermore, the device blocks MMRP service request for changing this value on this port. - (default setting) Disables the forwarding functions on this port. Learned Displays values setup by MMRP service requests. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Statistics] Devices on a LAN exchange Multiple MAC Registration Protocol Data Units (MMRPDU) to maintain statuses of devices on an active MMRP port. This tab lets you monitor the MMRP traffic statistics for each port. Information Transmitted MMRP PDU Displays the number of MMRPDUs transmitted in the device. Received MMRP PDU Displays the number of MMRPDUs received in the device. Received bad header PDU Displays the number of MMRPDUs received with a bad header in the device. 224 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > MRP-IEEE > MMRP ] Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted in the device. Transmission failed Displays the number of MMRPDUs not transmitted in the device. Table Port Displays the port number. Transmitted MMRP PDU Displays the number of MMRPDUs transmitted on the port. Received MMRP PDU Displays the number of MMRPDUs received on the port. Received bad header PDU Displays the number of MMRPDUs with a bad header that were received on the port. Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the port. Transmission failed Displays the number of MMRPDUs not transmitted on the port. Last received MAC address Displays the last MAC address from which the port received MMRPPDUs. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the port statistics counters and the values in the Last received MAC address column. RM GUI RSP Release 8.1 12/2019 225 Switching [ Switching > MRP-IEEE > MVRP ] 5.5.3 MRP-IEEE Multiple VLAN Registration Protocol [ Switching > MRP-IEEE > MVRP ] The Multiple VLAN Registration Protocol (MVRP) provides a mechanism that lets you distribute VLAN information and configure VLANs dynamically. For example, when you configure a VLAN on an active MVRP port, the device distributes the VLAN information to other MVRP enabled devices. Using the information received, an MVRP enabled device dynamically creates the VLAN trunks on other MVRP enabled devices as needed. The dialog contains the following tabs: [Configuration] [Statistics] [Configuration] In this tab, you select active MVRP port participants and set the device to transmit periodic events. A periodic state machine exists for each port and transmits periodic events regularly to the applicant state machines associated with active ports. Periodic events contain information indicating the status of the VLANs associated with the active port. Using the periodic events, MVRP enabled switches dynamically maintain the VLANs. Operation Operation Enables/disables the global Applicant Administrative Control which specifies whether the Applicant state machine participates in MMRP message exchanges. Possible values: On Normal Participant. The Applicant state machine participates in MMRP message exchanges. Off (default setting) Non-Participant. The Applicant state machine ignores MMRP messages. Configuration Periodic state machine Enables/disables the periodic state machine in the device. 226 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > MRP-IEEE > MVRP ] Possible values: On The periodic state machine is enabled. With MVRP Operation enabled globally, the device transmits MVRP periodic events in 1 second intervals, on MVRP participating ports. Off (default setting) The periodic state machine is disabled. Disables the periodic state machine in the device. Table Port Displays the port number. Active Activates/deactivates the port MVRP participation. Possible values: marked (default setting) With MVRP enabled globally and on this port, the device distributes VLAN membership information to MVRP-aware devices connected to this port. unmarked Disables the port MVRP participation. Restricted VLAN registration Activates/deactivates the Restricted VLAN registration function on this port. Possible values: marked If enabled and a static VLAN registration entry exists, then the device lets you create a dynamic VLAN for this entry. unmarked (default setting) Disables the Restricted VLAN registration function on this port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 227 Switching [ Switching > MRP-IEEE > MVRP ] [Statistics] Devices on a LAN exchange Multiple VLAN Registration Protocol Data Units (MVRPDU) to maintain statuses of VLANs on active ports. This tab lets you monitor the MVRP traffic. Information Transmitted MVRP PDU Displays the number of MVRPDUs transmitted in the device. Received MVRP PDU Displays the number of MVRPDUs received in the device. Received bad header PDU Displays the number of MVRPDUs received with a bad header in the device. Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked. Transmission failed Displays the number of failures while adding a message into the MVRP queue. Message queue failures Displays the number of MVRPDUs that the device blocked. Table Port Displays the port number. Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the port. Received MVRP PDU Displays the number of MVRPDUs received on the port. Received bad header PDU Displays the number of MVRPDUs with a bad header that the device received on the port. Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked on the port. 228 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > GARP ] Transmission failed Displays the number of MVRPDUs that the device blocked on the port. Registrations failed Displays the number of failed registration attempts on the port. Last received MAC address Displays the last MAC address from which the port received MMRPDUs. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the port statistics counters and the values in the Last received MAC address column. 5.6 GARP [ Switching > GARP ] The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic framework so switches can register and deregister attribute values, such as VLAN identifiers and multicast group membership. When an attribute for a participant is registered or deregistered according to GARP, the participant is modified according to specific rules. The participants are a set of reachable end stations and network devices. The defined set of participants at any given time, along with their attributes, is the reachability tree for the subset of the network topology. The device forwards the data frames only to the registered end stations. The station registration helps prevent attempts to send data to the end stations that are unreachable. Note: Before you enable the GMRP function, verify that the MMRP function is disabled. The menu contains the following dialogs: GMRP GVRP RM GUI RSP Release 8.1 12/2019 229 Switching [ Switching > GARP > GMRP ] 5.6.1 GMRP [ Switching > GARP > GMRP ] The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol (GARP) that provides a mechanism allowing network devices and end stations to dynamically register group membership. The devices register group membership information with the devices attached to the same LAN segment. GARP also lets the devices distribute the information across the network devices that support extended filtering services. GMRP and GARP are industry-standard protocols defined by the IEEE 802.1P. Operation Operation Enables/disables the global GMRP function in the device. The device participates in GMRP message exchanges. Possible values: On GMRP is enabled. Off (default setting) The device ignores GMRP messages. Multicasts Unknown multicasts Enables/disables the unknown multicast data to be either flooded or discarded. Possible values: discard The device discards unknown multicast data. flood (default setting) The device forwards unknown multicast data to every port. Table Port Displays the port number. GMRP active Activates/deactivates the port GMRP participation. The prerequisite is that the GMRP function is globally enabled. 230 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > GARP > GMRP ] Possible values: marked (default setting) The port GMRP participation is active. unmarked The port GMRP participation is inactive. Service requirement Specifies the ports on which multicast forwarding applies. Possible values: Forward all unregistered groups (default setting) The device forwards data destined to GMRP-registered multicast MAC addresses on the VLAN. The device forwards data to the unregistered groups. Forward all groups The device forwards data destined to every group, registered or unregistered. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 231 Switching [ Switching > GARP > GVRP ] 5.6.2 GVRP [ Switching > GARP > GVRP ] The GARP VLAN Registration Protocol (GVRP) or Generic VLAN Registration Protocol is a protocol that facilitates control of Virtual Local Area Networks (VLANs) within a larger network. GVRP is a Layer 2 network protocol, used to automatically configure devices in a VLAN network. GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning, and creating dynamic VLAN on 802.1Q trunk ports. With GVRP, the device exchanges VLAN configuration information with other GVRP devices. Thus, the device reduces the unnecessary broadcast and unknown unicast traffic. Exchanging VLAN configuration information also lets you dynamically create and manage VLANs connected through the 802.1Q trunk ports. Operation Operation Enables/disables the GVRP function globally in the device. The device participates in GVRP message exchanges. If the function is disabled, then the device ignores GVRP messages. Possible values: On The GVRP function is enabled. Off (default setting) The GVRP function is disabled. Table Port Displays the port number. GVRP active Activates/deactivates the port GVRP participation. The prerequisite is that the GVRP function is globally enabled. Possible values: marked (default setting) The port GVRP participation is active. unmarked The port GVRP participation is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 232 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority ] 5.7 QoS/Priority [ Switching > QoS/Priority ] Communication networks transmit a number of applications at the same time that have different requirements as regards availability, bandwidth and latency periods. QoS (Quality of Service) is a procedure defined in IEEE 802.1D. It is used to distribute resources in the network. You therefore have the possibility of providing minimum bandwidth for necessary applications. The prerequisite is that the end devices and the devices in the network support prioritized data transmission. Data packets with high priority are given preference when transmitted by devices in the network. You transfer data packets with lower priority when there are no data packets with a higher priority to be transmitted. The device provides the following setting options: You specify how the device evaluates QoS/prioritization information for inbound data packets. For outbound packets, you specify which QoS/prioritization information the device writes in the data packet (for example priority for management packets, port priority). Note: If you use the functions in this menu, then disable the flow control. The flow control is inactive if in the Switching > Global dialog, Configuration frame the Flow control checkbox is unmarked. The menu contains the following dialogs: QoS/Priority Global QoS/Priority Port Configuration 802.1D/p Mapping IP DSCP Mapping Queue Management DiffServ RM GUI RSP Release 8.1 12/2019 233 Switching [ Switching > QoS/Priority > Global ] 5.7.1 QoS/Priority Global [ Switching > QoS/Priority > Global ] The device lets you maintain access to the device management, even in situations with heavy utilization. In this dialog you specify the required QoS/priority settings. Configuration VLAN priority for management packets Specifies the VLAN priority for sending management data packets. Depending on the VLAN priority, the device assigns the data packet to a specific traffic class and thus to a specific priority queue of the port. Possible values: 0..7 (default setting: 0) In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN priority. IP DSCP value for management packets Specifies the IP DSCP value for sending management data packets. Depending on the IP DSCP value, the device assigns the data packet to a specific traffic class and thus to a specific priority queue of the port. Possible values: 0 (be/cs0)..63 (default setting: 0 (be/cs0)) Some values in the list also have a DSCP keyword, for example 0 (be/cs0), 10 (af11) and 46 (ef). These values are compatible with the IP precedence model. In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP DSCP value. Queues per port Displays the number of priority queues per port. The device has 8 priority queues per port. You assign every priority queue to a specific traffic class (traffic class according to IEEE 802.1D). Buttons You find the description of the standard buttons in section “Buttons” on page 15. 234 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > Port Configuration ] 5.7.2 QoS/Priority Port Configuration [ Switching > QoS/Priority > Port Configuration ] In this dialog, you specify for every port how the device processes received data packets based on their QoS/priority information. Table Port Displays the port number. Port priority Specifies what VLAN priority information the device writes into a data packet if the data packet contains no priority information. After this, the device transmits the data packet depending on the value specified in the Trust mode column. Possible values: 0..7 (default setting: 0) Trust mode Specifies how the device handles a received data packet if the data packet contains QoS/priority information. Possible values: untrusted The device transmits the data packet according to the priority specified in the Port priority column. The device ignores the priority information contained in the data packet. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN priority. trustDot1p (default setting) The device transmits the data packet according to the priority information in the VLAN tag. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN priority. trustIpDscp – If the data packet is an IP packet, then: The device transmits the data packet according to the IP DSCP value contained in the data packet. In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP DSCP value. – If the data packet is not an IP packet, then: The device transmits the data packet according to the priority specified in the Port priority column. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN priority. Untrusted traffic class Displays the traffic class assigned to the VLAN priority information specified in the Port priority column. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN priority. RM GUI RSP Release 8.1 12/2019 235 Switching [ Switching > QoS/Priority > Port Configuration ] Possible values: 0..7 Buttons You find the description of the standard buttons in section “Buttons” on page 15. 236 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > 802.1D/p Mapping ] 5.7.3 802.1D/p Mapping [ Switching > QoS/Priority > 802.1D/p Mapping ] The device transmits data packets with a VLAN tag according to the contained QoS/priority information with a higher or lower priority. In this dialog, you assign a traffic class to every VLAN priority. You assign the traffic classes to the priority queues of the ports. Table VLAN priority Displays the VLAN priority. Traffic class Specifies the traffic class assigned to the VLAN priority. Possible values: 0..7 0 assigned to the priority queue with the lowest priority. 7 assigned to the priority queue with the highest priority. Note: Among other things redundancy mechanisms use the highest traffic class. Therefore, select another traffic class for application data. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Default assignment of the VLAN priority to traffic classes RM GUI RSP VLAN Priority Traffic class Content description according to IEEE 802.1D 0 2 1 0 2 1 3 3 4 4 Best Effort Normal data without prioritizing Background Non-time-sensitive data and background services Standard Normal data Excellent Effort Crucial data Controlled Load Time-sensitive data with a high priority Release 8.1 12/2019 237 Switching [ Switching > QoS/Priority > 802.1D/p Mapping ] 238 VLAN Priority Traffic class Content description according to IEEE 802.1D 5 5 6 6 7 7 Video Video transmission with delays and jitter < 100 ms Voice Voice transmission with delays and jitter < 10 ms Network Control Data for network management and redundancy mechanisms RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > IP DSCP Mapping ] 5.7.4 IP DSCP Mapping [ Switching > QoS/Priority > IP DSCP Mapping ] The device transmits IP data packets according to the DSCP value contained in the data packet with a higher or lower priority. In this dialog, you assign a traffic class to every DSCP value. You assign the traffic classes to the priority queues of the ports. Table DSCP value Displays the DSCP value. Traffic class Specifies the traffic class which is assigned to the DSCP value. Possible values: 0..7 0 assigned to the priority queue with the lowest priority. 7 assigned to the priority queue with the highest priority. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Default assignment of the DSCP values to traffic classes RM GUI RSP DSCP Value DSCP Name Traffic class 0 1-7 8 9,11,13,15 10,12,14 16 17,19,21,23 18,20,22 24 25,27,29,31 26,28,30 32 33,35,37,39 34,36,38 Best Effort /CS0 2 2 0 0 0 1 1 1 3 3 3 4 4 4 Release 8.1 12/2019 CS1 AF11,AF12,AF13 CS2 AF21,AF22,AF23 CS3 AF31,AF32,AF33 CS4 AF41,AF42,AF43 239 Switching [ Switching > QoS/Priority > IP DSCP Mapping ] 240 DSCP Value DSCP Name Traffic class 40 41,42,43,44,45,47 46 48 49-55 56 57-63 CS5 5 5 5 6 6 7 7 EF CS6 CS7 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > Queue Management ] 5.7.5 Queue Management [ Switching > QoS/Priority > Queue Management ] This dialog lets you enable and disable the Strict priority function for the traffic classes. When you disable the Strict priority function, the device processes the priority queues of the ports with "Weighted Fair Queuing". You also have the option of assigning a minimum bandwidths to every traffic classes which the device uses to process the priority queues with "Weighted Fair Queuing" Table Traffic class Displays the traffic class. Strict priority Activates/deactivates the processing of the port priority queue with Strict priority for this traffic class. Possible values: marked (default setting) The processing of the port priority queue with Strict priority is active. – The port forwards only data packets that are in the priority queue with the highest priority. When this priority queue is empty, the port forwards data packets that are in the priority queue with the next lower priority. – The port forwards data packets with a lower traffic class after the priority queues with a higher priority are empty. In unfavorable situations, the port does not send these data packets. – When you select this setting for a traffic class, the device also enables the function for traffic classes with a higher priority. – Use this setting for applications such as VoIP or video that require the least possible delay. unmarked The processing of the port priority queue with Strict priority is inactive. The device uses "Weighted Fair Queuing"/"Weighted Round Robin" (WRR) to process the port priority queue. – The device assigns a minimum bandwidth to each traffic class. – Even under a high network load the port transmits data packets with a low traffic class. – When you select this setting for a traffic class, the device also disables the function for traffic classes with a lower priority. Min. bandwidth [%] Specifies the minimum bandwidth for this traffic class when the device is processing the priority queues of the ports with "Weighted Fair Queuing". Possible values: 0..100 (default setting: 0 = the device does not reserve any bandwidth for this traffic class) The value specified in percent refers to the available bandwidth on the port. When you disable the Strict priority function for every traffic class, the maximum bandwidth is available on the port for the "Weighted Fair Queuing". The maximum total of the assigned bandwidths is 100 %. RM GUI RSP Release 8.1 12/2019 241 Switching [ Switching > QoS/Priority > DiffServ ] Max. bandwidth [%] Specifies the shaping rate at which a Traffic Class transmits packets (Queue Shaping). Possible values: 0 (default setting) The device does not reserve any bandwidth for this traffic class. 1..100 The device reserves the specified bandwidth for this traffic class. The specified value in percent refers to the maximum available bandwidth on this port. For example, using queue shaping lets you limit the rate of a strict-high priority queue. Limiting a strict-high priority queue lets the device also process low-priority queues. To use queue shaping, you set the maximum bandwidth for a particular queue. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.7.6 DiffServ [ Switching > QoS/Priority > DiffServ ] Differentiated Services (DiffServ) filter data packets in order to prioritize or limit the data stream. • In a class, you specify the filter criteria. • In a policy, you link the class with actions. The device applies the actions of the policy to those data packets that meet the filter criteria of the assigned class. To configure DiffServ, perform the following steps: Create a class with the filter criteria. Create a policy. Assign a class with the filter criteria to the policy. Specify the actions of the policy. Assign the policy to a port. Activate the DiffServ function. The device lets you use the following per class and per instance configurations: 13 rules per class 28 instances per policy 3 attributes per instance The menu contains the following dialogs: DiffServ Overview DiffServ Global DiffServ Class DiffServ Policy DiffServ Assignment 242 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Overview ] 5.7.6.1 DiffServ Overview [ Switching > QoS/Priority > DiffServ > Overview ] This dialog displays the configured DiffServ settings. Port Port Simplifies the table and displays the entries relating to a specific port. Displaying the table in this fashion makes it easier for you to sort the table as you desire. Possible values: All (default setting) The table displays the entries for every port. <Port number> The table displays the entries that apply to the selected port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 243 Switching [ Switching > QoS/Priority > DiffServ > Global ] 5.7.6.2 DiffServ Global [ Switching > QoS/Priority > DiffServ > Global ] In this dialog, you enable the DiffServ function. Operation Operation Enables/disables the DiffServ function. Possible values: On The DiffServ function is enabled. The device processes traffic according to the DiffServ rules. Off (default setting) The DiffServ function is disabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 244 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Class ] 5.7.6.3 DiffServ Class [ Switching > QoS/Priority > DiffServ > Class ] In this dialog, you specify the data packets to which the device executes the actions specified in the Policy dialog. This assignment is called a class. Only one class can be assigned to a policy. This means each class can contain multiple filter criteria. Table Class name Specifies the name of the DiffServ class. The device lets you change the class name directly in the table. Possible values: Alphanumeric ASCII character string with 1..31 characters Criteria Displays the specified criteria for this rule. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. Create Class name Specifies the name of the DiffServ class. Possible values: Alphanumeric ASCII character string with 1..31 characters Type Specifies the type of Class Rule for matching; this determines the individual match conditions for the present class rule. Depending on which value you select, the following visible parameters change. To match every packet regardless of content, select the value every. RM GUI RSP Release 8.1 12/2019 245 Switching [ Switching > QoS/Priority > DiffServ > Class ] Possible values: cos (default setting) dstip dstl4port dstmac every ipdscp ipprecedence iptos protocol refclass srcip srcl4port srcmac cos2 etype vlanid vlanid2 Type = cos COS Specifies the class of service as the match value for the class. Possible values: 0..7 (default setting: 0) Type = dstip Destination IP address Specifies the destination IP address as the match value for the class. Possible values: Valid IP address Destination IP address mask Specifies the mask for the destination IP address. Possible values: Valid netmask Type = dstl4port Destination port Specifies the destination Layer 4 port as the match value for the class. Possible values: Valid TCP or UDP port number 246 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Class ] Type = dstmac Destination MAC address Specifies the destination MAC address as the match value for the class. Possible values: Valid MAC address Destination MAC address mask Specifies the mask for the destination MAC address. Possible values: Valid netmask Type = ipdscp DSCP Specifies the IP DiffServ Code Point (DSCP) as the match value for the class. Possible values: 0..63 (default setting: 0(be/cs0)) Type = ipprecedence TOS priority Specifies the IP Precedence as the match value for the class. The precedence bits are the highorder 3 bits of the Service Type octet in the IPv4 header. Possible values: 0..7 (default setting: 0) Type = iptos TOS mask Specifies the IP TOS bits and mask as the match value for the class. The TOS bits are the 8 bits of the Service Type octet in the IPv4 header. Possible values: 0x00..0xFF Type = protocol Protocol number Specifies the internet protocol number as the match value for the class. RM GUI RSP Release 8.1 12/2019 247 Switching [ Switching > QoS/Priority > DiffServ > Class ] Possible values: 0..255 Some common values are listed here: – 1 ICMP – 2 IGMP – 4 IPv4 – 6 TCP – 17 UDP – 255 A rule with this value matches every protocol in the list. The IANA defined the “Assigned Internet Protocol Numbers” that you enter here. To find a list of the assigned numbers use the following link: www.iana.org/assignments/protocolnumbers/protocol-numbers.xhtml. Type = refclass Ref class Specifies the parent class as a corresponding reference class. This reference class uses the set of match rules specified in a parent class as the match value. Possible values: <Name of the DiffServ Class> Conditions: If the reference class refers only to the parent class, then the parent class to which the user binds this rule and the reference class produce the same results. Any attempt to delete the parent class while still referenced to by another class fails. If the reference class uses the parent class as the match value, then any subsequent change to the parent class rules changes the reference class rules only. You add subsequent rules to the parent class compatible with the rules existing in the reference class. Type = srcip Source IP address Specifies the source IP address as the match value for the class. Possible values: Valid IP address Source IP address mask Specifies the mask for the source IP address. Possible values: Valid netmask 248 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Class ] Type = srcl4port Source port Specifies the source Layer 4 port as the match value for the class. Possible values: Valid TCP or UDP port number Type = srcmac Source MAC address Specifies the source MAC address as the match value for the class. Possible values: Valid MAC address and mask Source MAC address mask Specifies the mask for the source MAC address. Possible values: Valid netmask Type = cos2 COS 2 Specifies a secondary class of service as the match value for the class. Possible values: 0..7 (default setting: 0) Type = etype Etype Specifies the Ethertype as the match value for the class. Possible values: custom (default setting) You specify the Ethertype in the Etype value field. appletalk arp ibmsna ipv4 ipv6 ipx mplsmcast mplsucast netbios novell RM GUI RSP Release 8.1 12/2019 249 Switching [ Switching > QoS/Priority > DiffServ > Class ] pppoe rarp Etype value Specifies the user-defined Ethertype value. The prerequisite is that in the Etype field you specify the value custom. Possible values: 0x0600..0xFFFF Type = vlanid VLAN ID Specifies the VLAN ID as the match value for the class. Possible values: 1..4042 Type = vlanid2 VLAN2 ID Specifies the secondary VLAN ID as the match value for the class. Possible values: 1..4042 250 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Policy ] 5.7.6.4 DiffServ Policy [ Switching > QoS/Priority > DiffServ > Policy ] In this dialog, you specify which actions the device performs on data packets which fulfill the filter criteria specified in the Class dialog. This assignment is called a policy. Only one policy can be assigned to a port. Each policy can contain multiple actions. Table Policy name Displays the name of the policy. To change the value, click the relevant field. Possible values: Alphanumeric ASCII character string with 1..31 characters Direction Displays that the device applies the policy to received data packets. Class name Displays the name of the class that is assigned to the policy. The filter criteria are specified in the class. Attribute Displays the action that the device performs on the data packets. To change an existing action, select the affected row, click the attribute item. To add additional actions to a policy, click the button and then the Modify button. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. Modify attribute Specifies the action that the device performs on the data packets. RM GUI RSP Release 8.1 12/2019 251 Switching [ Switching > QoS/Priority > DiffServ > Policy ] Create In this dialog you create a new policy or add further actions to an existing policy. Policy name Specifies the name of the policy. To create a new policy, add a new name. To add more actions to an existing policy, select a name in the list. Possible values: Alphanumeric ASCII character string with 1..31 characters Direction Displays that the device applies the policy to received data packets. Class name Assigns the class to the policy. The filter criteria are specified in the class. Type Specifies the policy type. Depending on which value you select, the following visable parameters change. Possible values: markCosVal (default setting) markIpDscpVal markIpPrecedenceVal policeSimple policeTworate assignQueue drop redirect mirror markCosAsSecCos 252 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Policy ] Type = markCosVal Overwrites the priority field in the VLAN tag of the Ethernet packets: • in the VLAN tag, the device overwrites the priority value in the COS parameter. • With QinQ-tagged data packets, the device writes the value to the outer tag (C tag). • With data packets without VLAN tags, the device adds a priority tag. Can be combined with Type = redirect and mirror. COS Specifies the priority value that the device writes to the priority field of the VLAN tag of the Ethernet packets. Possible values: 0..7 Type = markIpDscpVal Overwrites the DS field of the IP packets. The device writes the value specified in the DSCP parameter to the DS field. Subsequent devices in the network to which the device forwards the IP packets, prioritize the IP packets according to this setting. For making the device prioritize the IP packets, also enter the IP packets with Type = assignQueue into the desired queue. Can be combined with Type = assignQueue, redirect and mirror. DSCP Specifies the value that the device writes to the DS field of the IP packets. Possible values: 0..63 Type = markIpPrecedenceVal Overwrites the TOS field of the IP packets. The device writes the value specified in the TOS priority parameter to the TOS field. Can be combined with Type = assignQueue, redirect and mirror. TOS priority Specifies the value that the device writes to the TOS field of the IP packets. Possible values: 0..7 RM GUI RSP Release 8.1 12/2019 253 Switching [ Switching > QoS/Priority > DiffServ > Policy ] Type = policeSimple Limits the classified data stream to the values specified in the Simple C rate and Simple C burst fields: • If the transfer rate and burst size of the data stream are below the specified values, then the device applies the action specified in the Conform action field. • If the transfer rate and burst size of the data stream are above the specified values, then the device applies the action specified in the Non conform action field. Can be combined with Type = assignQueue, redirect and mirror. Simple C rate Specifies the committed rate in kbit/s. Upper limit Possible values: 1..4294967295 Simple C burst Specifies the committed burst size in kBytes. Possible values: 0..128 Conform action,Non conform action In the Conform action field, you specify the action that the device applies to the compliant data stream. Compliant means that the data stream is under the limits specified in the parameters Simple C rate and Simple C burst. In the Non conform action field, you specify the action that the device applies to the non-compliant data stream. Non-compliant means that the data stream is over the limits specified in the parameters Simple C rate and Simple C burst. Possible values: drop Discards the data packets. markDscp Overwrites the DS field of the IP packets. The device writes the value specified in the adjacent field [0..63] to the DS field. markPrec Overwrites the TOS field of the IP packets. The device writes the value specified in the adjacent field [0..7] to the TOS field. send Sends the data packets. markCos Overwrites the priority field in the VLAN tag of the Ethernet packets: – in the VLAN tag, the device overwrites the priority value in the COS parameter. – With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag). – With Ethernet packets without VLAN tags, the device adds a priority tag. 254 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Policy ] markCos2 With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the value specified in the adjacent field [0..7]. markCosAsSecCos Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag). Color conform class Specifies the class of the received data stream that the devices designates as conform (green). Possible values: blind The device operates in the color-blind mode. The devices designates the complete data stream received as conform (green). <Name of the DiffServ Class> The devices designates only this class of the received data stream as conform (green). Those classes are selectable for which in the Switching > QoS/Priority > DiffServ > Class dialog, Criteria column a rule of the type cos, ipdscp, ipprec, cos2 is specified. Verify that the filter criteria of the class selected in the Class name drop-down list above and of the class selected in this drop-down list, is neither identical nor exclude each other. Exclusion criteria are: • The filter criteria have the same rule type, for example cos and cos. Use classes with a different rule type, for example cos and ipdscp. • One of the classes references with the rule type refclass another class that conflicts with the used classes. Type = policeTworate Limits the classified data stream to the values specified in the Two rate C rate, Two rate C burst, Two rate P rate, and Two rate P burst fields. • If the transfer rate and burst size are below Two rate C rate and Two rate C burst, then the device applies the Conform action action to the data stream. • If the transfer rate and burst size are between Two rate C rate and Two rate P rate as well as Two rate C burst and Two rate P burst, then the device applies the Exceed action action to the data stream. • If the transfer rate and burst size are above Two rate P rate and Two rate P burst, then the device applies the Non conform action action to the data stream. Can be combined with Type = assignQueue, redirect and mirror. Two rate C rate Specifies the committed rate in kbit/s. Possible values: 1..4294967295 Two rate C burst Specifies the committed burst size in kBytes. Possible values: 0..128 RM GUI RSP Release 8.1 12/2019 255 Switching [ Switching > QoS/Priority > DiffServ > Policy ] Two rate P rate Specifies the peak rate (max. allowable transfer rate of the data stream) in kbit/s. Possible values: 1..4294967295 Two rate P burst Specifies the peak burst size (max. allowable burst size) in kBytes. Possible values: 1..128 Conform action Conform value Exceed action Exceed value Non conform action Non conform value In the Conform action field, you specify the action that the device applies to the compliant data stream. Compliant means that transfer rate and burst size are below Two rate C rate and Two rate C burst. In the Exceed action field, you specify the action that the device applies to the data stream. The prerequisite is that the transfer rate and burst size are between Two rate C rate and Two rate P rate as well as Two rate C burst and Two rate P burst. In the Non conform action field, you specify the action that the device applies to the non-compliant data stream. Non-compliant means that the transfer rate and burst size are above Two rate P rate and Two rate P burst. Possible values: drop Discards the data packets. markDscp Overwrites the DS field of the IP packets. The device writes the value specified in the adjacent field [0..63] to the DS field. markPrec Overwrites the TOS field of the IP packets. The device writes the value specified in the adjacent field [0..7] to the TOS field. send Sends the data packets. markCos Overwrites the priority field in the VLAN tag of the Ethernet packets: – in the VLAN tag, the device overwrites the priority value in the COS parameter. – With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag). – With Ethernet packets without VLAN tags, the device adds a priority tag. 256 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Policy ] markCos2 With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the value specified in the adjacent field [0..7]. markCosAsSecCos Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag). Color conform class Specifies the class of the received data stream that the devices designates as conform (green). Possible values: 0 - blind The device operates in the color blind mode. The devices designates the complete data stream received as conform (green). <Name of the DiffServ Class> The devices designates only this class of the received data stream as conform (green). Those classes are selectable for which in the Switching > QoS/Priority > DiffServ > Class dialog, Criteria column a rule of the type cos, ipdscp, ipprec, cos2 is specified. Verify that the filter criteria of the class selected in the Class name drop-down list above and of the class selected in this drop-down list, is neither identical nor exclude each other. Exclusion criteria are: • The filter criteria have the same rule type, for example cos and cos. Use classes with a different rule type, for example cos and ipdscp. • One of the classes references with the rule type refclass another class that conflicts with the used classes. Type = assignQueue Changes the priority queue into which the device adds the data packets. The device enqueues the data packets into the priority queue with the ID specified in the Queue ID parameter. Can be combined with Type = drop, markCosVal and markCosAsSecCos. Queue ID Specifies the ID of the priority queue into which the device adds the data packets. See the Traffic class field and the Switching > QoS/Priority > 802.1D/p Mapping dialog. Possible values: 0..7 Type = drop Discards the data packets. Can be combined with Type = mirror if mirror is set up first. RM GUI RSP Release 8.1 12/2019 257 Switching [ Switching > QoS/Priority > DiffServ > Policy ] Type = redirect The device forwards the received data stream to the port specified in the Redirection interface field. Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal, policeSimple, policeTworate, assignQueue and markCosAsSecCos. Redirection interface Specifies the destination port. Possible values: <Port number> Number of the destination port. The device forwards the data packets to this port. Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data stream exceeds the bandwidth of the destination port, then the device discards surplus data packets on the destination port. Type = mirror The device copies the received data stream and also transfers it to the port specified in the Mirror interface field. Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal, policeSimple, policeTworate, assignQueue and markCosAsSecCos. Mirror interface Specifies the destination port. Possible values: <Port number> Number of the destination port. The device copies the data packets to this port. Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data stream exceeds the bandwidth of the destination port, then the device discards surplus data packets on the destination port. Type = markCosAsSecCos Overrides the priority field in the outer VLAN tag of the Ethernet packets with the priority value of the inner VLAN tag. Can be combined with Type = assignQueue, redirect and mirror. 258 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > QoS/Priority > DiffServ > Assignment ] 5.7.6.5 DiffServ Assignment [ Switching > QoS/Priority > DiffServ > Assignment ] In this dialog you assign the policy to a port. Table Port Displays the port number. Direction Displays the interface direction to which you assigned the policy. Policy name Displays the name of the policy assigned to the interface. Status Displays the port status. Active Activates/deactivates the DiffServ parameters associated with this row. Possible values: marked The device forwards traffic according to the specified DiffServ settings. unmarked The device forwards traffic without regarding the specified DiffServ settings. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. Create Port Specifies the port to which the table entry relates. RM GUI RSP Release 8.1 12/2019 259 Switching [ Switching > VLAN ] Possible values: Available ports Direction Specifies the direction in which the device applies the policy. Possible values: In (default setting) Out Policy Specifies the policy assigned to the port. Possible values: Available policies 5.8 VLAN [ Switching > VLAN ] With VLAN (Virtual Local Area Network) you distribute the data traffic in the physical network to logical subnetworks. This provides you with the following advantages: High flexibility – With VLAN you distribute the data traffic to logical networks in the existing infrastructure. Without VLAN, it would be necessary to have additional devices and complicated cabling. – With VLAN you specify network segments independently of the location of the individual end devices. Improved throughput – In VLANs data packets can be transferred by priority. When the priority is high, the device transfers the data of a VLAN preferentially, for example for time-sensitive applications such as VoIP phone calls. – When the data packets and Broadcasts are distributed in small network segments instead of in the entire network, the network load is considerably reduced. Increased security The distribution of the data traffic among individual logical networks makes unwanted accessing more difficult and strengthens the system against attacks such as MAC Flooding or MAC Spoofing. The device supports packet-based “tagged” VLANs according to the IEEE 802.1Q standard. The VLAN tagging in the data packet indicates the VLAN to which the data packet belongs. The device transmits the tagged data packets of a VLAN only on ports that are assigned to the same VLAN. This reduces the network load. The device learns the MAC addresses for every VLAN separately (independent VLAN learning). The device prioritizes the received data stream in the following sequence: Voice VLAN MAC-based VLAN IP subnet-based VLAN 260 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN ] Protocol-based VLAN Port-based VLAN The menu contains the following dialogs: VLAN Global VLAN Configuration VLAN Port VLAN Voice MAC Based VLAN Subnet Based VLAN Protocol Based VLAN RM GUI RSP Release 8.1 12/2019 261 Switching [ Switching > VLAN > Global ] 5.8.1 VLAN Global [ Switching > VLAN > Global ] This dialog lets you view general VLAN parameters for the device. Configuration Max. VLAN ID Highest ID assignable to a VLAN. See the Switching > VLAN > Configuration dialog. VLANs (max.) Displays the maximum number of VLANs possible. See the Switching > VLAN > Configuration dialog. VLANs Number of VLANs currently configured in the device. See the Switching > VLAN > Configuration dialog. The VLAN ID 1 is constantly present in the device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Clear... Resets the VLAN settings of the device to the default setting. Note that you lose your connection to the device if you have changed the VLAN ID for the device management in the Basic Settings > Network dialog. 262 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Configuration ] 5.8.2 VLAN Configuration [ Switching > VLAN > Configuration ] In this dialog, you manage the VLANs. To set up a VLAN, create a further row in the table. There you specify for each port if it transmits data packets of the respective VLAN and if the data packets contain a VLAN tag. You distinguish between the following VLANs: The user sets up static VLANs. The device sets up dynamic VLANs automatically and removes them if the prerequisites cease to apply. For the following functions the device creates dynamic VLANs: – MRP: If you assign to the ring ports a non-existing VLAN, then the device creates this VLAN. – MVRP: The device creates a VLAN based on the messages of neighboring devices. – Routing: The device creates a VLAN for every router interface. Note: The settings are effective only if the VLAN Unaware Mode is disabled. See the Switching > Global dialog. Table VLAN ID ID of the VLAN. The device supports up to 256 VLANs simultaneously set up. Possible values: 1..4042 Status Displays how the VLAN is set up. Possible values: other VLAN 1 or VLAN set up using the 802.1X Port Authentication function. See the Network Security > 802.1X Port Authentication dialog. permanent VLAN set up by the user. or VLAN set up using the MRP function. See the Switching > L2-Redundancy > MRP dialog. If you save the changes in the non-volatile memory, then the VLANs with this setting remain set up after a restart. dynamicMvrp VLAN set up using the MVRP function. See the Switching > MRP-IEEE > MVRP dialog. VLANs with this setting are write-protected. The device removes a VLAN from the table as soon as the last port leaves the VLAN. RM GUI RSP Release 8.1 12/2019 263 Switching [ Switching > VLAN > Configuration ] Creation time Displays the time of VLAN creation. The field displays the time stamp for the operating time (system uptime). Name Specifies the name of the VLAN. Possible values: Alphanumeric ASCII character string with 1..32 characters <Port number> Specifies if the respective port transmits data packets of the VLAN and if the data packets contain a VLAN tag. Possible values: - (default setting) The port is not a member of the VLAN and does not transmit data packets of the VLAN. T = Tagged The port is a member of the VLAN and transmits the data packets with a VLAN tag. You use this setting for uplink ports, for example. LT = Tagged Learned The port is a member of the VLAN and transmits the data packets with a VLAN tag. The device created the entry automatically based on the GVRP or MVRP function. F = Forbidden The port is not a member of the VLAN and does not transmit data packets of this VLAN. Additionally, the device helps prevent the port from becoming a VLAN member through the MVRP function. U = Untagged (default setting for VLAN 1) The port is a member of the VLAN and transmits the data packets without a VLAN tag. Use this setting if the connected device does not evaluate any VLAN tags, for example on end ports. LU = Untagged Learned The port is a member of the VLAN and transmits the data packets without a VLAN tag. The device created the entry automatically based on the GVRP or MVRP function. Note: Verify that the port on which the network management station is connected is a member of the VLAN in which the device transmits the management data. In the default setting, the device transmits the management data on VLAN 1. Otherwise, the connection to the device terminates when you transfer the changes to the device. The access to the device management is possible only using the Command Line Interface through the serial interface. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the VLAN ID field, you specify the ID of the VLAN. 264 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Port ] 5.8.3 VLAN Port [ Switching > VLAN > Port ] In this dialog you specify how the device handles received data packets that have no VLAN tag, or whose VLAN tag differs from the VLAN ID of the port. This dialog lets you assign a VLAN to the ports and thus specify the port VLAN ID. Additionally, you also specify for each port how the device transmits data packets if the VLAN Unaware mode is disabled and one of the following situations occurs: The port receives data packets without a VLAN tagging. The port receives data packets with VLAN priority information (VLAN ID 0, priority tagged). The VLAN tagging of the data packet differs from the VLAN ID of the port. Note: The settings are effective only if the VLAN Unaware Mode is disabled. See the Switching > Global dialog. Table Port Displays the port number. Port-VLAN ID Specifies the ID of the VLAN which the devices assigns to data packets without a VLAN tag. The prerequisite is that you specify in the Acceptable packet types column the value admitAll. Possible values: ID of a VLAN you set up (default setting: 1) If you use the MRP function and you did not assign a VLAN to the ring ports, then you specify the value 1 here for the ring ports. Otherwise, the device assigns the value to the ring ports automatically. Acceptable packet types Specifies whether the port transmits or discards received data packets without a VLAN tag. Possible values: admitAll (default setting) The port accepts data packets both with and without a VLAN tag. admitOnlyVlanTagged The port accepts only data packets tagged with a VLAN ID ≥ 1. Ingress filtering Activates/deactivates the ingress filtering. RM GUI RSP Release 8.1 12/2019 265 Switching [ Switching > VLAN > Port ] Possible values: marked The ingress filtering is active. The device compares the VLAN ID in the data packet with the VLANs of which the device is a member. See the Switching > VLAN > Configuration dialog. If the VLAN ID in the data packet matches one of these VLANs, then the port transmits the data packet. Otherwise, the device discards the data packet. unmarked (default setting) The ingress filtering is inactive. The device transmits received data packets without comparing the VLAN ID. Thus the port also transmits data packets with a VLAN ID of which the port is not a member. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 266 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Voice ] 5.8.4 VLAN Voice [ Switching > VLAN > Voice ] Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority. A primary benefit of Voice VLAN is safeguarding the quality of voice traffic when data traffic on the port is high. The device detects VoIP phones using the Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED). The device then adds the appropriate port to the member set of the configured Voice VLAN. The member set is either tagged or untagged. Tagging depends on the Voice VLAN interface mode (VLAN ID, Dot1p, None, Untagged). Another benefit of the Voice VLAN feature is that the VoIP phone obtains VLAN ID or priority information via LLDP-MED from the device. As a result, the VoIP phone sends voice data tagged as priority, or untagged. This depends on the configured Voice VLAN Interface mode. You activate Voice VLAN on the port which is connecting to the VoIP phone. Operation Operation Enables/disables the VLAN Voice function of the device globally. Possible values: On Off (default setting) Table Port Displays the port number. Voice VLAN mode Specifies whether the port transmits or discards received data packets without a voice VLAN tagging or with voice VLAN priority information. Possible values: disabled (default setting) Deactivates the VLAN Voice function for this table entry. none Lets the IP telephone use its own configuration for sending untagged voice traffic. vlan/dot1p-priority The port filters data packets of the voice VLAN using the vlan and dot1p priority tags. untagged The port filters data packets without a voice VLAN tag. RM GUI RSP Release 8.1 12/2019 267 Switching [ Switching > VLAN > Voice ] vlan The port filters data packets of the voice VLAN using the vlan tag. dot1p-priority The port filters data packets of the voice VLAN using the dot1p priority tags. If you select this value, then additionally specify a proper value in the Priority column. Data priority mode Specifies the trust mode for the data traffic on the particular port. The device uses this mode for data traffic on the voice VLAN, when it detects a VoIP telephone and a PC and when these devices use the same cable for transmitting and receiving data. Possible values: trust (default setting) If voice traffic is present on the interface, then the data traffic uses the normal priority with this setting. untrust If voice traffic is present and the Voice VLAN mode is set to dot1p-priority, then the data has the priority 0. If the interface only transmits data, then the data has the normal priority. Status Displays the status of the Voice VLAN on the port. Possible values: marked The Voice VLAN is enabled. unmarked The Voice VLAN is disabled. VLAN ID Specifies the ID of the VLAN to which the table entry applies. To forward traffic to this VLAN ID using this filter, select in the Voice VLAN mode column the value vlan. Possible values: 0..4042 Priority Specifies the Voice VLAN Priority of the port. The prerequisite is that you specify in the Voice VLAN mode column the value dot1p-priority. Possible values: 0..7 none Deactivates the Voice VLAN Priority of the port. Bypass authentication Activates the Voice VLAN Authentication mode. 268 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Voice ] If you deactivate the function and set the value in the Voice VLAN mode column to dot1p-priority, then voice devices require an authentication. Possible values: marked (default setting) If you activated the function in the Dialog Network Security > 802.1X Port Authentication > Global dialog, then set the Port control parameter for this port to the multiClient value before activating this function. The parameter Port control you find in the Network Security > 802.1X Port Authentication > Global dialog. unmarked Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 269 Switching [ Switching > VLAN > MAC Based VLAN ] 5.8.5 MAC Based VLAN [ Switching > VLAN > MAC Based VLAN ] In a MAC-based VLAN, the device forwards traffic based on the source MAC address associated with a VLAN. User-defined filters determine whether a packet belongs to a particular VLAN. MAC-based VLANs specify the filtering criteria only for untagged or priority-tagged packets. Assign a port to a MAC-based VLAN for a specific source MAC address. The device then forwards untagged packets received with the configured MAC address to the MAC-based VLAN ID. Other untagged packets are subject to normal VLAN classification rules. Table MAC address Displays the MAC address to which the table entry relates. The device supports up to 256 simultaneous MAC-based VLAN assignments. Possible values: Valid MAC address VLAN ID Displays the ID of the VLAN to which the table entry applies. Possible values: 1..4042 (set up VLAN IDs) Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the MAC address field, you specify the MAC address. In the VLAN ID field, you specify the ID of the VLAN. 270 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Subnet Based VLAN ] 5.8.6 Subnet Based VLAN [ Switching > VLAN > Subnet Based VLAN ] In IP subnet-based VLANs, the device forwards traffic based on the source IP address and subnet mask associated with the VLAN. User-defined filters determine whether a packet belongs to a particular VLAN. IP subnet-based VLANs specify the filtering criteria only for untagged packets or priority tagged packets. Assign a port to an IP subnet-based VLAN for a specific source address. The device then forwards untagged packets received with the configured address to the IP subnet-based VLAN ID. To configure an IP subnet based VLAN, specify an IP address, a subnet mask, and the corresponding VLAN identifier. When multiple entries apply, the device uses the entry with the longest prefix first. Table IP address Displays the IP address to which you assign the subnetwork based VLAN. The device supports up to 128 VLANs set up simultaneously to subnetwork based VLANs. Possible values: Valid IP address Netmask Displays the netmask to which you assign the subnetwork based VLAN. Possible values: Valid IP netmask VLAN ID Displays the VLAN ID. Possible values: 1..4042 RM GUI RSP Release 8.1 12/2019 271 Switching [ Switching > VLAN > Subnet Based VLAN ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the IP address field, you specify the IP address. In the Netmask field, you specify the netmask. In the VLAN ID field, you specify the ID of the VLAN. 272 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > VLAN > Protocol Based VLAN ] 5.8.7 Protocol Based VLAN [ Switching > VLAN > Protocol Based VLAN ] In a protocol-based VLAN, specified ports bridge traffic based on the L3 protocol (EtherType) associated with the VLAN. User-defined packet filters determine whether a packet belongs to a particular VLAN. Protocol-based VLANs specify the filtering criteria only for untagged packets. Assign a port to a protocol-based VLAN for a specific protocol. The device then forwards untagged packets received with the configured protocol to the protocol-based VLAN ID. The device assigns other untagged packets with the port VLAN ID. Table Group ID Displays the group identifier of the protocol-based VLAN entry. The device supports up to 128 protocol-based VLAN associations simultaneously. Possible values: 1..128 Name Specifies the group name of the protocol-based VLAN entry. Possible values: Alphanumeric ASCII character string with 1..16 characters VLAN ID Specifies the ID of the VLAN. Possible values: 1..4042 Port Specifies the ports that are assigned to the group. Possible values: <Port number> Select the ports in the drop-down list. Ethertype Specifies the Ethertype value assigned to the VLAN. The Ethertype is a two-octet field in an Ethernet packet to indicate which protocol the payload contains. RM GUI RSP Release 8.1 12/2019 273 Switching [ Switching > L2-Redundancy ] Possible values: 0x0600..0xFFFF Ethertype as a hexadecimal number sequence When you enter a decimal value, the device converts the value into a hexadecimal number sequence when you click the Add button. ip Ethertype keyword for IPv4 (equivalent to 0x0800) arp Ethertype keyword for ARP (equivalent to 0x0806) ipx Ethertype keyword for IPX (equivalent to 0x8137) Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.9 L2-Redundancy [ Switching > L2-Redundancy ] The menu contains the following dialogs: MRP HIPER Ring DLR (depends on hardware) PRP (depends on hardware) HSR (depends on hardware) Spanning Tree Link Aggregation Link Backup FuseNet 274 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > MRP ] 5.9.1 MRP [ Switching > L2-Redundancy > MRP ] The Media Redundancy Protocol (MRP) is a protocol that lets you set up high-availability, ringshaped network structures. An MRP ring with Hirschmann devices is made up of up to 100 devices that support the MRP protocol according to IEC 62439. If a section fails, then the ring structure of an MRP ring changes back into a line structure. The maximum recovery time can be configured. The Ring Manager function of the device closes the ends of a backbone in a line structure to a redundant ring. Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning Tree protocol for the ports connected to the MRP ring. See the Switching > L2-Redundancy > Spanning Tree > Port dialog. When you work with oversized Ethernet packets (the value in the MTU column for the port is > 1518, see the Basic Settings > Port dialog), the switching time of the MRP ring reconfiguration depends on the following parameters: Bandwidth of the ring line Size of the Ethernet packets Number of devices in the ring Set the recovery time sufficiently large to help avoid delays in the MRP packages due to latencies in the devices. You can find the formula for calculating the switching time in IEC 62439-2, section 9.5. Operation Operation Enables/disables the MRP function. After you configured the parameters for the MRP ring, enable the function here. Possible values: On The MRP function is enabled. After you configured the devices in the MRP ring, the redundancy is active. Off (default setting) The MRP function is disabled. Ring port 1/Ring port 2 Port Specifies the number of the port that is operating as a ring port. RM GUI RSP Release 8.1 12/2019 275 Switching [ Switching > L2-Redundancy > MRP ] Possible values: <Port number> Number of the ring port Note: If the device uses the software supporting Fast MRP, then you cannot select a Link Aggregation port as a ring port. Operation Displays the operating status of the ring port. Possible values: forwarding The port is enabled, connection exists. blocked The port is blocked, connection exists. disabled The port is disabled. not-connected No connection exists. Fixed backup Activates/deactivates the backup port function for the Ring port 2. Note: The switch over to the primary port can exceed the maximum ring recovery time. Possible values: marked The Ring port 2 backup function is active. When the ring is closed, the ring manager reverts back to the primary ring port. unmarked (default setting) The Ring port 2 backup function is inactive. When the ring is closed, the ring manager continues to send data on the secondary ring port. Configuration Ring manager Enables/disables the Ring manager function. If there is one device at each end of the line, then you activate this function. Possible values: On The Ring manager function is enabled. The device operates as a ring manager. Off (default setting) The Ring manager function is disabled. The device operates as a ring client. 276 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > MRP ] Advanced mode Activates/deactivates the advanced mode for fast recovery times. Possible values: marked (default setting) Advanced mode active. MRP-capable Hirschmann devices support this mode. unmarked Advanced mode inactive. Select this setting if another device in the ring does not support this mode. Ring recovery Specifies the maximum recovery time in milliseconds for reconfiguration of the ring. This setting is effective if the device operates as a ring manager. Possible values: 500ms 200ms (default setting) 30ms (depends on hardware) 10ms (depends on hardware) Shorter switching times make greater demands on the response time of every individual device in the ring. Use values lower than 500ms if the other devices in the ring also support this shorter recovery time. Note: The switching times 30ms and 10ms are available for devices with an FPGA (hardware for extended functions). The product code indicates whether your device supports Fast MRP. In order to use the functions, load the device software supporting Fast MRP. Set the switching time to 10ms only if you use up to 20 devices in the ring that support this switching time. If you use more than 20 of these devices, then set the switching time to at least 30ms. When you are working with oversized Ethernet packets, the number of devices in the ring is limited. Note that the switching time depends on several parameters. See the description above. VLAN ID Specifies the ID of the VLAN which you assign to the ring ports. Possible values: 0 (default setting) No VLAN assigned. Assign in the Switching > VLAN > Configuration dialog to the ring ports for VLAN 1 the value U. 1..4042 VLAN assigned. If you assign to the ring ports a non-existing VLAN, then the device creates this VLAN. In the Switching > VLAN > Configuration dialog, the device creates an entry in the table for the VLAN and assigns the value T to the ring ports. RM GUI RSP Release 8.1 12/2019 277 Switching [ Switching > L2-Redundancy > MRP ] Information Information Displays messages for the redundancy configuration and the possible causes of errors. When the device operates as a ring client or a ring manager, the following messages are possible: Redundancy available The redundancy is set up. When a component of the ring is down, the redundant line takes over its function. Configuration error: Error on ringport link. Error in the cabling of the ring ports. When the device operates as a ring manager, the following messages are possible: Configuration error: Packets from another ring manager received. Another device exists in the ring that operates as the ring manager. Enable the Ring manager function only on one device in the ring. Configuration error: Ring link is connected to wrong port. A line in the ring is connected with a different port instead of with a ring port. The device only receives test data packets on 1 ring port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Delete ring configuration Disables the redundancy function and resets the settings in the dialog to the default setting. 278 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > HIPER Ring ] 5.9.2 HIPER Ring [ Switching > L2-Redundancy > HIPER Ring ] The concept of HIPER ring redundancy enables the construction of high-availability, ring-shaped networks. This device provides a HIPER ring client. This function lets you extend an existing HIPER ring or to replace a device already participating as a client in a HIPER ring. A HIPER ring contains a Ring Manager (RM) which controls the ring. The RM sends watchdog packets into the ring on both the primary and secondary ports. When the RM receives the watchdog packets on both ports, the primary port remains in the forwarding state and the secondary port remains in the discarding state. The device operates only in the ring client mode. This means that the device is able to recognize and forward the watchdog packets on the ring ports and can also forward the change in link status to the RM for example, LinkDown and LinkUp packets. The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, the device only supports HIPER ring in VLAN 1. Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning Tree protocol for the ports connected to the HIPER ring. See the Switching > L2-Redundancy > Spanning Tree > Port dialog. Note: Configure the devices of the HIPER ring individually. Before you connect the redundant link, complete the configuration of every device of the HIPER ring. You thus help avoid loops during the configuration phase. Operation Operation Enables/disables the HIPER Ring client. Possible values: On The HIPER Ring client is enabled. Off (default setting) The HIPER Ring client is disabled. Ring port 1/Ring port 2 Port Specifies the port number of the primary/secondary ring port. Possible values: - (default setting) No primary/secondary ring port selected. <Port number> Number of the ring port RM GUI RSP Release 8.1 12/2019 279 Switching [ Switching > L2-Redundancy > DLR ] State Displays the state of the primary/secondary ring port. Possible values: not-available The HIPER Ring client is disabled. or No primary or secondary ring port selected. active The ring port is enabled and logically up. inactive The ring port is logically down. As soon as the link goes down on a ring port, the device sends a LinkDown packet to the Ring Manager on the other ring port. Information Mode Displays that the device is able to operate in the ring client mode. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.9.3 DLR (depends on hardware) [ Switching > L2-Redundancy > DLR ] The Device Level Ring (DLR) protocol provides high network availability in a ring topology. The primarily intent for the DLR protocol is implementation in EtherNet/IP end-devices that have 2 Ethernet ports and embedded Layer 2 switch technology. The DLR protocol provides network fault detection and reconfiguration to support demanding control applications. The DLR network uses a ring supervisor to monitor the network. The ring supervisor controls data on the ring by sending data only on the primary ring port until a break in the ring occurs. When a break in the ring occurs, the ring supervisor unblocks the secondary port allowing the data to reach the ring participants located on the other side of the break. To maintain control of the network, the active ring supervisor sends Beacon packets through both ports. The device lets you specify the interval between consecutive Beacon packets. The Beacon packets help detect breaks in the ring, send Ring State messages to the participants, and also contain the following information: the precedence of the active ring supervisor the MAC address of the active ring supervisor the Beacon timeout the DLR VLAN ID 280 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > DLR ] In the supervisor mode, the device also sends Announce packets, once every second, through the unblocked port only. The Announce packets also contain Ring State messages. In the non-supervisor mode, the device functions as a Beacon-based participant. Upon receiving a Ring Fault State message from the active ring supervisor, the Beacon-based participant flushes its unicast MAC address table, and conducts a Neighbor Check. The Neighbor Check helps isolate a break between adjacent participants. DLR uses a VLAN to distribute information contained in the Beacon Packet, to other ring participants as priority tagged. The default setting for the DLR VLAN ID is 0. VLAN ID is 0 is only set in this dialog. You use VLAN ID 0 in conjunction with the VLAN unaware mode. Verify that the functions which directly affect the DLR function have the following settings: EtherNet/IP Spanning Tree VLAN IGMP Snooping Advanced > Industrial Protocols > EtherNet/IP dialog • Operation = On • Write access = marked Switching > L2-Redundancy > Spanning Tree > Global dialog • Operation = Off Switching > Global dialog • VLAN unaware mode = marked Switching > IGMP Snooping > Global dialog • Operation = On Switching > IGMP Snooping > Configuration dialog, Port tab • Active = marked Switching > IGMP Snooping > Snooping Enhancements dialog • DLR ring ports = SF (Static and Forward all) Switching > IGMP Snooping > Querier dialog • Operation = On Note: DLR is available for devices with an FPGA (hardware for extended functions). The product code indicates whether your device supports DLR. In order to use the functions, load the device software supporting DLR. The menu contains the following dialogs: DLR Configuration (depends on hardware) DLR Statistics (depends on hardware) RM GUI RSP Release 8.1 12/2019 281 Switching [ Switching > L2-Redundancy > DLR > Configuration ] 5.9.3.1 DLR Configuration (depends on hardware) [ Switching > L2-Redundancy > DLR > Configuration ] In this dialog, you specify the role of the device in the ring. When you specify the device as a ring supervisor, the device sends Beacon packets containing its precedence for active ring supervisor candidacy. As active ring supervisor, the device monitors the ring for breaks, and sends configuration information to the ring participants. Operation Operation Enables/disables the DLR function globally. Possible values: On (default setting) The DLR function is enabled. Off The DLR function is disabled. Table Ring index Displays the index number to which the table entry relates. Name Specifies the name of the DLR ring. Possible values: Alphanumeric ASCII character string with 0..255 characters Ring port 1 Specifies the first of 2 ring ports used to connect the device to the DLR ring. Possible values: <Port number> (default setting: 1/1) Select the port from the drop-down list. Ring port 1 status Displays the status of ring port 1. 282 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > DLR > Configuration ] Possible values: disabled The port is disabled. To enable the port, open the Basic Settings > Port dialog, Configuration tab. In the Port on column, mark the appropriate checkbox. blocked The port is the secondary port, sending and receiving only Beacon packets. forwarding The port is the primary port, sending and receiving data, Beacon packets, and Announce packets. notConnected The port is physically unconnected. Ring port 2 Specifies the second of 2 ring ports used to connect the device to the DLR ring. Possible values: <Port number> (default setting: 1/2) Select the port from the drop-down list. Ring port 2 status Displays the status of ring port 2. Possible values: disabled The port is disabled. To enable the port, open the Basic Settings > Port dialog, Configuration tab. In the Port on column, mark the appropriate checkbox. blocked The port is the secondary port, sending and receiving only Beacon packets. forwarding The port is the primary port, sending and receiving data, Beacon packets, and Announce packets. notConnected The port is physically unconnected. Supervisor active Activates/deactivates the supervisor function. Possible values: marked (default setting) The device is configured as a ring supervisor. The device monitors the ring for breaks. If a break in the ring occurs, then the device unblocks and forwards data on the secondary port. unmarked The device is a Beacon-based ring participant. Status Displays the status of the device in the DLR ring. RM GUI RSP Release 8.1 12/2019 283 Switching [ Switching > L2-Redundancy > DLR > Configuration ] Possible values: backup Another device in the same ring is the active supervisor. supervisor This device is the active supervisor. node The device functions as a Beacon-based ring participant. nonDlr The device has detected that the network topology is something other than a ring using the DLR protocol. unsupported The configuration in the row is invalid. Supervisor precedence Specifies the precedence value of the device for the ring supervisor selection. The device sends the value to other ring devices in the Beacon packets. When another ring supervisor is present on the same ring, the device with the higher value is selected active ring supervisor. When both values are the same, the device with the higher MAC address becomes active supervisor. Possible values: 0..255 (default setting: 0) A numerically higher value indicates a higher precedence. Beacon interval [µs] Specifies the interval, in microseconds, at which the supervisor sends Beacon packets. The ring supervisor transmits a Beacon packet through both of its Ethernet ports once per Beacon interval. When the ring is intact, the device receives the Beacon packet on the opposite ports, and leaves the blocked port in the blocking mode. Possible values: 400..100000 (default setting: 400) Lower interval times increase the recovery time. When the ring contains only DLR participants, use the following formula to calculate: Minimum value = 13 * Number of ring participants Beacon timeout [µs] Specifies the amount of time, in microseconds, the device listens for Beacon packets. After the device times out the reception of a Beacon packet, it takes the appropriate action depending on its role as an active supervisor or ring participant. Possible values: 1600..500000 (default setting: 1960) Set this value to at least 4 times the value specified in the Beacon interval [µs] column. When the ring contains only DLR participants, use the following formula to calculate: Maximum value = (Number of ring participants * (1 - 0.1) * 25) + (Number of ring participants * 0.1 * 137) VLAN ID Specifies the VLAN ID used to send the DLR protocol messages to the other devices on the ring. The active supervisor informs the ring participants which VLAN ID to use in the Beacon packets. Create and configure the VLAN in the Switching > VLAN > Configuration dialog. 284 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > DLR > Configuration ] The prerequisite for setting the VLAN ID to 0 is that you activate the VLAN unaware mode. In the Switching > Global dialog, mark the VLAN unaware mode checkbox. Possible values: 0..4042 (default setting: 0) Active Activates/deactivates the DLR configuration. Possible values: marked The DLR configuration is active. unmarked (default setting) The DLR configuration is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Service action Opens the Service action dialog to specify the DLR services that the device uses to help locate and clear detected faults. Possible values: verifyFaultLocation (default setting) The supervisor verifies the fault location by retransmitting the Locate_Fault packet to ring participants. clearRapidFaults Clears the Rapid Fault condition where the ring supervisor detected a cycle of rapid ring faults. restartSignOn Restarts the Sign On process and refreshes the participants list. RM GUI RSP Release 8.1 12/2019 285 Switching [ Switching > L2-Redundancy > DLR > Statistics ] 5.9.3.2 DLR Statistics (depends on hardware) [ Switching > L2-Redundancy > DLR > Statistics ] This dialog displays the status of the ring, the type of topology, number of participants, and other information to help you to analyze the network. This dialog also displays a list of participating ring participants. The active ring supervisor gathers the information contained in the participants list using the Sign_On packet. If the participants list is too large, then the DLR Object returns, Reply Data Too Large (code 0x11). The dialog contains the following tabs: [Status] [Participants] [Status] Table Ring index Displays the index number to which the table entry relates. Capability Displays the capabilities of the device. Possible values: announce The device is an announce-based ring participant. beacon The device is capable of sending Beacon packets. supervisor The device is capable of being a supervisor. gateway The device is capable of being a gateway. flushTable The device is capable of flushing the unicast MAC address table. Status Displays the status of the device in the DLR ring. Possible values: backup Another device in the same ring is the active supervisor. supervisor This device is the active supervisor. node The device functions as a Beacon-based ring participant. 286 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > DLR > Statistics ] nonDlr The device has detected that the network topology is something other than a ring using the DLR protocol. unsupported The row parameters are invalid. Network topology Displays the current network topology mode. Possible values: linear The network is linear. ring The network is a DLR ring. Network status Displays the current network status. Possible values: normal After the device receives Beacon packets on both ports, the supervisor transitions to the NORMAL_STATE, flushes the unicast MAC address table, and reconfigures a port to blocking. The device sends Beacon packets with the Ring State set to RING_NORMAL_STATE. The ring supervisor also sends an Announce packet out of the forwarding port, with the Ring State set to RING_NORMAL_STATE. ringFault The reasons for which the device displays the value are as follows: – Upon boot up, an enabled ring supervisor starts in the FAULT_STATE with both ports forwarding packets. – The device received a Beacon packet from another supervisor with a higher precedence. – Upon receipt of a Beacon packet with the Ring State set to RING_FAULT_STATE. When the device is in the FAULT_STATE, the ring supervisor continues to send Beacon packets, in order to detect ring restoration. loop The device has detected a loop in the network. partial The device detected a partial network fault where the Beacon packets are lost only in 1 direction. If the active ring supervisor detects a partial fault, then it blocks traffic on 1 port and sets a status value in the DLR Object. The condition requires user intervention. rapidFault The device detected a rapid fault, 5 faults in a 30 second period. Rapid faults can lead to an instable network. If the active ring supervisor detects a rapid fault, then it blocks traffic on 1 port and sets a status value in the DLR Object. The condition requires user intervention. To reset the device open the Switching > L2-Redundancy > DLR > Configuration dialog and set the value clearRapidFaults in the Service column. Last status change Displays the time, in seconds, since the network status last changed. Participants Displays the number of devices in the ring protocol participants list. RM GUI RSP Release 8.1 12/2019 287 Switching [ Switching > L2-Redundancy > DLR > Statistics ] Supervisor IP address Displays the IPv4 address assigned to the active supervisor. Supervisor MAC address Displays the MAC address of the active ring supervisor. Supervisor precedence Displays the precedence value of the active ring supervisor. Faults Displays the number of times that the device has detected a ring fault, since starting as either the active or the backup supervisor. Port 1 IP address Displays the IPv4 address assigned to port 1. Port 1 MAC address Displays the MAC address of last active ring participant on port 1. Port 2 IP address Displays the IPv4 address assigned to port 2. Port 2 MAC address Displays the MAC address of last active ring participant on port 2. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Participants] Only the active ring supervisor displays the ring participants. Table Index Displays the index number to which the table entry relates. Address Displays the IP address of the participating ring participant. 288 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > PRP ] MAC address Displays the MAC address of the participating ring participant. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.9.4 PRP (depends on hardware) [ Switching > L2-Redundancy > PRP ] The Parallel Redundancy Protocol (PRP) is defined in the international standard IEC 62439-3. PRP uses 2 independent LANs with any ring, star, bus and mesh topologies, providing a high availability of network connections. To connect the device to the PRP network, use either 100 Mbit/s FDX or 1000 Mbit/s FDX on both of the specially marked ports, Port A and Port B. The maximum allowed size of Ethernet packets on these ports is restricted to 1534 bytes. See the MTU column in the Basic Settings > Port dialog. The main advantage of PRP is that the destination node receives packets from the source as long as 1 LAN is available. The absence of the second LAN due to repairs or maintenance has no impact on the packet transmission. The network device which connects the end devices to the network implements the PRP protocol. The Ethernet switches in both LANs are standard switches that are oblivious to PRP. A Double Attached Node implementing PRP (DANP) is a network device with PRP functionality and has 1 connection into each independent LAN. A Single Attached Node (SAN) is a standard Ethernet device with a single LAN interface directly connected to one of the redundant LANs. For this reason, a SAN is unable to use the redundant LAN. A Redundancy Box (RedBox) is a network device which implements the PRP functionality for standard ethernet devices. A standard ethernet device when connected to a PRP network via a RedBox is a virtual DANP (VDAN). Note: PRP is available for devices with an FPGA (hardware for extended functions). The product code indicates whether your device supports PRP. In order to use the functions, load the device software supporting PRP. Note: If the inter-frame gap is shorter than the latency between the 2 LANs, then a frame-ordering mismatch can occur. Frame-ordering mismatch is a phenomenon of the PRP protocol. The only solution to help avoid a frame-ordering mismatch is to verify that the inter-frame gap is greater than the latency between the LANs. The menu contains the following dialogs: PRP Configuration (depends on hardware) PRP DAN/VDAN Table (depends on hardware) PRP Proxy Node Table (depends on hardware) PRP Statistics (depends on hardware) RM GUI RSP Release 8.1 12/2019 289 Switching [ Switching > L2-Redundancy > PRP > Configuration ] 5.9.4.1 PRP Configuration (depends on hardware) [ Switching > L2-Redundancy > PRP > Configuration ] In this dialog, you enable/disable the PRP function, and configure PRP supervision packet reception and transmission. The MRP and Spanning Tree functions cannot operate on the same ports as the PRP function. Disable the MRP function or choose different ports. Deactivate the Spanning Tree function on the PRP ports. Note: When PRP is active, it uses the interfaces 1/1 and 1/2. As seen in the Switching > VLAN, Switching > Rate Limiter and Switching > Filter for MAC Addresses dialogs, the PRP function replaces the interfaces 1/1 and 1/2 with the interface prp/1. Configure the VLAN membership, the rate limiting, and the MAC filtering for the interface prp/1. Operation Operation Enables/disables the PRP function. Possible values: On The PRP function is enabled globally. When this function is active, the device processes the data stream according to the set up. Off (default setting) The PRP function is disabled globally. To help avoid network loops, disable the PRP function on Port A or Port B before disabling the PRP function globally. Note: When you use SFPs for PRP ports and the device only supports 100 Mbit/s, verify that the SFPs support 100 Mbit/s. Port A / Port B Physical port Displays the number of the physical port which the device uses as the PRP Port A or Port B. Port A admin state Enables/disables the PRP function on the port. Possible values: On (default setting) The PRP function on the port is enabled. Off The PRP function on the port is disabled. 290 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > PRP > Configuration ] Supervision packet receiver Evaluate supervision packets Activates/deactivates the analysis of the supervision packets. Possible values: marked (default setting) The analysis of the supervision packets is activated. The device receives Supervision Packets and analyzes them. unmarked The analysis of the supervision packets is deactivated. The device receives supervision packets without analyzing them. Supervision packet sender Active Enables/disables the transmission of supervision packets. Possible values: On (default setting) The transmission of supervision packets is enabled. The RedBox transmits its own supervision packets. Off The transmission of supervision packets is disabled. Send VDAN packets Activates/deactivates the transmission of VDAN supervision packets. The prerequisite is that you activate the Supervision packet sender first. Possible values: marked (default setting) The transmission of VDAN supervision packets is active. The RedBox transmits both its own supervision packets and the supervision packets for the VDANs listed in the PRP Proxy Node Table. unmarked The transmission of VDAN supervision packets is inactive. Configuration MTU Specifies the maximum allowed size of Ethernet packets on the interface in bytes. RM GUI RSP Release 8.1 12/2019 291 Switching [ Switching > L2-Redundancy > PRP > Configuration ] Possible values: 1518..1530 (default setting: 1518) With the setting 1518, the port transmits the Ethernet packets up to the following size: – 1518 bytes without VLAN tag (1514 bytes + 4 bytes CRC) – 1522 bytes with VLAN tag (1518 bytes + 4 bytes CRC) This setting lets you increase the size of the Ethernet packets for specific applications. Speed Specifies the speed of the PRP interface. The prerequisite is that both PRP member ports operate with the specified speed. Possible values: 100Mbps (default setting) 1Gbps Buttons You find the description of the standard buttons in section “Buttons” on page 15. 292 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > PRP > DAN/VDAN Table ] 5.9.4.2 PRP DAN/VDAN Table (depends on hardware) [ Switching > L2-Redundancy > PRP > DAN/VDAN Table ] This dialog lets you analyze the LANs. This is helpful for example, when the Last seen A counter of one port continually increases while the Last seen B counter remains the same (and the other way round). This condition indicates an interruption of LAN connection. DAN/VDAN means Double Attached Node / Virtual Double Attached Node. Table Index Displays the index number to which the table entry relates. MAC address Displays the MAC address of the node. Last seen A Displays the time between received first packets for this node on LAN A. When the counter threshold reaches 497 days, it restarts from 0. Last seen B Displays the time between received first packets for this node on LAN B. When the counter threshold reaches 497 days, it restarts from 0. Remote node type Displays the type of node. Possible values: redboxp Management vdanp Client Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. RM GUI RSP Release 8.1 12/2019 293 Switching [ Switching > L2-Redundancy > PRP > Proxy Node Table ] 5.9.4.3 PRP Proxy Node Table (depends on hardware) [ Switching > L2-Redundancy > PRP > Proxy Node Table ] This dialog informs you of the connected devices for which this device provides PRP redundancy. Note: The Redbox supports up to 128 hosts. If this number is exceeded with Redbox, then the device drops the packets. Table Index Displays the index number to which the table entry relates. Possible values: 1..128 MAC address Displays the MAC address of the connected devices for which this device implements PRP redundancy. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. 294 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > PRP > Statistics ] 5.9.4.4 PRP Statistics (depends on hardware) [ Switching > L2-Redundancy > PRP > Statistics ] This dialog lists receive events for various MIB Managed Objects. Each entry represents link degradation for the MIB Managed Objects listed in the description column. The table lists how many times the event occurred for each path through the device. The Port A entries for example, specify the path between the transceiver, through the Link Redundancy Entity (LRE) to the UDP and TCP layers. Table Description Displays the MIB Managed Objects description to which the Port A, Port B, and Interlink entries refer. Port A Displays the number of MIB Managed Objects events on Port A. The device examines the traffic as it passes from receive transceiver A to the LRE. Port B Displays the number of MIB Managed Objects events on Port B. The device examines the traffic as it passes from receive transceiver B to the LRE. Interlink Displays the number of MIB Managed Objects events on the interlink. The counters are active for the MIB Managed Objects that pertain to the interlink. The other counters remain empty. A sample is made of the traffic as it passes from the LRE to the switch. CPU port Displays the number of MIB Managed Objects events on the CPU Port. There is one MIB Managed Object that pertains to the CPU Port. The other counters remain empty. A sample is made of the traffic as it passes from receive transceiver to the CPU. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. RM GUI RSP Release 8.1 12/2019 295 Switching [ Switching > L2-Redundancy > HSR ] 5.9.5 HSR (depends on hardware) [ Switching > L2-Redundancy > HSR ] An HSR-based ring offers zero recovery time (HSR = High-availability Seamless Redundancy). HSR is suited for applications that demand high availability and short reaction times. For example, protection applications for electrical station automation and controllers for synchronized drives which require constant connection. HSR Redundancy Boxes (RedBox) use 2 Ethernet ports operating in parallel to connect to a ring. An HSR RedBox operating in this configuration is a Doubly Attached Node implementing the HSR protocol (DANH). A standard ethernet device connected to the HSR ring through an HSR RedBox is a Virtual DANH (VDANH). The transmitting HSR node or HSR RedBox sends twin packets, 1 in each direction, on the ring. For identification, the HSR node injects the twin packets with an HSR tag. The HSR tag consists of a port identifier, the length of the payload and a sequence number. In a normal operating ring, the destination HSR node or RedBox receives both packets within a certain time skew. An HSR node forwards the first packet to arrive to the upper layers and discards the second packet when it arrives. A RedBox on the other hand forwards the first packet to the VDANHs and discards the second packet when it arrives. The device performs a specific role in the network. Configure a device as an HSR RedBox connecting standard ethernet devices to an HSR ring. Configure a device as an HSR node connecting a PRP LAN to an HSR ring. A single HSR ring accommodates up to 7 PRP LANs. Configure the device to identify and tag the traffic addressed for the connected PRP LAN. The number of HSR nodes in the ring should not exceed 50. If the HSR interface speed is 1Gbps, then the number should not exceed 300. It is useful to limit the traffic injected into the HSR ring. If there are any third party devices with a higher latency in the ring, then you reduce the number of ring participants. Verify that the sum of bandwidths applied to the HSR nodes is less than 84 %. Note: HSR is available for devices with an FPGA (hardware for extended functions). The product code indicates whether your device supports HSR. In order to use the functions, load the device software supporting HSR. The menu contains the following dialogs: HSR Configuration (depends on hardware) HSR DAN/VDAN Table (depends on hardware) HSR Proxy Node Table (depends on hardware) HSR Statistics (depends on hardware) 296 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > HSR > Configuration ] 5.9.5.1 HSR Configuration (depends on hardware) [ Switching > L2-Redundancy > HSR > Configuration ] In this dialog, you enable the HSR function, configure HSR supervision packets, and specify the function that the device executes in the HSR ring. The MRP and Spanning Tree functions cannot operate on the same ports as the HSR function. Disable the MRP function or choose different ports. Deactivate the Spanning Tree function on the HSR ports. Note: When HSR is active, it uses the interfaces 1/1 and 1/2. As seen in the Switching > Rate Limiter and Switching > Filter for MAC Addresses dialogs, the HSR function replaces the interfaces 1/1 and 1/ 2 with the interface hsr/1. Set up the VLAN membership and the rate limiting for the interface hsr/ 1. Operation Operation Enables/disables the HSR function globally. Possible values: On When this function is active, the device processes the data stream according to the set up. Off (default setting) Note: When you use SFPs for HSR ports and the device only supports 100 Mbit/s, verify that the SFPs support 100 Mbit/s. Port A / Port B Physical port Displays the number of the physical port which the device uses as the HSR Port A or Port B. Port A admin state Enables/disables the HSR function on the port. Possible values: On (default setting) The HSR function on the port is enabled. Off The HSR function on the port is disabled. RM GUI RSP Release 8.1 12/2019 297 Switching [ Switching > L2-Redundancy > HSR > Configuration ] Supervision packet receiver Evaluate supervision packets Activates/deactivates the supervision packet analysis. Possible values: marked (default setting) Supervision packet analysis is active. The device receives supervision data packets and analyzes them. unmarked Supervision packet analysis is inactive. The device receives supervision data packets without analyzing them. Supervision packet sender Active Enables/disables the transmission of supervision packets. Possible values: On (default setting) The transmission of supervision packets is enabled. The RedBox transmits its own supervision packets. Off The transmission of supervision packets is disabled. Send VDAN packets Activates/deactivates the transmission of VDAN supervision packets. The prerequisite is that you enable the transmission of supervision packets. See the Active field. Possible values: marked The transmission of VDAN supervision packets is active. The RedBox transmits both its own supervision packets and the supervision packets for the VDANs listed in the HSR Proxy Node Table. unmarked (default setting) The transmission of VDAN supervision packets is inactive. Configuration (depends on hardware) MTU Specifies the maximum allowed size of Ethernet packets on the interface in bytes. 298 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > HSR > Configuration ] Possible values: 1518..1530 (default setting: 1518) With the setting 1518, the port transmits the Ethernet packets up to the following size: – 1518 bytes without VLAN tag (1514 bytes + 4 bytes CRC) – 1522 bytes with VLAN tag (1518 bytes + 4 bytes CRC) This setting lets you increase the size of the Ethernet packets for specific applications. Note: If you increase the value, then it can be necessary to increase the MTU size of other ports by the same amount. See the MTU column in the Basic Settings > Port dialog, Configuration tab. Speed Specifies the speed of the HSR interface. The prerequisite is that both HSR member ports operate with the specified speed. Possible values: 100Mbps (default setting) 1Gbps HSR parameter HSR mode Specifies the forwarding capacity of the device for unicast traffic. Possible values: modeh (default setting) If the host functions as a proxy for a destination device, then it removes unicast traffic from the ring and forwards it to the destination address. modeu If the host operates as a proxy for a destination device, then it forwards unicast traffic around the ring and forwards it to the destination address. If the packets return to the source node, then it discards the unicast traffic. Switching node type Specifies the function that the device executes in the HSR ring. Possible values: hsrredboxsan (default setting) You use this setting if you connect SANs to the device within a HSR ring. hsrredboxprpa You use this setting to connect the corresponding device with PRP LAN A. Furthermore, set the Redbox identity parameter for the corresponding network connection. hsrredboxprpb You use this setting to connect the corresponding device with PRP LAN B. Furthermore, set the Redbox identity parameter for the corresponding network connection. RM GUI RSP Release 8.1 12/2019 299 Switching [ Switching > L2-Redundancy > HSR > Configuration ] Note: If you specify the value hsrredboxprpa or hsrredboxprpb, then increase the MTU size on the interface. See the Configuration frame, MTU field. Also increase the MTU size of the ports connected with LAN A and B in the PRP networks by the same amount. See the MTU column in the Basic Settings > Port dialog, Configuration tab. Redbox identity Specifies the tags for the PRP LAN traffic. The parameter identifies and tags the data traffic for the PRP LAN that you connect to this device. The device identifies the traffic for up to 7 PRP LANs that you connect to the HSR ring. The prerequisite is that you set the Switching node type parameter to hsrredboxprpa or to hsrredboxprpb. Possible values: id1a (default setting) Use this value to handle the HSR data traffic for LAN A in PRP network 1. id1b Use this value to handle the HSR data traffic for LAN B in PRP network 1. id2a Use this value to handle the HSR data traffic for LAN A in PRP network 2. id2b Use this value to handle the HSR data traffic for LAN B in PRP network 2. id7a Use this value to handle the HSR data traffic for LAN A in PRP network 7. id7b Use this value to handle the HSR data traffic for LAN B in PRP network 7. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 300 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > HSR > DAN/VDAN Table ] 5.9.5.2 HSR DAN/VDAN Table (depends on hardware) [ Switching > L2-Redundancy > HSR > DAN/VDAN Table ] This dialog lets you analyze the LANs. This is helpful for example, when the Last seen A counter of one port continually increases while the Last seen B counter remains the same (and the other way round). This condition indicates an interruption of LAN connection. DAN/VDAN means Double Attached Node / Virtual Double Attached Node. Table Index Displays the index number to which the table entry relates. MAC address Displays the MAC address of the node. Last seen A Displays the time between received first packets for this node on LAN A. When the counter threshold reaches 497 days, it restarts from 0. Last seen B Displays the time between received first packets for this node on LAN B. When the counter threshold reaches 497 days, it restarts from 0. Remote node type Displays the type of node. Possible values: redboxh Management vdanh Client Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. RM GUI RSP Release 8.1 12/2019 301 Switching [ Switching > L2-Redundancy > HSR > Proxy Node Table ] 5.9.5.3 HSR Proxy Node Table (depends on hardware) [ Switching > L2-Redundancy > HSR > Proxy Node Table ] This dialog informs you of the connected devices for which this device provides HSR redundancy. Table Index Displays the index number to which the table entry relates. Possible values: 1..128 MAC address Displays the MAC addresses of the connected devices for which this device implements HSR redundancy. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. 302 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > HSR > Statistics ] 5.9.5.4 HSR Statistics (depends on hardware) [ Switching > L2-Redundancy > HSR > Statistics ] This dialog lists receive events for various MIB Managed Objects. Each entry represents link degradation for the MIB Managed Objects listed in the description column. The table lists how many times the event occurred for each path through the device. The Port A entries for example, specify the path between the transceiver, through the Link Redundancy Entity (LRE) to the UDP and TCP layers. Table Description Displays the MIB Managed Objects description to which the Port A, Port B, and Interlink entries refer. Port A Displays the number of MIB Managed Objects events on Port A. The device examines the traffic as it passes from receive transceiver A to the LRE. Port B Displays the number of MIB Managed Objects events on Port B. The device examines the traffic as it passes from receive transceiver B to the LRE. Interlink Displays the number of MIB Managed Objects events on the interlink. The counters are active for the MIB Managed Objects that pertain to the interlink. The other counters remain empty. A sample is made of the traffic as it passes from the LRE to the switch. CPU port Displays the number of MIB Managed Objects events on the CPU Port. There is one MIB Managed Object that pertains to the CPU Port. The other counters remain empty. A sample is made of the traffic as it passes from receive transceiver to the CPU. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. RM GUI RSP Release 8.1 12/2019 303 Switching [ Switching > L2-Redundancy > Spanning Tree ] 5.9.6 Spanning Tree [ Switching > L2-Redundancy > Spanning Tree ] The Spanning Tree Protocol (STP) is a protocol that deactivates redundant paths of a network in order to help avoid loops. If a network component becomes inoperable on the path, then the device calculates the new topology and reactivates these paths. The Rapid Spanning Tree Protocol (RSTP) enables fast switching to a newly calculated topology without interrupting existing connections. RSTP gets average reconfiguration times of less than a second. When you use RSTP in a ring with 10 to 20 devices, you can get reconfiguration times in the order of milliseconds. The device supports the Multiple Spanning Tree Protocol (MSTP) standardized in IEEE 802.1, which is a further development of the Spanning Tree Protocol (STP). Note: When you connect the device to the network through twisted pair SFPs instead of through usual twisted pair ports, the reconfiguration of the network takes slightly longer. The menu contains the following dialogs: Spanning Tree Global Spanning Tree MSTP Spanning Tree Port 304 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] 5.9.6.1 Spanning Tree Global [ Switching > L2-Redundancy > Spanning Tree > Global ] In this dialog, you enable/disable the Spanning Tree function and specify the bridge settings. Operation Operation Enables/disables the Spanning Tree function in the device. Possible values: On (default setting) Off The device behaves transparently. The device floods received Spanning Tree data packets like multicast data packets to the ports. Variant Variant Specifies the protocol used for the Spanning Tree function: Possible values: rstp (default setting) The protocol RSTP is active. With RSTP (IEEE 802.1Q-2005), the Spanning Tree function operates for the underlying physical layer. mstp The protocol MSTP is active. To help avoid longer recovery times, specify the maximum value 40 in the Tx holds field. Traps Send trap Activates/deactivates the sending of SNMP traps for the following events: • Another bridge takes over the root bridge role. • The topology changes. A port changes its Port state from forwarding into discarding or from discarding into forwarding. Possible values: marked The sending of SNMP traps is active. unmarked (default setting) The sending of SNMP traps is inactive. RM GUI RSP Release 8.1 12/2019 305 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Ring only mode Active Activates/deactivates the Ring only mode function, in which the device does not verify the age of the BPDUs. Possible values: marked The Ring only mode function is active. Use this setting for applications for RSTP rings with diameters greater than 40. unmarked (default setting) The Ring only mode function is inactive. First port Specifies the port number of the first interface. Possible values: <Port number> (default setting: -) Second port Specifies the port number of the second interface. Possible values: <Port number> (default setting: -) Bridge configuration Bridge ID Displays the bridge ID of the device. The device with the lowest bridge ID numerical value takes over the role of the root bridge in the network. Possible values: <Bridge priority> / <MAC address> Value in the Priority field / MAC address of the device Priority Specifies the bridge priority of the device. Possible values: 0..61440 in steps of 4096 (default setting: 32768) To make this device the root bridge, assign the lowest numeric priority value in the network to the device. 306 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Hello time [s] Specifies the time in seconds between the sending of two configuration messages (Hello data packets). Possible values: 1..2 (default setting: 2) If the device takes over the role of the root bridge, then the other devices in the network use the value specified here. Otherwise, the device uses the value specified by the root bridge. See the Root information frame. Due to the interaction with the Tx holds parameter, we recommend that you do not change the default setting. Forward delay [s] Specifies the delay time for the status change in seconds. Possible values: 4..30 (default setting: 15) If the device takes over the role of the root bridge, then the other devices in the network use the value specified here. Otherwise, the device uses the value specified by the root bridge. See the Root information frame. In the RSTP protocol, the bridges negotiate a status change without a specified delay. The Spanning Tree protocol uses the parameter to delay the status change between the statuses disabled, discarding, learning, forwarding. The parameters Forward delay [s] and Max age have the following relationship: Forward delay [s] ≥ (Max age/2) + 1 If you enter values in the fields that contradict this relationship, then the device replaces these values with the last valid values or with the default value. Max age Specifies the maximum permitted branch length for example, the number of devices to the root bridge. Possible values: 6..40 (default setting: 20) If the device takes over the role of the root bridge, then the other devices in the network use the value specified here. Otherwise, the device uses the value specified by the root bridge. See the Root information frame. The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in seconds. Tx holds Limits the maximum transmission rate for sending BPDUs. RM GUI RSP Release 8.1 12/2019 307 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Possible values: 1..40 (default setting: 10) To help avoid longer recovery times when using the MSTP protocol, set the maximum value to 40. When the device sends a BPDU, the device increments a counter on this port. If the counter reaches the value specified here, then the port stops sending BPDUs. On the one hand, this reduces the load generated by RSTP, and on the other when the device does not receive BPDUs, a communication interruption can be caused. The device decrements the counter by 1 every second. In the following second, the device sends a maximum of 1 new BPDU. BPDU guard Activates/deactivates the BPDU Guard function in the device. With this function, the device helps protect your network from incorrect configurations, attacks with STP-BPDUs, and unwanted topology changes. Possible values: marked The BPDU guard is active. – The device applies the function to manually specified edge ports. For these ports, in the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox in the Admin edge port column is marked. – If an edge port receives an STP-BPDU, then the device disables the port. For this port, in the Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column is unmarked. unmarked (default setting) The BPDU guard is inactive. To reset the status of the port to the value forwarding, you proceed as follows: If the port is still receiving BPDUs, then: – In the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab unmark the checkbox in the Admin edge port column. or – In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard checkbox. To re-enable the port again you use the Auto-Disable function. Alternatively, proceed as follows: – Open the Basic Settings > Port dialog, Configuration tab. – Mark the checkbox in the Port on column. BPDU filter (all admin edge ports) Activates/deactivates the STP-BPDU filter on every manually specified edge port. For these ports, in the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox in the Admin edge port column is marked. 308 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Possible values: marked The BPDU filter is active on every edge port. The function does not use these ports in Spanning Tree operations. – The device does not send STP-BPDUs on these ports. – The device drops any STP-BPDUs received on these ports. unmarked (default setting) The global BPDU filter is inactive. You have the option to explicitly activate the BPDU filter for single ports. See the Port BPDU filter column in the Switching > L2-Redundancy > Spanning Tree > Port dialog. Auto-disable Activates/deactivates the Auto-Disable function for the parameters that BPDU guard is monitoring on the port. Possible values: marked The Auto-Disable function for the BPDU guard is active. – When the port receives an STP-BPDU, the device disables an edge port. The “Link status” LED for the port flashes 3× per period. – The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due to the parameters being exceeded. – The Auto-Disable function reactivates the port automatically. For this you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in the Reset timer [s] column. unmarked (default setting) The Auto-Disable function for the BPDU guard is inactive. Root information Bridge ID Displays the bridge ID of the current root bridge. Possible values: <Bridge priority> / <MAC address> Priority Displays the bridge priority of the current root bridge. Possible values: 0..61440 in steps of 4096 Hello time [s] Displays the time in seconds that the root bridge specifies between the sending of two configuration messages (Hello data packets). RM GUI RSP Release 8.1 12/2019 309 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Possible values: 1..2 The device uses this specified value. See the Bridge configuration frame. Forward delay [s] Specifies the delay time in seconds set up by the root bridge for status changes. Possible values: 4..30 The device uses this specified value. See the Bridge configuration frame. In the RSTP protocol, the bridges negotiate a status change without a specified delay. The Spanning Tree protocol uses the parameter to delay the status change between the statuses disabled, discarding, learning, forwarding. Max age Specifies the maximum permitted branch length that the root bridge sets up for example, the number of devices to the root bridge. Possible values: 6..40 (default setting: 20) The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in seconds. Topology information Bridge is root Displays if the device currently has the role of the root bridge. Possible values: marked The device currently has the role of the root bridge. unmarked Another device currently has the role of the root bridge. Root port Displays the number of the port from which the current path leads to the root bridge. If the device takes over the role of the root bridge, then the field displays the value 0. Root path cost Specifies the path cost for the path that leads from the root port of the device to the root bridge of the layer 2 network. 310 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Global ] Possible values: 0..200000000 If the value 0 is specified, then the device takes over the role of the root bridge. Topology changes Displays how many times the device has put a port into the forwarding status using the Spanning Tree function since the Spanning Tree instance was started. Time since topology change Displays the time since the last topology change. Possible values: <days, hours:minutes:seconds> Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 311 Switching [ Switching > L2-Redundancy > Spanning Tree > MSTP ] 5.9.6.2 Spanning Tree MSTP [ Switching > L2-Redundancy > Spanning Tree > MSTP ] In this dialog you manage the settings of the global and local MST instances. In contrast to the local MST instances, the global MST instance is configured permanently in the device. The global MST instance contains the VLANs that are not explicitly allocated to a local MST instance. The device supports up to 16 local MST instances. To create a local MST instance, click the button. While STP has a single Spanning Tree spanning the network, MSTP lets you set up one Spanning Tree per VLAN or group of VLANs. Thus it is possible to specify several smaller Spanning Trees covering one network. How to help avoid longer convergence times: Only use devices in the network that support RSTP or MSTP. Adjust the following parameters to the topology and number of bridges: – Maximum allowed number of devices to the root bridge Switching > L2-Redundancy > Spanning Tree > Global dialog, Max age field – Maximum allowed number of bridges within the MST region in a branch to the root bridge Switching > L2-Redundancy > Spanning Tree > MSTP dialog, Global CIST parameter frame, Hops (max.) field For bridges in an MST region, specify identical values for the following parameters: Name of the MST region Revision level of the MST region Allocation of the VLANs to the MST instances – Include ports connecting the bridges of an MST region as tagged members in the VLANs set up on the bridges. You thus help avoid potential connection breaks within the MST region when the topology is changed. – Include ports connecting an MST region with other MST regions or with the CST region (boundary ports) as tagged members in the VLANs set up in both regions. You thus help avoid potential connection breaks when topology changes affecting the boundary ports are made. MST region identifier Name Specifies the name of the MST region to which the device belongs. Possible values: Alphanumeric ASCII character string with 1..32 characters Revision level Specifies the version number of the MST region to which the device belongs. Possible values: 0..65535 (default setting: 1) 312 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > MSTP ] Checksum Displays the MD5 checksum of the MST configuration. Global CIST parameter Hops (max.) Specifies the maximum number of bridges within the MST region in a branch to the root bridge. Possible values: 6..40 (default setting: 20) Attached VLANs Displays the IDs of the VLANs that are assigned only to the global MST instance and to no other local MST instance. Possible values: ID of the statically configured VLANs (default setting: 1) Bridge ID Displays the bridge ID of the device. Possible values: <Bridge priority> / <MAC address> The value is made up as follows: – Value in the Priority field. See the Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame. – MAC address of the device. Root ID Displays the bridge ID of the current CIST root bridge of the whole Layer 2 network. Possible values: <Bridge priority> / <MAC address> The device with the numerically lowest bridge ID takes over the role of the CIST root bridge in the network. The following devices are able to take over the role of the root bridge: Bridges not belonging to any MST region Bridges belonging to the global instance of an MST region In the whole Layer 2 network, the bridges use the time settings of the CIST root bridge, for example Hello time [s]. Regional root ID Displays the Bridge ID of the current root bridge that belongs to the global instance of the MST region to which this device belongs. RM GUI RSP Release 8.1 12/2019 313 Switching [ Switching > L2-Redundancy > Spanning Tree > MSTP ] Possible values: <Bridge priority> / <MAC address> The values in the Regional root ID and Root ID fields are identical when the regional root bridge has the lowest bridge ID in the whole Layer 2 network. Root port Displays the port of the device from which the path leads to the current CIST root bridge of the whole Layer 2 network. Possible values: no Port The device currently has the role of the root bridge. <Port number> The path to the current CIST root bridge of the whole Layer 2 network leads over this port. Root path cost Displays the path cost for the path that leads from the regional root bridge of the MST region to the current CIST root bridge of the whole Layer 2 network. Possible values: 0..200000000 If the value 0 is specified, then the regional root bridge simultaneously has the role of the CIST root bridge. For the devices within an MST region, the Root path cost values are identical. If you do not use MSTP, then the Root path cost values are identical to the root path costs of Spanning Tree or Rapid Spanning Tree. In this case, every device considers itself as an own region. Internal root path cost Displays the internal path cost for the path that leads from the root port of the device to the current regional root bridge of the MST region. Possible values: 0..200000000 If the value 0 is specified, then the local bridge simultaneously has the role of the current regional root bridge. Table MSTI Displays the instance number of the local MST instance. Attached VLANs Displays the IDs of the VLANs that are allocated to this local MST instance. 314 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > MSTP ] Priority Specifies the bridge priority of the local MST instance. Possible values: 0..61440 in steps of 4096 (default setting: 32768) Assign the lowest numeric priority in this local MST instance to the device to make this device the root bridge. Bridge ID Displays the bridge ID. The device with the numerically lowest bridge ID takes over the role of the MSTI (regional) root bridge in the instance. Possible values: <Bridge priority + Number of the instance> / <MAC address> Sum of the value in the fields Priority and MSTI / MAC address of the device Time since topology change Displays the time that has elapsed since the last topology change within this instance. Topology changes Displays how many times the device has put a port into the forwarding status using the Spanning Tree function since the Spanning Tree instance was started. Topology change Displays whether the device has detected a topology change within the instance. Possible values: true The device has detected a topology change. false The device has not detected a topology change. Root ID Displays the bridge ID of the current root bridge in this instance. Possible values: <Bridge ID> / <MAC address> Root path cost Displays the path cost for the path that leads from the root port of the device to the root bridge of the instance. Possible values: 0..200000000 If the value 0 is specified, then the bridge is simultaneously the root bridge of the instance. RM GUI RSP Release 8.1 12/2019 315 Switching [ Switching > L2-Redundancy > Spanning Tree > MSTP ] Root port Displays the port of the device from which the current path leads to the root bridge of the instance. Possible values: no Port The device currently has the role of the root bridge. <Port number> The path to the current root bridge of the instance leads over this port. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Adds a new table entry. The device supports up to local 16 instances. Configure VLANs Opens the Configure VLANs dialog to allocate VLANs to the local MST instance which is highlighted in the table. 316 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] 5.9.6.3 Spanning Tree Port [ Switching > L2-Redundancy > Spanning Tree > Port ] In this dialog, you activate the Spanning Tree function on the ports, specify edge ports, and specify the settings for various protection functions. The dialog contains the following tabs: [CIST] [Guards] [MSTI <MSTI>] [CIST] In this tab, you have the option to activate the Spanning Tree function on the ports individually, specify the settings for edge ports, and view the current values. The abbreviation CIST stands for Common and Internal Spanning Tree. Note: Deactivate the Spanning Tree function on the ports that are participating in other Layer 2 redundancy protocols. Otherwise, it is possible that the redundancy protocols operate differently than intended. This can cause loops. Table Port Displays the port number. STP active Activates/deactivates the Spanning Tree function on the port. Possible values: marked (default setting) unmarked If the Spanning Tree function is enabled in the device and disabled on the port, then the port does not send STP-BPDUs and drops any STP-BPDUs received. Port state Displays the transmission status of the port. Possible values: discarding The port is blocked and forwards only STP-BPDUs. learning The port is blocked, but it learns the MAC addresses of received data packets. forwarding The port forwards data packets. RM GUI RSP Release 8.1 12/2019 317 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] disabled The port is inactive. See the Basic Settings > Port dialog, Configuration tab. manualFwd The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs. notParticipate The port is not participating in STP. Port role Displays the current role of the port in CIST. Possible values: root Port with the cheapest path to the root bridge. alternate Port with the alternative path to the root bridge (currently blocking). designated Port for the side of the tree averted from the root bridge (currently blocking). backup Port receives STP-BPDUs from its own device. master Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional Root. The port is unique in an MST region. disabled The port is inactive. See the Basic Settings > Port dialog, Configuration tab. Port path cost Specifies the path costs of the port. Possible values: 0..200000000 (default setting: 0) When the value is 0, the device automatically calculates the path costs depending on the data rate of the port. Port priority Specifies the priority of the port. Possible values: 16..240 in steps of 16 (default setting: 128) This value represents the first 4 bits of the port ID. Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU. 318 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] Possible values: For ports with the designated role, the device displays the information for the STP-BPDU last received by the port. This helps to diagnose the possible STP problems in the network. For the alternate, backup, master, and root port roles, in the stationary condition (static topology) this information is identical to the information of the designated port role. If a port has no connection or if it did not receive any STP-BDPUs yet, then the device displays the values that the port can send with the designated role. Received port ID Displays the port ID of the device from which this port last received an STP-BPDU. Possible values: For ports with the designated role, the device displays the information for the STP-BPDU last received by the port. This helps to diagnose the possible STP problems in the network. For the alternate, backup, master, and root port roles, in the stationary condition (static topology) this information is identical to the information of the designated port role. If a port has no connection or if it did not receive any STP-BDPUs yet, then the device displays the values that the port can send with the designated role. Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge. Possible values: For ports with the designated role, the device displays the information for the STP-BPDU last received by the port. This helps to diagnose the possible STP problems in the network. For the alternate, backup, master, and root port roles, in the stationary condition (static topology) this information is identical to the information of the designated port role. If a port has no connection or if it did not receive any STP-BDPUs yet, then the device displays the values that the port can send with the designated role. Received path cost Displays the path cost that the higher-level bridge has from its root port in the local MST instance to the root bridge. Admin edge port Activates/deactivates the Admin edge port mode. If the port is connected to an end device, then use the Admin edge port mode. This setting lets the edge port change faster to the forwarding state after linkup and thus a faster accessibility of the end device. RM GUI RSP Release 8.1 12/2019 319 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] Possible values: marked The Admin edge port mode is active. The port is connected to an end device. – After the connection is set up, the port changes to the forwarding status without changing to the learning status beforehand. – If the port receives an STP-BPDU and the BPDU Guard function is active, then the device deactivates the port. See the Switching > L2-Redundancy > Spanning Tree > Global dialog. unmarked (default setting) The Admin edge port mode is inactive. The port is connected to another STP bridge. After the connection is set up, the port changes to the learning status before changing to the forwarding status, if applicable. Auto edge port Activates/deactivates the automatic detection of whether you connect an end device to the port. The prerequisite is that the checkbox in the Admin edge port column is unmarked. Possible values: marked (default setting) The automatic detection is active. After the installation of the connection and after 1.5 × Hello time [s], the device sets the port to the forwarding status (default setting 1.5 × 2 s) if the port did not receive any STP-BPDUs during this time. unmarked The automatic detection is inactive. After the installation of the connection, and after Max age the device sets the port to the forwarding status. (default setting: 20 s) Oper edge port Displays whether an end device or an STP bridge is connected to the port. Possible values: marked An end device is connected to the port. The port does not receive any STP-BPDUs. unmarked An STP bridge is connected to the port. The port receives STP-BPDUs. Oper PointToPoint Displays whether the port is connected to an STP device via a direct full-duplex link. Possible values: true The port is connected directly to an STP device via a full-duplex link. The direct, decentralized communication between 2 bridges enables short reconfiguration times. false The port is connected in another way, for example via a half-duplex link or via a hub. Port BPDU filter Activates/deactivates the filtering of STP-BPDUs on the port explicitly. 320 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] The prerequisite is that the port is a manually specified edge port. For these ports, the checkbox in the Admin edge port column is marked. Possible values: marked The BPDU filter is active on the port. The function excludes the port from Spanning Tree operations. – The device does not send STP-BPDUs on the port. – The device drops any STP-BPDUs received on the port. unmarked (default setting) The BPDU filter is inactive on the port. You have the option to globally activate the BPDU filter for every edge port. See the Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame. If the BPDU filter (all admin edge ports) checkbox is marked, then the BPDU filter is still active on the port. BPDU filter status Displays whether or not the BPDU filter is active on the port. Possible values: marked The BPDU filter is active on the port as a result of the following settings: – The checkbox in the Port BPDU filter column is marked. and/or – The checkbox in the BPDU filter (all admin edge ports) column is marked. See the Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame. unmarked The BPDU filter is inactive on the port. BPDU flood Activates/deactivates the BPDU flood mode on the port even if the Spanning Tree function is inactive on the port. The prerequisite is that the BPDU flood mode is also active for these ports. Possible values: marked The BPDU flood mode is active. The device floods STP-BPDUs received on the port to the ports for which the Spanning Tree function is inactive. unmarked (default setting) The BPDU flood mode is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 321 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] [Guards] This tab lets you specify the settings for various protection functions on the ports. Table Port Displays the port number. Root guard Activates/deactivates the monitoring of STP-BPDUs on the port. The prerequisite is that the Loop guard function is inactive. With this setting the device helps you protect your network from incorrect configurations or attacks with STP-BPDUs that try to change the topology. This setting is relevant only for ports with the STP role designated. Possible values: marked The monitoring of STP-BPDUs is active. – If the port receives an STP-BPDU with better path information to the root bridge, then the device discards the STP-BPDU and sets the status of the port to the value discarding instead of root. – If there are no STP-BPDUs with better path information to the root bridge, then the device resets the status of the port after 2 × Hello time [s]. unmarked (default setting) The monitoring of STP-BPDUs is inactive. TCN guard Activates/deactivates the monitoring of "Topology Change Notifications" on the port. With this setting the device helps you protect your network from attacks with STP-BPDUs that try to change the topology. Possible values: marked The monitoring of "Topology Change Notifications" is enabled. – The port ignores the Topology Change flag in received STP-BPDUs. – If the received BPDU contains other information that causes a topology change, then the device processes the BPDU even if the TCN guard is enabled. Example: The device receives better path information for the root bridge. unmarked (default setting) The monitoring of "Topology Change Notifications" is disabled. If the device receives STP-BPDUs with a Topology Change flag, then the device deletes the address table of the port and forwards the Topology Change Notifications. Loop guard Activates/deactivates the monitoring of loops on the port. The prerequisite is that the Root guard function is inactive. With this setting the device helps prevent loops if the port does not receive any more STP-BPDUs. Use this setting only for ports with the STP role alternate, backup or root. 322 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] Possible values: marked The monitoring of loops is active. This helps prevent loops for example, if you disable the Spanning Tree function on the remote device or if the connection is interrupted only in the receiving direction. – If the port does not receive any STP-BPDUs for a while, then the device sets the status of the port to the value discarding and the value in the Loop state column to true. – If the port receives STP-BPDUs again, then the device sets the status of the port to a value according to Port role and the value in the Loop state column to false. unmarked (default setting) The monitoring of loops is inactive. If the port does not receive any STP-BPDUs for a while, then the device sets the status of the port to the value forwarding. Loop state Displays whether the loop state of the port is inconsistent. Possible values: true The loop state of the port is inconsistent: – The port is not receiving any STP-BPDUs and the Loop guard function is enabled. – The device sets the state of the port to the value discarding. The device thus helps prevent any potential loops. false The loop state of the port is consistent. The port receives STP-BPDUs. Trans. into loop Displays how many times the device has set the value in the Loop state column from false to true. Trans. out of loop Displays how many times the device has set the value in the Loop state column from true to false. BPDU guard effect Displays whether the port received an STP-BPDU as an edge port. Prerequisite: • The port is a manually specified edge port. In the Port dialog, the checkbox for this port in the Admin edge port column is marked. • In the Switching > L2-Redundancy > Spanning Tree > Global dialog, the BPDU Guard function is active. Possible values: marked The port is an edge port and received an STP-BPDU. The device deactivates the port. For this port, in the Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column is unmarked. unmarked The port is an edge port and has not received any STP-BPDUs, or the port is not an edge port. RM GUI RSP Release 8.1 12/2019 323 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] To reset the status of the port to the value forwarding, you proceed as follows: If the port is still receiving BPDUs, then: – In the CIST tab, unmark the checkbox in the Admin edge port column. or – In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard checkbox. To activate the port, proceed as follows: – Open the Basic Settings > Port dialog, Configuration tab. – Mark the checkbox in the Port on column. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [MSTI <MSTI>] This tab lets you specify the settings on the ports for path costs and priority in the local MST instance, and to view current values. Table Port Displays the port number. Port state Displays the transmission status of the port. Possible values: discarding The port is blocked and forwards only STP-BPDUs. learning The port is blocked, but it learns the MAC addresses of received data packets. forwarding The port forwards data packets. disabled The port is inactive. See the Basic Settings > Port dialog, Configuration tab. manualFwd The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs. notParticipate The port is not participating in STP. Port role Specifies the current role of the port in the local instance. 324 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Spanning Tree > Port ] Possible values: root Port with the cheapest path to the root bridge. alternate Port with the alternative path to the root bridge (currently interrupted). designated Port for the side of the tree averted from the root bridge. backup Port which receives STP-BPDUs from its own device. master Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional Root. The port is unique in an MST region. disabled The port is inactive. See the Basic Settings > Port dialog, Configuration tab. Port path cost Specifies the path costs of the port in the local instance. Possible values: 0..200000000 (default setting: 0) When the value is 0, the device automatically calculates the path costs depending on the data rate of the port. Port priority Specifies the priority of the port in the local instance. Possible values: 16..240 in steps of 16 (default setting: 128) Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU in the local instance. Received port ID Displays the port ID of the device from which this port last received an STP-BPDU. Possible values: For ports with the designated role, the device displays the information for the STP-BPDU last received by the port. This helps to diagnose the possible STP problems in the network. For the alternate, backup, master, and root port roles, in the stationary condition (static topology) this information is identical to the information of the designated port role. If a port has no connection or if it did not receive any STP-BDPUs yet, then the device displays the values that the port can send with the designated role. Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge. RM GUI RSP Release 8.1 12/2019 325 Switching [ Switching > L2-Redundancy > Link Aggregation ] Possible values: For ports with the designated role, the device displays the information for the STP-BPDU last received by the port. This helps to diagnose the possible STP problems in the network. For the alternate, backup, master, and root port roles, in the stationary condition (static topology) this information is identical to the information of the designated port role. If a port has no connection or if it did not receive any STP-BDPUs yet, then the device displays the values that the port can send with the designated role. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 5.9.7 Link Aggregation [ Switching > L2-Redundancy > Link Aggregation ] The Link Aggregation function lets you aggregate multiple parallel links. The prerequisite is that the links have the same speed and are full duplex. The advantages compared to conventional connections using a single line are higher availability and a higher transmission bandwidth. The criteria for distributing the load to the parallel links are based on the Hashing option function. The Link Aggregation Control Protocol (LACP) makes it possible to monitor the packet-based continuous link status on the physical ports. LACP also helps ensure that the link partners meet the aggregation prerequisites. If the remote side does not support the Link Aggregation Control Protocol (LACP), then you can use the Static link aggregation function. In this case, the device aggregates the links based on the link, link speed and duplex setting. Configuration Hashing option Specifies which information the device uses to distribute the packets to the physical ports of the LAG interface. The device transmits packets containing the same distribution-relevant information over the same physical port to keep the packet order. This setting overwrites the value specified in the Hashing option column for the port. Possible values: sourceMacVlan The device uses the fields Source MAC address, VLAN ID, EtherType of the packet, and the physical ingress port. destMacVlan The device uses the fields Destination MAC address, VLAN ID, EtherType of the packet, and the physical ingress port. 326 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Link Aggregation ] sourceDestMacVlan (default setting) The device uses the fields Source MAC address, Destination MAC address, VLAN ID, EtherType of the packet, and the physical ingress port. sourceIPsourcePort The device uses the fields Source IP address and Source TCP/UDP port of the packet. destIPdestPort The device uses the fields Destination IP address and Destination TCP/UDP port of the packet. sourceDestIPPort The device uses the fields Source IP address, Destination IP address, Source TCP/UDP port and Destination TCP/UDP port of the packet. Table Trunk port Displays the LAG interface number. Name Specifies the name of the LAG interface. Possible values: Alphanumeric ASCII character string with 1..15 characters Link/Status Displays the current operating state of the LAG interface and the physical ports. Possible values: up (lag/… row) The LAG interface is operational. The prerequisites are: – The Static link aggregation function is active on this LAG interface. or – LACP is active on the physical ports assigned to the LAG interface, see the LACP active column. and The key specified for the LAG interface in the LACP admin key column matches the keys specified for the physical ports in the LACP port actor admin key column. and The number of operational physical ports assigned to the LAG interface is greater than or equal to the value specified in the Active ports (min.) column. up The physical port is operational. down (lag/… row) The LAG interface is down. down The physical port is disabled. or No cable connected or no active link. RM GUI RSP Release 8.1 12/2019 327 Switching [ Switching > L2-Redundancy > Link Aggregation ] Active Activates/deactivates the LAG interface. Possible values: marked (default setting) The LAG interface is active. Consider that the following protocols do not work properly on the physical ports when you activate the LAG interface: – PTP unmarked The LAG interface is inactive. STP active Activates/deactivates the Spanning Tree protocol on this LAG interface. The prerequisite is that you enable the Spanning Tree function globally in the Switching > L2-Redundancy > Spanning Tree > Global dialog. You can also activate/deactivate the Spanning Tree protocol on the LAG interfaces in the Switching > L2-Redundancy > Spanning Tree > Port dialog. Possible values: marked (default setting) The Spanning Tree protocol is active on this LAG interface. unmarked The Spanning Tree protocol is inactive on this LAG interface. Static link aggregation Activates/deactivates the Static link aggregation function on the LAG interface. The device aggregates the assigned physical ports to the LAG interface, even if the remote site does not support LACP. Possible values: marked The Static link aggregation function is active on this LAG interface. The device aggregates an assigned physical port to the LAG interface as soon as the physical port gets a link. The device does not send LACPDUs and discards received LACPDUs. unmarked (default setting) The Static link aggregation function is inactive on this LAG interface. If the connection was successfully negotiated using LACP, then the device aggregates an assigned physical port to the LAG interface. Hashing option Specifies which information the device uses to distribute the packets to the individual physical ports of the LAG interface. This setting has priority over the value selected from the Configuration frame, Hashing option drop-down list. For further information on the values, see the description of the Hashing option drop-down list the Configuration frame. MTU Specifies the maximum allowed size of Ethernet packets on the LAG interface in bytes. Any present VLAN tag is not taken into account. 328 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Link Aggregation ] This setting lets you increase the size of the Ethernet packets for specific applications. Possible values: 1518..12288 (default setting: 1518) With the value 1518, the LAG interface transmits the Ethernet packets up to the following size: – 1518 bytes without VLAN tag (1514 bytes + 4 bytes CRC) – 1522 bytes with VLAN tag (1518 bytes + 4 bytes CRC) Active ports (min.) Specifies the minimum number of physical ports to be active for the LAG interface to stay active. If the number of active physical ports is lower than the specified value, then the device deactivates the LAG interface. If a redundancy function like Spanning Tree or MRP over LAG is active in the device, then you use this function to force the device to switch automatically to the redundant line. Possible values: 1 (default setting) 2 Depending on the hardware: 4 8 32 Type Displays whether the LAG interface is based on the Static link aggregation function or on LACP. Possible values: static The LAG interface is based on the Static link aggregation function. dynamic The LAG interface is based on LACP. Send trap (Link up/down) Activates/deactivates the sending of SNMP traps when the device detects changes in the link up/ down status for this interface. Possible values: marked (default setting) The sending of SNMP traps is active. If the device detects a link up/down status change, then the device sends an SNMP trap. unmarked The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. LACP admin key Specifies the LAG interface key. The device uses this key to identify the ports that can be aggregated to the LAG interface. RM GUI RSP Release 8.1 12/2019 329 Switching [ Switching > L2-Redundancy > Link Aggregation ] Possible values: 0..65535 You specify the corresponding value for the physical ports in the LACP port actor admin key column. Port Displays the physical ports number assigned to the LAG interface. Aggregation port status Displays whether the LAG interface aggregates the physical port. Possible values: active The LAG interface aggregates the physical port. inactive The LAG interface does not aggregate the physical port. LACP active Activates/deactivates LACP on the physical port. Possible values: marked (default setting) LACP is active on the physical port. unmarked LACP is inactive on the physical port. LACP port actor admin key Specifies the physical port key. The device uses this key to identify the ports that can be aggregated to the LAG interface. Possible values: 0 The device ignores the key on this physical port when deciding to aggregate the port into the LAG interface. 1..65535 If this value matches the value of the LAG interface specified in the LACP admin key column, then the device only aggregates this physical port to the LAG interface. LACP actor admin state Specifies the actor state values that the LAG interface transmits in the LACPDUs. This lets you control the LACPDU parameters. The device lets you mix the values. In the drop-down list, select one or more values. 330 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Link Aggregation ] Possible values: ACT (LACP_Activity state) When selected, the link transmits the LACPDUs cyclically, otherwise when requested. STO (LACP_Timeout state) When selected, the link transmits the LACPDUs cyclically using the short timeout, otherwise using the long timeout. AGG (Aggregation state) When selected, the device interprets the link as a candidate for aggregation, otherwise as an individual link. For further information on the values, see the standard IEEE 802.1AX-2014. LACP actor oper state Displays the actor state values that the LAG interface transmits in the LACPDUs. Possible values: ACT (LACP_Activity state) When visible, the link transmits the LACPDUs cyclically, otherwise when requested. STO (LACP_Timeout state) When visible, the link transmits the LACPDUs cyclically using the short timeout, otherwise using the long timeout. AGG (Aggregation state) When visible, the device interprets the link as a candidate for aggregation, otherwise as an individual link. SYN (Synchronization state) When visible, the device interprets the link as IN_SYNC, otherwise as OUT_OF_SYNC. COL (Collecting state) When visible, collection of incoming frames is enabled on this link, otherwise disabled. DST (Distributing state) When visible, distribution of outgoing frames is enabled on this link, otherwise disabled. DFT (Defaulted state) When visible, the link uses defaulted operational information, administratively specified for the Partner. Otherwise the link uses the operational information received from a LACPDU. EXP (Expired state) When visible, the link receiver is in the EXPIRED state. LACP partner oper SysID Displays the MAC address of the remote device connected to this physical port. The LAG interface has received this information in a LACPDU from the partner. RM GUI RSP Release 8.1 12/2019 331 Switching [ Switching > L2-Redundancy > Link Aggregation ] LACP partner oper port Displays the port number of the remote device connected to this physical port. The LAG interface has received this information in a LACPDU from the partner. LACP partner oper port state Displays the partner state values that the LAG interface receives in the LACPDUs. Possible values: ACT STO AGG SYN COL DST DFT EXP For further information on the values, see the description of the LACP actor oper state column and the standard IEEE 802.1AX-2014. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new LAG interface entry to the table or to assign a physical port to a LAG interface. In the Trunk port drop-down list, you select the LAG interface number. In the Port drop-down list, you select the number of a physical port to assign to the LAG interface. After you create a LAG interface, the device adds the LAG interface to the table in the Basic Settings > Port dialog, Statisticstab. 332 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > Link Backup ] 5.9.8 Link Backup [ Switching > L2-Redundancy > Link Backup ] With Link Backup, you configure pairs of redundant links. Each pair has a primary port and a backup port. The primary port forwards traffic until the device detects an error. If the device detects an error on the primary port, then the Link Backup function transfers traffic over to the backup port. The dialog also lets you set a fail back option. If you enable the fail back function and the primary port returns to normal operation, then the device first blocks traffic on the backup port and then forwards traffic on the primary port. This process helps protect the device from causing loops in the network. Operation Operation Enables/disables the Link Backup function globally in the device. Possible values: On Enables the Link Backup function. Off (default setting) Disables the Link Backup function. Table Primary port Displays the primary port of the interface pair. When you enable the Link Backup function, this port is responsible for forwarding traffic. Possible values: Physical ports Backup port Displays the backup port on which the device forwards traffic if the device detects an error on the primary port. Possible values: Physical ports except for the port you set as the primary port. Description Specifies the Link Backup pair. Enter a name to identify the Backup pair. Possible values: Alphanumeric ASCII character string with 0..255 characters RM GUI RSP Release 8.1 12/2019 333 Switching [ Switching > L2-Redundancy > Link Backup ] Primary port status Displays the status of the primary port for this Link Backup pair. Possible values: forwarding The link is up, no shutdown, and forwarding traffic. blocking The link is up, no shutdown, and blocking traffic. down The port is either link down, cable unplugged, or disabled in software, shutdown. unknown The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device ignores the port pair settings. Backup port status Displays the status of the Backup port for this Link Backup pair. Possible values: forwarding The link is up, no shutdown, and forwarding traffic. blocking The link is up, no shutdown, and blocking traffic. down The port is either link down, cable unplugged, or disabled in the software, shutdown. unknown The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device ignores the port pair settings. Fail back Activates/deactivates the automatic fail back. Possible values: marked (default setting) The automatic fail back is active. After the delay timer expires, the backup port changes to blocking and the primary port changes to forwarding. unmarked The automatic fail back is inactive. The backup port continues forwarding traffic even after the primary port re-establishes a link or you manually change the admin status of the primary port from shutdown to no shutdown. Fail back delay [s] Specifies the delay time in seconds that the device waits after the primary port re-establishes a link. Furthermore, this timer also applies when you manually set the admin status of the primary port from shutdown to no shutdown. After the delay timer expires, the backup port changes to blocking and the primary port changes to forwarding. 334 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet ] Possible values: 0..3600 (default setting: 30) When set to 0, immediately after the primary port re-establishes a link, the backup port changes to blocking and the primary port changes to forwarding. Furthermore, immediately after you manually set the admin status of from shutdown to no shutdown, the backup port changes to blocking and the primary port changes to forwarding. Active Activates/deactivates the Link Back up pair configuration. Possible values: marked The Link Backup pair is active. The device senses the link and administration status and forwards traffic according to the pair configuration. unmarked (default setting) The Link Backup pair is inactive. The ports forward traffic according to standard switching. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Create Primary port Specifies the primary port of the backup interface pair. During normal operation this port is responsible for forwarding the traffic. Possible values: Physical ports Backup port Specifies the backup port to which the device transfers the traffic to if the device detects an error on the primary port. Possible values: Physical ports except for the port you set as the primary port. 5.9.9 FuseNet [ Switching > L2-Redundancy > FuseNet ] The FuseNet protocols let you couple rings that are operating with one of the following redundancy protocols: MRP Fast MRP (depends on hardware) RM GUI RSP Release 8.1 12/2019 335 Switching [ Switching > L2-Redundancy > FuseNet ] HIPER Ring DLR (depends on hardware) RSTP Note: If you use the Ring/Network Coupling protocol to couple networks, then verify that the networks only contain Hirschmann devices. Use the following table to select the FuseNet coupling protocol to be used in your network: Main Ring Connected Network MRP RSTP HIPER Ring Fast MRP 2) DLR 2) MRP Sub Ring1) Redundant Coupling Protocol Ring/Network Coupling Redundant Coupling Protocol Ring/Network Coupling Ring/Network Coupling Redundant Coupling Protocol Ring/Network Coupling Fast MRP 2) Sub Ring1) Redundant Coupling Protocol Ring/Network Coupling Redundant Coupling Protocol Ring/Network Coupling Ring/Network Coupling Ring/Network Coupling HIPER Ring Sub Ring Redundant Coupling Protocol Ring/Network Coupling Ring/Network Coupling Redundant Coupling Protocol Ring/Network Coupling Redundant Coupling Protocol Ring/Network Coupling DLR 2) Sub Ring Redundant Coupling Protocol Redundant Coupling Protocol Redundant Coupling Protocol – – RSTP Redundant Coupling Protocol – Redundant Coupling Protocol Redundant Coupling Protocol Redundant Coupling Protocol Explanation: – no suitable coupling protocol 1) with MRP configured on different VLANs 2) depending on the device configuration The menu contains the following dialogs: Sub Ring Ring/Network Coupling Redundant Coupling Protocol 336 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Sub Ring ] 5.9.9.1 Sub Ring [ Switching > L2-Redundancy > FuseNet > Sub Ring ] This dialog lets you set up the device as a subring manager. The Sub Ring function enables you to easily couple network segments to existing redundancy rings. The subring manager (SRM) couples a subring to an existing ring (base ring). In the subring you can use any devices that support MRP as ring participants. These devices do not require a subring manager function. When setting up subrings, remember the following rules: The device supports Link Aggregation in the subring No spanning tree on subring ports Same MRP domain on devices within a subring Different VLANs for base ring and subring Specify the VLAN settings as follows: VLAN X for base ring – on the ring ports of the base ring participants – on the base ring ports of the subring manager VLAN Y for subring – on the ring ports of the subring participants – on the subring ports of the subring manager Note: To help avoid loops, only close the redundant line when the settings are specified in every device participating in the ring. Operation Operation Enables/disables the Sub Ring function. Possible values: On The Sub Ring function is enabled. Off (default setting) The Sub Ring function is disabled. Information Table entries (max.) Displays the maximum number of subrings supported by the device. RM GUI RSP Release 8.1 12/2019 337 Switching [ Switching > L2-Redundancy > FuseNet > Sub Ring ] Table Sub ring ID Displays the unique identifier of this subring. Possible values: 1..8 Name Specifies the optional name of the subring. Possible values: Alphanumeric ASCII character string with 0..255 characters Active Activates/deactivates the subring. Activate the subring when the configuration of every subring device is complete. Close the subring only after activating the Sub Ring function. Possible values: marked The subring is active. unmarked (default setting) The subring is inactive. Configuration status Displays the operational state of the subring configuration. Possible values: noError The device detects an acceptable subring configuration. ringPortLinkError – The ring port has no link. – One of the subring lines is connected to one more port of the device. But the subring line is not connected to one of the ring ports of the device. multipleSRM The subring manager receives packets from more than one subring manager in the subring. noPartnerManager The subring manager receives its own frames. concurrentVLAN The MRP protocol in the base ring uses the VLAN of the subring manager domain. concurrentPort One more redundancy protocol uses the ring port of the subring manager domain. concurrentRedundancy The subring manager domain is inactive because of one more active redundancy protocol. 338 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Sub Ring ] trunkMember The ring port of the subring manager domain is member of a Link Aggregation connection. sharedVLAN The subring manager domain is inactive because shared VLAN is active and the main ring also uses the MRP protocol. Redundancy available Displays the operational state of the ring redundancy in the subring. Possible values: redGuaranteed Redundancy reserve is available. redNotGuaranteed Loss of redundancy reserve. Port Specifies the port that connects the device to the subring. Possible values: <Port number> SRM mode Specifies the mode of the subring manager. A subring has 2 managers simultaneously that couple the subring to the base ring. As long as the subring is physically closed, 1 manager blocks its subring port. Possible values: manager (default setting) The subring port forwards data packets. When this value is set on both devices that couple the subring to the base ring, the device with the higher MAC address functions as the redundantManager. redundantManager The subring port is blocked while the subring is physically closed. If the subring is interrupted, then the subring port transmits the data packets. When this value is set on both devices that couple the subring to the base ring, the device with the higher MAC address functions as the redundantManager. singleManager Use this value when the subring is coupled to the base ring via one single device. The prerequisite is that there are 2 instances of the subring in the table. Assign this value to both instances. The subring port of the instance with the higher port number is blocked while the subring is physically closed. SRM status Displays the current mode of the subring manager. RM GUI RSP Release 8.1 12/2019 339 Switching [ Switching > L2-Redundancy > FuseNet > Sub Ring ] Possible values: manager The subring port forwards data packets. redundantManager The subring port is blocked while the subring is physically closed. If the subring is interrupted, then the subring port transmits the data packets. singleManager The subring is coupled to the base ring via one single device. The subring port of the instance with the higher port number is blocked while the subring is physically closed. disabled The subring is inactive. Port status Displays the connection status of the subring port. Possible values: forwarding The port is passing frames according to the forwarding behavior of IEEE 802.1D. disabled The port is dropping every frame. blocked The port is dropping every frame with the exception of the following cases: – The port passes frames used by the selected ring protocol specified to pass blocked ports. – The port passes frames from other protocols specified to pass blocked ports. not-connected The port link is down. VLAN Specifies the VLAN to which this subring is assigned. If no VLAN exists under the VLAN ID entered, then the device automatically creates it. Possible values: Available configured VLANs (default setting: 0) If you do not want to use a separate VLAN for this subring, then you leave the entry as 0. Partner MAC Displays the MAC address of the subring manager at the other end of the subring. MRP domain Specifies the MRP domain of the subring manager. Assign the same MRP domain name to every member of a subring. If you only use Hirschmann devices, then you use the default value for the MRP domain; otherwise adjust this value if necessary. With multiple subrings, the function lets you use the same MRP domain name for the subrings. Possible values: Permitted MRP domain names (default setting: 255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255) Protocol Specifies the protocol. 340 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Sub Ring ] Possible values: iec-62439-mrp Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 341 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] 5.9.9.2 Ring/Network Coupling [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] You use the Ring/Network Coupling function to redundantly couple an existing HIPER ring, MRP ring, or Fast HIPER ring to another network or another ring. Verify that the coupling partners are Hirschmann devices. Note: With two-switch coupling, verify that you have configured a HIPER ring, MRP ring, or Fast HIPER ring before configuring the Ring/Network Coupling function. In the Ring/Network Coupling dialog, you can perform the following tasks: display an overview of the existing Ring/Network Coupling configure a Ring/Network Coupling create a new Ring/Network Coupling delete Ring/Network Coupling enable/disable Ring/Network Coupling When configuring the coupling ports, specify the following settings in the Basic Settings > Port dialog: Port type Bit rate Automatic configuration Port on Manual configuration TX 100 Mbit/s TX Optical Optical 1 Gbit/s 100 Mbit/s 1 Gbit/s unmarked – unmarked – marked marked marked marked 100 Mbit/s FDX – 100 Mbit/s FDX – Note: The operating modes of the port actually available depend on the device configuration. If you configured VLANs, then note the VLAN configuration of the coupling and partner coupling ports. In the Ring/Network Coupling configuration, select the following values for the coupling and partner coupling ports: VLAN ID 1 and Ingress filtering disabled in the port table VLAN membership T in the VLAN Configuration table Independently of the VLAN settings, the device sends the ring coupling frames with VLAN ID 1 and priority 7. Verify that the device sends VLAN 1 frames tagged in the local ring and in the connected network. Tagging the VLAN frames maintains the priority of the ring coupling frames. The Ring/Network Coupling function operates with test packets. The devices send their test packets VLAN-tagged, including the VLAN ID 1 and the highest VLAN priority 7. If the forwarding port is an untagged member in VLAN 1, then the device also sends test packets. Operation Operation Enables/disables the Ring/Network Coupling function. 342 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] Possible values: On The Ring/Network Coupling function is enabled. Off (default setting) The Ring/Network Coupling function is disabled. Mode Type Specifies the method used to couple the networks together. Possible values: one-switch coupling Lets you specify the port settings in the Coupling port and Partner coupling port frames. two-switch coupling, master Lets you specify the port settings in the Coupling port frame. two-switch coupling, slave Lets you specify the port settings in the Coupling port frame. two-switch coupling with control line, master Lets you specify the port settings in the Coupling port and Control port frames. two-switch coupling with control line, slave Lets you specify the port settings in the Coupling port and Control port frames. Coupling port Port Specifies the port to which you connect the redundant link. Possible values: No port selected. <Port number> If you also have configured ring ports, then specify the coupling and ring ports on different ports. To help prevent continuous loops, the device disables the coupling port in the following cases: disabling the function changing the configuration while the connections are operating on the ports When the device has disabled the coupling port, the Port on checkbox is unmarked in the Basic Settings > Port dialog, Configuration tab. State Displays the status of the selected port. RM GUI RSP Release 8.1 12/2019 343 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] Possible values: active The port is active. standby The port is in stand-by mode. not-connected The port is not connected. not-applicable The port is incompatible with the configured control mode. Partner coupling port Port Specifies the port on which you connect the partner port. Possible values: No port selected. <Port number> If you also have configured ring ports, then specify the coupling and ring ports on different ports. State Displays the status of the selected port. Possible values: active The port is active. standby The port is in stand-by mode. not-connected The port is not connected. not-applicable The port is incompatible with the configured control mode. IP address Displays the IP address of the partner, when the devices are connected. The prerequisite is that you select a two-switch coupling method and enable the partner in the network. Control port Port Displays the port on which you connect the control line. 344 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] Possible values: No port selected. <Port number> State Displays the status of the selected port. Possible values: active The port is active. standby The port is in stand-by mode. not-connected The port is not connected. not-applicable The port is incompatible with the configured control mode. Configuration Redundancy mode Enables/disables the device to respond to a failure in the remote ring or network. Possible values: redundant ring/network coupling Either the main line or the redundant line is active. Both lines are not active simultaneously. If the device detects that the link is down between the devices in the connected network, then the standby device keeps the redundant port in the standby mode. extended redundancy The main line and the redundant line are active simultaneously. If the device detects a problem in the connection between the devices in the connected network, then the standby device forwards data on the redundant port. With the setting you can maintain continuity in the remote network. Note: During the reconfiguration period, package duplications can occur. Therefore, if your application is able to detect package duplications, then you can select this setting. Coupling mode The settings in this frame allow you to couple a specific type of network. RM GUI RSP Release 8.1 12/2019 345 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] Possible values: ring coupling The device couples redundant rings. The device lets you couple rings that use the following redundancy protocols: – HIPER ring – Fast HIPER ring – MRP ring network coupling The device couples network segments. The function lets you couple mesh and bus networks together. Information Redundancy available Displays whether or not the redundancy is available. When a component of the ring is down, the redundant line takes over its function. Possible values: redGuaranteed The redundancy is available. redNotGuaranteed The redundancy is unavailable. Configuration failure You have configured the function incorrectly, or there is no ring port connection. Possible values: noError slaveCouplingLinkError The coupling line is not connected to the coupling port of the slave device. Instead, the coupling line is connected to another port of the slave device. slaveControlLinkError The control port of the slave device has no data link. masterControlLinkError The control line is not connected to the control port of the master device. Instead, the control line is connected to another port of the master device. twoSlaves The control line connects two slave devices. localPartnerLinkError The partner coupling line is not connected to the partner coupling port of the slave device. Instead, the partner coupling line is connected to another port of the slave device in one-switch coupling mode. localInvalidCouplingPort In one-switch coupling mode, the coupling line is not connected on the same device as the partner line. Instead, the coupling line is connected to another device. couplingPortNotAvailable The coupling port is not available because the module to which the port refers is not available or the port does not exist on this module. 346 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > Ring/Network Coupling ] controlPortNotAvailable The control port is not available because the module to which the port refers is not available or the port does not exist on this module. partnerPortNotAvailable The partner coupling port is not available because the module to which the port refers is not available or the port does not exist on this module. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Disables the redundancy function and resets the parameters in the dialog to the default setting. RM GUI RSP Release 8.1 12/2019 347 Switching [ Switching > L2-Redundancy > FuseNet > RCP ] 5.9.9.3 Redundant Coupling Protocol [ Switching > L2-Redundancy > FuseNet > RCP ] A ring topology provides short transition times with a minimal use of resources. However, to couple these rings redundantly to a higher-level network is more of a challenge. When you want to use a standard protocol such as MRP for the ring redundancy and RSTP to couple the rings together, the Redundant Coupling Protocol helps provide options for you. Do not use the following redundancy procedures and settings together on the ports of the RCP primary and secondary ring: Sub Ring Ring/Network Coupling Operation Operation Enables/disables the RCP function. Possible values: On The RCP function is enabled. Off (default setting) The RCP function is disabled. Primary ring/network / Secondary ring/network If the device operates as slave (value in the Role field is slave), then do not activate the Static query port mode for the ports on the secondary ring/network. Inner port Specifies the inner port number in the primary ring. The port is directly connected to the partner bridge. Possible values: - (default setting) No port selected. <Port number> Outer port Specifies the outer port number in the primary ring. Possible values: - (default setting) No port selected. <Port number> 348 RM GUI RSP Release 8.1 12/2019 Switching [ Switching > L2-Redundancy > FuseNet > RCP ] Coupler configuration Role Specifies the role of the local device. Possible values: master The device operates as master. slave The device operates as slave. auto (default setting) The device automatically selects its role as master or slave. Current role Displays the current role of the local device. The value can be different from the configured role: If you configured both partner bridges as auto, then the partner bridge that is currently coupling the instances takes the master role. The other partner bridge takes the slave role. If both partner bridges are configured as master or both as slave, then the partner bridge with the smaller Basis MAC address takes the master role. The other partner bridge takes the slave role. If the protocol is started and the partner bridge cannot be found for a bridge in the configured role master, slave or auto, then the bridge sets its own role to listening. If the device detects a configuration problem for example, the inner ring ports are connected crosswise, then the device sets its role to error. Timeout [ms] Specifies the maximum time, in milliseconds, during which the slave device waits for test packets from the master device on the outer ports before the slave device takes over the coupling. This only applies in the state in which both inner ports of the slave device have lost the connection to the master device. Configure the timeout longer than the longest assumable interruption time for the redundancy protocol of the faster instance. Otherwise, loops can occur. Possible values: 5..60000 (default setting: 250 ) Partner MAC address Displays the basic MAC address of the partner device. Partner IP address Displays the IP address of the partner device. Coupling state Displays the coupling state of the local device. RM GUI RSP Release 8.1 12/2019 349 Switching [ Switching > L2-Redundancy > FuseNet > RCP ] Possible values: forwarding The coupling state of the port is forwarding. blocking The coupling state of the port is blocking. Redundancy state Displays whether or not the redundancy is available. For a master-slave configuration, both bridges display this information. Possible values: redAvailable The redundancy is available. redNotAvailable The redundancy is unavailable. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 350 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Global ] 6 Routing The menu contains the following dialogs: Routing Global Routing Interfaces ARP Router Discovery RIP Open Shortest Path First Routing Table Tracking L3 Relay Loopback Interface Multicast Routing L3-Redundancy NAT 6.1 Routing Global [ Routing > Global ] The Routing menu lets you specify the Routing functions settings for transmitting data on Layer 3 of the ISO/OSI layer model. For security reasons, the following functions are permanently disabled in the device: ICMP Redirects ICMP redirect data packets are able to modify the routing table. The device generally ignores received ICMP redirect data packets. The settings in the Routing > Interfaces > Configuration dialog, column ICMP redirects, have an effect only on the sending of ICMP redirect data packets. In accordance with RFC 2644, the device does not exchange any broadcast data packets from external networks in a local network. This behavior supports you in protecting the devices in the local network against overloading, for example due to so-called smurf attacks. This dialog lets you enable the routing function in the device and to specify further settings. Operation Operation Enables/disables the Routing function in the device. Possible values: On The Routing function is enabled. Also activate the routing function on the router interfaces. See the Routing > Interfaces > Configuration dialog. Off (default setting) The Routing function is disabled. RM GUI RSP Release 8.1 12/2019 351 Routing [ Routing > Global ] Routing profile In the Routing profile frame, you have the option of selecting a routing profile containing specific router settings. Next routing profile Specifies the routing profile that the device loads and applies upon the next restart. A routing profile contains association settings for the internal resources (unicast routes, multicast routes, next-hop table / ARP table). By selecting a preset routing profile you have the option of operating the router with settings especially adapted to your intended use. Possible values: default Sets the preset value for the device. ipv4RoutingDefault (default setting) ipv4RoutingUnicast When you position the mouse pointer over one of the values, a bubble help displays the association settings used in the routing profile. Current routing profile Displays the routing profile that the device loaded during the last restart and is currently applied. ICMP filter In the ICMP filter frame, you have the option of limiting the transmission of ICMP messages on the set up router interfaces. A limitation is meaningful for several reasons: • A large number of “ICMP Error” messages influences the router performance and reduces the available network bandwidth. • Malicious senders use “ICMP Redirect” messages to perform man-in-the-middle attacks or to divert data packets through “black hole” for the purpose of supervision or denial-of-service (DoS). • “ICMP Echo Reply” messages are ping responses which can be misused to discover vulnerable devices and routers in the network. Send echo reply Activates/deactivates the responding to pings on the router interfaces. Possible values: marked (default setting) Responding to pings is active. The device reacts to received “IPv4 Echo Requests” and responds with an “ICMP Echo Reply” message. unmarked Responding to pings is inactive. Send redirects Activates/deactivates the sending of “ICMP Redirect” messages on the router interfaces. 352 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Global ] Possible values: marked (default setting) The sending of “ICMP Redirect” messages is active. In the Routing > Interfaces > Configuration dialog, you have the option of individually activating the sending on every router interface. See the ICMP redirects function. unmarked The sending of “ICMP Redirect” messages is inactive. This setting helps prevent the multiplication of data packets, if both hardware and software functions of the device forward a copy of the same data packet. Rate limit interval [ms] Specifies the time window in milliseconds in which the device sends the number of “ICMP error message” type data packets specified in the Rate limit burst size field. Possible values: 0..2147483647 (default setting: 1000) Rate limit burst size Specifies the number of “ICMP Error” messages that the device sends in the time window specified in the Rate limit interval [ms] field. The limitation contains every “ICMP Error” message on the router interfaces that are set up. Possible values: 1..200 (default setting: 100) The device lets you specify the limitation for a time window of any size desired. In the default setting, the device sends 100 data packets per 1000 ms. You obtain the same result but with a finer granularity using the following settings: • Rate limit interval [ms]=100 Rate limit burst size=10 or • Rate limit interval [ms]=10 Rate limit burst size=1 Configuration File transfer source interface Specifies the interface whose IP address the device uses as source IP address for the following file transfers: • FTP • SCP • SFTP • TFTP Possible values: none (default setting) <Port number> RM GUI RSP Release 8.1 12/2019 353 Routing [ Routing > Interfaces ] Source routing Activates/deactivates the Source routing function. The Source routing function lets the sender of a data packet determine its route through the network. This can lead to an unavoidable security issue. If a sniffer inserts its IP address into the data packets, then he can redirect the data packets to his host. Possible values: marked The Source routing function is active. The device forwards packets which contain Source routing information. If the device is the receiver specified in a packet, the device accepts the packet. unmarked (default setting) The Source routing function is inactive. The device neither forwards nor accepts packets which contain Source routing information. Information Default TTL Displays the fixed TTL value 64 which the device adds to IP packets that the device management sends. TTL (Time To Live, also known as “Hop Count”) identifies the maximum number of steps an IP packet is allowed to perform on the way from the sender to the receiver. Every router on the transmission path reduces the value in the IP packet by 1. If a router receives a data packet with the TTL value 1, then the router discards the IP packet. The router reports to the source that it has discarded the IP packet. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 6.2 Routing Interfaces [ Routing > Interfaces ] This menu lets you specify the settings for the router interfaces. The menu contains the following dialogs: Routing Interfaces Configuration 354 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Interfaces > Configuration ] 6.2.1 Routing Interfaces Configuration [ Routing > Interfaces > Configuration ] This dialog lets you specify the settings for the router interfaces. To set up a port-based router interface, edit the table entries. To set up a VLAN-based router interface, use the Wizard window. Table Port Displays the number of the port or VLAN belonging to the router interface. Name Name of the port. Possible values: Alphanumeric ASCII character string with 0..64 characters The following characters are allowed: – <space> – 0..9 – a..z – A..Z – !#$%&'()*+,-./:;<=>?@[\\]^_`{}~ Port on Activates/deactivates the port. Possible values: marked (default setting) The port is active. unmarked The port is inactive. The port does not send or receive any data. Port status Displays the operating state of the port. Possible values: marked The port is enabled. unmarked The port is disabled. IP address Specifies the IP address for the router interface. RM GUI RSP Release 8.1 12/2019 355 Routing [ Routing > Interfaces > Configuration ] Possible values: Valid IPv4 address (default setting: 0.0.0.0) Verify that the IP subnet of the router interface is not overlapping with any subnet connected to another interface of the device: • management port • router interface • loopback interface Netmask Specifies the netmask for the router interface. Possible values: Valid IPv4 netmask (default setting: 0.0.0.0) Routing Activates/deactivates the Routing function on the router interface. Possible values: marked The Routing function is active. – With port-based routing, the device transforms the port into a router interface. Enabling the Routing function removes the port from the VLANs in which it was previously a member. Disabling the Routing function does NOT reestablish the assignment; the port is not a member of any VLAN. – With VLAN-based routing, the device forwards the data packets in the related VLAN. unmarked (default setting) The Routing function is inactive. With VLAN-based routing, the device is still reachable through the router interface if the IP address and netmask have been configured for the router interface. Proxy ARP Activates/deactivates the Proxy ARP function on the router interface. This feature lets you connect devices from other networks as if these devices could be reached in the same network. Possible values: marked The Proxy ARP function is active. The device responds to ARP requests from end devices that are located in other networks. unmarked (default setting) The Proxy ARP function is inactive. Netdirected broadcasts Activates/deactivates the forwarding of netdirected broadcasts to the connected subnet on the router interface. 356 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Interfaces > Configuration ] Possible values: marked Forwarding is active. The router interface forwards netdirected broadcasts to the connected subnet. If the subnet has a direct connection to the Internet, then this setting increases the vulnerability to Denial of Service (DoS) attacks. unmarked (default setting) Forwarding is inactive. MTU value Specifies the maximum allowed size of IP packets on the router interface in bytes. Possible values: 0 Restores the default value (1500). 68..12266 (default setting: 1500) The prerequisite is that on the ports belonging to the router interface you specify the maximum allowed size of Ethernet packets at least 18 bytes larger than specified here. See the Basic Settings > Port dialog, MTU column. ICMP unreachables Activates/deactivates the sending of “ICMP Destination Unreachable” messages on the router interface. Possible values: marked (default setting) The router interface sends “ICMP Destination Unreachable” messages. unmarked The router interface does not send “ICMP Destination Unreachable” messages. ICMP redirects Activates/deactivates the sending of “ICMP Redirect” messages on the router interface. Possible values: marked (default setting) The router interface sends “ICMP Redirect” messages. The prerequisite is that you activate the Send redirects function in the device. See the Routing > Global dialog. unmarked The router interface does not send “ICMP Redirect” messages. RM GUI RSP Release 8.1 12/2019 357 Routing [ Routing > Interfaces > Configuration ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the VLAN ID field, you specify the ID of the VLAN. [Configure VLAN router interface (Wizard)] This Wizard window lets you set up a VLAN-based router interface. To set up a router interface from a VLAN already set up, highlight a VLAN in the table. To set up a router interface from a new VLAN, specify at the bottom of the VLAN ID field the ID of the new VLAN. After closing the Wizard window, click the button to save your settings. [Configure VLAN router interface (Wizard) – Create or select VLAN] Table VLAN ID Displays the ID of the VLANs set up in the device. Name Displays the name of the VLANs set up in the device. Area under the table VLAN ID Specifies the ID of a VLAN that the Wizard window specifies for you. Possible values: 1..4042 358 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Interfaces > Configuration ] [Configure VLAN router interface (Wizard) – Setup VLAN] Area above the table VLAN ID Displays the ID of the VLAN that you have marked or specified on the Create or select VLAN page. Name Specifies the name of the VLAN. Possible values: Alphanumeric ASCII character string with 1..32 characters (0x20..0x7E) including space characters This setting overwrites the setting specified for the port in the Switching > VLAN > Configuration dialog. Table Port Displays the port number. Member Activates/deactivates the VLAN membership of the port. As a VLAN member the port belongs to router interface to be set up. This setting overwrites the setting for the port specified in the Switching > VLAN > Configuration dialog. Possible values: marked The port is a member of the VLAN. unmarked The port is not a member of the VLAN. Untagged Activates/deactivates the transmission of data packets with a VLAN tag on the port. This setting overwrites the setting for the port specified in the Switching > VLAN > Configuration dialog. Possible values: marked The port transmits the data packets without a VLAN tag. Use this setting if the connected device does not evaluate any VLAN tags, for example on end ports. unmarked The port transmits the data packets with a VLAN tag. RM GUI RSP Release 8.1 12/2019 359 Routing [ Routing > ARP ] Port-VLAN ID Specifies the ID of the VLAN which the devices assigns to data packets without a VLAN tag. This setting overwrites the setting for the port specified in the Switching > VLAN > Port dialog, column PortVLAN ID. Possible values: ID of a VLAN you set up (default setting: 1) [Configure VLAN router interface (Wizard) – Setup virtual router port] When you assign ports to the router interface that already transmit data packets in other VLANs, the device displays a message upon closing the Wizard window: If you click the Yes button, then the related ports transmit the data packets from now on only in the router VLAN. In the Switching > VLAN > Configuration dialog, the related ports in the row of the router VLAN have the value U or T, in the rows of other VLANs the value –. If you click the No button, then the related ports transmit the data packets in the router VLAN and in other VLANs. This setting possibly causes undesired behavior. Primary address Address Specifies the primary IP address for the router interface. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Netmask Specifies the primary netmask for the router interface. Possible values: Valid IPv4 netmask (default setting: 0.0.0.0) 6.3 ARP [ Routing > ARP ] The Address Resolution Protocol (ARP) learns the MAC address that belongs to an IP address. The menu contains the following dialogs: ARP Global ARP Current ARP Static 360 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > ARP > Global ] 6.3.1 ARP Global [ Routing > ARP > Global ] This dialog lets you set the ARP parameters and view statistical values. Configuration Aging time [s] Specifies the time in seconds, after which the device removes an entry from the ARP table. When there is data exchange with the associated device within this time period, the time measuring begins from the start again. Possible values: 15..21600 (default setting: 1200) Response timeout [s] Specifies the time in seconds, that the device waits for a response before the query is seen as a failure. Possible values: 1..10 (default setting: 1) Retries Specifies how many times the device repeats a failed query before it discards the query to this address. Possible values: 0..10 (default setting: 4) Dynamic renew Activates/deactivates the query to a device if the aging time is exceeded. Possible values: marked The query is activated. The device sends a new query to a device when its entry has exceeded the aging time. When the query remains unanswered, the device removes the entry from the ARP table. unmarked (default setting) The query is deactivated. Selective learning Activates or deactivates the learning of the IP/MAC address assignment of the sender. RM GUI RSP Release 8.1 12/2019 361 Routing [ Routing > ARP > Global ] Possible values: marked (default setting) Learning is activated. The device learns the IP/MAC address assignment of transmitting equipment only if the ARP query was addressed to the address of the device itself. unmarked Learning is deactivated. The device learns the IP/MAC address assignment of transmitting devices by evaluating the received ARP queries. This does away with time-consuming ARP queries before the device forwards data packets to unknown devices. On the other hand, the device is vulnerable to “ARP cache poisoning” and also learns unnecessary ARP entries, such as from devices that communicate only in the local network. Information Current entries total Displays the number of entries that the ARP table currently contains. Entries (max.) Displays how many entries the ARP table can contain at a maximum. Total entry peaks Displays how many entries the ARP table has already contained at a maximum. When you reset the ARP table, the counter is reset to the value 0. See the Reset ARP table button in the Routing > ARP > Current dialog. Current static entries Displays the number of statically configured entries the ARP table currently contains. See the Routing > ARP > Static dialog. Static entries (max.) Displays the number of statically configured entries the ARP table can contain at a maximum. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 362 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > ARP > Current ] 6.3.2 ARP Current [ Routing > ARP > Current ] This dialog lets you view the ARP table and delete the dynamically configured entries. Table Port Displays the router interface on which the device has learned the IP/MAC address assignment. IP address Displays the IP address of the device that responded to an ARP query on this router interface. MAC address Displays the MAC address of the device that responded to an ARP query on this router interface. Last updated Displays the time in seconds since the current settings of the entry were registered in the ARP table. Type Displays the way in which the ARP entry was set up. Possible values: dynamic Dynamically configured entry. When no traffic with the associated device takes place by the end of the aging time, the device removes this entry from the ARP table. You specify the aging time in the Routing > ARP > Global dialog, field Aging time [s]. static Statically configured entry. When you remove the dynamically configured addresses from the ARP table using the Reset ARP table button, the entry remains. local Identifies the IP/MAC address assignment of the router interface. invalid Invalid entry. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset ARP table Removes the dynamically set up addresses from the ARP table. RM GUI RSP Release 8.1 12/2019 363 Routing [ Routing > ARP > Static ] 6.3.3 ARP Static [ Routing > ARP > Static ] This dialog lets you add to the ARP table IP/MAC address assignments that you have specified yourself. Table IP address Displays the IP address that the device assigns to the adjacent MAC address. MAC address Displays the MAC address that the device assigns to the adjacent IP address. Port Displays the router interface to which the device applies the IP/MAC address assignment. Possible values: <Router interface> The device applies the IP/MAC address assignment to this router interface. no port The IP/MAC address assignment is currently not assigned to a router interface. Active Displays whether the IP/MAC address assignment is active or inactive. Possible values: marked The IP/MAC address assignment is active. The ARP table of the device contains the IP/MAC address assignment as a static entry. unmarked (default setting) The IP/MAC address assignment is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the IP address field, you specify the IP address that the device assigns to the adjacent MAC address. 364 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Router Discovery ] [ARP (Wizard)] The Wizard window lets you add to the ARP table IP/MAC address assignments that you have specified yourself. The prerequisite is that at least one router interface is set up. [ARP (Wizard) – Edit ARP table ] In the fields under the table, specify the IP address and the associated MAC address. To insert the IP/MAC address assignment into the table on the top, click the Add button. After closing the Wizard window, specify in the Port column the router interface. Then enable in the Active column the IP/MAC address assignment. After closing the Wizard window, click the button to save your settings. Table IP address Specifies the IP address. Possible values: Valid IPv4 address MAC address Specifies the MAC address. Possible values: Valid MAC address 6.4 Router Discovery [ Routing > Router Discovery ] The ICMP Router Discovery Protocol (IRDP), described in RFC 1256, lets end devices determine the addresses of the routers available in a subnet. The router sends advertisements to identify itself as a router to the end devices. End devices that support IRDP update their routing table after receiving an advertisement. If a standard gateway was previously entered, then the address learned with the advertisement has a lower priority in the routing table. RM GUI RSP Release 8.1 12/2019 365 Routing [ Routing > Router Discovery ] Table Port Displays the router interface to which the setting applies. Advertise mode Activates/deactivates the router discovery function on the router interface. Possible values: marked The router discovery function is active. The device sends advertisements on the router interface. unmarked (default setting) The router discovery function is inactive. Advertise address Specifies the destination to which the device sends advertisements. Possible values: Broadcast The device sends advertisements to the broadcast address 255.255.255.255. Multicast (default setting) The device sends advertisements to the multicast address 224.0.0.1. Min. advertisement interval [s] Specifies the minimum period in seconds after which the device sends another advertisement. Possible values: 3..1800 (default setting: 450) Max. advertisement interval [s] Specifies the maximum period in seconds after which the device sends another advertisement. The prerequisite is that the value is greater than or equal to the value specified in the Min. advertisement interval [s] column. Possible values: 4..1800 (default setting: 600) Advertisement lifetime [s] Specifies the validity period for the advertisements in seconds. The prerequisite is that the value is greater than or equal to the value specified in the Max. advertisement interval [s] column. Possible values: 4..9000 (default setting: 1800) Preference level Specifies the key figure that an end device uses to decide which gateway to the destination network to use when multiple routers in the subnet identify themselves through IRDP. 366 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Router Discovery ] Possible values: 0..2147483647 (default setting: 0) The higher the specified value, the greater the probability that an end device will use the device as a gateway. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 367 Routing [ Routing > RIP ] 6.5 RIP [ Routing > RIP ] The Routing Information Protocol (RIP) as specified in RFC 2453 is a routing protocol based on the distance vector algorithm using a hop count as the metric to determine the path from source to destination. You use RIP for the dynamic creation of the routing table. RIP uses 2 types of packets to communicate with its neighbor, request packets and response packets. When you first start RIP, the router transmits a request packet out of the RIP enabled interfaces. Routers on which RIP is active transmit response packets back to the request originator. The response packets contain the routing table of each router. The routes transmitted in the response packets include the network address and metric. RIP uses routing by rumor to update the routing tables. Routing by rumor means that the router only exchanges routing information with its neighbors. The dialog contains the following tabs: [Configuration] [Route redistribution] [Statistics] [Configuration] In this tab, you enter both general settings and settings for each port for the routing information protocol. Operation Operation Enables/disables the RIP function on this router. Possible values: On The RIP function is enabled. Off (default setting) The RIP function is disabled. Configuration Auto-summary mode Activates/deactivates the auto summary mode. 368 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > RIP ] Possible values: marked (default setting) The device combines or summarizes, routes advertised by a RIP router whenever possible into aggregates. Summarizing the routes reduces the amount of routing information in the routing table. unmarked The function is inactive. Host routes accept mode Activates/deactivates the host routes accept mode. When you activate the function, RIP lets you specify the host routes. Possible values: marked (default setting) The device enters (learns) the host routes with a 32-bit netmask advertised to this RIP router into its routing table. unmarked The function is inactive. Advertise default route Activates/deactivates the propagation of the default routes learned from other protocols. Possible values: marked The device advertises the default routes learned from other protocols to its neighbors. unmarked (default setting) The function is inactive. Split horizon Activates/deactivates the split horizon mode. You use the split horizon mode to help avoid the count-to-infinity issue. Possible values: none Disables split horizon. simple (default setting) Simple split horizon omits the entries known by a neighbor when sending the routing table to this neighbor. poisonReverse The Poison Reverse split horizon sends the routing table to a neighbor with the entries known by this neighbor, but denotes these entries with the infinity metric. Default metric Specifies the default metric of redistributed routes. Possible values: 0 (default setting) No default metric. RIP propagates the route with metric 1. 1..15 RM GUI RSP Release 8.1 12/2019 369 Routing [ Routing > RIP ] Update interval [s] Specifies the time interval at which the router transfers the entire content of the routing table to the RIP neighbors. The router sets other RIP timers accordingly: • Timeout 6 x update interval • Garbage Collection 10 x update interval Possible values: 0..1000 (default setting: 30) Values below 10 seconds cause an increased network load in larger networks. Preference Specifies the "administrative distance" of the route. The device uses this value instead of the metric, when the metric of the routes is incomparable. Possible values: 1..254 (default setting: 120) In routing decisions, the device gives preference to the route with the smallest value. 255 In routing decisions, the device ignores the route. Table Port Displays the router interface number. Active Activates/deactivates RIP on this router interface. Send version Specifies the RIP version that the router uses on this router interface to send RIP information. Possible values: doNotSend RIP does not send any routing information. ripVersion1 RIP sends information with version 1 as a broadcast. rip1Compatible RIP sends information with version 2 as a broadcast. ripVersion2 (default setting) RIP sends information with version 2 as a multicast. 370 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > RIP ] Receive version Specifies the RIP version that the device accepts on the receiver side. Possible values: rip1 RIP accepts RIP V1 packets. rip2 RIP accepts RIP V2 packets. rip1OrRip2 (default setting) RIP accepts RIP V1 and V2 packets. doNotRecieve The device rejects RIP information. Authentication Specifies the type of authentication used on this interface. Possible values: noAuthentication (default setting) The routers exchange RIP information without authentication. simplePassword The routers exchange RIP information with plain text password authentication. MD5 The routers exchange RIP information with password authentication, whereby the devices transfer the password with md5 encryption. Key Specifies the password for authentication. For communication purposes, the port on the other end requires the same authentication settings. The prerequisite is that, in the Authentication column, you specify the value simplePassword or MD5. Possible values: 0..16 (octets in a string) If you supply a string shorter than 16 octets, then RIP left-justifies and pads the string, on the right with nulls (0x00), to 16 octets. Key identifier Specifies the password identification number for authentication. For communication purposes, the port at the other end requires the same key ID. The prerequisite for changing the value is that, in the Authentication column, you specify the value MD5. Possible values: 0..255 Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 371 Routing [ Routing > RIP ] [Route redistribution] Route distribution describes how RIP propagates routes that RIP transferred from other protocols to other RIP routers. Table Source Displays the source from which RIP takes over routing information: Possible values: connected The route points to networks of local router interfaces where RIP is not enabled. static The route is in the static routing table. ospf The route is from OSPF. Active Activates/deactivates route-redistribution for a particular source protocol. Possible values: marked The router redistributes routes received with this protocol. unmarked (default setting) The device blocks redistribution. Metric Specifies the metric that RIP assigns to the routes from the source. Possible values: 0 (default setting) RIP uses the value specified in the Default metric field. 1..15 Match internal Enables/disables the router to process internal OSPF routes. Possible values: Enabled (default setting) RIP adopts OSPF Intra and OSPF Inter routes. Disabled RIP rejects OSPF Intra and OSPF Inter routes. Match external 1 Enables/disables the router to process external OSPF routes of metric type 1. 372 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > RIP ] Possible values: Enabled RIP adopts OSPF Ext T1 routes. Disabled (default setting) RIP rejects OSPF Ext T1 routes. Match external 2 Enables/disables the router to process external OSPF routes of metric type 2. Possible values: Enabled RIP adopts OSPF Ext T2 routes. Disabled (default setting) RIP rejects OSPF Ext T2 Inter routes. Match NSSAExternal 1 Enables/disables the router to process external OSPF routes of metric type 1. Possible values: Enabled RIP adopts OSPF Intra and OSPF Inter routes. Disabled (default setting) RIP rejects OSPF Intra and OSPF Inter routes. Match NSSAExternal 2 Enables/disables the router to process external OSPF routes of metric type 2. Possible values: Enabled RIP adopts NSSA (Not so Stubby Area) routes. Disabled (default setting) RIP rejects NSSA (Not so Stubby Area) routes. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 373 Routing [ Routing > OSPF ] [Statistics] The RIP statistics tab displays counters that count events relevant to routing. Information Global route changes Displays the number of route changes to the IP Route Database by RIP in the routing table Global queries Displays the number of responses sent to queries from other systems. Table Port Displays the port number. Receive bad packets Displays the number of received routing data packets that the router rejected for various reasons, such as different protocol version, or unknown command type. Receive bad routes Displays the number of routing information messages received, which the router ignored because the input format was invalid. Sent updates Displays the number of routing tables sent with changed routing entries. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 6.6 Open Shortest Path First [ Routing > OSPF ] Open Shortest Path First (OSPF) version 2, is a routing protocol described in RFC 2328, which is applicable to networks with many routers. 374 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF ] In contrast to the hop count based distance-vector routing protocols such as RIP, OSPF provides a link state algorithm. OSPF bases its link state algorithm on link cost meaning that the criteria for the routing decisions are the path costs instead of hop counts. The path cost is calculated as (100 Mbit/s) / (bandwidth in Mbit/s). OSPF also supports Variable Length Subnet Masking (VLSM) or Classless Inter-Domain Routing (CIDR) networks. OSPF convergence of the entire network is slow. However, after implementation the protocol is quick in reacting to topology changes. The convergence time for OSPF is 5 to 15 seconds, depending on the size of the network. OSPF supports networks grouped to "Areas" and thus reduces the administrative effort when maintaining the overall network (OSPF domain). The routers participating in the network know and only manage their own "Area" by flooding Link State Advertisements (LSAs) into the area. Using the LSAs each router builds its own topology database. The Area Border Routers (ABR) flood LSAs in an "Area" informing the local networks about destinations in other areas within the OSPF domain. The Designated Routers (DR) transmit LSAs informing about destinations in other areas. With Hello packets, neighboring routers periodically identify themselves and signal their availability. If a router misses the Hello packets of another router, then after the expiration of the dead-interval timer, the router considers this router as unreachable. The device lets you use the md5 algorithm for data transmission. If you use the md5 mode, then specify the same values in the devices in the same area. Specify the area relevant values connected to the ABRs and ASBRs. OSPF divides routers into the following roles: Designated Router (DR) Backup Designated Router (BDR) Area Border Router (ABR) Autonomous System Boundary Router (ASBR) The menu contains the following dialogs: OSPF Global OSPF Areas OSPF Stub Areas OSPF Not So Stubby Areas OSPF Interfaces OSPF Virtual Links OSPF Ranges OSPF Diagnostics RM GUI RSP Release 8.1 12/2019 375 Routing [ Routing > OSPF > Global ] 6.6.1 OSPF Global [ Routing > OSPF > Global ] This dialog lets you specify the basic OSPF settings. The menu contains the following dialogs: [General] [Configuration] [Redistribution] [General] This tab lets you enable OSPF in the device and to specify network parameters. Operation Operation Enables/disables the OSPF function in the device. Possible values: On The OSPF function is enabled. Off (default setting) The OSPF function is disabled. Configuration Router ID Specifies the unique identifier for the router in the Autonomous System (AS). It influences the election of the Designated Router (DR) and the Backup Designated Router (BDR). Ideally, you use the IP address of a router interface in the device. Possible values: <IP address of an interface> (default setting: 0.0.0.0) External LSDB limit Specifies the maximum number of entries, non-default AS-external-LSAs, that the device saves in the link state database. When this limit is reached, the router enters the overflow state. Possible values: -1 (default setting) The router continues to save entries until the memory is full. 0..2147483647 The device saves up to the specified number of entries. Specify the same value in the routers on the OSPF backbone and in any regular OSPF area. 376 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Global ] External LSAs Displays the current number of entries, non-default AS-external-LSAs, that the device currently holds in the link state database. Autocost reference bandwidth Specifies a reference for router interface bandwidth calculations, in Mbps. You use this value for metric calculations. Possible values: 1..4294967 (default setting: 100) Paths (max.) Displays the maximum number of ECMP routes that OSPF adds to the routing table when multiple routes exist for a subnet with same path costs, but different next hops. Default metric Specifies the default metric value for OSPF. Possible values: 0 (default setting) OSPF automatically assigns a cost of 20 for routes learned from external sources (static or directly connected). 1..16777214 Send trap Activates/deactivates the sending of SNMP traps when the device detects a OSPF parameter change. Possible values: marked The sending of SNMP traps is active. If the device detects changes in the OSPF parameters, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Shortest path first Delay time [s] Specifies the delay time, in seconds, between when the router receives a topology change and when it starts an SPF calculation. Possible values: 0..65535 (default setting: 5) The value 0 means that the router immediately begins the SPF calculation after receiving the topology change. RM GUI RSP Release 8.1 12/2019 377 Routing [ Routing > OSPF > Global ] Hold time [s] Specifies the minimum time, in seconds, between consecutive SPF calculations. Possible values: 0..65535 (default setting: 10) The value 0 means that after the router completes an SPF calculation it immediately begins the next consecutive SPF calculation. Exit overflow interval [s] Specifies the number of seconds, after entering the overflow state, that a router attempts to leave the overflow state. When the router leaves the overflow state, the router transmits new non-default AS-external-LSAs. Possible values: 0..2147483647 (default setting: 0) The value 0 means that the router remains in the Overflow-State until restarted. Information ASBR status Displays whether the device operates as an Autonomous System Boundary Router (ASBR). Possible values: marked The router is an ASBR. unmarked The router functions in a role other than the role of an ASBR. ABR status Displays whether the device operates as an Area Border Router (ABR). Possible values: marked The router is a ABR. unmarked The router functions in a role other than the role of an ABR. External LSA checksum Displays the link state checksums of the external LSAs contained in the link state database. This value helps to determine when changes occur in a link state database of the router, and to compare the link state database to other routers. New LSA originated Displays the number of new link state advertisements originated on this router. The router increments this number each time it originates a new Link State Advertisement (LSA). 378 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Global ] LSAs received Displays the number of LSAs received that the router determined to be new instances. This number also excludes newer instances of self-originated LSAs. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Configuration] This dialog lets you specify the following settings: the manner in which the device calculates the path costs how OSPF handles default routes the type of route OSPF uses for the path-cost calculation RFC 1583 compatibility The Network Working Group is continually developing the OSPF function improving and adding parameters. This router provides parameters in accordance with RFC 2328. With parameters in this dialog, you make the router compatible with routers developed under RFC 1583. Activating the compatibility function lets you install this device in a network containing routers developed under RFC 1583. RFC 1583 compatibility Enables/disabled the device to be compatible with routers developed under RFC 1583. In order to minimize the chance of routing loops, set this function to the same value on the OSPF enabled routers in an OSPF domain. Possible values: On (default setting) Enable the function when routers are present in the domain without software containing the external path preference functionality described in RFC 2328. Off Disable the function when every router present in the domain has software containing the external path preference functionality described in RFC 2328. Preferences The preferences in this dialog are metrics values which the device uses as a tie breaker between identical routes with different distance types. For example, when a route is inside the local area (intra-area) and the other is outside the local area (inter-area or external). If the metric values are the same for intra, inter and external, then the order of preference is intra, inter then external. OSPF considers routes specified with a preference value of 255 as unreachable. RM GUI RSP Release 8.1 12/2019 379 Routing [ Routing > OSPF > Global ] Preference (intra) Specifies the "administrative distance" between routers within the same area (intra-area OSPF routes). Possible values: 1..255 (default setting: 110) Preference (inter) Specifies the "administrative distance" between routers in different areas (inter-area OSPF routes). Possible values: 1..255 (default setting: 110) Preference (external) Specifies the "administrative distance" between routers external to the areas (external OSPF routes). Possible values: 1..255 (default setting: 110) Default route Advertise Activates/deactivates OSPF advertisements of default routes learned from other protocols. For example, area border routers of stub areas advertise a default route into the stub area through summary link advertisements. When you configure the router as an AS boundary router, it advertises the default route in AS external link advertisements. Possible values: marked The router advertises default routes. unmarked (default setting) The router suppresses advertisements of default routes. Advertise always Displays whether the router constantly advertises 0.0.0.0/0 as the default route. When routers forward an IP packet, the router constantly forwards the packet to the best matching destination address. A default route with a destination address of 0.0.0.0 and a mask of 0.0.0.0 is a match for every IP destination address. Matching every IP destination address lets an AS boundary router operate as a gateway for destinations outside of the AS. Possible values: marked The router constantly advertises 0.0.0.0/0 as the default route. unmarked (default setting) The device uses the settings specified in the Advertise parameter. 380 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Global ] Metric Specifies the metric of the default route, which OSPF advertises when learned from other protocols. Possible values: 0 The device uses the value specified in the Default metric field. 1..16777214 Metric type Displays the metric type of the default route which OSPF advertises when learned from another protocol. Possible values: externalType1 Includes both the external path cost from the ABR to the ASBR that originated the route plus the internal path cost to the ABR that advertised the route in the local area. externalType2 (default setting) Includes only the external path cost. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Redistribution] A router with a disabled OSPF function on a routed interface does not propagate the network of this interface on its other interfaces. Thus, the network cannot be reached. To propagate such networks, enable the Redistribution for "connected" networks. Redistribution is helpful in cases where multiple network administrators manage different departments, or in multi-vendor networks with multiple protocols. OSPF redistribution lets you convert route information such as cost and distance to a destination from other protocols into OSPF. To help prevent routes from double redistribution and thus preventing a possible loop, use the Tag function. This function marks the routes redistributed from other protocols into OSPF. Then on the other routers in the network, create an ACL active to deny the tagged number. To specify exactly which routes the device distributes in OSPF, create ACL permit rules. The number of routes that the device learns through OSPF is limited to the size of the routing table. Table Source Displays the source protocol, from which OSPF redistributes routes. This object also acts as the identifier for the table entry. RM GUI RSP Release 8.1 12/2019 381 Routing [ Routing > OSPF > Global ] Activating a row lets the device redistribute routes from the specific source protocol into OSPF. Possible values: connected The router is directly connected to the route. static A network administrator has specified the route in the router. rip The router has learned the route using the RIP protocol. Active Activates/deactivates route redistribution from the source protocol into OSPF. Possible values: marked Redistribution of routes learned from the source protocol is active. unmarked (default setting) OSPF route redistribution is inactive. Metric Specifies the metric value for routes redistributed from this protocol. Possible values: 0 (default setting) The device uses the value specified in the Default metric field. 1..16777214 Metric type Specifies the route metric type which OSPF redistributes from other source protocols. Possible values: externalType1 This metric type includes both the external path cost from the ABR to the ASBR that originated the route plus the internal path cost to the ABR that advertised the route in the local area. externalType2 (default setting) This metric type is only that of the external path cost. Tag Specifies a tag for routes redistributed into OSPF. When you set a route tag, OSPF assigns the value to every redistributed route from this source protocol. This function is useful when 2 or more border routers connect an autonomous system to an external network. To help prevent double redistribution, specify the same value in every border router when redistributing the same protocol. Possible values: 0..4294967295 (default setting: 0) Subnets Activates/deactivates subnet route redistribution into OSPF. 382 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Global ] OSPF only redistributes classful routes into the OSPF domain. In order to redistribute subnet routes into OSPF activate the subnet parameter. Possible values: marked (default setting) The router redistributes classful and subnet routes into OSPF. unmarked The router redistributes only classful routes into OSPF. ACL group name Specifies the name of the Access Control List created to filter routes received from the specified source protocol. To help prevent double redistribution and eventual loops, create an access list denying redistribution of routes originating in another protocol. Specify the access list ID, then activate the function in the ACL active column. When filtering redistributed routes, the device uses the source address. Possible values: - (default setting) No Access Control List assigned. <Group name> (IPv4) You specify the Access Control Lists in the Network Security > ACL > IPv4 Rule dialog. ACL active Activates/deactivates Access Control List filtering for this source protocol. Possible values: marked The router filters redistribution of routes according to the specified Access Control List. unmarked (default setting) The router ignores Access Control List filtering for this source protocol. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 383 Routing [ Routing > OSPF > Areas ] 6.6.2 OSPF Areas [ Routing > OSPF > Areas ] OSPF supports networks divided into "Areas" and thus reduces the administrative effort when maintaining the network. The routers participating in the network know and only manage their own "Area" by flooding Link State Advertisements (LSAs) into the area. Using the LSAs each router builds its own topology database. The device lets you specify up to a total of 15 OSPF Areas. Table Area ID Displays the area ID. Area type Specifies the import policy of AS external LSAs for the area which determines the Area Type. OSPF import policies apply to external routes only. An external route is a route that is outside the OSPF autonomous system. Possible values: area (default setting) The router imports type 5 AS external LSAs into the area. stub area The router ignores type 5 AS external LSAs. nssa The router translates type 7AS external LSAs into type 5 NSSA summary LSAs and imports them into the area. SPF runs Displays the number of times that the router calculated the intra-area routing table using the link state database of this area. The router uses Dijkstra's algorithm for route calculation. Area border router Displays the total number of ABRs reachable within this area. The number of reachable routers is initially 0. OSPF calculates the number in each SPF Pass. AS boundary router Displays the total number of ASBRs reachable within this area. The number of reachable ASBRs is initially 0. OSPF calculates the number in each SPF Pass. Area LSAs Displays the total number of link state advertisements in the link state database of this area, excluding AS External LSAs. 384 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Areas ] Area LSA checksum Displays the total number of LS checksums contained in the LS database of this area. This sum excludes type 5 external LSAs. You use the sum to determine if there has been a change in an LS database of a router, and to compare the LS database to other routers. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Area ID field you specify the area ID for the new table entry. Possible values: – Octet value displayed like an IPv4 address RM GUI RSP Release 8.1 12/2019 385 Routing [ Routing > OSPF > Stub Areas ] 6.6.3 OSPF Stub Areas [ Routing > OSPF > Stub Areas ] OSPF lets you specify certain areas as stub areas. The Area Border Router (ABR) of a stub area enters the information learned from AS external LSAs in its database without flooding the AS external LSAs across the stub area. The ABR instead sends a summary LSA into the stub area advertising a default route. The default route advertised in the summary LSA pertains only to the particular stub area. When forwarding data to AS external destinations, the routers in a stub area use the default ABR only. Sending a summary LSA containing the default route instead of AS external LSAs reduces the link state database size, and therefore the memory requirements for an internal router of a stub area. The device gives you the following options for creating a Stub Area: Converting an Area to a Stub Area In the Routing > OSPF > Areas dialog, change the value in the Area type column to Stub Area. Creating a new Stub Area In the Routing > OSPF > Areas dialog, create an entry in the table. Change the value in the Area type column to stub area. Table Area ID Displays the area ID for the stub area. Default cost Specifies the external metric value for the metric type. Possible values: 0..16777215 The router sets the default value to equal the lower cost within the area for the metric type. Metric type Specifies the type of metric used for the default route advertised into the area. The border router of a stub area advertises a default route as a network summary LSA. Possible values: OSPF metric (default setting) The ABR advertises the metric as OSPF internal, which is the cost of an intra-area route to the ABR. External type 1 The ABR advertises the metric as External type 1, which is the cost of the OSPF internal metric plus external metric to the ASBR. External type 2 The ABR advertises the metric as External type 2, which is the cost of the external metric to the ASBR. You use this value for NSSAs. Totally stub Activates/deactivates the import of summary LSAs into stub areas. 386 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Stub Areas ] Possible values: marked (default setting) The router does not import area summaries. The stub area relies entirely on the default route. This makes the default route a Totally Stub Area. unmarked The router both summarizes and propagates summary LSAs into the stub area. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 387 Routing [ Routing > OSPF > NSSA ] 6.6.4 OSPF Not So Stubby Areas [ Routing > OSPF > NSSA ] NSSAs are similar to the OSPF stub area. However, NSSAs have the additional capability of importing limited AS external routes. The ABR sends external routes out of the NSSA by converting type 7 AS external LSAs into type 5 AS external LSAs. The ASBR in an NSSA originates type 7 LSAs. The only difference between the type 5 and type 7 LSAs is that the router sets the “N“ bit for NSSAs. Both NSSA neighbors have the "N" bit set. This forms the OSPF neighbor adjacency. Beside the internal data traffic, NSSAs act like transit areas by transport data coming from external sources to other areas within the OSPF domain. The device gives you the following options for creating an NSSA: Converting an Area to an NSSA In the Routing > OSPF > Areas dialog, change the value in the Area type column to nssa. Creating a new NSSA In the Routing > OSPF > Areas dialog, create an entry in the table. Change the value in the Area type column to nssa. Table Area ID Displays the area ID to which the table entries apply. Redistribute Activates/deactivates external route redistribution into the NSSA. Possible values: marked (default setting) The NSSA ASBRs suppress external route redistribution into the NSSA. Furthermore, the ASBR stops to create type 7 external LSAs for external routes. unmarked The NSSA ASBRs redistribute external routes into the NSSA. Originate default info Activates/deactivates the creation of type 7 default LSAs. The prerequisite for the creation of type 7 default LSAs is that the router is an NSSA ABR or ASBR. Possible values: marked The router creates type 7 default LSAs and sends then into the NSSA. unmarked (default setting) The router suppresses type 7 default LSAs. Default metric Specifies the metric value advertised in the type 7 default LSA. 388 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > NSSA ] Possible values: 1..16777214 (default setting: 10) Default metric type Specifies the metric type advertised in the type 7 default LSA. Possible values: ospfMetric The router advertises the metric as OSPF internal, which is the cost of an intra-area route to the ABR. comparable The router advertises the metric as external type 1, which is the cost of the OSPF internal metric plus external metric to the ASBR. nonComparable The router advertises the metric as external type 2, which is the cost of the external metric to the ASBR. Translator role Specifies the ability of an NSSA border router to perform translation of type-7 LSAs into type-5 LSAs. NSSA Area Border Routers receive type-5 LSAs containing information about external routes. The NSSA border routers block the type-5 LSAs from entering into the NSSA. However, using type-7 LSAs the border routers inform each other about external routes. The ABRs then translate the type7 LSAs to type-5 external LSAs and flood the information to the rest of the OSPF network. Possible values: always The router translates type-7 LSAs to type-5 LSAs. When the router receives a type-5 LSAs from another router with a router ID higher then its own, it flushes its type-5 LSAs. candidate (default setting) The router translates type-7 LSAs to type-5 LSAs. To help prevent routing loops, OSPF performs a translator election. When multiple candidates exist, OSPF elects the router with the higher router ID as the translator. Translator status Displays if and how the router is translating type-7 LSAs into type-5 LSAs. Possible values: enabled The Translator role of the router is set to always. elected As a candidate, the NSSA Border router is translating type-7 LSAs into type-5. disabled Another NSSA border router is translating type-7 LSAs into type-5 LSAs. Translator stability interval [s] Specifies the number of seconds after the router loses a translation election that it continues to translate type-7 LSAs into type-5 LSAs. RM GUI RSP Release 8.1 12/2019 389 Routing [ Routing > OSPF > NSSA ] Possible values: 0..65535 (default setting: 40) Translator events Displays the number of translator status changes that have occurred since the last boot-up. Discontinuities in the value of this counter occur while OSPF is disabled and can occur during reinitialization of the management system. Totally NSSA Activates/deactivates importation of summary routes into the NSSA as type 3 summary LSAs. Possible values: marked (default setting) The router suppresses summary route importation making the area a Totally NSSA. unmarked The router imports summary routes into the NSSA as type 3 summary LSAs. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 390 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Interfaces ] 6.6.5 OSPF Interfaces [ Routing > OSPF > Interfaces ] This dialog lets you specify, activate, and display OSPF parameters on the router interfaces. The device uses the OSPF routing protocol to exchange reachability information between the routers. The device uses routing information learned from peers to determine the next hop towards the destination. To route traffic correctly, the router authenticates OSPF protocol exchanges to help prevent malicious or incorrect routing information from getting introduced into the routing table. OSPF supports multiple types of authentication. You configure the type of authentication in use on a per interface basis. The cryptographic authentication option md5, helps protect your network against passive attacks and helps provide significant protection against active attacks. When using the cryptographic authentication option, each router appends a "message digest" to its transmitted OSPF packets. Receivers then use the shared secret key and received digest to verify that each received OSPF packet is authentic. Table Port Displays the interface to which the table entry applies. IP address Displays the IP address of this OSPF interface. Active Activates/deactivates the OSPF administrative status of the interface. Possible values: marked The router advertises the values specified on the interface, and the interface as an OSPF internal route. unmarked (default setting) The interface is external to OSPF. Area ID Specifies the area ID of the domain to which the interface connects. Possible values: <Area ID> You specify the area IDs in the Routing > OSPF > Areas dialog. Priority Specifies the priority of this interface. In multi-access networks, the router uses the value in the Designated Router election algorithm. When a tie occurs, the routers use their router ID as a tie breaker. The highest router ID wins. RM GUI RSP Release 8.1 12/2019 391 Routing [ Routing > OSPF > Interfaces ] Possible values: 0 The router is unable to become the Designated Router on this particular network. 1..255 (default setting: 1) Transmit delay [s] Specifies the estimated number of seconds it takes to transmit a link state update packet over this interface. This setting is useful for low speed links. The timer increases the age of the LS updates to compensate for estimated delays on the interface. Increasing the packet age too much results in a reply that is younger than the original packet. Possible values: 0..3600 (default setting: 1) Retrans interval [s] Specifies the number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface. You also use this value when retransmitting database description and link state request packets. Possible values: 0..3600 (default setting: 5) Hello interval [s] Specifies the number of seconds between Hello packet transmissions on the interface. Set this value the same for the routers attached to a common network. Verify that every router in an area has the same value. Possible values: 1..65535 (default setting: 10) Dead interval [s] Specifies the number of seconds between received Hello packets before a router declares the neighbor router down. Specify the value to a multiple of the Hello interval [s]. Specify the same value for the router interfaces within the same area. Possible values: 1..65535 (default setting: 40) Specify a lower value to get a faster detection of a neighbor in a down state. Note: Lower values are prone to interoperability issues. Status Displays the OSPF interface state. 392 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Interfaces ] Possible values: down (default setting) The interface is in the initial state and is blocking traffic. loopback The interface is a loopback interface of the device. Although packets are not sent out on the loopback interface, the router LSAs continue to advertise the interface address. waiting Applies only to interfaces connected to broadcast and Non-broadcast Multi-access (NBMA) network types. While in this state, the router attempts to identify the state of the network DR and BDR by sending and receiving Hello packets. The wait timer causes the interface to exit the waiting state and select a DR. The period of this timer is the same as the value in the Dead interval [s] field. pointToPoint Applies only to interfaces connected to point-to-point, point-to-multipoint, and virtual link network types. While in this state the interface sends Hello packets every Hello interval [s] and establishes an adjacency with its neighbor. designatedRouter The router is the DR for the multi-access network and establishes adjacencies with the other network routers. backupDesignatedRouter The router is the BDR for the multi-access network and establishes adjacencies with the other network routers. otherDesignatedRouter The router is only a network participant. The router establishes adjacencies only with the DR and BDR and tracks its network neighbors. Designated router Displays the IP address of the Designated Router. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Backup designated router Displays the IP address of the Backup Designated Router. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Events Displays the number of times this OSPF interface changed its state, or the router detected an error. Network type Specifies the OSPF network type of the autonomous system. Possible values: broadcast Use this value for broadcast networks, such as Ethernet and IEEE 802.5. OSPF performs a DR and BDR election with which the non-designated routers form an adjacency. nbma Use this value for non-broadcast multi-access networks such as X.25 and similar technologies. OSPF performs a DR and BDR election to limit the number of adjacencies formed. RM GUI RSP Release 8.1 12/2019 393 Routing [ Routing > OSPF > Interfaces ] pointToPoint Use this value for networks that link only 2 interfaces. pointToMultipoint Use this value when you collect several point-to-point links into a non-broadcast network. Every router in the network transmits Hello packets to other routers in the network, but without having a DR and BDR election. Auth type Specifies the authentication type for an interface. If you specify simple or MD5, then this router requires other routers to pass an authentication process before this router accepts the other routers as neighbors. If you use authentication to help protect your network, then use the same type and key for every router in your autonomous system. Possible values: none (default setting) Network authentication is inactive. simple The router uses clear text authentication. In this case, routers transmit the passwords as clear text. MD5 The router uses the message-digest algorithm MD5 authentication. This type of authentication helps make your network more secure. Auth key Specifies the authentication key. After entering the field displays ***** (asterisk) instead of the authentication key. Possible values: Alphanumeric ASCII character string – with 8 characters if in the Auth type drop-down list the value simple is selected – with 16 characters if in the Auth type drop-down list the value MD5 is selected If you specify a shorter authentication key, then the device fills in the remaining characters with 0. Auth key ID Specifies the MD5 authentication key ID value. The cryptographic authentication option MD5, helps protect your network against passive attacks and helps provide significant protection against active attacks. The prerequisite for changing the value is that, in the Auth type column, you specify the value MD5. Possible values: 0..255 (default setting: 0) Cost Specifies the internal metric. 394 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Interfaces ] OSPF uses link cost as the metric. OSPF also uses the cost of a link to calculate the SPF routes. OSPF prefers the route with the smaller value. The formula to calculate cost is reference bandwidth divided by interface bandwidth. Reference bandwidth is specified in the Autocost reference bandwidth field and is set to 100 Mbit/s by default. See the Routing > OSPF > Global dialog, General tab. Example: The interface bandwidth is 10 Mbit/s. The metric is 100 Mbit/s divided by 10 Mbit/s = 10. Possible values: auto (default setting) OSPF calculates the metric and automatically adjusts the value when the interface bandwidth changes. 1..65535 OSPF uses the value specified here as metric. Calculated cost Displays the metric value which OSPF currently uses for this interface. MTU ignore Activates/deactivates the IP maximum transmission unit (MTU) mismatch detection on this OSPF interface. Possible values: marked Disables the IP MTU check and makes adjacencies possible when the MTU value differs on the interfaces. unmarked (default setting) The router checks if neighbors are using the same MTU value on the interfaces. Fast Hello mode Activates/deactivates the Fast Hello mode on the port. For a ring that contains 8 devices, the function makes it possible for the recovery time to be less than 1.5 seconds for a detected link or router failure. The prerequisite is that you specify a value of 1 second for the following parameters: • Dead interval [s] column • Delay time [s] column in the Routing > OSPF > Global dialog, Shortest path first frame Possible values: marked The device sends the Hello packets every 250 ms, and ignores the value specified in the Hello interval [s] column. unmarked (default setting) The device sends the Hello packets according to the value specified in the Hello interval [s] column. RM GUI RSP Release 8.1 12/2019 395 Routing [ Routing > OSPF > Interfaces ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. 396 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Virtual Links ] 6.6.6 OSPF Virtual Links [ Routing > OSPF > Virtual Links ] OSPF requires that you link every area to the backbone area. The physical location of routers often prohibits a direct link to the backbone. Virtual links allow you to connect physically separated areas to the backbone through a transit area. You specify both routers on the endpoints of a virtual link as ABRs on a point-to-point link. To enter a virtual link in the table, click the button. Table Area ID Displays the area ID for the transit area that the virtual link traverses. Neighbor ID Displays the router ID of the virtual neighbor. The router learns this value from Hello packets received from the virtual neighbor. The value is a static value for virtual adjacencies. Transmit delay [s] Specifies the estimated number of seconds it takes to transmit an LS update packet over this interface. This setting is useful for low speed links. The timer increases the age of the LS updates to compensate for estimated delays on the interface. Increasing the packet age too much results in a reply that is younger than the original packet. Possible values: 0..3600 (default setting: 1) Retrans interval [s] Specifies the number of seconds between the LS advertisement retransmissions for adjacencies belonging to this interface. You also use this value when retransmitting Database Description (DD) and LS Request packets. Possible values: 0..3600 (default setting: 5) Dead interval [s] Specifies the number of seconds between received Hello packets before a router declares the neighbor router down. Specify the value to a multiple of the Hello interval [s]. Specify the same value for the router interfaces within the same area. RM GUI RSP Release 8.1 12/2019 397 Routing [ Routing > OSPF > Virtual Links ] Possible values: 1..65535 (default setting: 40) Specify a lower value to get a faster detection of a neighbor in a down state. Note: Lower values are prone to interoperability issues. Hello interval [s] Specifies the number of seconds between Hello packet transmissions on the interface. Set this value the same for the routers attached to a common network. Possible values: 1..65535 (default setting: 10) Status Displays the OSPF virtual interface state. Possible values: down (default setting) The interface is in the initial state and is blocking traffic. pointToPoint Applies only to interfaces connected to point-to-point, point-to-multipoint, and virtual link network types. While in this state the interface sends Hello packets every Hello interval [s] and establishes an adjacency with its neighbor. Events Displays the number of times this interface changed its state due to a received event. Auth type Specifies the authentication type for a virtual link. If you specify simple or MD5, then this router requires other routers to pass an authentication process before this router accepts the other routers as neighbors. If you use authentication to help protect your network, then use the same type and key for every router in your autonomous system. Possible values: none (default setting) Network authentication is inactive. simple The router uses clear text authentication. In this case, routers transmit the passwords as clear text. MD5 The router uses the message-digest algorithm MD5 authentication. This type of authentication helps make your network more secure. Auth key Specifies the authentication key. After entering the field displays ***** (asterisk) instead of the authentication key. 398 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Virtual Links ] Possible values: Alphanumeric ASCII character string – with 8 characters if in the Auth type drop-down list the value simple is selected – with 16 characters if in the Auth type drop-down list the value MD5 is selected If you specify a shorter authentication key, then the device fills in the remaining characters with 0. Auth key ID Specifies the MD5 authentication key ID value. The cryptographic authentication option md5, helps protect your network against passive attacks and helps provide significant protection against active attacks. The prerequisite for specifying this value is that you specify in the Auth type column the value MD5. Possible values: 0..255 (default setting: 0) Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Area ID drop-down list you select the area ID for the new table entry. In the Neighbor ID field you specify the router ID of the virtual neighbor. RM GUI RSP Release 8.1 12/2019 399 Routing [ Routing > OSPF > Ranges ] 6.6.7 OSPF Ranges [ Routing > OSPF > Ranges ] In large areas, OSPF messages flooded across the network reduce available bandwidth and increase the size of the routing table. A large routing table increases the amount of CPU processing that the router requires to enter the information into the routing table. A large routing table also reduces available memory. To decrease the number of OSPF messages flooded across the network, OSPF lets you create several smaller subnets within a large area. In order to summarize routing information into and out of a subnet, the Area Border Router (ABR) specifies the subnet as a single address range. The ABR advertises each address range as a single route to the external area. The IP address that the ABR advertises for the subnet is an address and mask pair. Unadvertised ranges allow you to hide the existence of subnets from other areas. The router specifies cost of the advertised route as the greater cost in the set component subnets. To enter an address range into the table, click the button. Table Area ID Displays the area ID of the address range. LSDB type Displays the route information aggregated by the address range. Possible values: summaryLink The area range aggregates type 5 route information. nssaExternalLink The area range aggregates type 7 route information. Network Displays the IP address of the subnet of the range. Netmask Displays the netmask of the subnet of the range. Effect Specifies the external advertisement of the subnet ranges. Possible values: advertiseMatching (default setting) The router advertises the range in other areas. doNotAdvertiseMatching The router withholds range advertisement to other external areas. 400 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Ranges ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Area ID drop-down list you select the area ID of the address range. In the LSDB type drop-down list you select the route information aggregated by the address range. Possible values: – summaryLink The area range aggregates type 5 route information. – nssaExternalLink The area range aggregates type 7 route information. In the Network field you specify the IP address for the area subnet. In the Netmask field you specify the netmask for the area subnet. RM GUI RSP Release 8.1 12/2019 401 Routing [ Routing > OSPF > Diagnostics ] 6.6.8 OSPF Diagnostics [ Routing > OSPF > Diagnostics ] To function properly, OSPF relies on 2 basic processes. forming adjacencies after forming adjacencies, the neighboring routers exchange information and update their routing table The statistics displayed in the tabs help you to analyze the OSPF processes. The dialog contains the following tabs: [Statistics] [Link state database] [Neighbors] [Virtual neighbors] [External link state database] [Route] [Statistics] In order to accomplish the 2 basic processes, OSPF routers send and receive various messages containing information to form adjacencies, and update routing tables. The counters in the tab indicate the amount of message traffic transmitted and received on the OSPF interfaces. Link State Acknowledgments (LSAcks) provide a response to a Link State Update (LS update) request as part of the link state exchange process. The Hello messages allow a router to discover other OSPF routers in the area and to establish adjacencies between the neighboring devices. After establishing adjacencies, the routers advertise their credentials for establishing a role as either a Designated Router (DR), a Backup Designated Router (BDR), or only as a participant in the OSPF network. The routers then use the Hello messages to exchange information about the OSPF configuration in the Autonomous System (AS). Database Description (DD) messages contain descriptions of the AS or area topology. The messages also propagate the contents of the link state database for the AS or area from a router to other routers in the area. Link State Requests (LS Request) messages provide a means of requesting updated information about a portion of the Link State Database (LSDB). The message specifies the link or links for which the requesting router requires current information. LS Update messages contain updated information about the state of certain links on the LSDB. The router sends the updates as a response to an LS Request message. The router also broadcast or multicast messages periodically. The router uses the message contents to update the information in the LSDBs of routers that receive them. LSAs contain the local routing information for the OSPF area. The router transmits the LSAs to other routers in an OSPF area and only on interfaces connecting the router to the specific OSPF area. Type 1 LSAs are router LSAs. Each router in an area originates a router-LSA. A single router LSA describes the state and cost of every link in the area. The router floods type 1 LSAs only across its own area. Type 2 LSAs are network LSAs. The DR creates a network LSA from information received in the type 1 LSAs. The DR originates in its own area a network LSA for each broadcast and NBMA network it is connected to. The LSA describes every router attached to the network, including the DR itself. The router floods type 2 LSAs only across its own area. 402 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Diagnostics ] Type 3 LSAs are network summary LSAs. An Area Border Router (ABR) creates a single network summary LSA from information contained in the type 1 and type 2 LSAs received from the DRs. The ABR transmits network summary LSAs describing inter-area destinations. The router floods type 3 LSAs across every area connected to it. Except this is the area for which it generated the Type 3 LSA. Type 4 LSAs are Autonomous System Boundary Router (ASBR) summary LSAs. An ABR creates a single ASBR summary LSA from information contained in the type 1 and type 2 LSAs received from the DRs. The ABR transmits type 4 LSAs to areas different than the area it resides in, to describe the ASBRs from which the ABR received type 5 LSAs. The router floods type 4 LSAs across every area connected to it. Except this is the area for which it generated the Type 4 LSA. Type 5 LSAs are AS external LSAs. The AS boundary routers create the AS external LSAs describing destinations external to the AS. The type 5 LSAs contain information redistributed into OSPF from other routing processes. The router floods type 5 LSAs to every area except stub and NSSA areas. Global LSA retransmitted Displays the total number of LSAs retransmitted since resetting the counters. When the router transmits the same LSA to multiple neighbors, the router increments the count for each neighbor. Hello packets received Displays the total number of OSPFv2 Hello packets received since resetting the counters. Hello packets transmitted Displays the total number of OSPFv2 Hello packets transmitted since resetting the counters. DB description packets received Displays the total number of OSPFv2 Database Description packets received since resetting the counters. DB description packets transmitted Displays the total number of OSPFv2 Database Description packets transmitted since resetting the counters. LS request packets received Displays the total number of OSPFv2 Link State Request packets received since resetting the counters. LS request packets transmitted Displays the total number of OSPFv2 Link State Request packets transmitted since resetting the counters. LS update packets received Displays the total number of OSPFv2 LS Update packets received since resetting the counters. RM GUI RSP Release 8.1 12/2019 403 Routing [ Routing > OSPF > Diagnostics ] LS update packets transmitted Displays the total number of OSPFv2 LS Update packets transmitted since resetting the counters. LS ack update packets received Displays the total number of OSPFv2 LS Acknowledgement packets received since resetting the counters. LS ack update packets transmitted Displays the total number of OSPFv2 LS Acknowledgement packets transmitted since resetting the counters. Max. rate of LSU received in any 5sec Displays the maximum rate of OSPFv2 LS Update packets received over any 5-second interval since resetting the counters. The field displays the rate in packets per second. For example, the number of packets received during the 5-second interval, divided by 5. Max. rate of LSU transmitted in any 5sec Displays the maximum rate of OSPFv2 LS Update packets transmitted over any 5-second interval since resetting the counters. The field displays the rate in packets per second. For example, the number of packets transmitted during the 5-second interval, divided by 5. Type-1 (Router) LSAs received Displays the number of type 1 router LSAs received since resetting the counters. Type-2 (Network) LSAs received Displays the number of type 2 network LSAs received since resetting the counters. Type-3 (Summary) LSAs received Displays the number of type 3 network summary LSAs received since resetting the counters. Type-4 (ASBR) LSAs received Displays the number of type 4 ASBR summary LSAs received since resetting the counters. Type-5 (External) LSAs received Displays the number of type 5 external LSAs received since resetting the counters. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 404 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Diagnostics ] [Link state database] A router maintains a separate link state database for every area to which it belongs. The router adds LSAs to the database in the following cases: When the router receives an LSA, for example during the flooding process. When the router originates the LSA. When a router deletes an LSA from the database, it also removes the LSA from the link state retransmission lists of the other routers in the network. A router deletes an LSA from its database in the following cases: A newer instance overwrites the LSA during the flooding process. The router originates a newer instance of a self-originated LSA. The LSA ages out and the router flushes the LSA from the routing domain. Table Area ID Displays the area ID from which router received the LSA. Type Displays the type of the LSAs received. Each LSA type has a separate advertisement format. Possible values: routerLink The router received the information from another router in the same area. Routers announce their existence and list the links to other routers within the same area using a type 1 LSA. The link state ID is the originating router ID. networkLink The router received the information from a DR on a broadcast segment using a type 2 LSA. The DR compiles the information received in type 1 LSAs and lists the routers linked together by the segment. The link state ID is the IP interface address of the DR. summaryLink The router received the information from an ABR using a type 3 LSA describing routes to networks. ABRs compile information learned from type 1 and type 2 LSAs received from the attached areas before sending the routing information to the other areas. The link state ID is the destination network number which is the results of the summarization process. asSummaryLink The router received the information from an ABR using a type 4 LSA describing routes to ASBRs. ABRs compile information learned from type 1 and type 2 LSAs received from the attached areas before sending the routing information to the other areas. The link state ID is the destination network number. asExternalLink The router received the information from an ASBR using a type 5 LSA describing routes to another AS. The link state ID is the router id of the ASBR. nssaExternalLink The router received the information from a router in a NSSA using a type 7 LSA. RM GUI RSP Release 8.1 12/2019 405 Routing [ Routing > OSPF > Diagnostics ] LSID Displays the Link State ID (LSID) value received in the LSA. The LSID is a field located in the LSA header. The field contains either a router ID or an IP address according to the LSA type. Possible values: <Router ID> Valid IPv4 address Router ID Displays the router ID uniquely identifying the originating router. Sequence Displays the value of the sequence field in an LSA. The router examines the contents or the LS checksum field whenever the LS sequence number field indicates that 2 instances of an LSA are the same. When there is a difference, the router considers the instance with the larger LS checksum to be most recent. Age Displays the age of the link state advertisement in seconds. When the router creates the LSA, the router sets the LS age to the value 0. As the routers transmit the LSA across the network they increment the value by the value specified in the Transmit delay [s] column. If a router receives 2 LSAs for the same segment having identical LS sequence numbers and LS checksums, then the router examines the age of the LSAs. • The router immediately discards LSA with MaxAge. • Otherwise, the router discards the LSA with the smaller age. Checksum Displays the contents of the checksum. The field is a checksum of the complete contents of the LSA, except for the age field. The age field of the advertisement increases as the routers transmit the message across the network. Excluding the age field lets routers transmit the message without needing to update the checksum field. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 406 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Diagnostics ] [Neighbors] The Hello Protocol is responsible for neighbor acquisition, maintenance, and for 2-way communication between neighbors. During the acquisition process, the routers on a segment compare their configurations for compatibility. If the routers are compatible, then the routers form adjacencies. The routers discover their master or slave status using information provided in the Hello packets. After the routers discover their roles, they exchange routing information to synchronize their routing databases. When the routers finish updating their databases, the neighbors are fully adjacent and the LSA lists the adjacency. Table Neighbor ID Displays the router ID of the neighboring router. The router learns this value from Hello packets received from the neighbor. The value is a static value for virtual adjacencies. IP address Displays the IP address of the neighboring router interface attached to the port. When sending unicast protocol packets on this adjacency, the router uses the value as the destination IP address. When the neighboring router is the DR, the router is also used in router LSAs as the link ID for the attached network. The router learns the neighbor IP address when it receives Hello packets from the neighbor. For virtual links, the router learns the neighbor IP address while building the routing table. Interface Displays the interface to which the entries in this row refer. Status Displays the state of the relationship with the neighbor listed in this instance. An event invokes each state change, such as a received Hello packet. This event produces different effects, depending on the current state of the neighbor. Also, depending on the state of neighbor change, the routers initiate a DR election. Possible values: down (default setting) The initial state of a neighbor conversation or a router terminated the conversation due to expiration of the Dead interval [s] timer. attempt The state is only valid for neighbors attached to NBMA networks. The information from the neighbor remains unresolved. The router actively attempts to contact the neighbor by sending the neighbor Hello packets in the interval specified in Hello interval [s]. RM GUI RSP Release 8.1 12/2019 407 Routing [ Routing > OSPF > Diagnostics ] init The router has recently seen a Hello packet from the neighbor. However, the router has only established uni-directional communication with the neighbor. For example, the router ID of this router is missing from the Hello packet of the neighbor. When sending Hello packets, the associated interface lists neighbors in this state or higher. twoWay Communication between the 2 routers is bidirectional. The router verifies the operation by examining the contents of the Hello packet. The routers elect a DR and BDR from the set of neighbors while in or after the 2-way state. exchangeStart The first step in creating an adjacency between the 2 neighboring routers. The goal of this step is to decide which router is the master and to decide upon the initial Sequence number. exchange The router is announcing its entire link state database by sending Database Description (DD) packets to the neighbor. The router explicitly acknowledges each DD packet. Each packet has a sequence number. The adjacencies only allow 1 DD packet to be outstanding at any time. In this state, the router sends LS Request packets asking for up-to-date database information. The adjacencies are fully capable of transmitting and receiving OSPF routing protocol packets. loading The router sends LS Request packets to the neighbor inquiring about the outstanding database updates sent in the exchange state. full The neighboring routers are fully adjacent. The adjacencies now appear in router LSAs and network LSAs. Dead time Displays the amount of time remaining before the router declares the neighbor status as down. The timer initiates the count down after the router receives a Hello packet. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Virtual neighbors] OSPF requires a continuous connection of the Autonomous System backbone area. OSPF also requires that every area has a connection to the backbone area. The physical location of routers often prohibits an area from directly connecting to the backbone area. Virtual links allow you to connect physically separated areas to the backbone area. The ABRs of the backbone area and the physically separated area form a point-to-point link through a transit area. When the ABRs establish an adjacency, the backbone router LSAs include the link and OSPF packets flow over the virtual link. Furthermore, the routing database of each endpoint router includes the link state information of the other endpoint router. Note: The OSPF lets you specify virtual links through every type of area except for stub areas. 408 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Diagnostics ] Table Area ID Displays the transit area ID of the virtual link. Router ID Displays the router ID of the other virtual endpoint ABR. After virtual adjacencies form, the virtual link carries OSPF packets such as Hello packets and LS update packets containing database information. The prerequisite is that the LSAs of the neighbor router contain the router ID of the local router. IP address Displays the IP address of the virtual neighbor. The router uses the IP address to send OSPF packets across the transit network to the virtual neighbor. Options Displays the information contained in the options field of the LSA. This value indicates the capabilities of virtual neighbor. The options field used in the Hello packets allow routers to identify their optional capabilities, and to communicate the capabilities to other routers. This mechanism lets you mix routers of different capabilities within a routing domain. The router supports 4 options by setting the following bits in the options field either high or low depending on the capabilities of the router. The field displays the value by adding the following option bits together. You read the fields from least significant bit to most significant bit. • The routers advertise the ability to process TOS 0 in AS external routes when it sets the E-bit high. The E-bit is the second bit in the options field and represents the value 2^1 or 2. • The routers advertise the ability to process multicast routes when it sets the MC-bit high. The MC-bit is the third bit in the options field and represents the value 2^2 or 4. • The routers advertise the ability to process AS external routes in an NSSA summary with type 7 LSAs when it sets the N/P-bit high. The N/P-bit is the fourth bit in the options field and represents the value 2^3 or 8. • The routers advertise the ability to process demand circuits when it sets the DC-bit high. The DC-bit is the sixth bit in the options field and represents the value 25 or 32. In a special case, the router sets the E-bit low. • The routers advertise the ability to process TOS metrics other than TOS 0 when it sets the E-bit low. The E-bit is the second bit in the options field and when set low, the bit represents the value 0. Possible values: 2,6,10,14,34,38,42,46 The values indicate that the virtual neighbor supports Type of Service metric (TOS) 0 in AS external LSAs. 0,4,8,12,32,36,40,44 The values indicate that the virtual neighbor supports TOS metrics other than TOS 0. RM GUI RSP Release 8.1 12/2019 409 Routing [ Routing > OSPF > Diagnostics ] 4,6,12,14,36,38,44,46 The values indicate that the virtual neighbor supports multicast routing. 8,10,12,14,40,42,44,46 The values indicate that the virtual neighbor supports type 7 LSAs. 32,34,36,38,40,42,44,46 The values indicate that the virtual neighbor supports demand circuits. Status Displays the state of the relationship with the neighbor listed in this instance. An event invokes each state change, such as a received Hello packet. This event produces different effects, depending on the current state of the neighbor. Also, depending on the state of neighbor change, the routers initiate a DR election. Possible values: down (default setting) The initial state of a neighbor conversation or a router terminated the conversation due to expiration of the Dead interval [s] timer. attempt The state is only valid for neighbors attached to NBMA networks. Information from the neighbor remains unresolved. The router actively attempts to contact the neighbor by sending the neighbor Hello packets in the interval specified in Hello interval [s]. init The router has recently seen a Hello packet from the neighbor. However, the router has only established uni-directional communication with the neighbor. For example, the router ID of this router is missing from the Hello packet of the neighbor. When sending Hello packets, the associated interface lists neighbors in this state or higher. twoWay Communication between the 2 routers is bidirectional. The router verifies the operation by examining the contents of the Hello packet. The routers elect a DR and BDR from the set of neighbors while in or after the 2-way state. exchangeStart The first step in creating an adjacency between the 2 neighboring routers. The goal of this step is to decide which router is the master and to decide upon the initial Sequence number. exchange The router is announcing its entire link state database by sending Database Description (DD) packets to the neighbor. The router explicitly acknowledges each DD packet. Each packet has a sequence number. The adjacencies only allow 1 DD packet to be outstanding at any time. In this state, the router sends LS Request packets asking for up-to-date database information. The adjacencies are fully capable of transmitting and receiving OSPF routing protocol packets. loading The router sends LS Request packets to the neighbor inquiring about the outstanding database updates sent in the exchange state. full The neighboring routers are fully adjacent. The adjacencies now appear in router LSAs and network LSAs. Events Displays the number of times this interface changed its state due to a received event such as HelloReceived or 2-way. 410 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > OSPF > Diagnostics ] Length of retransmission queue Displays the length of the retransmission list. In order to flood LSAs out of an interface to the neighbor, the router places the LSAs on the link state retransmission list of the adjacency. To validate LSA flooding, the router retransmits the LSAs until the neighbor acknowledges the LSA reception. You configure the length of time between retransmissions in the Routing > OSPF > Interfaces dialog in the Retrans interval [s] column. Suppressed Hellos Displays whether the router is suppressing Hello packets to the neighbor. Suppressing Hello packet transmission to the neighbor lets demand circuits close, on point-to-point links, during periods of inactivity. In NBMA networks, the periodic transmission of LSAs causes the circuit to remain open. Possible values: marked The router suppresses Hello packets. unmarked The router transmits Hello packets. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [External link state database] The table displays the contents of the external link state database, with an entry for each unique link state ID. External links allow the area to connect to destinations outside of the autonomous system. Routers pass information about the external links throughout the network as link state updates. Table Type Displays the type of the link state advertisement. When the router detects an external link state advertisement, the router enters the information in the table. Possible values: asExternalLink LSID Displays the Link State ID is an LS type-specific field containing either a router ID or an IP address. The value identifies the routing domain described in the advertisement. RM GUI RSP Release 8.1 12/2019 411 Routing [ Routing > OSPF > Diagnostics ] Router ID Displays the router ID uniquely identifying the originating router. Sequence Displays the value of the sequence field in an LSA. The router examines the contents or the LS checksum field whenever the LS sequence number field indicates that 2 instances of an LSA are the same. When there is a difference, the router considers the instance with the larger LS checksum to be most recent. Age Displays the age of the link state advertisement in seconds. When the router creates the LSA, the router sets the LS age to the value 0. As the routers transmit the LSA across the network they increment the value by the value specified in the Transmit delay [s] column. If a router receives 2 LSAs for the same segment having identical LS sequence numbers and LS checksums, then the router examines the age of the LSAs. • • The router immediately discards LSA with MaxAge. Otherwise, the router discards the LSA with the smaller age. Checksum Displays the contents of the checksum. The field is a checksum of the complete contents of the LSA, except for the age field. The age field of the advertisement increases as the routers transmit the message across the network. Excluding the age field lets routers transmit the message without needing to update the checksum field. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Route] The dialog displays the OSPF route information learned from the Link State Advertisements (LSA). Table IP address Displays the IP address of the network or subnet for the route. Netmask Displays the netmask for the network or subnet. 412 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Routing Table ] Metric Displays the route cost, calculated in the SPF algorithm, to reach the network. Type Displays the type of route that was learned from OSPF. Possible values: intra Entry for routes from the OSPF protocol within an area. inter Entry for routes from the OSPF protocol between areas. ext-type1 These routes were imported from an Autonomous System Boundary Router (ASBR) into the OSPF area. These routes use the costs relating to the connection between the ASBR and the route costs includes this device. ext-type2 These routes were imported from an Autonomous System Boundary Router (ASBR) into the OSPF area. These routes do not use the costs relating to the connection between the ASBR and the route costs includes this device. nssa-type1 These routes were imported from an Autonomous System Boundary Router (ASBR) into the Not-So-Stub Area. These routes use the costs relating to the connection between the ASBR and the route costs includes this device. nssa-type2 These routes were imported from an Autonomous System Boundary Router (ASBR) into the Not-So-Stub Area. These routes do not use the costs relating to the connection between the ASBR and the route costs includes this device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 6.7 Routing Table [ Routing > Routing Table ] This dialog displays the routing table with the routes configured in the device. Using the routing table, the device learns the router interface through which it transfers IP packets that are addressed to recipients in a different network. Configuration Preference Specifies the preference number that the device assigns by default to the newly configured, static routes. RM GUI RSP Release 8.1 12/2019 413 Routing [ Routing > Routing Table ] Possible values: 1..255 (default setting: 1) Routes with a value of 255 will be ignored by the device in the routing decision. Table Port Displays the router interface through which the device is currently transmitting IP packets addressed to the destination network. Possible values: <Router interface> The device uses this router interface to transfer IP packets addressed to the destination network. no port The static route is currently not assigned to a router interface. Network address Displays the address of the destination network. Netmask Displays the netmask. Next hop IP address Displays the IP address of the next router on the path to the destination network. Type Displays the type of the route. Possible values: local The router interface is directly connected to the destination network. remote The router interface is connected to the destination network through a router (Next hop IP address). reject The device discards IP packets addressed to the destination network and informs the sender. other The route is inactive. See the Active checkbox. Protocol Displays the origin of this route. 414 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Routing Table ] Possible values: local The device created this route when setting up the router interface. See the Routing > Interfaces > Configuration dialog. netmgmt A user created this static route with the button. ospf The OSPF function created this route. See the Routing > OSPF dialog. rip The RIP function created this route. See the Routing > RIP dialog. Preference Specifies the "administrative distance" of the route. The device uses this value instead of the metric, when the metric of the routes is incomparable. Possible values: 0 Reserved for routes that the device creates when setting up the router interfaces. These routes have the value local in the Protocol column. 1..254 In routing decisions, the device gives preference to the route with the smallest value. 255 In routing decisions, the device ignores the route. The "administrative distance" can be set for static routes created using the button. Metric Displays the metric of the route. The device transmits the data packets using the route with the smallest value. Last update [s] Displays the time in seconds, since the current settings of the route were entered in the routing table. Track name Specifies the tracking object with which the device links the route. The device automatically activates or deactivates static routes – depending on the link status of an interface or the reachability of a remote router or end device. You set up tracking objects in the Routing > Tracking > Configuration dialog. Possible values: Name of the tracking object, made up of Type and Track ID. – No tracking object selected. This function is used only for static routes. (Column Protocol = netmgmt) RM GUI RSP Release 8.1 12/2019 415 Routing [ Routing > Routing Table ] Active Displays whether the route is active or inactive. Possible values: marked The route is active; the device uses the route. unmarked The route is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create dialog to create a static route. In the Network address field, you specify the address of the destination network. Possible values: – Valid IPv4 address If you specify a default route (0.0.0.0), then you specify a default gateway in the Next hop IP address field. This setting takes precendence over the setting in the following dialog: – Basic Settings > Network dialog, Gateway address field In the Netmask field, you specify the netmask that identifies the network prefix in the address of the destination network. Possible values: – Valid IPv4 netmask In the Next hop IP address field, you specify the IP address of the next router on the path to the destination network. Possible values: – Valid IPv4 address To make a reject type route, specify the value 0.0.0.0 in this field. With this route, the device discards IP packets addressed to the destination network and informs the sender. In the Preference field, you specify the preference number that the device uses to decide which of several existing routes to the destination network it will use. Possible values: – 1..255 In routing decisions, the device gives preference to the route with the smallest value. The default setting is the value specified in the Configuration frame, field Preference. In the Track name field, you specify the tracking object with which the device links the route. Possible values: – – No tracking object selected. – Name of the tracking object, made up of Type and Track ID. 416 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Tracking ] 6.8 Tracking [ Routing > Tracking ] The tracking function lets you monitor what are known as tracking objects. Examples of monitored tracking objects are the link status of an interface or the reachability of a remote router or end device. The device forwards status changes of the tracking objects to the registered applications, for example to the routing table or to a VRRP instance. The applications then react to the status changes: • In the routing table, the device activates/deactivates the route linked to the tracking object. • The VRRP instance linked to the tracking object reduces the priority of the virtual router so that a backup router takes over the role of the master. If you set up the tracking objects in the Tracking Configuration dialog, then you can link applications with the tracking objects: • You link static routes with a tracking object in the Routing > Routing Table dialog, Track name column. • You link virtual routers with a tracking object in the Routing > L3-Redundancy > VRRP > Tracking dialog. Click the button to open the Create window and select the tracking object in the Track name drop-down list. The menu contains the following dialogs: Tracking Configuration Tracking Applications RM GUI RSP Release 8.1 12/2019 417 Routing [ Routing > Tracking > Configuration ] 6.8.1 Tracking Configuration [ Routing > Tracking > Configuration ] In this dialog, you set up the tracking objects. Table Type Specifies the type of the tracking object. Possible values: interface The device monitors the link status of its physical ports or of its link aggregation, LRE or VLAN router interface. ping The device monitors the route to a remote router or end device by means of periodic ping requests. logical The device monitors tracking objects logically linked to each other and thus enables complex monitoring tasks. Track ID Specifies the identification number of the tracking object. Possible values: 1..256 This range is available to every type (interface, ping and logical). Track name Displays the name of the tracking object made up of Type and Track ID. Active Activates/deactivates the monitoring of the tracking object. Possible values: marked Monitoring is active. The device monitors the tracking object. unmarked (default setting) Monitoring is inactive. Description Specifies the description. Here you describe what the device uses the tracking object for. Possible values: Alphanumeric ASCII character string with 0..255 characters 418 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Tracking > Configuration ] Status Displays the monitoring result of the tracking object. Possible values: up The monitoring result is positive: – The link status is active. or – The remote router or end device is reachable. or – The result of the logical link is TRUE. down The monitoring result is negative: – The link status is inactive. or – The remote router or end device is not reachable. or – The result of the logical link is FALSE. notReady The monitoring of the tracking object is inactive. You activate the monitoring in the Active column. Changes Displays the number of status changes since the tracking object has been activated. Last changed Displays the time of the last status change. Send trap Activates/deactivates the sending of an SNMP trap when someone activates or deactivates the tracking object. Possible values: marked If someone activates or deactivates the tracking object in the Active column, then the device sends an SNMP trap. unmarked (default setting) The device does not send an SNMP trap. Port Specifies the interface to be monitored for tracking objects of the interface type. Possible values: <Interface number> Number of the physical ports or of the link aggregation, LRE or VLAN router interface. no Port No tracking object of the interface type. RM GUI RSP Release 8.1 12/2019 419 Routing [ Routing > Tracking > Configuration ] Link up delay [s] Specifies the period in seconds after which the device evaluates the monitoring result as positive. If the link has been active on the interface for longer than the period specified here, then the Status column displays the value up. Possible values: 0..255 – No tracking object of the logical type. Link down delay [s] Specifies the period in seconds after which the device evaluates the monitoring result as negative. If the link has been inactive on the interface for longer than the period specified here, then the Status column displays the value down. Possible values: 0..255 – No tracking object of the interface type. If the link to every aggregated port is interrupted, then Link aggregation, LRE and VLAN router interfaces have a negative monitoring result. If the link to every physical port and link-aggregation interface which is a member of the VLAN is interrupted, then a VLAN router interface has a negative monitoring result. Ping port Specifies the router interface for tracking objects of the ping type through which the device sends the ping request packets. Possible values: <Interface number> Number of the router interface. noName No router interface assigned. – No tracking object of the ping type. IP address Specifies the IP address of the remote router or end device to be monitored. Possible values: Valid IPv4 address – No tracking object of the ping type. Ping interval [ms] Specifies the interval in milliseconds at which the device periodically sends ping request packets. 420 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Tracking > Configuration ] Possible values: 100..20000 (default setting: 1000) If you specify a value <1000, then you can set up a maximum of 16 tracking objects of the ping type. – No tracking object of the ping type. Ping replies to lose Specifies the number of missed responses from the device after which the device evaluates the monitoring result as negative. If the device does not receive a response to its sent ping request packets for the number of times specified here in a row, then the Status column displays the value down. Possible values: 1..10 (default setting: 3) – No tracking object of the ping type. Ping replies to receive Specifies the number of received responses from the device after which the device evaluates the monitoring result as positive. If the device receives a response to its sent ping request packets for the number of times specified here in a row, then the Status column displays the value up. Possible values: 1..10 (default setting: 2) – No tracking object of the ping type. Ping timeout [ms] Specifies the period in milliseconds for which the device waits for a response. If the device does not receive a response within this period, then the device evaluates this as a missed response. See the Ping replies to lose column. Possible values: 10..10000 (default setting: 100) If a large number of ping tracking objects is set up in the device, then specify a sufficiently large value. If more than 100 instances are present, then specify at least 200 ms. – No tracking object of the ping type. Ping TTL Specifies the TTL value in the IP header with which the device sends the ping request packets. TTL (Time To Live, also known as “Hop Count”) identifies the maximum number of steps an IP packet is allowed to perform on the way from the sender to the receiver. Possible values: – No tracking object of the ping type. 1..255 (default setting: 128) RM GUI RSP Release 8.1 12/2019 421 Routing [ Routing > Tracking > Configuration ] Best route Displays the number of the router interface through which the best route leads to the monitoring router or end device. Possible values: <Port number> Number of the router interface. no Port No route exists. – No tracking object of the ping type. Logical operand A Specifies the first operand of the logical link for tracking objects of the logical type. Possible values: Tracking objects set up – No tracking object of the logical type. Logical operand B Specifies the second operand of the logical link for tracking objects of the logical type. Possible values: Tracking objects set up – No tracking object of the logical type. Operator Links the tracking objects specified in the Logical operand A and Logical operand B fields. Possible values: and Logical AND link or Logical OR link – No tracking object of the logical type. 422 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Tracking > Configuration ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Type field, you specify the type of the tracking object. Possible values: – interface The device monitors the link status of its physical ports or of its link aggregation, LRE or VLAN router interface. – ping The device monitors the route to a remote router or end device by means of periodic ping requests. – logical The device monitors tracking objects logically linked to each other and thus enables complex monitoring tasks. In the Track ID field, you specify the identification number of the tracking object. Possible values: – 1..2147483647 RM GUI RSP Release 8.1 12/2019 423 Routing [ Routing > Tracking > Applications ] 6.8.2 Tracking Applications [ Routing > Tracking > Applications ] In this dialog, you see which applications are linked with the tracking objects. The following applications can be linked with tracking objects: • You link static routes with a tracking object in the Routing > Routing Table dialog, Track name column. • You link virtual routers with a tracking object in the Routing > L3-Redundancy > VRRP > Tracking dialog. Click the button top open the Create window and select the tracking object in the Track name drop-down list. Table Type Displays the type of the tracking object. Track ID Displays the identification number of the tracking object. Application Displays the name of the application that is linked with the tracking object. Possible values: Tracking objects of the logical type Static routes Virtual router of a VRRP instance Track name Displays the name of the tracking object made up of Type and Track ID. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 424 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3 Relay ] 6.9 L3 Relay [ Routing > L3 Relay ] Clients in a subnet send BOOTP/DHCP broadcasts messages to DHCP servers requesting configuration information such as IP addresses. Routers provide a border for broadcast domains so that BOOTP/DHCP requests remain in the local subnet. The Layer 3 Relay (L3 Relay) function acts as a proxy for clients that require information from a BOOTP/DHCP server in another network. When you configure this device to retrieve IP addresses from a DHCP server located in another subnet, the L3 Relay function lets you forward requests across multiple hops to a server located in another network. Using IP helper addresses and UDP helper ports the L3 Relay forwards DHCP packets between the clients and servers. The IP helper address is the DHCP server IP address. Clients use the UDP helper port to request a type of information such as DNS information on UDP port 53, or DHCP information on UDP port 67. The L3 Relay function provides you the follow advantages over the standard BOOTP/DHCP function: redundancy, when you specify multiple severs to process client requests. load balancing, when you specify multiple interfaces to relay broadcast packets from the client to the servers. central management, useful in large networks. The administrator saves the device configurations on a centrally located server which responds to client requests in multiple subnets. diversity, this function lets you specify up to 512 entries. Operation Operation Enables/disables the L3 Relay function. Possible values: On The L3 Relay function is globally enabled. Off (default setting) The L3 Relay function is globally disabled. Configuration Circuit ID Activates/deactivates the BOOTP/DHCP Circuit ID Option Mode. The device sends circuit ID suboption information, identifying the local agent, to the DHCP server. The DHCP server uses the suboption information to send responses back to the proper agent. RM GUI RSP Release 8.1 12/2019 425 Routing [ Routing > L3 Relay ] Possible values: marked The device adds the circuit ID of the DHCP relay agent to the suboptions for client requests. unmarked (default setting) The device removes the DHCP relay agent circuit ID suboptions from client requests. BOOTP/DHCP wait time (min.) Specifies the minimum amount of time that the device delays forwarding the BOOTP/DHCP request. The end devices send broadcast request on the local network. This setting lest a local server respond to the client request before the router forwards the client request through the interfaces. Possible values: 0..100 (default setting: 0) If a local server is absent from the network, then set the value to 0. BOOTP/DHCP hops (max.) Specifies the maximum number of cascaded devices allowed to forward the BOOTP/DHCP request. If the hop count exceeds the maximum number of hops specified in this field, then the device drops BOOTP requests. Possible values: 0..16 (default setting: 4) Information DHCP client messages received Displays the number of DHCP requests received from the clients. DHCP client messages relayed Displays the number of DHCP requests forwarded to the servers specified in the table. DHCP server messages received Displays the number of DHCP offers received from the servers specified in the table. DHCP server messages relayed Displays the number of DHCP offers forwarded to the clients from the servers specified in the table. UDP messages received Displays the number of UDP requests received from the clients. 426 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3 Relay ] UDP messages relayed Displays the number of UDP requests forwarded to the servers specified in the table. Packets with expired TTL Displays the number of UDP packets received with an expired TTL value. Discarded packets Displays the number of UDP packets that device discarded, because the packet matched an active table entry. Table Port Displays the interface to which the table entry applies. UDP port Displays the UDP port for client messages received on this interface for this table entry. The device forwards client DHCP messages matching the UDP port criteria to the IP helper address specified in this table entry. IP address Displays the IP helper address associated with this table entry. Hits Displays the current number of packets that the interface forwards for the specified UDP port in this table entry. Active Activates/deactivates the table entry. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset statistics Resets the table statistics. Create Port Specifies the interface to which the entry applies. RM GUI RSP Release 8.1 12/2019 427 Routing [ Routing > L3 Relay ] Interface configurations take priority over global configurations. If the destination UDP port for a packet matches any entry on an ingress interface, then the device handles the packet according to the interface configuration. If none of the interface entries match the packet, then the device handles the packet according to the global configuration. Possible values: All (default setting) Relay entries with this port value specify a global configuration. <available interfaces> Used to specify interface configurations. UDP port Specifies the helper UDP port criteria for packets received on this interface for this entry. When active, the device forwards packets received with this destination UDP port value to the IP address specified in this entry. Possible values: default (default setting) Equal to UDP port 0. An entry with a UDP port specified as 0 enables the dhcp, time, nameserver, tacacs, dns, tftp, netbios-ns, and netbios-dgm entries. dhcp Equal to UDP port 67. The device forwards DHCP requests for IP address assignment and networking parameters. domain Equal to UDP port 53. The device forwards DNS requests for host name to IP address conversion. isakmp Equal to UDP port 500. The device forwards Internet Security Association and Key Management Protocol requests. The requests specifies procedures and packet formats which establish, negotiate, modify and delete Security Associations. mobile-ip Equal to UDP port 434. The device forwards Home Agent Registration requests. Use this value when you install the device in a network other than the home network. nameserver Equal to UDP port 42. The device forwards Windows Internet Name Service requests. You use the port to copy the NetBIOS name table from 1 Windows server to another. netbios-dgm Equal to UDP port 138. The device forwards NetBIOS Datagram Service requests. The datagram service provides the ability to send a message to a unique name or to a group name. netbios-ns Equal to UDP port 137. The device forwards NetBIOS Name Service requests for name registration and resolution. ntp Equal to UDP port 123. The device forwards Network Time Protocol requests. Use this value for peer-to-peer synchronization where both peers consider the other to be a time source. 428 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3 Relay ] pim-auto-rp Equal to UDP port 496. The device forwards Protocol Independent Multicast-Automatic-Rendezvous Point requests. The Rendezvous Point (RP) serves as the root of the shared multicast delivery tree and is responsible for gathering multicast data from different sources, then forwarding the data to the clients. rip Equal to UDP port 520. The device forwards RIP requests and RIP response messages. tacacs Equal to UDP port 49. The device forwards TACACS Login Host Protocol requests for remote authentication and related services for networked access control through a centralized server. tftp Equal to UDP port 69. The device forwards Trivial File Transfer Protocol requests and responses. time Equal to UDP port 37. The device forwards Time Protocol requests. The device forwards client requests to a server that supports the time protocol. The server then responds with a message containing an integer representing the number of seconds since 00:00 1 January, 1900 GMT, and closes the data link. 0..65535 When you know the UDP port number, the device lets you specify the port number directly. IP address Specifies the IP helper address for packets received on this interface. Possible values: Valid IP address An address of 0.0.0.0 identifies the entry as a discard entry. The device drops packets that match a discard entry. You specify discard entries only on the interfaces. RM GUI RSP Release 8.1 12/2019 429 Routing [ Routing > Loopback Interface ] 6.10 Loopback Interface [ Routing > Loopback Interface ] A loopback interface is a virtual network interface without reference to a physical port. Loopback interfaces are constantly available while the device is in operation. The device lets you create router interfaces on the basis of loopback interfaces. Using such a router interface, the device is constantly available, even during periods of inactivity of individual router interfaces. Up to 2 loopback interfaces can be set up in the device. Table Index Displays the number that uniquely identifies the loopback interface. Port Displays the name of the loopback interface. IP address Specifies the IP address for the loopback interface. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Subnet mask Specifies the netmask for the loopback interface. Possible values: Valid IPv4 netmask (default setting: 0.0.0.0) Example: 255.255.255.255 Active Displays whether the loopback interface is active or inactive. Possible values: marked (default setting) The loopback interface is active. When sending SNMP traps, the device uses the IP address of the first loopback interface as the sender. unmarked The loopback interface is inactive. 430 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Loopback Interface ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create dialog to create a loopback interface. In the Index field, you specify the number that uniquely identifies the loopback interface. Possible values: – 1..2 RM GUI RSP Release 8.1 12/2019 431 Routing [ Routing > Multicast Routing ] 6.11 Multicast Routing [ Routing > Multicast Routing ] The menu contains the following dialogs: Multicast Routing Global Multicast Routing Boundary Configuration Multicast Routing Static IGMP 432 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > Global ] 6.11.1 Multicast Routing Global [ Routing > Multicast Routing > Global ] IP multicast routing is the distribution of IP data packets to multiple participants simultaneously under one IP address. The menu lets you specify and display global settings and static counters of the Multicast Routing function. Here you also display and specify parameters for the IGMP, IGMP Proxy, DVMRP and PIM-SM/PIM-DM protocols. The dialog contains the following tabs: [Configuration] [Statistics] [Configuration] This tab lets you enable IP multicast routing and specify and display global parameters for the function. Operation Operation Enables/disables the Multicast Routing function. Possible values: On The Multicast Routing function is enabled. Off (default setting) The Multicast Routing function is disabled. Configuration DSCP Specifies the DSCP value that the device writes in routed multicast data packets. The DSCP value (Differentiated Services Code Point) corresponds to bits 0 to 5 of the TOS field of a IP data packet. The TOS field (Type of Service) is used to prioritize data packets. Possible values: 0..64 (default setting: 48) The value 64 means that the device leaves the DSCP value of received data packets unchanged. RM GUI RSP Release 8.1 12/2019 433 Routing [ Routing > Multicast Routing > Global ] Information Multicast routing entries Displays the maximum number of entries in the IP multicast routing table. IGMP proxy active Displays whether the IGMP proxy function (Internet Group Management Protocol) is active. Possible values: marked IGMP proxy is active. unmarked IGMP proxy is inactive. Table Port Displays the number of the router interface to which the table entry relates. TTL Specifies the TTL value (Time to Live) for this router interface. The device discards IP multicast data packets whose TTL value is below the specified value. The TTL value is an 8-bit field in the IP data packet. With each hop (the next router on the path to the destination network) the multicast router reduces the TTL value by 1. Possible values: 0 The device forwards every multicast data packet received on this router interface. 1..255 (default setting: 1) Buttons You find the description of the standard buttons in section “Buttons” on page 15. 434 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > Global ] [Statistics] This tab lets you display the statistic counters of the multicast routing function. Table Multicast group address Displays the IP address of the multicast group to which the table entry relates. Possible values: Valid IPv4 address Multicast source address Displays the IP address of the multicast source to which the table entry relates. The device identifies the multicast source in combination with the related netmask. Possible values: Valid IPv4 address Upstream neighbor Displays the IP address of the upstream neighbor from which the device receives IP data packets sent to this multicast address. The upstream neighbor for the device is the next participating neighbor in the upstream direction (in the direction of the source of the multicast stream). For example, the device uses the RPF algorithm (Reverse Path Forwarding) to calculate the multicast route and to determine the upstream neighbor. Possible values: Valid IPv4 address The value 0.0.0.0 means that the upstream neighbor is unknown. Port Displays the port number. Outgoing interfaces Displays a list of the outgoing interfaces. Uptime Displays the time that has elapsed since the multicast router last modified the table entry for the port. RM GUI RSP Release 8.1 12/2019 435 Routing [ Routing > Multicast Routing > Global ] Timeout Displays the time remaining until the multicast router deletes the entry for the participant from the group table when the participant is inactive. The value 0 means that there is no time limit for the entry. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 436 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > Boundary Configuration ] 6.11.2 Multicast Routing Boundary Configuration [ Routing > Multicast Routing > Boundary Configuration ] The multicast boundary function lets you reject selectively IP multicast streams. This dialog lets you specify and display the parameters for restricting the IP multicast streams on specific ports. This restriction includes incoming as well as outgoing data packets. Table Port Displays the port number. On this port the device discards multicast data packets whose address is in the range specified in the fields IP address and Netmask. You specify the value in the Create dialog. IP address Displays the IP address of the multicast group to which this restriction applies. The IP address of the multicast group combined with the associated Netmask specify the range for the multicast restriction. The device discards multicast data packets from this range. You specify the value in the Create dialog. Possible values: 239.0.0.0.. 239.255.255.255 Netmask Displays the netmask of the multicast group to which this restriction applies. The IP address of the multicast group combined with the associated Netmask specify the range for the multicast restriction. The device discards multicast data packets from this range. You specify the value in the Create dialog. Status Specifies the status for processing this table entry. This value determines the procedure the router uses to create new table entries or delete certain entries from the table. RM GUI RSP Release 8.1 12/2019 437 Routing [ Routing > Multicast Routing > Boundary Configuration ] Possible values: active The table entry for the multicast routing restriction is active on this port. The table entry exists and is available for the router to use. notInService (default setting) The table entry for the multicast routing restriction is inactive on this port. The table entry exists, but is unavailable for the router to use. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens a Create window to add a new entry to the table. In the Port field, you specify the port to which the device applies the multicast restriction. In the IP address field, you specify the IP address for the multicast source. In the Netmask field, you specify the netmask for the multicast source. 438 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > Static ] 6.11.3 Multicast Routing Static [ Routing > Multicast Routing > Static ] The Multicast static routing function lets you specify the route of the multicast data traffic in the network. The device uses the Reverse Path Forwarding (RPF) algorithm to define the path of the multicast data traffic through the multicast routers. The RPF algorithm uses the static entries to calculate the path of the multicast data traffic. This dialog lets you specify and display the parameters for the static multicast routing function. IP address and netmask of the multicast data source RPF address (upstream neighbor of the device) Priority of the static multicast routing entry Table IP address Displays the IP address of the multicast data source. You specify the value in the Create dialog. Netmask Displays the associated netmask for the IP address of the multicast data source. You specify the value in the Create dialog. RPF address Specifies the IP address of the neighbor multicast router in the upstream direction (in the direction of the source of the multicast stream) that the RPF algorithm uses. The upstream neighbor for the device is the next participating neighbor in the upstream direction. Specifying a valid IP address is the prerequisite for having the option of activating the static multicast routing entry. Preference Specifies the priority of this static multicast routing entry with which the device considers this route when selecting the best route. The lower the value, the higher the priority. The value 255 means “not accessible”, the device ignores this route for the transmission of the multicast data traffic. Specifying a valid priority is the prerequisite for having the option of activating the static multicast routing entry. Possible values: 1..255 (default setting: 1) Status Activates/deactivates the static multicast routing entry. RM GUI RSP Release 8.1 12/2019 439 Routing [ Routing > Multicast Routing > IGMP ] The prerequisite for activating the static multicast routing entry is that you specified valid values in the fields RPF address and Preference. Possible values: active The table entry for the static multicast routing is active on this router interface The table entry exists and is available for the router to use. notInService (default setting) The table entry for the static multicast routing is inactive on this port. The table entry exists, but is unavailable for the router to use. If the table entry is unavailable for the router due to missing information or to interruption, then the router displays this value: notReady The device detected unfulfilled conditions on the port or device level. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens a Create window to add a new entry to the table. In the IP address field, you specify the IP address for the multicast data source. In the Netmask field, you specify the netmask for the multicast data source. 6.11.4 IGMP [ Routing > Multicast Routing > IGMP ] The Internet Group Management Protocol (IGMP) enables IPv4 multicasting (group communication), that means the distribution of data packets to multiple participants simultaneously using one IP address. IGMP enables multicast groups to be managed dynamically. The management is carried out by local routers. The participants of a multicast group are connected directly to the local routers. The menu contains the following dialogs: IGMP Configuration IGMP Proxy Configuration IGMP Proxy Database 440 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Configuration ] 6.11.4.1 IGMP Configuration [ Routing > Multicast Routing > IGMP > Configuration ] The Internet Group Management Protocol (IGMP) lets you manage IP multicast groups dynamically. The participants (hosts) of a multicast use IGMP for logging on and off the multicast router (querier). The device supports the versions IGMPv1, IGMPv2, and IGMPv3. The IGMPv1 and IGMPv2 versions are backward compatible. IGMPv1 Lets participants join a multicast group. In case of inactivity, the multicast router removes the participant from the multicast group after expiration of the timeout. IGMPv2 In addition to IGMPv1, IGMPv2 provides the participant with the opportunity to log off from the multicast group (Leave message). IGMPv3 In addition to IGMPv1 and IGMPv2, IGMPv3 provides the participant with the opportunity to specify the source from which it wishes to receive the multicast stream: – Receive only data packets from certain source addresses – Discard data packets from certain source addresses The multicast routers send queries (periodic requests) to the participants. IGMPv1 and IGMPv2 The participants respond to these queries for one multicast group in each case. The router enters the address of the multicast group into the database. IGMPv3 Participants respond to these queries for one or more multicast groups. The router enters into the database the addresses of the multicast groups as well as the desired source addresses for a multicast stream. IGMP routing uses the following message types to manage multicast groups: Membership Query Queries of the router regarding membership in a group (general queries, queries to groups, queries to groups and to specific source addresses) Membership Report The participant’s responses regarding membership in a group Leave Group Messages from the participant when logging off from a group Operation The dialog contains the following tabs: [Port] [Cache information] [Interface membership] Operation Enables/disables the IGMP function in the device. RM GUI RSP Release 8.1 12/2019 441 Routing [ Routing > Multicast Routing > IGMP > Configuration ] Possible values: On The IGMP function is enabled. Off (default setting) The IGMP function is disabled. [Port] This tab lets you set and monitor the parameters for IGMP routing. Table Port Displays the router interface number. Configure at least one multicast router interface before viewing or configuring parameters for an IGMP-enabled router interface. Otherwise, the device displays a detected error. Querier Displays the IP address of the multicast router (IGMP querier) in the IP subnet to which the selected router interface belongs. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Query interval Specifies the time interval in seconds that the device uses to send IGMP host queries (queries to the IGMP-enabled participants) from this router interface The IGMP-capable network devices in the network respond to the queries with report messages. Possible values: 1..3600 (default setting: 125) Status Activates/deactivates the IGMP routing function. Possible values: active The IGMP routing function is active on this router interface. notInService (default setting) The IGMP routing function is inactive on this router interface. Version Specifies the IGMP version used for this router interface. 442 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Configuration ] Activate IGMP routing on this router interface before you configure the entry in the Version column. Possible values: 1 Specifies version IGMPv1 for this router interface. 2 Specifies version IGMPv2 for this router interface. 3 (default setting) Specifies version IGMPv3 for this router interface. Max. response time Specifies the maximum query response time in tenths of a second for this router interface for IGMPv2 and IGMPv3. If the router interface responds to the query of the multicast router within this time, then the router interface remains a member of the multicast group. Possible values: 0..255 (default setting: 100) Robustness Specifies the value for the IGMP robustness for this router interface. The robustness lets you adjust the router interface to the expected packet loss in the subnet. The IGMP routing function behaves in a robust manner in regard to the following number of packet losses in the subnet: Robustness minus 1. Possible values: 1..255 (default setting: 2) Use high values for the robustness if you expect a large number of packet losses in a subnet. Last member query interval Specifies the IGMP Last member query interval in tenths of a second, for IGMPv2, IGMPv3. To log off from a multicast group, the participant sends a message to the multicast router (a Leave Group Message). Then the multicast router sends a query to the participant. The value of the parameter specifies the maximum allowable response time to this query for the participant. In addition, this value specifies the time interval between the group-specific queries of the multicast router. Possible values: 0..255 (default setting: 10) Last member queries Displays the number of queries that the multicast router sends if it receives a report for logging off from a multicast group (Leave Group Report). Possible values: 1..20 (default setting: 2) RM GUI RSP Release 8.1 12/2019 443 Routing [ Routing > Multicast Routing > IGMP > Configuration ] Startup queries Displays the number of startup queries (queries in the start-up phase) which the multicast router sends. The intervals between the queries are specified in the Startup query interval column. Possible values: 1..20 (default setting: 2) Startup query interval Displays the time in seconds between successive startup queries (queries in the startup phase) of the multicast router. The number of periodic queries are specified by Startup queries. Possible values: 1..300 (default setting: 31) Querier uptime Displays the time that has elapsed since the multicast router last modified the table entry for the port. Querier expiry time Displays the remaining time until the multicast router deletes the entry for the port from the multicast group table. If the device itself is the querier (multicast router), then the Querier expiry time parameter has the value of 0. Wrong version queries Displays how many times participants attempted to access the port with an IGMP protocol version detected to be incorrect. The prerequisite is that the IGMP routing function is active for this port. You specify the same IGMP version for every router within the network. If the device receives queries with other IGMP versions, then the device reports a detected configuration error. Joins Displays how many IGMP membership reports for a multicast group this router interface has received. The value of the parameter is related to the frequency with which a multicast router adds entries for this router interface to the cache table. The parameter indicates IGMP activity on this router interface. The prerequisite is that the IGMP function is enabled for this router interface. Groups Displays how many multicast groups the cache table currently contains for the multicast router for this router interface. 444 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Configuration ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Cache information] This tab lets you monitor the parameters from the cache table of the IGMP multicast router. Table Port Displays the router interface number. The prerequisite is that the IGMP routing function is active for this router interface. Address Displays the IP address of the multicast group to which the table entry relates. The prerequisite is that the IGMP routing function is active on this router interface and that the router interface receives IGMP membership reports. Possible values: Valid IPv4 address Last reporter Displays the source IP address from which the device last received an IGMP membership report (report for membership of a multicast group) for this router interface. Possible values: Valid IPv4 address Uptime Displays the time in [hh:mm:ss] that has elapsed since the multicast router created the table entry for this participant. Expiry time Displays the value of the cache timer (time limiter) in [hh:mm:ss]. After this time has elapsed, the multicast router deletes the entry from the cache table. When the device receives an IGMP membership report for this multicast group on this router interface, the device resets the value of this timer. RM GUI RSP Release 8.1 12/2019 445 Routing [ Routing > Multicast Routing > IGMP > Configuration ] V1 host timer Displays the value of the host present timer (time limiter) in [hh:mm:ss] for IGMPv1 participants. This is the time remaining until the local multicast router assumes that none of the participants in the IP subnet connected through this port are active any more. When the multicast router receives IGMP membership reports again (reports on the membership of multicast groups), it resets the value of this timer. As long as the value is greater than null, the multicast router ignores IGMPv2 and IGMPv3 Leave Group messages that it receives on this router interface. V2 host timer Displays the value of the host present timer (time limiter) in [hh:mm:ss] for IGMPv2 participants. This is the time remaining until the local multicast router assumes that none of the stations in the IP subnet connected through this port are active any more. When the multicast router receives IGMP membership reports again (reports on the membership of multicast groups), it resets the value of this timer. As long as the value is greater than null, the multicast router ignores IGMPv3 Leave Group messages that it receives on this router interface. Source filter mode Displays the filter mode provided in the IGMPv3 report for source IP addresses for the multicast group. Possible values: include The participant receives the multicast stream only from specific source IP addresses. exclude The participant receives the multicast stream without specific source IP addresses. NA (default setting) The filter mode for source IP addresses is inactive. The field remains empty. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 446 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Configuration ] [Interface membership] The table in this tab displays detailed information on the source addresses included in an IGMP multicast group. This information is provided in the IGMPv3 membership reports. Table Port Displays the port number. The prerequisite is that the IGMP function is active for this port. Address Displays the IP address of the multicast group for which the router has received an IGMPv3 membership report on this router interface. The prerequisite is that the IGMP function is active on this port and that the port receives IGMP membership reports. Possible values: Valid IPv4 address Host address Displays the source IP addresses of this multicast group. Possible values: Valid IPv4 address Expire Displays the value of the time limiter in [hh:mm:ss] for this multicast group. This is the time remaining until the multicast router deletes the multicast group entry. When the multicast router receives IGMP membership reports for this source specific multicast again, it resets the value of this timer. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 447 Routing [ Routing > Multicast Routing > IGMP > Proxy Configuration ] 6.11.4.2 IGMP Proxy Configuration [ Routing > Multicast Routing > IGMP > Proxy Configuration ] This dialog lets you configure and monitor the parameters for the IGMP proxy router interface. The multicast router learns information about membership of multicast groups through the IGMP router interface (downstream interface). In this direction, the device operates as a querier. On the IGMP proxy router interface (upstream interface) the device operates as a host and sends IGMP membership reports for the registered multicast groups from the downstream router interfaces. Table Port Displays the number of the upstream router interface on which the IGMP proxy function is active. The prerequisite is that this router interface is not an IGMP downstream router interface. Querier Displays the IP address of the multicast router (IGMP querier) in the IP subnet to which the upstream interface belongs. Possible values: Valid IPv4 address (default setting: 0.0.0.0) V1 querier timer Displays the remaining time in seconds until the device assumes that no IGMPv1 querier is active on the upstream router interfaces. V2 querier timer Displays the remaining time in seconds until the device assumes that no IGMPv2 querier is active on the upstream router interfaces. Version Specifies the IGMP version used for this router interface. Disable IGMP globally before you configure the entry in the Version column. Possible values: 1 Specifies version IGMPv1 for this upstream router interface. 2 Specifies version IGMPv2 for this upstream router interface. 3 (default setting) Specifies version IGMPv3 for this upstream router interface. Robustness Specifies the value for the IGMP robustness for this upstream router interface. 448 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Proxy Configuration ] The robustness lets you adjust the port to the expected packet loss in the subnet. The IGMP routing function behaves in a robust manner in regard to the following number of packet losses in the subnet: Robustness minus 1. The host repeats the transfer of the status report Robustness minus 1 times. Possible values: 1..255 (default setting: 2) Use high values if you expect a large number of packet losses in a subnet. Unsolicited report interval Specifies the interval in seconds in which the device sends unsolicited reports to the multicast router on the upstream interface. Possible values: 1..260 (default setting: 1) Groups Displays the number of multicast groups for which the upstream router interface sends IGMP membership reports. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Port field, you specify the number of the port on which the IGMP proxy function is active. RM GUI RSP Release 8.1 12/2019 449 Routing [ Routing > Multicast Routing > IGMP > Proxy Database ] 6.11.4.3 IGMP Proxy Database [ Routing > Multicast Routing > IGMP > Proxy Database ] This dialog lets you monitor the parameters for membership of multicast groups and the source list. When registering or de-registering Multicast members on downstream interfaces, the IGMP Proxy device updates the database entries and sends IGMP Membership reports and Leave Group messages. The proxy interface sends this information in the upstream direction. Upon request, the device sends IGMP Membership reports to the upstream interfaces. The dialog contains the following tabs: [Groups] [Source list] [Groups] Table Port Displays the port number to which the table entry relates. IP multicast group address Displays the IP address of the registered multicast group. Possible values: Valid IPv4 multicast address Creation time Displays the time in seconds that has elapsed since the multicast router created the table entry. Last reporter Displays the source IP address of the IGMP proxy router interface from which the device last sent an IGMP membership report in the upstream direction. Possible values: Valid IPv4 multicast address Filter mode Displays the filter mode for source IP addresses for the multicast groups. 450 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > Multicast Routing > IGMP > Proxy Database ] Possible values: include The participant gets the multicast stream only from specific source IP addresses. exclude The participant discards the multicast stream from specific source IP addresses. None (default setting) The filter mode for source IP addresses is inactive. The field remains empty. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Source list] Table Port Displays the router interface number to which the table entry relates. IP address Displays the IP address of the multicast group. Possible values: Valid IPv4 multicast address Host address Displays the source IP addresses of this multicast group. Possible values: Valid IPv4 address Expiry time Displays the value of the time limiter for this multicast group entry. This is the time remaining until the device deletes the entry for this multicast group when the participants of the IGMP router interface are inactive. When the parameter has the value null, the device deletes the entry. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 451 Routing [ Routing > L3-Redundancy ] 6.12 L3-Redundancy [ Routing > L3-Redundancy ] The menu contains the following dialogs: VRRP 6.12.1 VRRP [ Routing > L3-Redundancy > VRRP ] The Virtual Router Redundancy Protocol (VRRP) is a procedure that lets the system react to the failure of a router. You use VRRP in networks with end devices that support 1 entry for the default gateway. If the default gateway fails, then VRRP helps ensure that the end devices find a redundant gateway. Hirschmann has further developed VRRP into the Hirschmann Virtual Router Redundancy Protocol (HiVRRP). With the appropriate configuration, this protocol provides switching times of less than 400 ms. Note: You find detailed information on VRRP in the “Configuration” user manual. The menu contains the following dialogs: VRRP Configuration VRRP Domains VRRP Statistics VRRP Tracking 452 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] 6.12.1.1 VRRP Configuration [ Routing > L3-Redundancy > VRRP > Configuration ] This dialog lets you specify the following settings: up to 8 virtual routers per router interface 1 address per virtual router up to 16 virtual routers per physical router with HiVRRP Operation Operation Enables/disables the VRRP redundancy in the device. Possible values: On The VRRP function is enabled. Off (default setting) The VRRP function is disabled. Information + Configuration Version Specifies the VRRP version. Send trap (VRRP master) Activates/deactivates the sending of SNMP traps when the device is the VRRP master. Possible values: marked The sending of SNMP traps is active. If the device is the VRRP master, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Send trap (VRRP authentication failure) Activates/deactivates the sending of SNMP traps when the device receives a VRRP packet including authentication information. Note: The device supports only VRRP packets without authentication information. In order for the device to operate in conjunction with other devices that support VRRP authentication, verify that on those devices the VRRP authentication is not applied. RM GUI RSP Release 8.1 12/2019 453 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Possible values: marked The sending of SNMP traps is active. If the device receives a VRRP packet including authentication information, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Table Port Displays the port number to which the table entry relates. VRID Displays the Virtual Router IDentifier. Active Activates/deactivates the VRRP instance specified in this row. Possible values: marked The VRRP instance is active. unmarked (default setting) The VRRP instance is inactive. Oper status Specifies the row status. The operational state of the related virtual router controls the row status of a currently active row in the table. Possible values: active The instance is available for use. notInService The instance exists in the device, but necessary information is missing and it is unavailable for use. notReady The instance exists in the device, but necessary information is missing and it is unavailable for use. State Displays the VRRP state. 454 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Possible values: initialize VRRP is in the initialization phase, the function is inactive, or the master router is still unnamed. backup The router sees the possibility of becoming the master router. master The router is the master router. Base priority Specifies the priority of the virtual router. The value differs from Priority if tracked objects are down or the virtual router is the IP address owner. Possible values: 1..254 (default setting: 100) When you configure multiple VRRP routers in a single instance, distribute the priority values uniformly on the routers. For example, assign the priority value of 50 to the primary router, the value of 100 to the next router. Repeat the steps with the value 150, and so on. Priority Specifies the VRRP priority value. The router with the higher priority value takes over the master router role. If the virtual router IP address is the same as an IP address of a router interface, then the router is the “owner” of the IP address. If an IP address owner exists, then VRRP assigns the IP address owner the VRRP priority 255 and declares the router as the master router. Possible values: 1..255 (default setting: 100) When you plan to remove a master router from the network, lower the priority number to force an election, thus reducing the black hole period. Virtual IP address Displays the virtual IP address in the subnet of the primary IP address on the interface. If no match is found, then the device returns an unspecified virtual address. If no virtual address is configured, then 0.0.0.0 is returned. Possible values: Valid IPv4 address VRRP advert interval [ms] Specifies the interval for sending out messages (advertisements) as the master router. Possible values: 1000..255000 (default setting: 1000) Interval for VRRP 100..900 (default setting: 100) Interval for HiVRRP RM GUI RSP Release 8.1 12/2019 455 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] VRRP advert address Specifies the IP address to which the virtual router sends advertisements. Possible values: Valid IPv4 address (default setting: 224.0.0.18) Link-down notify address Specifies the IP address to which the local router sends notifications when changes on the link occur. Sending the notifications informs the back up router that a link on the master router is down reducing failover times. If the virtual router consists of only 2 routers, routers A and B for example, then specify the IP address of the interface on the backup router that is linked to the opposite virtual router interface. For example, when specifying the link down notification address for interface 1/2 on router A, specify the IP address of interface 1/1 on router B. If the virtual router consists of more than 2 routers, then specify the IP address of the interface with the second highest priority that is linked to the other virtual router interface. For example, when specifying the link down notification address for interface 1/2 on router A, specify the IP address of interface 1/1 on router C. Possible values: Valid IP address (default setting: 0.0.0.0) The value 0.0.0.0 suppresses notifications. Preempt mode Activates/deactivates the preempt mode. This setting specifies whether this router, as a backup router, takes over the master router role when the master router has a lower VRRP priority. Possible values: marked (default setting) When you enable the preempt mode, this router takes the master router role from a router with a lower VRRP priority without waiting for an election. unmarked When you disable the Preempt mode, this router assumes the role of a backup router and listens for master router advertisements. After the master down interval expires, without receiving advertisements from the master router, this router participates in the master router election process. Preempt delay [s] Specifies the pre-empt delay time in seconds. 456 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] With the pre-empt mode activated and in collaboration with VRRP tracking, a reassignment of the master router role is possible. However, dynamic routing procedures take a certain amount of time to react to route changes and to refill routing tables. To help avoid the loss of packets during this time, the device lets you specify a pre-empt delay. The delay lets the dynamic routing procedure fill the routing tables before reassignment of the master router role. Possible values: 0..65535 (default setting: 0) Domain ID Specifies the virtual domain in which the router participates. VRRP domains bundle a set of VRRP instances together. The supervisor router sends advertisement packets. The members follow the supervisor. If the loss of a single instance within a domain is likely, then configure the device to send advertisements to the member. Possible values: 0 (default setting) No domain specified. 1..8 Domain role Specifies the role of this router in the virtual domain. Possible values: none (default setting: 0) The router is currently not a domain member. member The router copies the behavior of the supervisor. supervisor The router determines the behavior of the domain. VRRP master candidate Specifies the primary virtual router IP address. When the interface has several specified IP addresses, the parameter lets the user select an IP address as the Master IP address. Possible values: Valid IPv4 address (default setting: 0.0.0.0) The default setting 0.0.0.0 indicates that the router is using the lower IP address as the Master IP address. Master IP address Displays the current master router interface IP address. Possible values: Valid IPv4 address (default setting: 0.0.0.0) RM GUI RSP Release 8.1 12/2019 457 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Ping answer Activates/deactivates the ping answer function on the virtual router. You use the VRRP ping for connectivity analyses. The prerequisite for allowing the device to answer ping requests from the interfaces is that you activate the function globally. In the Routing > Global dialog, ICMP filter frame, mark the Send echo reply checkbox. Possible values: marked (default setting) The device answers ICMP ping requests. unmarked The device ignores ICMP ping requests. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Port field, you specify the router interface. In the VRID field, you specify the Virtual Route Identifier (VRID). Setting up the VRRP router instance The device lets you set up to 8 virtual routers per router interface. Before you set up a VRRP instance, verify that network routing functions properly and set the IP addresses on the router interfaces used for the VRRP instances. Perform the following steps: In the Routing > L3-Redundancy > VRRP > Configuration dialog, open the Wizard window. In the Wizard window, open the Create or select entry page. – Select a router interface from the Port drop-down list. – Specify the Virtual Router IDentifier in the VRID column. In the Wizard window, open the Edit entry page. – In the Configuration frame, specify the values for the following parameters: Priority Preempt mode Advertisement interval [s] Ping answer Select the VRRP master candidate IP address from the drop-down list. Open the HiVRRP tab. The HiVRRP tab helps you to set up the following parameters: – failover times of less than 3 s, – the routers to use Unicasts to communicate with each other – to set up domains or – to send link-down notifications 458 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] In the Configuration frame, specify the values for the following parameters: – VRRP advert address (IP address of the partner HiVRRP router) – VRRP advert interval [ms] – Link-down notify address (IP address of the second router to which the device sends link-down notifications) You use this function when the virtual router consists of 2 VRRP routers. – Domain ID – Domain role To transfer the settings to the VRRP router interface table, click the Finish button. In the Routing > L3-Redundancy > VRRP > Configuration dialog, select the On radio button in the Operation frame. Then click the button. Editing an existing VRRP router instance In the Routing > L3-Redundancy > VRRP > Configuration dialog, highlight a row in the table and click the button to edit it. As an alternative, double-click a field in the table and edit the entry directly. Or right-click a field and select a value. Deleting a VRRP router instance In the Routing > L3-Redundancy > VRRP > Configuration dialog, highlight a row and click the button. [VRRP configuration (Wizard)] The Wizard window helps you to create a VRRP router instance. Prerequisites: Network routing is functioning correctly. On the interfaces used in the VRRP instance the IP addresses are specified. After closing the Wizard window, click the button to save your settings. [VRRP configuration (Wizard) – Create or select entry] Table Port Displays the router interface number to which the table entry relates. VRID Displays the Virtual Router IDentifier. RM GUI RSP Release 8.1 12/2019 459 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] IP address Displays the primary IP address of the router interface. You specify this address in the Routing > Interfaces > Configuration dialog. Netmask Displays the netmask of primary IP address. You specify this subnet mask in the Routing > Interfaces > Configuration dialog. Area under the table Port Specifies the router interface number to which the table entry relates. Possible values: <Available router interfaces> VRID Specifies the Virtual Router IDentifier. A virtual router uses 00-00-5E-00-01-XX as its MAC address. The value specified here replaces the last octet (XX) in the MAC address. Assign a unique value to every physical router within a virtual router instance. The device changes the effective priority value to 255 for a physical router with the same IP address as the virtual router. Possible values: 1..255 [VRRP configuration (Wizard) – Edit entry – VRRP] Operation Operation Enables/disables the VRRP redundancy in the device. Possible values: On The VRRP function is enabled. Off (default setting) The VRRP function is disabled. 460 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Information Port Displays the router interface number to which the table entry relates. VRID Displays the Virtual Router IDentifier. Configuration Base priority Specifies the priority of the virtual router. The value differs from Priority if tracked objects are down or the virtual router is the IP address owner. Possible values: 1..254 (default setting: 100) When you configure multiple VRRP routers in a single instance, distribute the priority values uniformly on the routers. For example, assign the priority value of 50 to the primary router, the value of 100 to the next router. Repeat the steps with the value 150, and so on. Priority Specifies the VRRP priority value. The router with the higher priority value takes over the master router role. If the virtual router IP address is the same as an IP address of a router interface, then the router is the “owner” of the IP address. If an IP address owner exists, then the VRRP function assigns the IP address owner the priority value 255 and declares the router as the master router. Possible values: 1..255 (default setting: 100) Disabling or removing an VRRP router, which is in the master role, forces the instance to send an advertisement with priority value 0. This lets the other backup routers know that the master is not participating. Sending a priority value 0 forces a new election. Preempt mode Activates/deactivates the preempt mode. This setting specifies whether this router, as a backup router, takes over the master router role when the master router has a lower VRRP priority. Possible values: marked (default setting) When you enable the Preempt mode, this router takes the master router role from a router with a lower VRRP priority without waiting for an election. unmarked When you disable the Preempt mode, this router assumes the role of a backup router and listens for master router advertisements. After the master down interval expires, without receiving advertisements from the master router, this router participates in the master router election process. RM GUI RSP Release 8.1 12/2019 461 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Advertisement interval [s] Specifies the interval between master router advertisements in seconds. Possible values: 1..255 (default setting: 1) Note: The longer the advertisement interval, the longer the time for which backup routers wait for a message from the master router before starting a new election process (master down interval). Also, specify the same value on every participant in a given virtual router instance. Ping answer Activates/deactivates the ping answer function in the device. You use the VRRP ping for connectivity analyses. The prerequisite for allowing the device to answer ping requests from the interfaces is that you activate the Send echo reply function globally. In the Routing > Global dialog, ICMP filter frame, mark the Send echo reply checkbox. Possible values: marked (default setting) The Ping answer function in the device is active. The device answers ICMP ping requests. unmarked The Ping answer function in the device is inactive. The device ignores ICMP ping requests. VRRP master candidate Primary virtual router IP address. Physical routers within a virtual router instance use the VRRP IP address to communication with themselves. If the virtual router IP address is the same as an IP address of a router interface, then the router is the “owner” of the IP address and the master router. Possible values: Valid IP address (default setting: 0.0.0.0) [VRRP configuration (Wizard) – Edit entry – HiVRRP ] Information Port Specifies the router interface number to which the table entry relates. Possible values: <Available router interfaces> 462 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] VRID Specifies the Virtual Router IDentifier. A virtual router uses 00-00-5E-00-01-XX as its MAC address. The value specified here replaces the last octet (XX) in the MAC address. Assign a unique value to every physical router within a virtual router instance. The device changes the effective priority value to 255 for a physical router with the same IP address as the virtual router. Possible values: 1..255 Configuration VRRP advert address Specifies the IP address to which the virtual router sends advertisements. Possible values: Valid IPv4 address (default setting: 224.0.0.18) VRRP advert interval [ms] Specifies the interval for sending out messages (advertisements) as the master router. The devices lets you specify up to 16 instances with advertisement intervals between 100 ms and 1000 ms. Possible values: 100..255000 (default setting: 1000) Link-down notify address Specifies the management IP address to which the virtual router sends notifications when changes occur within the virtual router. Possible values: Valid IP address (default setting: 0.0.0.0) Domain ID Specifies the virtual domain in which the router participates. VRRP domains bundle a set of VRRP instances together. The supervisor router sends advertisement packets. The members follow the supervisor. If the loss of a single instance within a domain is likely, then configure the device to send advertisements to the members. Possible values: 0..8 (default setting: 0) The value 0 means „no domain“. Domain role Specifies the role of this router in the virtual domain. RM GUI RSP Release 8.1 12/2019 463 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Possible values: none (default setting: 0) The router is currently not a domain member. member The router copies the behavior of the supervisor. supervisor The router determines the behavior of the domain. [VRRP configuration (Wizard) – Tracking] Current track entries Type Displays the type of the tracking object. Possible values: interface The device monitors the link status of its physical ports or of its link aggregation, LRE or VLAN router interface. ping The device monitors the route to a remote router or end device by means of periodic ping requests. logical The device monitors tracking objects logically linked to each other and thus enables complex monitoring tasks. Track ID Displays the identification number of the tracking object. Track name Displays the name of the tracking object made up of Type and Track ID. Assigned track entries Track name Displays the name of the tracking object to which the virtual router is linked. If the result for a tracking object is negative, then the VRRP instance reduces the priority of the virtual router. The tracking object is negative for example, if the monitored interface is inactive or the monitored router cannot be reached. 464 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Possible values: Name of the tracking object, made up of Type and Track ID. Logical trackers, which combine multiple trackers – No tracking object selected. You set up tracking objects in the Routing > Tracking > Configuration dialog. Decrement Specifies the value by which the VRRP instance reduces the priority of the virtual router when the monitoring result is negative. Possible values: 1..253 (default setting: 20) Note: If in the Routing > L3-Redundancy > VRRP > Configuration dialog the value in the Priority column is 255, then the virtual router is the owner of the IP address. In this case the priority of the virtual router remains unchanged. [VRRP configuration (Wizard) – Virtual IP addresses] The device lets you specify up to 8 virtual routers per router interface Each virtual router supports 1 address. Information IP address Displays the primary IP address of the router interface. Multinetting Additional IP address Displays the secondary IP addresses of the router interface. The device lets you specify 1 primary and 1 secondary multinetting addresses per router interface. Additional netmask Displays the subnet mask of the secondary IP addresses. RM GUI RSP Release 8.1 12/2019 465 Routing [ Routing > L3-Redundancy > VRRP > Configuration ] Virtual IP addresses IP address Displays the assigned IP address of the master router within a virtual router. Virtual IP addresses Specifies the virtual IP address to be assigned. To insert the IP address in the IP address table, click the Add button. 466 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Domains ] 6.12.1.2 VRRP Domains [ Routing > L3-Redundancy > VRRP > Domains ] HiVRRP provides various mechanisms to decrease the failover time or reduce the number of multicasts. In an HiVRRP domain, you combine multiple HiVRRP instances of a router into 1 administrative unit. You nominate 1 HiVRRP instance as the supervisor of the HiVRRP domain. This supervisor regulates the behavior of the HiVRRP instances in its domain. The router supports up to 8 domains. If you divide domain instances (members) among different physical router interfaces, then by default, the router monitors supervisor advertisements for interruptions. The checkbox Redundancy check per member is unmarked. You also have the option of monitoring the other data links within the domain for interruptions. If the supervisor is unresponsive, then the other members of the domain start sending HiVRRP messages. In the Redundancy check per member column, you enable the function for a selected domain. With this function, you allow every member of the domain to send HiVRRP messages when detecting data link interruptions. Note: If there is a low probability of a data link interruption, then select a long HiVRRP message interval to minimize the network load. Table Domain ID Displays the virtual domain in which the router participates. VRRP domains bundle a set of VRRP instances together. The supervisor router sends advertisement packets. The members follow the supervisor. If the loss of a single instance within a domain is likely, then configure the device to send advertisements to the members. Possible values: 0..8 (default setting: 0) The value 0 means „no domain“. Status Displays the status of the domain supervisor. Possible values: noError The routers supervisor function is active. supervisorDown The routers supervisor function is inactive. noSupervisor (default setting) The supervisor function is undefined. Supervisor port Displays the supervisor router interface for a VRRP instance. RM GUI RSP Release 8.1 12/2019 467 Routing [ Routing > L3-Redundancy > VRRP > Domains ] Possible values: Available ports Supervisor VRID Displays the VRID of the supervisor. Supervisor status Displays the status of the supervisor. Possible values: initialize VRRP is in the initialization phase. No master has been named yet. backup The router sees the possibility of becoming master. master The router is master. unknown no supervisor. Current priority Displays the current VRRP priority of the domain supervisor. Possible values: 1..255 Redundancy check per member Activates the function for the selected domain. Possible values: marked The device sends advertisement packets even when a virtual router is in the member role. unmarked (default setting) The supervisor of the domain only sends advertisement packets. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 468 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Statistics ] 6.12.1.3 VRRP Statistics [ Routing > L3-Redundancy > VRRP > Statistics ] This dialog displays the number of counters that count events relevant to the VRRP function. Information Checksum errors Displays the number of VRRP messages received with the wrong checksum. Version errors Displays the number of VRRP messages received with an unknown or unsupported version number. VRID errors Displays the number of VRRP messages received with an invalid Virtual Router IDentifier for this virtual router. Table Port Displays the router interface number to which the table entry relates. VRID Displays the Virtual Router IDentifier. Become master Displays the number of times that the device has taken the master role. This entry helps you to analyze the network. When this number is low, your network is relatively stable. Advertise received Displays the number of VRRP advertisements received. Advertise interval errors Displays the number of VRRP advertisements received by the router outside the advertisement interval. The value lets you determine if the routers have the same advertise interval specified across the virtual router instance. Authentication failures Displays the number of VRRP advertisements received with authentication errors. RM GUI RSP Release 8.1 12/2019 469 Routing [ Routing > L3-Redundancy > VRRP > Statistics ] IP TTL errors Displays the number of VRRP advertisements received with an IP TTL not equal to 255. Priority zero packets received Displays the number of VRRP advertisements received with priority 0. Priority zero packets sent Displays the number of VRRP advertisements that the device sent with priority 0. Invalid type packets received Displays the number of VRRP advertisements received with an invalid type. Address list errors Displays the number of VRRP advertisements received for which the address list does not match the address list configured locally for the virtual router. Invalid authentication type Displays the number of VRRP advertisements received with an invalid authentication type. Authentication type mismatch Displays the number of VRRP advertisements received with an incorrect authentication type. Packet length errors Displays the number of VRRP advertisements received with an incorrect packet length. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 470 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > L3-Redundancy > VRRP > Tracking ] 6.12.1.4 VRRP Tracking [ Routing > L3-Redundancy > VRRP > Tracking ] VRRP tracking lets you follow the operation of specific object and react to a change in the object status. The function is periodically notified about the tracked object and displays the changes in the table. The table displays the object statuses as either up, down or notReady. To enter a track object in the table, click the button. Table Port Displays the router interface number of the virtual router. VRID Displays the virtual router ID for this virtual router. Track name Displays the name of the tracking object to which the virtual router is linked. If the result for a tracking object is negative, then the VRRP instance reduces the priority of the virtual router. The tracking object is negative for example, if the monitored interface is inactive or the monitored router cannot be reached. Possible values: Name of the tracking object, made up of Type and Track ID. Logical trackers, which combine multiple trackers – No tracking object selected. You set up tracking objects in the Routing > Tracking > Configuration dialog. Decrement Specifies the value by which the VRRP instance reduces the priority of the virtual router when the monitoring result is negative. Possible values: 1..253 (default setting: 20) Note: If in the Routing > L3-Redundancy > VRRP > Configuration dialog the value in the Priority column is 255, then the virtual router is the owner of the IP address. In this case the priority of the virtual router remains unchanged. Status Displays the monitoring result of the tracking object. RM GUI RSP Release 8.1 12/2019 471 Routing [ Routing > NAT ] Possible values: notReady The tracking object is not operating. up The monitoring result is positive: – The link status is active. or – The remote router or end device is reachable. down The monitoring result is negative: – The link status is inactive. or – The remote router or end device is not reachable. A combination of the up and down trackers. Active Displays whether the monitoring of the tracking object is active or inactive. Possible values: active The monitoring of the tracking object is active. notReady The monitoring of the tracking object is inactive. You activate the monitoring in the Routing > Tracking > Configuration dialog, Active column. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Port VRID drop-down list, you select the interface and router ID of a virtual router that has been set up. In the Track name drop-down list, you select the tracking object with which the device links the virtual router. 6.13 NAT [ Routing > NAT ] The menu contains the following dialogs: 1:1 NAT 472 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > NAT > 1:1 NAT ] 6.13.1 1:1 NAT [ Routing > NAT > 1:1 NAT ] The 1:1 NAT function lets you establish communication links within a local network to devices that are located in other networks. The NAT router virtually “shifts” the devices into the public network. To do this, the NAT router replaces the virtual with the actual IP address in the data packet while sending it. A typical application is connecting some identically structured production cells with the same IP address to a server farm. To use the NAT function, set up a router interface for each network and turn on the routing function in the device. The 1:1 NAT function has the following restrictions: Only supports IPv4 unicasts. Only supports full-duplex mode. Only supported on ports operating with 100 Mbit/s . Note: If you enable the VRRP function and use the same VRID value on multiple VLAN router interfaces, then the 1:1 NAT function is ineffective on these VLAN router interfaces. Note: The NAT function is available for devices with an FPGA (hardware for extended functions). The product code indicates whether your device supports the NAT function. In order to use the functions, load the device software supporting NAT. The menu contains the following dialogs: 1:1 NAT Rule RM GUI RSP Release 8.1 12/2019 473 Routing [ Routing > NAT > 1:1 NAT > Rule ] 6.13.1.1 1:1 NAT Rule [ Routing > NAT > 1:1 NAT > Rule ] In this dialog, you generate, edit and activate the 1:1 NAT rules. The dialog also lets you specify a filter for FTP, ICMP error messages and a public interface. Configuration Application-level gateway Specifies the type of filter used in the application-level gateway for the 1:1 NAT rules. The device supports translation for the control and data protocols of the application-layer. Possible values: none The device does not translates IP addresses. ftp The device translates IP addresses present in the FTP header of the FTP control packets (TCP port 21). icmp The device translates IP addresses present in the ICMP header. ftp/icmp (default setting) The device translates IP addresses present in the FTP header of the FTP control packets and IP addresses present in the ICMP header. Public interface Specifies the public interface. The device applies the 1:1 NAT rules to packets which are addressed to the public interface or which are sent using the public interface. Information 1:1 NAT rules (max.) Displays how many rules can be configured in the device for the 1:1 NAT function. 1:1 NAT rules Displays the number of current 1:1 NAT rules specified in the device. Table Index Displays the index number to which the table entry relates. 474 RM GUI RSP Release 8.1 12/2019 Routing [ Routing > NAT > 1:1 NAT > Rule ] Possible values: 1..255 Rule name Displays the name of the 1:1 NAT rule. To change the name, click the relevant field. Possible values: Alphanumeric ASCII character string with 0..32 characters Destination address Specifies the destination address of the data packets to which the device applies the 1:1 NAT rule. The device sends data packets with this destination address to the destination address specified in the New destination address column. Possible values: Valid IPv4 address The device applies the 1:1 NAT rule only to data packets containing the destination address specified here. Valid IPv4 address and netmask in CIDR notation The device applies the 1:1 NAT rule only to data packets containing a destination address in the subnet specified here. New destination address Specifies the actual IP address of the destination device. The device sends data packets to the destination address specified here. Possible values: Valid IPv4 address The device replaces the destination address in the data packet with this new destination address. Valid IPv4 address and netmask in CIDR notation The device replaces the destination address in the data packet with a destination address in the subnet specified here. Active Activates/deactivates the 1:1 NAT rule. Possible values: marked The rule is active. unmarked (default setting) The rule is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 475 Diagnostics [ Diagnostics > Status Configuration ] 7 Diagnostics The menu contains the following dialogs: Status Configuration System Email Notification Syslog Ports LLDP SFlow Report 7.1 Status Configuration [ Diagnostics > Status Configuration ] The menu contains the following dialogs: Device Status Security Status Signal Contact MAC Notification Alarms (Traps) 476 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Device Status ] 7.1.1 Device Status [ Diagnostics > Status Configuration > Device Status ] The device status provides an overview of the overall condition of the device. Many process visualization systems record the device status for a device in order to present its condition in graphic form. The device displays its current status as error or ok in the Device status frame. The device determines this status from the individual monitoring results. The device displays detected faults in the Status tab and also in the Basic Settings > System dialog, Device Status frame. The dialog contains the following tabs: [Global] [Port] [Status] [Global] Device status Device status Displays the current status of the device. The device determines the status from the individual monitored parameters. Possible values: error The device displays this value to indicate a detected error in one of the monitored parameters. ok Traps Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the monitored functions. Possible values: marked The sending of SNMP traps is active. If the device detects a change in the monitored functions, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. RM GUI RSP Release 8.1 12/2019 477 Diagnostics [ Diagnostics > Status Configuration > Device Status ] Table Temperature Activates/deactivates the monitoring of the temperature in the device. Possible values: marked (default setting) Monitoring is active. If the temperature exceeds or falls below the specified limit, then in the Device status frame, the value changes to error. unmarked Monitoring is inactive. You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp. limit [°C] field and Lower temp. limit [°C] field. Ring redundancy Activates/deactivates the monitoring of the ring redundancy. Possible values: marked Monitoring is active. In the Device status frame, the value changes to error in the following situations: – The redundancy function becomes active (loss of redundancy reserve). – The device is a normal ring participant and detects an error in its settings. unmarked (default setting) Monitoring is inactive. Connection errors Activates/deactivates the monitoring of the link status of the port/interface. Possible values: marked Monitoring is active. If the link interrupts on a monitored port/interface, then in the Device status frame, the value changes to error. In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually. unmarked (default setting) Monitoring is inactive. External memory removal Activates/deactivates the monitoring of the active external memory. Possible values: marked Monitoring is active. If you remove the active external memory from the device, then in the Device status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. 478 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Device Status ] External memory not in sync Activates/deactivates the monitoring of the configuration profile in the device and in the external memory. Possible values: marked Monitoring is active. In the Device status frame, the value changes to error in the following situations: – The configuration profile only exists in the device. – The configuration profile in the device differs from the configuration profile in the external memory. unmarked (default setting) Monitoring is inactive. Power supply Activates/deactivates the monitoring of the power supply unit. Possible values: marked (default setting) Monitoring is active. If the device has a detected power supply fault, then in the Device status frame, the value changes to error. unmarked Monitoring is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Port] Table Port Displays the port number. Propagate connection error Activates/deactivates the monitoring of the link on the port/interface. RM GUI RSP Release 8.1 12/2019 479 Diagnostics [ Diagnostics > Status Configuration > Device Status ] Possible values: marked Monitoring is active. If the link on the selected port/interface is interrupted, then in the Device status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. This setting takes effect when you mark the Connection errors checkbox in the Global tab. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Status] Table Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM. Cause Displays the event which caused the SNMP trap. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 480 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Security Status ] 7.1.2 Security Status [ Diagnostics > Status Configuration > Security Status ] This dialog gives you an overview of the status of the safety-relevant settings in the device. The device displays its current status as error or ok in the Security status frame. The device determines this status from the individual monitoring results. The device displays detected faults in the Status tab and also in the Basic Settings > System dialog, Security status frame. The dialog contains the following tabs: [Global] [Port] [Status] [Global] Security status Security status Displays the current status of the security-relevant settings in the device. The device determines the status from the individual monitored parameters. Possible values: error The device displays this value to indicate a detected error in one of the monitored parameters. ok Traps Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the monitored functions. Possible values: marked The sending of SNMP traps is active. If the device detects a change in the monitored functions, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. RM GUI RSP Release 8.1 12/2019 481 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Table Password default settings unchanged Activates/deactivates the monitoring of the password for the locally set up user accounts user and admin. Possible values: marked (default setting) Monitoring is active. If the password is set to the default setting for the user or admin user accounts, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You set the password in the Device Security > User Management dialog. Min. password length < 8 Activates/deactivates the monitoring of the Min. password length policy. Possible values: marked (default setting) Monitoring is active. If the value for the Min. password length policy is less than 8, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You specify the Min. password length policy in the Device Security > User Management dialog in the Configuration frame. Password policy settings deactivated Activates/deactivates the monitoring of the Password policies settings. Possible values: marked (default setting) Monitoring is active. If the value for at least one of the following policies is less than 1, then in the Security status frame, the value changes to error. – Upper-case characters (min.) – Lower-case characters (min.) – Digits (min.) – Special characters (min.) unmarked Monitoring is inactive. You specify the policy settings in the Device Security > User Management dialog in the Password policy frame. User account password policy check deactivated Activates/deactivates the monitoring of the Policy check function. 482 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Possible values: marked Monitoring is active. If the Policy check function is inactive for at least 1 user account, then in the Security status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. You activate the Policy check function in the Device Security > User Management dialog. Telnet server active Activates/deactivates the monitoring of the Telnet server. Possible values: marked (default setting) Monitoring is active. If you enable the Telnet server, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the Telnet server in the Device Security > Management Access > Server dialog, Telnet tab. HTTP server active Activates/deactivates the monitoring of the HTTP server. Possible values: marked (default setting) Monitoring is active. If you enable the HTTP server, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the HTTP server in the Device Security > Management Access > Server dialog, HTTP tab. SNMP unencrypted Activates/deactivates the monitoring of the SNMP server. RM GUI RSP Release 8.1 12/2019 483 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Possible values: marked (default setting) Monitoring is active. If at least one of the following conditions applies, then in the Security status frame, the value changes to error: – The SNMPv1 function is enabled. – The SNMPv2 function is enabled. – The encryption for SNMPv3 is disabled. You enable the encryption in the Device Security > User Management dialog, in the SNMP encryption type column. unmarked Monitoring is inactive. You specify the settings for the SNMP agent in the Device Security > Management Access > Server dialog, SNMP tab. Access to system monitor with serial interface possible Activates/deactivates the monitoring of the system monitor. When the system monitor is activated, the user has the possibility to change to the system monitor via a serial connection. Possible values: marked Monitoring is active. If you activate the system monitor, then in the Security status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. You activate/deactivate the system monitor in the Diagnostics > System > Selftest dialog. Saving the configuration profile on the external memory possible Activates/deactivates the monitoring of the configuration profile in the external memory. Possible values: marked Monitoring is active. If you activate the saving of the configuration profile in the external memory, then in the Security status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. You activate/deactivate the saving of the configuration profile in the external memory in the Basic Settings > External Memory dialog. Load unencrypted config from external memory Activates/deactivates the monitoring of loading unencrypted configuration profiles from the external memory. 484 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Possible values: marked (default setting) Monitoring is active. If the settings allow the device to load an unencrypted configuration profile from the external memory, then in the Security status frame, the value changes to error. If the following preconditions are fulfilled, then the Security status frame in the Basic Settings > System dialog, displays an alarm. – The configuration profile stored in the external memory is unencrypted. and – The Config priority column in the Basic Settings > External Memory dialog has the value first. unmarked Monitoring is inactive. Link interrupted on enabled device ports Activates/deactivates the monitoring of the link on the active ports. Possible values: marked Monitoring is active. If the link interrupts on an active port, then in the Security status frame, the value changes to error. In the Port tab, you have the option of selecting the ports to be monitored individually. unmarked (default setting) Monitoring is inactive. Access with HiDiscovery possible Activates/deactivates the monitoring of the HiDiscovery function. Possible values: marked (default setting) Monitoring is active. If you enable the HiDiscovery function, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the HiDiscovery function in the Basic Settings > Network dialog. IEC61850-MMS active Activates/deactivates the monitoring of the IEC61850-MMS function. Possible values: marked (default setting) Monitoring is active. If you enable the IEC61850-MMS function, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the IEC61850-MMS function in the Industrial Protocols > IEC61850-MMS dialog, Operation frame. RM GUI RSP Release 8.1 12/2019 485 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Modbus TCP active Activates/deactivates the monitoring of the Modbus TCP function. Possible values: marked (default setting) Monitoring is active. If you enable the Modbus TCP function, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the Modbus TCP function in the Advanced > Industrial Protocols > Modbus TCP dialog, Operation frame. EtherNet/IP active Activates/deactivates the monitoring of the EtherNet/IP function. Possible values: marked (default setting) Monitoring is active. If you enable the EtherNet/IP function, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the EtherNet/IP function in the Advanced > Industrial Protocols > EtherNet/IP dialog, Operation frame. PROFINET active Activates/deactivates the monitoring of the PROFINET function. Possible values: marked (default setting) Monitoring is active. If you enable the PROFINET function, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. You enable/disable the PROFINET function in the Advanced > Industrial Protocols > PROFINET dialog, Operation frame. Self-signed HTTPS certificate present Activates/deactivates the monitoring of the HTTPS certificate. Possible values: marked (default setting) Monitoring is active. If the HTTPS server uses a self-created digital certificate, then in the Security status frame, the value changes to error. unmarked Monitoring is inactive. 486 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Security Status ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Port] Table Port Displays the port number. Link interrupted on enabled device ports Activates/deactivates the monitoring of the link on the active ports. Possible values: marked Monitoring is active. If the port is enabled (Basic Settings > Port dialog, Configuration tab, Port on checkbox is marked) and the link is down on the port, then in the Security status frame, the value changes to error. unmarked (default setting) Monitoring is inactive. This setting takes effect when you mark the Link interrupted on enabled device ports checkbox in the Diagnostics > Status Configuration > Security Status dialog, Global tab. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Status] Table Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM. Cause Displays the event which caused the SNMP trap. RM GUI RSP Release 8.1 12/2019 487 Diagnostics [ Diagnostics > Status Configuration > Signal Contact ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. 7.1.3 Signal Contact [ Diagnostics > Status Configuration > Signal Contact ] The signal contact is a potential-free relay contact. The device thus lets you perform remote diagnosis. The device uses the relay contact to signal the occurrence of events by opening the relay contact and interrupting the closed circuit. Note: The device can contain several signal contacts. Each contact contains the same monitoring functions. Several contacts allow you to group various functions together providing flexibility in system monitoring. The menu contains the following dialogs: Signal Contact 1 / Signal Contact 2 488 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ] 7.1.3.1 Signal Contact 1 / Signal Contact 2 [ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ] In this dialog you specify the trigger conditions for the signal contact. The signal contact gives you the following options: Monitoring the correct operation of the device. Signaling the device status of the device. Signaling the security status of the device. Controlling external devices by manually setting the signal contacts. The device displays detected faults in the Status tab and also in the Basic Settings > System dialog, Signal contact status frame. The dialog contains the following tabs: [Global] [Port] [Status] [Global] Configuration Mode Specifies which events the signal contact indicates. Possible values: Manual setting (default setting for Signal Contact 2, if present) You use this setting to manually open or close the signal contact, for example to turn on or off a remote device. See the Contact option list. Monitoring correct operation (default setting) Using this setting the signal contact indicates the status of the parameters specified in the table below. Device status Using this setting the signal contact indicates the status of the parameters monitored in the Diagnostics > Status Configuration > Device Status dialog. In addition, you can read the status in the Signal contact status frame. Security status Using this setting the signal contact indicates the status of the parameters monitored in the Diagnostics > Status Configuration > Security Status dialog. In addition, you can read the status in the Signal contact status frame. Device/Security status Using this setting the signal contact indicates the status of the parameters monitored in the Diagnostics > Status Configuration > Device Status and the Diagnostics > Status Configuration > Security Status dialog. In addition, you can read the status in the Signal contact status frame. Contact Toggles the signal contact manually. The prerequisite is that you select in the Mode drop-down list the value Manual setting. RM GUI RSP Release 8.1 12/2019 489 Diagnostics [ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ] Possible values: open The signal contact is opened. close The signal contact is closed. Signal contact status Signal contact status Displays the current status of the signal contact. Possible values: Opened (error) The signal contact is opened. The circuit is interrupted. Closed (ok) The signal contact is closed. The circuit is closed. Trap configuration Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the monitored functions. Possible values: marked The sending of SNMP traps is active. If the device detects a change in the monitored functions, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Monitoring correct operation In the table you specify the parameters that the device monitors. The device signals the occurrence of an event by opening the signal contact. Temperature Activates/deactivates the monitoring of the temperature in the device. 490 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ] Possible values: marked (default setting) Monitoring is active. If the temperature exceeds / falls below the threshold values, then the signal contact opens. unmarked Monitoring is inactive. You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp. limit [°C] field and Lower temp. limit [°C] field. Ring redundancy Activates/deactivates the monitoring of the ring redundancy. Possible values: marked Monitoring is active. The signal contact opens in the following situations: – The redundancy function becomes active (loss of redundancy reserve). – The device is a normal ring participant and detects an error in its settings. unmarked (default setting) Monitoring is inactive. Connection errors Activates/deactivates the monitoring of the link status of the port/interface. Possible values: marked Monitoring is active. If the link interrupts on a monitored port/interface, then the signal contact opens. In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually. unmarked (default setting) Monitoring is inactive. External memory removed Activates/deactivates the monitoring of the active external memory. Possible values: marked Monitoring is active. If you remove the active external memory from the device, then the signal contact opens. unmarked (default setting) Monitoring is inactive. External memory not in sync with NVM Activates/deactivates the monitoring of the configuration profile in the device and in the external memory. RM GUI RSP Release 8.1 12/2019 491 Diagnostics [ Diagnostics > Status Configuration > Signal Contact > Signal Contact 1 ] Possible values: marked Monitoring is active. The signal contact opens in the following situations: – The configuration profile only exists in the device. – The configuration profile in the device differs from the configuration profile in the external memory. unmarked (default setting) Monitoring is inactive. Power supply Activates/deactivates the monitoring of the power supply unit. Possible values: marked (default setting) Monitoring is active. If the device has a detected power supply fault, then the signal contact opens. unmarked Monitoring is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Port] Table Port Displays the port number. Propagate connection error Activates/deactivates the monitoring of the link on the port/interface. Possible values: marked Monitoring is active. If the link interrupts on the selected port/interface, then the signal contact opens. unmarked (default setting) Monitoring is inactive. This setting takes effect when you mark the Connection errors checkbox in the Global tab. 492 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > MAC Notification ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Status] Table Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM. Cause Displays the event which caused the SNMP trap. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 7.1.4 MAC Notification [ Diagnostics > Status Configuration > MAC Notification ] The device lets you track changes in the network using the MAC address of the devices in the network. The device saves the combination of port and MAC address in its MAC address table. If the device (un)learns the MAC address of a (dis)connected device, then the device sends an SNMP trap. This function is intended for ports to which you connect end devices and thus the MAC address changes infrequently. Operation Operation Enables/disables the MAC Notification function in the device. Possible values: On The MAC Notification function is enabled. Off (default setting) The MAC Notification function is disabled. RM GUI RSP Release 8.1 12/2019 493 Diagnostics [ Diagnostics > Status Configuration > MAC Notification ] Configuration Interval [s] Specifies the send interval in seconds. If the device (un)learns the MAC address of a (dis)connected device, then the device sends an SNMP trap after this time. Possible values: 0..2147483647 (default setting: 30) Before sending an SNMP trap, the device registers up to 20 MAC addresses. If the device detects a high number of changes, then the device sends the SNMP trap before the send interval expires. Table Port Displays the port number. Active Activates/deactivates the MAC Notification function on the port. Possible values: marked The MAC Notification function is active on the port. The device sends an SNMP trap in case of one of the following events: – The device learns the MAC address of a newly connected device. – The device unlearns the MAC address of a disconnected device. unmarked (default setting) The MAC Notification function is inactive on the port. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Last MAC address Displays the MAC address of the device last connected on or disconnected from the port. The device detects the MAC addresses of devices which are connected as follows: • directly connected to the port • connected to the port through other devices in the network Last MAC status Displays the status of the Last MAC address value on this port. 494 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > MAC Notification ] Possible values: added The device detected that another device was connected at the port. removed The device detected that the connected device was removed from the port. other The device did not detect a status. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 495 Diagnostics [ Diagnostics > Status Configuration > Alarms (Traps) ] 7.1.5 Alarms (Traps) [ Diagnostics > Status Configuration > Alarms (Traps) ] The device lets you send an SNMP trap as a reaction to specific events. In this dialog, you specify the trap destinations to which the device sends the SNMP traps. The events for which the device triggers an SNMP trap, you specify, for example, in the following dialogs: in the Diagnostics > Status Configuration > Device Status dialog in the Diagnostics > Status Configuration > Security Status dialog in the Diagnostics > Status Configuration > MAC Notification dialog When loopback interfaces are set up, the device uses the IP address of the 1st loopback interface as the source of the SNMP traps. Otherwise, the device uses the address of the device management. Operation Operation Enables/disables the sending of SNMP traps to the trap destinations. Possible values: On (default setting) The sending of SNMP traps is enabled. Off The sending of SNMP traps is disabled. Table Name Specifies the name of the trap destination. Possible values: Alphanumeric ASCII character string with 1..32 characters Address Specifies the IP address and the port number of the trap destination. Possible values: <Valid IPv4 address>:<port number> Active Activates/deactivates the sending of SNMP traps to this trap destination. 496 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Status Configuration > Alarms (Traps) ] Possible values: marked (default setting) The sending of SNMP traps to this trap destination is active. unmarked The sending of SNMP traps to this trap destination is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Opens the Create window to add a new entry to the table. In the Name field you specify a name for the trap destination. In the Address field you specify the IP address and the port number of the trap destination. If you choose not to enter a port number, then the device automatically adds the port number 162. RM GUI RSP Release 8.1 12/2019 497 Diagnostics [ Diagnostics > System ] 7.2 System [ Diagnostics > System ] The menu contains the following dialogs: System Information Hardware State Configuration Check IP Address Conflict Detection ARP Selftest 498 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > System Information ] 7.2.1 System Information [ Diagnostics > System > System Information ] This dialog displays the current operating condition of individual components in the device. The displayed values are a snapshot; they represent the operating condition at the time the dialog was loaded to the page. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Save system information Opens the HTML page in a new web browser window or tab. You can save the HTML page on your PC using the appropriate web bowser command. RM GUI RSP Release 8.1 12/2019 499 Diagnostics [ Diagnostics > System > Hardware State ] 7.2.2 Hardware State [ Diagnostics > System > Hardware State ] This dialog provides information about the distribution and state of the flash memory of the device. Information Uptime Displays the total operating time of the device since it was delivered. Possible values: ..d ..h ..m ..s Day(s) Hour(s) Minute(s) Second(s) Table Flash region Displays the name of the respective memory area. Description Displays a description of what the device uses the memory area for. Flash sectors Displays how many sectors are assigned to the memory area. Sector erase operations Displays how many times the device has overwritten the sectors of the memory area. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 500 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > Configuration Check ] 7.2.3 Configuration Check [ Diagnostics > System > Configuration Check ] The device lets you compare the settings in the device with the settings in its neighboring devices. For this purpose, the device uses the information that it received from its neighboring devices through topology recognition (LLDP). The dialog lists the deviations detected, which affect the performance of the communication between the device and the recognized neighboring devices. You update the content of the table by clicking the button. When the table remains empty, the configuration check was successful and the settings in the device are compatible with the settings in the detected neighboring devices. If you have set up more than 39 VLANs in the device, then the dialog constantly displays a warning. The reason is the limited number of possible VLAN data sets in LLDP packets with a maximum length. The device compares the first 39 VLANs automatically. If you have set up 40 or more VLANs in the device, then check the congruence of the further VLANs manually, if necessary. Note: A neighboring device without LLDP support, which forwards LLDP packets, can be the cause of equivocal messages in the dialog. This occurs if the neighboring device is a hub or a switch without management, which ignores the IEEE 802.1D-2004 standard. In this case, the dialog displays the devices recognized and connected to the neighboring device as connected to the device itself, even though they are connected to the neighboring device. Summary You also find this information when you position the mouse pointer over the Toolbar in the top part of the Navigation area. button in the Error Displays the number of errors that the device detected during the configuration check. Warning Displays the number of warnings that the device detected during the configuration check. Information Displays the amount of information that the device detected during the configuration check. Table When you highlight a row in the table, the device displays additional information in the area beneath it. ID Displays the rule ID of the deviations having occurred. The dialog combines several deviations with the same rule ID under one rule ID. RM GUI RSP Release 8.1 12/2019 501 Diagnostics [ Diagnostics > System > Configuration Check ] Level Displays the level of deviation between the settings in this device and the settings in the detected neighboring devices. The device differentiates between the following access statuses: INFORMATION The performance of the communication between the two devices is not impaired. WARNING The performance of the communication between the two devices is possibly impaired. ERROR The communication between the two devices is impaired. Message Displays the information, warnings and errors having occurred more precisely. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 502 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > IP Address Conflict Detection ] 7.2.4 IP Address Conflict Detection [ Diagnostics > System > IP Address Conflict Detection ] Using the IP Address Conflict Detection function the device verifies that its IP address is unique in the network. For this purpose, the device analyzes received ARP packets. In this dialog you specify the procedure with which the device detects address conflicts and specify the required settings for this. The device displays detected address conflicts in the table in the Management tab. When the device detects an address conflicts on its router interfaces, the device displays the most recent address conflict in the Routing tab. When the device detects an address conflict, the status LED of the device flashes red 4 times. The dialog contains the following tabs: [Management] [Routing] [Management] Operation Operation Enables/disables the IP Address Conflict Detection function. Possible values: On (default setting) The IP Address Conflict Detection function is enabled. The device verifies that its IP address is unique in the network. Off The IP Address Conflict Detection function is disabled. Configuration Detection mode Specifies the procedure with which the device detects address conflicts. RM GUI RSP Release 8.1 12/2019 503 Diagnostics [ Diagnostics > System > IP Address Conflict Detection ] Possible values: active and passive (default setting) The device uses active and passive address conflict detection. active Active address conflict detection. The device actively helps avoid communicating with an IP address that already exists in the network. The address conflict detection begins as soon as you connect the device to the network or change its IP parameters. – The device sends 4 ARP probe data packets at the interval specified in the Detection delay [ms] field. If the device receives a response to these data packets, then there is an address conflict. – If the device does not detect an address conflict, then it sends 2 gratuitous ARP data packets as an announcement. The device also sends these data packets when the address conflict detection is disabled. – If the IP address already exists in the network, then the device changes back to the previously used IP parameters (if possible). If the device receives its IP parameters from a DHCP server, then it sends a DHCPDECLINE message back to the DHCP server. – After the period specified in the Release delay [s] field, the device checks if the address conflict still exists. When the device detects 10 address conflicts one after the other, the device extends the waiting time to 60 s for the next check. – When the device resolves the address conflict, the device management returns to the network again. passive Passive address conflict detection. The device analyzes the data traffic in the network. If another device in the network is using the same IP address, then the device initially “defends” its IP address. The device stops sending if the other device keeps sending with the same IP address. – As a “defence” the device sends gratuitous ARP data packets. The device repeats this procedure for the number of times specified in the Address protections field. – If the other device continues sending with the same IP address, then after the period specified in the Release delay [s] field, the device periodically checks if the address conflict still exists. – When the device resolves the address conflict, the device management returns to the network again. Send periodic ARP probes Activates/deactivates the periodic address conflict detection. Possible values: marked (default setting) The periodic address conflict detection is active. – The device periodically sends an ARP probe data packet every 90 to 150 seconds and waits for the time specified in the Detection delay [ms] field for a response. – If the device detects an address conflict, then the device applies the passive detection mode function. If the Send trap function is active, then the device sends an SNMP trap. unmarked The periodic address conflict detection is inactive. Detection delay [ms] Specifies the period in milliseconds for which the device waits for a response after sending a ARP data packets. Possible values: 20..500 (default setting: 200) 504 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > IP Address Conflict Detection ] Release delay [s] Specifies the period in seconds after which the device checks again whether the address conflict still exists. Possible values: 3..3600 (default setting: 15) Address protections Specifies how many times the device sends gratuitous ARP data packets in the passive detection mode to “defend” its IP address. Possible values: 0..100 (default setting: 3) Protection interval [ms] Specifies the period in milliseconds after which the device sends gratuitous ARP data packets again in the passive detection mode to “defend” its IP address. Possible values: 20..5000 (default setting: 200) Send trap Activates/deactivates the sending of SNMP traps when the device detects address conflicts. Possible values: marked The sending of SNMP traps is active. If the device detects an address conflict, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is inactive. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Information Conflict detected Displays whether an address conflict currently exists. Possible values: marked The device detects an address conflict. unmarked The device does not detect an address conflict. RM GUI RSP Release 8.1 12/2019 505 Diagnostics [ Diagnostics > System > IP Address Conflict Detection ] Table Timestamp Displays the time at which the device detected an address conflict. Port Displays the number of the port on which the device detected the address conflict. IP address Displays the IP address that is causing the address conflict. MAC address Displays the MAC address of the device with which the address conflict exists. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Routing] Configuration Send trap Activates/deactivates the sending of SNMP traps if address conflicts are detected. Possible values: marked If the device detects an address conflict, then the device sends an SNMP trap. unmarked (default setting) The sending of SNMP traps is deactivated. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Information The device continues to display the information in this frame, even if the last address conflict that the device has detected is no longer present. To reset the values, click the Reset routing statistics item. button and then the IP address conflict detected Displays whether the device has detected an address conflict. 506 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > IP Address Conflict Detection ] Possible values: marked The device has detected an address conflict. unmarked The device has not detected an address conflict. IP address Displays the IP address that has caused the address conflict. MAC address Displays the MAC address of the device that has caused the address conflict. Time since last conflict Displays the time that has elapsed since the device has detected the address conflict. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset routing statistics Resets the values in the Information frame. Run routing conflict detection Starts the detection on its router interfaces. The device sends a broadcast on the router interfaces. The device then analyzes the received ARP packets. RM GUI RSP Release 8.1 12/2019 507 Diagnostics [ Diagnostics > System > ARP ] 7.2.5 ARP [ Diagnostics > System > ARP ] This dialog displays the MAC and IP addresses of the neighboring devices connected to the device management. Table Port Displays the port number. IP address Displays the IP address of a device that responded to an ARP query to this device. MAC address Displays the MAC address of a device that responded to an ARP query to this device. Last updated Displays the time in seconds since the current settings of the entry were registered in the ARP table. Type Displays the type of the ARP entry. Possible values: static Static ARP entry. When the ARP table is deleted, the device keeps the ARP entry. dynamic Dynamic ARP entry. When the Aging time [s] has been exceeded and the device does not receive any data from this device during this time, the device deletes the ARP entry. local IP and MAC address of the device management. Active Displays that the ARP table contains the IP/MAC address assignment as an active entry. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset ARP table Removes the dynamically set up addresses from the ARP table. 508 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > System > Selftest ] 7.2.6 Selftest [ Diagnostics > System > Selftest ] This dialog lets you do the following: Activate/deactivate the RAM test when the device is being started. Enable/disable the option of entering the system monitor upon the system start. Specify how the device behaves in the case of an error. Configuration If the device does not detect any readable configuration profile when restarting, then the following settings block your access to the device permanently. SysMon1 is available checkbox is unmarked. Load default config on error checkbox is unmarked. This is the case, for example, if the password of the configuration profile that you are loading differs from the password set in the device. To have the device unlocked again, contact your sales partner. RAM test Activates/deactivates the RAM memory check during the restart. Possible values: marked (default setting) The RAM memory check is activated. During the restart, the device checks the RAM memory. unmarked The RAM memory check is deactivated. This shortens the start time for the device. SysMon1 is available Activates/deactivates the access to the system monitor during the restart. Possible values: marked (default setting) The device lets you open the system monitor during the restart. unmarked The device starts without the option of opening to the system monitor. Among other things, the system monitor lets you update the device software and to delete saved configuration profiles. Load default config on error Activates/deactivates the loading of the default settings if the device does not detect any readable configuration profile when restarting. RM GUI RSP Release 8.1 12/2019 509 Diagnostics [ Diagnostics > System > Selftest ] Possible values: marked (default setting) The device loads the default settings. unmarked The device interrupts the restart and stops. The access to the device management is possible only using the Command Line Interface through the serial interface. To regain the access to the device through the network, open the system monitor and reset the settings. Upon restart, the device loads the default settings. Table In this table you specify how the device behaves in the case of an error. Cause Error causes to which the device reacts. Possible values: task The device detects errors in the applications executed, for example if a task terminates or is not available. resource The device detects errors in the resources available, for example if the memory is becoming scarce. software The device detects software errors, for example error in the consistency check. hardware The device detects hardware errors, for example in the chip set. Action Specifies how the device behaves if the adjacent event occurs. Possible values: reboot (default setting) The device triggers a restart. logOnly The device registers the detected error in the log file. See the Diagnostics > Report > System Log dialog. sendTrap The device sends an SNMP trap. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 510 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Email Notification ] 7.3 Email Notification [ Diagnostics > Email Notification ] The device lets you inform multiple recipients by email about events that have occurred. The device sends the emails immediately or periodically depending on the event severity. Usually you specify events with a high severity to be sent immediately. You can specify multiple recipients to which the device sends the emails either immediately or periodically. The menu contains the following dialogs: Email Notification Global Email Notification Recipients Email Notification Mail Server RM GUI RSP Release 8.1 12/2019 511 Diagnostics [ Diagnostics > Email Notification > Global ] 7.3.1 Email Notification Global [ Diagnostics > Email Notification > Global ] In this dialog, you specify the sender settings. Also, you specify for which event severities the device sends the emails immediately and for which periodically. Operation Operation Enables/disables the sending of emails: Possible values: On The sending of emails is enabled. Off (default setting) The sending of emails is disabled. Certificate The device can send messages to a server over unsecured networks. To help deny a “man in the middle” attack, request that the Certificate Authority creates a certificate for the server. Configure the server to use the certificate. Transfer the certificate onto the device. If you specify the settings for the mail servers, then use the IP address or DNS name provided as Common Name or Subject Alternative Name in the certificate. Otherwise the certificate validation will fail. URL Specifies the path and file name of the certificate. The device accepts certificates with the following properties: • X.509 format • .PEM file name extension • Base64-coded, enclosed by -----BEGIN CERTIFICATE----and -----END CERTIFICATE----For security reason, we recommend to constantly use a certificate which is signed by a certification authority. The device gives you the following options for copying the certificate to the device: Import from the PC When the certificate is located on your PC or on a network drive, drag and drop the certificate in the area. Alternatively click in the area to select the certificate. Import from an FTP server When the certificate is on a FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<path>/<file name> 512 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Email Notification > Global ] Import from a TFTP server When the certificate is on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the certificate is on an SCP or SFTP server, you specify the URL for the file in the following form: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Start Copies the certificate specified in the URL field to the device. Sender Address Specifies the email address of the device. The device sends the emails using this email address as the sender. Possible values: Alphanumeric ASCII character string with 0..255 characters (default setting: [email protected]) Notification immediate Here you specify the settings for emails which the device sends immediately. Severity Specifies the minimum severity of events for which the device immediately sends an email. If an event of this severity occurs, or of a more urgent severity, then the device sends an email to the recipients. Possible values: emergency alert (default setting) critical error warning notice informational debug Subject Specifies the subject of the email. RM GUI RSP Release 8.1 12/2019 513 Diagnostics [ Diagnostics > Email Notification > Global ] Possible values: Alphanumeric ASCII character string with 0..255 characters Notification periodic Here you specify the settings for emails which the device sends periodically. Severity Specifies the minimum severity of events for which the device periodically sends an email. If an event of this severity occurs, or of a more urgent severity, then the device registers the event in the buffer. The device sends the buffer content periodically or when the buffer overflows. If an event of a less urgent severity occurs, then the device does not register the event in the buffer. Possible values: emergency alert critical error warning (default setting) notice informational debug Subject Specifies the subject of the email. Possible values: Alphanumeric ASCII character string with 0..255 characters Sending interval [min] Specifies the send interval in minutes. If the device has registered at least 1 event, then the device sends an email with the log file after the time expires. Possible values: 30..1440 (default setting: 30) Send Sends an email immediately with the buffer content and clears the buffer. 514 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Email Notification > Global ] Information Sent messages Displays how many times the device has successfully sent an email to the mail server. Undeliverable messages Displays how many times the device has unsuccessfully tried to send an email to the mail server. Time of the last messages sent Displays the date and time at which the device has last sent an email to the mail server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Clear email notification statistics Resets the counters in the Information frame to 0. Meaning of the event severities Severity Meaning emergency Device not ready for operation critical Critical status warning Warning alert Immediate user intervention required error Error status notice Significant, normal status debug Debug message informational Informal message RM GUI RSP Release 8.1 12/2019 515 Diagnostics [ Diagnostics > Email Notification > Recipients ] 7.3.2 Email Notification Recipients [ Diagnostics > Email Notification > Recipients ] In this dialog, you specify the recipients to which the device sends the emails. The device lets you specify up to 10 recipients. Table Index Displays the index number to which the table entry relates. Notification type Specifies whether the device sends the emails to this recipient immediately or periodically. Possible values: immediate The device sends the emails to this recipient immediately. periodic The device sends the emails to this recipient periodically. Address Specifies the email address of the recipient. Possible values: Valid email address with up to 255 characters Active Activates/deactivates the informing of the recipient. Possible values: marked (default setting) The informing of the recipient is active. unmarked The informing of the recipient is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 516 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Email Notification > Mail Server ] 7.3.3 Email Notification Mail Server [ Diagnostics > Email Notification > Mail Server ] In this dialog, you specify the settings for the mail servers. The device supports encrypted and unencrypted connections to the mail server. Table Index Displays the index number to which the table entry relates. Description Specifies the name of the server. Possible values: Alphanumeric ASCII character string with 0..255 characters IP address Specifies the IP address or the DNS name of the server. Possible values: Valid IPv4 address (default setting: 0.0.0.0) DNS name in the format domain.tld or host.domain.tld If you specify a DNS name, then also enable the Client function in the Advanced > DNS > Client > Global dialog. If you establish encrypted connections using the certificate, then verify that the DNS name is equal to the server DNS name mentioned in the certificate. Destination TCP port Specifies the TCP port of the server. Possible values: 1..65535 (default setting: 25) Exception: Port 2222 is reserved for internal functions. Frequently used TCP-Ports: • SMTP 25 • Message Submission 587 Encryption Specifies the protocol which encrypts the connection between the device and the mail server. Possible values: none (default setting) The device establishes an an unencrypted connection to the server. tlsv1 The device establishes an encrypted connection to the server using the startTLS extension. RM GUI RSP Release 8.1 12/2019 517 Diagnostics [ Diagnostics > Email Notification > Mail Server ] User name Specifies the user name of the account which the device uses to authenticate on the mail server. Possible values: Alphanumeric ASCII character string with 0..255 characters Password Specifies the password of the account which the device uses to authenticate on the mail server. Possible values: Alphanumeric ASCII character string with 0..255 characters Timeout [s] Specifies the time in seconds after which the device sends an email again. The prerequisite is that the device has failed to send the complete email due to a connection error. Possible values: 1..15 (default setting: 3) Active Activates/deactivates the use of the mail server. Possible values: marked The mail server is active. The device sends emails to this mail server. unmarked (default setting) The mail server is inactive. The device does not send emails to this mail server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Connection test Opens the Connection test dialog to send a test email. If the mail server settings are correct, then the selected recipients receive a test email. In the Recipient field, you specify to which recipients the device sends the test email: – immediate The device sends the test email to the recipients to which the device sends emails immediately. – periodic The device sends the test email to the recipients to which the device sends emails periodically. In the Message text field, you specify the text of the test email. 518 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Syslog ] 7.4 Syslog [ Diagnostics > Syslog ] The device lets you report selected events, independent of the severity of the event, to different syslog servers. In this dialog, you specify the settings for this function and manage up to 8 syslog servers. Operation Operation Enables/disables the sending of events to the syslog servers. Possible values: On The sending of events is enabled. The device sends the events specified in the table to the specified syslog servers. Off (default setting) The sending of events is disabled. Certificate The device can send messages to a server over unsecured networks. To help deny a “man in the middle” attack, request that the Certificate Authority creates a certificate for the server. Configure the server to use the certificate. Transfer the certificate onto the device. If you specify the parameters on the server, then verify that you specify the IP address and DNS name provided in the certificate as the Common Name or Subject Alternative Name. Otherwise the certificate validation will fail. Note: In order for the changes to take effect after loading a new certificate, restart the Syslog function. URL Specifies the path and file name of the certificate. The device accepts certificates with the following properties: • X.509 format • .PEM file name extension • Base64-coded, enclosed by -----BEGIN CERTIFICATE----and -----END CERTIFICATE----For security reason, we recommend to constantly use a certificate which is signed by a certification authority. RM GUI RSP Release 8.1 12/2019 519 Diagnostics [ Diagnostics > Syslog ] The device gives you the following options for copying the certificate to the device: Import from the PC When the certificate is located on your PC or on a network drive, drag and drop the certificate in the area. Alternatively click in the area to select the certificate. Import from an FTP server When the certificate is on a FTP server, specify the URL for the file in the following form: ftp://<user>:<password>@<IP address>:<port>/<path>/<file name> Import from a TFTP server When the certificate is on a TFTP server, specify the URL for the file in the following form: tftp://<IP address>/<path>/<file name> Import from an SCP or SFTP server When the certificate is on an SCP or SFTP server, you specify the URL for the file in the following form: – scp:// or sftp://<IP address>/<path>/<file name> When you click the Start button, the device displays the Credentials window. There you enter User name and Password, to log on to the server. – scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name> Start Copies the certificate specified in the URL field to the device. Table Index Displays the index number to which the table entry relates. When you delete a table entry, this leaves a gap in the numbering. When you create a new table entry, the device fills the first gap. Possible values: 1..8 IP address Specifies the IP address of the syslog server. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Destination UDP port Specifies the TCP or UDP port on which the syslog server expects the log entries. Possible values: 1..65535 (default setting: 514) Transport type Specifies the transport type the device uses to send the events to the syslog server. 520 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Syslog ] Possible values: udp (default setting) The device sends the events over the UDP port specified in the Destination UDP port column. tls The device sends the events over TLS on the TCP port specified in the Destination UDP port column. Min. severity Specifies the minimum severity of the events. The device sends a log entry for events with this severity and with more urgent severities to the syslog server. Possible values: emergency alert critical error warning (default setting) notice informational debug Type Specifies the type of the log entry transmitted by the device. Possible values: systemlog (default setting) audittrail Active Activates/deactivates the transmission of events to the syslog server: marked The device sends events to the syslog server. unmarked (default setting) The transmission of events to the syslog server is deactivated. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 521 Diagnostics [ Diagnostics > Ports ] 7.5 Ports [ Diagnostics > Ports ] The menu contains the following dialogs: SFP TP cable diagnosis Port Monitor Auto-Disable Port Mirroring 522 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > SFP ] 7.5.1 SFP [ Diagnostics > Ports > SFP ] This dialog lets you look at the SFP transceivers currently connected to the device and their properties. Table The table displays valid values if the device is equipped with SFP transceivers. Port Displays the port number. Module type Type of the SFP transceiver, for example M-SFP-SX/LC. Serial number Displays the serial number of the SFP transceiver. Connector type Displays the connector type. Supported Displays whether the device supports the SFP transceiver. Temperature [°C] Operating temperature of the SFP transceiver in °Celsius. Tx power [mW] Transmission power of the SFP transceiver in mW. Rx power [mW] Receiving power of the SFP transceiver in mW. Tx power [dBm] Transmission power of the SFP transceiver in dBm. Rx power [dBm] Receiving power of the SFP transceiver in dBm. RM GUI RSP Release 8.1 12/2019 523 Diagnostics [ Diagnostics > Ports > SFP ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. 524 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > TP cable diagnosis ] 7.5.2 TP cable diagnosis [ Diagnostics > Ports > TP cable diagnosis ] This feature tests the cable attached to an interface for short or open circuit. The table displays the cable status and estimated length. The device also displays the individual cable pairs connected to the port. When the device detects a short circuit or an open circuit in the cable, it also displays the estimated distance to the problem. Note: This test interrupts traffic on the port. Information Port Displays the port number. Status Status of the Virtual Cable Tester. Possible values: active Cable testing is in progress. To start the test, click the button and then the Start cable diagnosis... item. This action opens the Select port dialog. success The device displays this entry after performing a successful test. failure The device displays this entry after an interruption in the test. uninitialized The device displays this entry while in standby. Table Cable pair Displays the cable pair to which this entry relates. The device uses the first PHY index supported to display the values. Result Displays the results of the cable test. Possible values: normal The cable is functioning properly. open There is a break in the cable causing an interruption. RM GUI RSP Release 8.1 12/2019 525 Diagnostics [ Diagnostics > Ports > TP cable diagnosis ] short Wires in the cable are touching together causing a short circuit. unknown The device displays this value for untested cable pairs. The device displays different values than expected in the following cases: • If no cable is connected to the port, then the device displays the value unknown instead of open. • If the port is deactivated, then the device displays the value short. Min. length Displays the minimum estimated length of the cable in meters. If the cable length is unknown or in the Information frame the Status field displays the value active, failure or uninitialized, then the device displays the value 0. Max. length Displays the maximum estimated length of the cable in meters. If the cable length is unknown or in the Information frame the Status field displays the value active, failure or uninitialized, then the device displays the value0. Distance [m] Displays the estimated distance in meters from the end of the cable to the failure location. If the cable length is unknown or in the Information frame the Status field displays the value active, failure or uninitialized, then the device displays the value 0. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Start cable diagnosis... Opens the Select port dialog. In the Port drop-down list you select the port to be tested. Use for copper-based ports only. To initiate the cable test on the selected port, click the Ok button. 526 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] 7.5.3 Port Monitor [ Diagnostics > Ports > Port Monitor ] The Port Monitor function monitors the adherence to the specified parameters on the ports. If the Port Monitor function detects that the parameters are being exceeded, then the device performs an action. To apply the Port Monitor function, proceed as follows: Global tab Enable the Operation function in the Port Monitor frame. Activate for each port those parameters that you want the Port Monitor function to monitor. Link flap, CRC/Fragments and Overload detection tabs Specify the threshold values for the parameters for each port. Link speed/Duplex mode detection tab Activate the allowed combinations of speed and duplex mode for each port. Global tab Specify for each port an action that the device carries out if the Port Monitor function detects that the parameters have been exceeded. Auto-disable tab Mark the Auto-disable checkbox for the monitored parameters if you have specified the autodisable action at least once. The dialog contains the following tabs: [Global] [Auto-disable] [Link flap] [CRC/Fragments] [Overload detection] [Link speed/Duplex mode detection] [Global] In this tab, you enable the Port Monitor function and specify the parameters that the Port Monitor function is monitoring. Also specify the action that the device carries out if the Port Monitor function detects that the parameters have been exceeded. Operation Operation Enables/disables the Port Monitor function globally. Possible values: On The Port Monitor function is enabled. Off (default setting) The Port Monitor function is disabled. RM GUI RSP Release 8.1 12/2019 527 Diagnostics [ Diagnostics > Ports > Port Monitor ] Table Port Displays the port number. Link flap on Activates/deactivates the monitoring of link flaps on the port. Possible values: marked Monitoring is active. – The Port Monitor function monitors link flaps on the port. – If the device detects too many link flaps, then the device executes the action specified in the Action column. – On the Link flap tab, specify the parameters to be monitored. unmarked (default setting) Monitoring is inactive. CRC/Fragments on Activates/deactivates the monitoring of CRC/fragment errors on the port. Possible values: marked Monitoring is active. – The Port Monitor function monitors CRC/fragment errors on the port. – If the device detects too many CRC/fragment errors, then the device executes the action specified in the Action column. – On the CRC/Fragments tab, specify the parameters to be monitored. unmarked (default setting) Monitoring is inactive. Duplex mismatch detection active Activates/deactivates the monitoring of duplex mismatches on the port. Possible values: marked Monitoring is active. – The Port Monitor function monitors duplex mismatches on the port. – If the device detects a duplex mismatch, then the device executes the action specified in the Action column. unmarked (default setting) Monitoring is inactive. Overload detection on Activates/deactivates the overload detection on the port. 528 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] Possible values: marked Monitoring is active. – The Port Monitor function monitors the data load on the port. – If the device detects a data overload on the port, then the device executes the action specified in the Action column. – On the Overload detection tab, specify the parameters to be monitored. unmarked (default setting) Monitoring is inactive. Link speed/Duplex mode detection on Activates/deactivates the monitoring of the link speed and duplex mode on the port. Possible values: marked Monitoring is active. – The Port Monitor function monitors the link speed and duplex mode on the port. – If the device detects an unpermitted combination of link speed and duplex mode, then the device executes the action specified in the Action column. – On the Link speed/Duplex mode detection tab, specify the parameters to be monitored. unmarked (default setting) Monitoring is inactive. Active condition Displays the monitored parameter that led to the action on the port. Possible values: No monitored parameter. The device does not carry out any action. Link flap Too many link changes in the observed period. CRC/Fragments Too many CRC/fragment errors in the observed period. Duplex mismatch Duplex mismatch detected. Overload detection Overload detected in the observed period. Link speed/Duplex mode detection Impermissible combination of speed and duplex mode detected. Action Specifies the action that the device carries out if the Port Monitor function detects that the parameters have been exceeded. RM GUI RSP Release 8.1 12/2019 529 Diagnostics [ Diagnostics > Ports > Port Monitor ] Possible values: disable port The device disables the port and sends an SNMP trap. The “Link status” LED for the port flashes 3× per period. – To re-enable the port, highlight the port and click the button and then the Reset item. – If the parameters are no longer being exceeded, then the Auto-Disable function enables the relevant port again after the specified waiting period. The prerequisite is that on the Autodisable tab the checkbox for the monitored parameter is marked. send trap The device sends an SNMP trap. The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics > Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination. auto-disable (default setting) The device disables the port and sends an SNMP trap. The “Link status” LED for the port flashes 3× per period. The prerequisite is that on the Auto-disable tab the checkbox for the monitored parameter is marked. – The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due to the parameters being exceeded. – The Auto-Disable function reactivates the port automatically. For this you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the relevant port in the Reset timer [s] column. Port status Displays the operating state of the port. Possible values: up The port is enabled. down The port is disabled. notPresent Physical port unavailable. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog 530 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] [Auto-disable] In this tab, you activate the Auto-Disable function for the parameters monitored by the Port Monitor function. Table Reason Displays the parameters monitored by the Port Monitor function. Mark the adjacent checkbox so that the Port Monitor function carries out the auto-disable action if it detects that the monitored parameters have been exceeded. Auto-disable Activates/deactivates the Auto-Disable function for the adjacent parameters. Possible values: marked The Auto-Disable function for the adjacent parameters is active. If the adjacent parameters are exceeded and the value auto-disable is specified in the Action column, then the device carries out the Auto-Disable function. unmarked (default setting) The Auto-Disable function for the adjacent parameters is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog [Link flap] In this tab, you specify individually for every port the following settings: The number of link changes. The period during which the Port Monitor function monitors a parameter to detect discrepancies. RM GUI RSP Release 8.1 12/2019 531 Diagnostics [ Diagnostics > Ports > Port Monitor ] You also see how many link changes the Port Monitor function has detected up to now. The Port Monitor function monitors those ports for which the checkbox in the Link flap on column is marked on the Global tab. Table Port Displays the port number. Sampling interval [s] Specifies in seconds, the period during which the Port Monitor function monitors a parameter to detect discrepancies. Possible values: 1..180 (default setting: 10) Link flaps Specifies the number of link changes. If the Port Monitor function detects this number of link changes in the monitored period, then the device performs the specified action. Possible values: 1..100 (default setting: 5) Last sampling interval Displays the number of errors that the device has detected during the period that has elapsed. Total Displays the total number of errors that the device has detected since the port was enabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog 532 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] [CRC/Fragments] In this tab, you specify individually for every port the following settings: The fragment error rate. The period during which the Port Monitor function monitors a parameter to detect discrepancies. You also see the fragment error rate that the device has detected up to now. The Port Monitor function monitors those ports for which the checkbox in the CRC/Fragments on column is marked on the Global tab. Table Port Displays the port number. Sampling interval [s] Specifies in seconds, the period during which the Port Monitor function monitors a parameter to detect discrepancies. Possible values: 5..180 (default setting: 10) CRC/Fragments count [ppm] Specifies the fragment error rate (in parts per million). If the Port Monitor function detects this fragment error rate in the monitored period, then the device performs the specified action. Possible values: 1..1000000 (default setting: 1000) Last active interval [ppm] Displays the fragment error rate that the device has detected during the period that has elapsed. Total [ppm] Displays the fragment error rate that the device has detected since the port was enabled. RM GUI RSP Release 8.1 12/2019 533 Diagnostics [ Diagnostics > Ports > Port Monitor ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog [Overload detection] In this tab, you specify individually for every port the following settings: The load threshold values. The period during which the Port Monitor function monitors a parameter to detect discrepancies. You also see the number of data packets that the device has detected up to now. The Port Monitor function monitors those ports for which the checkbox in the Overload detection on column is marked on the Global tab. The Port Monitor function does not monitor any ports that are members of a link aggregation group or PRP/HSR subscribers. Table Port Displays the port number. Traffic type Specifies the type of data packets that the device considers when monitoring the load on the port. Possible values: all The Port Monitor function monitors Broadcast, Multicast and Unicast packets. bc (default setting) The Port Monitor function monitors only Broadcast packets. bc-mc The Port Monitor function monitors only Broadcast and Multicast packets. Threshold type Specifies the unit for the data rate. 534 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] Possible values: pps (default setting) packets per second kbps kbit per second The prerequisite is that the value in the Traffic type column = all. Lower threshold Specifies the lower threshold value for the data rate. The Auto-Disable function enables the port again only when the load on the port is lower than the value specified here. Possible values: 0..10000000 (default setting: 0) Upper threshold Specifies the upper threshold value for the data rate. If the Port Monitor function detects this load in the monitored period, then the device performs the specified action. Possible values: 0..10000000 (default setting: 0)) Interval [s] Specifies in seconds, the period that the Port Monitor function observes a parameter to detect that a parameter is being exceeded. Possible values: 1..20 (default setting: 1) Packets Displays the number of Broadcast, Multicast and Unicast packets that the device has detected during the period that has elapsed. Broadcast packets Displays the number of Broadcast packets that the device has detected during the period that has elapsed. Multicast packets Displays the number of Multicast packets that the device has detected during the period that has elapsed. Kbit/s Displays the data rate in Kbits per second that the device has detected during the period that has elapsed. RM GUI RSP Release 8.1 12/2019 535 Diagnostics [ Diagnostics > Ports > Port Monitor ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog [Link speed/Duplex mode detection] In this tab, you activate the allowed combinations of speed and duplex mode for each port. The Port Monitor function monitors those ports for which the checkbox in the Link speed/Duplex mode detection on column is marked on the Global tab. The Port Monitor function monitors only enabled physical ports. Table Port Displays the port number. 10 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 10 Mbit/s data rate combination on the port. Possible values: marked The port monitor takes into consideration the speed and duplex combination. unmarked If the port monitor detects the speed and duplex combination on the port, then the device executes the action specified in the Global tab. 10 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 10 Mbit/s data rate combination on the port. 536 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Monitor ] Possible values: marked The port monitor takes into consideration the speed and duplex combination. unmarked If the port monitor detects the speed and duplex combination on the port, then the device executes the action specified in the Global tab. 100 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 100 Mbit/s data rate combination on the port. Possible values: marked The port monitor takes into consideration the speed and duplex combination. unmarked If the port monitor detects the speed and duplex combination on the port, then the device executes the action specified in the Global tab. 100 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 100 Mbit/s data rate combination on the port. Possible values: marked The port monitor takes into consideration the speed and duplex combination. unmarked If the port monitor detects the speed and duplex combination on the port, then the device executes the action specified in the Global tab. 1,000 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 1 Gbit/s data rate combination on the port. Possible values: marked The port monitor takes into consideration the speed and duplex combination. unmarked If the port monitor detects the speed and duplex combination on the port, then the device executes the action specified in the Global tab. RM GUI RSP Release 8.1 12/2019 537 Diagnostics [ Diagnostics > Ports > Port Monitor ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog 538 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Auto-Disable ] 7.5.4 Auto-Disable [ Diagnostics > Ports > Auto-Disable ] The Auto-Disable function lets you disable monitored ports automatically and enable them again as you desire. For example, the Port Monitor function and selected functions in the Network Security menu use the Auto-Disable function to disable ports if monitored parameters are exceeded. If the parameters are no longer being exceeded, then the Auto-Disable function enables the relevant port again after the specified waiting period. The dialog contains the following tabs: [Port] [Status] [Port] This tab displays which ports are currently disabled due to the parameters being exceeded. If the parameters are no longer being exceeded and you specify a waiting period in the Reset timer [s] column, then the Auto-Disable function automatically enables the relevant port again. Table Port Displays the port number. Reset timer [s] Specifies the waiting period in seconds, after which the Auto-Disable function enables the port again. Possible values: 0 (default setting) The timer is inactive. The port remains disabled. 30..4294967295 If the parameters are no longer being exceeded, then the Auto-Disable function enables the port again after the waiting period specified here. Error time Displays when the device disabled the port due to the parameters being exceeded. Remaining time [s] Displays the remaining time in seconds, until the Auto-Disable function enables the port again. Component Displays the software component in the device that disabled the port. RM GUI RSP Release 8.1 12/2019 539 Diagnostics [ Diagnostics > Ports > Auto-Disable ] Possible values: PORT_MON Port Monitor See the Diagnostics > Ports > Port Monitor dialog. PORT_ML Port Security See the Network Security > Port Security dialog. DHCP_SNP DHCP Snooping See the Network Security > DHCP Snooping dialog. DOT1S BPDU guard See the Switching > L2-Redundancy > Spanning Tree > Global dialog. DAI Dynamic ARP Inspection See the Network Security > Dynamic ARP Inspection dialog. Reason Displays the monitored parameter that led to the port being disabled. Possible values: none No monitored parameter. The port is enabled. link-flap Too many link changes. See the Diagnostics > Ports > Port Monitor dialog, Link flap tab. crc-error Too many CRC/fragment errors. See the Diagnostics > Ports > Port Monitor dialog, CRC/Fragments tab. duplex-mismatch Duplex mismatch detected. See the Diagnostics > Ports > Port Monitor dialog, Global tab. dhcp-snooping Too many DHCP packages from untrusted sources. See the Network Security > DHCP Snooping > Configuration dialog, Port tab. arp-rate Too many ARP packages from untrusted sources. See the Network Security > Dynamic ARP Inspection > Configuration dialog, Port tab. bpdu-rate STP-BPDUs received. See the Switching > L2-Redundancy > Spanning Tree > Global dialog. mac-based-port-security Too many data packets from undesired senders. See the Network Security > Port Security dialog. overload-detection Overload. See the Diagnostics > Ports > Port Monitor dialog, Overload detection tab. speed-duplex Impermissible combination of speed and duplex mode detected. See the Diagnostics > Ports > Port Monitor dialog, Link speed/Duplex mode detection tab. Active Displays whether the port is currently disabled due to the parameters being exceeded. 540 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Auto-Disable ] Possible values: marked The port is currently disabled. unmarked The port is enabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Status] This tab displays the monitored parameters for which the Auto-Disable function is activated. Table Reason Displays the parameters that the device monitors. Mark the adjacent checkbox so that the Auto-Disable function disables and, when applicable, enables the port again if the monitored parameters are exceeded. Category Displays which function the adjacent parameter belongs to. Possible values: port-monitor The parameter belongs to the Port Monitor function. See the Diagnostics > Port > Port Monitor dialog. network-security The parameter belongs to the functions in the Network Security menu. l2-redundancy The parameter belongs to the L2-Redundancy functions. See the Switching > L2-Redundancy dialog. Auto-disable Displays whether the Auto-Disable function is activated/deactivated for the adjacent parameter. Possible values: marked The Auto-Disable function for the adjacent parameters is active. The Auto-Disable function disables and, when applicable, enables the relevant port again if the monitored parameters are exceeded. unmarked (default setting) The Auto-Disable function for the adjacent parameters is inactive. RM GUI RSP Release 8.1 12/2019 541 Diagnostics [ Diagnostics > Ports > Auto-Disable ] Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters in the following dialogs: Diagnostics > Ports > Port Monitor dialog – Link flap tab – CRC/Fragments tab – Overload detection tab Diagnostics > Ports > Auto-Disable dialog 542 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Mirroring ] 7.5.5 Port Mirroring [ Diagnostics > Ports > Port Mirroring ] The Port Mirroring function lets you copy received and sent data packets from selected ports to a destination port. You can watch and process the data stream using an analyzer or an RMON probe, connected to the destination port. The data packets remain unmodified on the source port. Note: To enable the access to the device management using the destination port, mark the checkbox Allow management in the Destination port frame before you enable the Port Mirroring function. Operation Operation Enables/disables the Port Mirroring function. Possible values: On The Port Mirroring function is enabled. The device copies the data packets from the selected source ports to the destination port. Off (default setting) The Port Mirroring function is disabled. Destination port Primary port Specifies the destination port. Suitable ports are those ports that are not used for the following purposes: • Source port • L2 redundancy protocols • Port-based router interface Possible values: no Port (default setting) No destination port selected. <Port number> Number of the destination port. The device copies the data packets from the source ports to this port. On the destination port, the device adds a VLAN tag to the data packets that the source port transmits. The destination port transmits unmodified the data packets that the source port receives. Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data stream exceeds the bandwidth of the destination port, then the device discards surplus data packets on the destination port. RM GUI RSP Release 8.1 12/2019 543 Diagnostics [ Diagnostics > Ports > Port Mirroring ] Allow management Activates/deactivates the access to the device management using the destination port. Possible values: marked The access to the device management using the destination port is active. The device lets users have access to the device management using the destination port without interrupting the active Port Mirroring session. – The device duplicates multicasts, broadcasts and unknown unicasts on the destination port. – The VLAN settings on the destination port remain unchanged. The prerequisite for access to the device management using the destination port is that the destination port is not a member of the VLAN of the device management. unmarked (default setting) The access to the device management using the destination port is inactive. The device prohibits the access to the device management using the destination port. VLAN mirroring The VLAN mirroring function lets you copy ingress data packets in a specific VLAN to the selected destination port. The device forwards the data stream out of the specified destination port. Note: The VLAN mirroring function is only available on the primary port. Source VLAN ID Specifies the VLAN from which the device mirrors data to the destination port. Possible values: 0 (default setting) Disables the VLAN mirroring function. 2..4042 The device lets you specify a VLAN only if no source port is specified. RSPAN The RSPAN (Remote Switched Port Analyzer) function extends the mirroring function by allowing the device to forward the monitored data across multiple devices, on a specific VLAN, to a single destination. Note: If you use the device on the path between the source and destination device, then specify in the VLAN ID field the VLAN needed to use the RSPAN function. For this, the Port Mirroring function is not required and remains disabled. Note: The RSPAN function is only available on the primary port. Source VLAN ID Specifies the source VLAN from which the device mirrors data to the destination VLAN. 544 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Ports > Port Mirroring ] Possible values: 0 (default setting: 0) The source VLAN is inactive. 2..4042 Mirrored ports cannot be members of the RSPAN VLAN. VLAN ID Specifies the VLAN that the device uses to tag and forward mirrored data. Possible values: 0 (default setting: 0) The RSPAN VLAN is inactive. 2..4042 The device uses the value to tag and forward mirrored data. Destination VLAN ID Specifies the VLAN that the device uses to forward the network traffic to the destination device. Possible values: 0 (default setting: 0) The destination VLAN is inactive. 2..4042 The device uses this value to tag data and to forward the network traffic to the destination device. Table Source port Specifies the port number. Possible values: <Port number> Enabled Activates/deactivates the copying of the data packets from this source port to the destination port. RM GUI RSP Release 8.1 12/2019 545 Diagnostics [ Diagnostics > Ports > Port Mirroring ] Possible values: marked The copying of the data packets is active. The port is specified as a source port. unmarked (default setting) The copying of the data packets is inactive. (Grayed-out display) It is not possible to copy the data packets for this port. Possible causes: – The port is already specified as a destination port. – The port is a logical port, not a physical port. Note: The device lets you activate every physical port as source port except for the destination port. Type Specifies which data packets the device copies to the destination port. Possible values: none (default setting) No data packets. tx Data packets that the source port transmits. rx Data packets that the source port receives. txrx Data packets that the source port transmits and receives. Note: With the txrx setting the device copies transmitted and received data packets. The destination ports needs at least a bandwidth that corresponds to the sum of the send and receive channel of the source ports. For example, for similar ports the destination port is at 100 % capacity when the send and receive channel of a source port are at 50 % capacity respectively. On the destination port, the device adds a VLAN tag to the data packets that the source port transmits. The destination port transmits unmodified the data packets that the source port receives. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset config Resets the settings in the dialog to the default settings and transfers the changes to the volatile memory of the device (RAM). 546 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > LLDP ] 7.6 LLDP [ Diagnostics > LLDP ] The device lets you gather information about neighboring devices. For this, the device uses the Link Layer Discovery Protocol (LLDP). This information enables a network management station to map the structure of your network. This menu lets you configure the topology discovery and to display the information received in table form. The menu contains the following dialogs: LLDP Configuration LLDP Topology Discovery RM GUI RSP Release 8.1 12/2019 547 Diagnostics [ Diagnostics > LLDP > Configuration ] 7.6.1 LLDP Configuration [ Diagnostics > LLDP > Configuration ] This dialog lets you configure the topology discovery for every port. Operation Operation Enables/disables the LLDP function. Possible values: On (default setting) The LLDP function is enabled. The topology discovery using LLDP is active in the device. Off The LLDP function is disabled. Configuration Transmit interval [s] Specifies the interval in seconds at which the device transmits LLDP data packets. Possible values: 5..32768 (default setting: 30) Transmit interval multiplier Specifies the factor for determining the time-to-live value for the LLDP data packets. Possible values: 2..10 (default setting: 4) The time-to-live value coded in the LLDP header results from multiplying this value with the value in the Transmit interval [s] field. Reinit delay [s] Specifies the delay in seconds for the reinitialization of a port. Possible values: 1..10 (default setting: 2) If in the Operation column the value Off is specified, then the device tries to reinitialize the port after the time specified here has elapsed. 548 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > LLDP > Configuration ] Transmit delay [s] Specifies the delay in seconds for transmitting successive LLDP data packets after configuration changes in the device occur. Possible values: 1..8192 (default setting: 2) The recommended value is between a minimum of 1 and a maximum of a quarter of the value in the Transmit interval [s] field. Notification interval [s] Specifies the interval in seconds for transmitting LLDP notifications. Possible values: 5..3600 (default setting: 5) After transmitting a notification trap, the device waits for a minimum of the time specified here before transmitting the next notification trap. Table Port Displays the port number. Operation Specifies whether the port transmits and receives LLDP data packets. Possible values: transmit The port transmits LLDP data packets but does not save any information about neighboring devices. receive The port receives LLDP data packets but does not transmit any information to neighboring devices. receive and transmit (default setting) The port transmits LLDP data packets and saves information about neighboring devices. disabled The port does not transmit LLDP data packets and does not save information about neighboring devices. Notification Activates/deactivates the LLDP notifications on the port. Possible values: marked LLDP notifications are active on the port. unmarked (default setting) LLDP notifications are inactive on the port. RM GUI RSP Release 8.1 12/2019 549 Diagnostics [ Diagnostics > LLDP > Configuration ] Transmit port description Activates/deactivates the transmitting of a TLV (Type Length Value) with the port description. Possible values: marked (default setting) The transmitting of the TLV is active. The device transmits the TLV with the port description. unmarked The transmitting of the TLV is inactive. The device does not transmit a TLV with the port description. Transmit system name Activates/deactivates the transmitting of a TLV (Type Length Value) with the device name. Possible values: marked (default setting) The transmitting of the TLV is active. The device transmits the TLV with the device name. unmarked The transmitting of the TLV is inactive. The device does not transmit a TLV with the device name. Transmit system description Activates/deactivates the transmitting of the TLV (Type Length Value) with the system description. Possible values: marked (default setting) The transmitting of the TLV is active. The device transmits the TLV with the system description. unmarked The transmitting of the TLV is inactive. The device does not transmit a TLV with the system description. Transmit system capabilities Activates/deactivates the transmitting of the TLV (Type Length Value) with the system capabilities. Possible values: marked (default setting) The transmitting of the TLV is active. The device transmits the TLV with the system capabilities. unmarked The transmitting of the TLV is inactive. The device does not transmit a TLV with the system capabilities. Neighbors (max.) Limits the number of neighboring devices to be recorded for this port. Possible values: 1..50 (default setting: 10) 550 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > LLDP > Configuration ] FDB mode Specifies which function the device uses to record neighboring devices on this port. Possible values: lldpOnly The device uses only LLDP data packets to record neighboring devices on this port. macOnly The device uses learned MAC addresses to record neighboring devices on this port. The device uses the MAC address only if there is no other entry in the address table (FDB, Forwarding Database) for this port. both The device uses LLDP data packets and learned MAC addresses to record neighboring devices on this port. autoDetect (default setting) If the device receives LLDP data packets at this port, then the device operates the same as with the lldpOnly setting. Otherwise, the device operates the same as with the macOnly setting. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 551 Diagnostics [ Diagnostics > LLDP > Topology Discovery ] 7.6.2 LLDP Topology Discovery [ Diagnostics > LLDP > Topology Discovery ] Devices in networks send notifications in the form of packets which are also known as "LLDPDU" (LLDP data units). The data that is sent and received via LLDPDU are useful for many reasons. Thus the device detects which devices in the network are neighbors and via which ports they are connected. The dialog lets you display the network and to detect the connected devices along with their specific features. The dialog contains the following tabs: [LLDP] [LLDP-MED] [LLDP] This tab displays the collected LLDP information for the neighboring devices. This information enables a network management station to map the structure of your network. When devices both with and without an active topology discovery function are connected to a port, the topology table hides the devices without active topology discovery. When only devices without active topology discovery are connected to a port, the table contains one line for this port to represent every device. This line contains the number of connected devices. The Forwarding Database (FDB) address table contains MAC addresses of devices that the topology table hides for the sake of clarity. When you use 1 port to connect several devices, for example via a hub, the table contains 1 line for each connected device. Table Port Displays the port number. Neighbor identifier Displays the chassis ID of the neighboring device. This can be the basis MAC address of the neighboring device, for example. FDB Displays whether or not the connected device has active LLDP support. 552 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > LLDP > Topology Discovery ] Possible values: marked The connected device does not have active LLDP support. The device uses information from its address table (FDB, Forwarding Database) unmarked (default setting) The connected device has active LLDP support. Neighbor IP address Displays the IP address with which the access to the neighboring device management is possible. Neighbor port description Displays a description for the port of the neighboring device. Neighbor system name Displays the device name of the neighboring device. Neighbor system description Displays a description for the neighboring device. Port ID Displays the ID of the port through which the neighboring device is connected to the device. Autonegotiation supported Displays whether the port of the neighboring device supports autonegotiation. Autonegotiation Displays whether autonegotiation is enabled on the port of the neighboring device. PoE supported Displays whether the port of the neighboring device supports Power over Ethernet (PoE). PoE enabled Displays whether Power over Ethernet (PoE) is enabled on the port of the neighboring device. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 553 Diagnostics [ Diagnostics > LLDP > Topology Discovery ] [LLDP-MED] LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices and network devices. It specifically provides support for VoIP applications. In this support rule, it provides an additional set of common advertisement, Type Length Value (TLV), messages. The device uses the TLVs for capabilities discovery such as network policy, Power over Ethernet, inventory management and location information. Table Port Displays the port number. Device class Displays the device class of the remotely connected device. A value of notDefined indicates that the device has capabilities not covered by any of the LLDPMED classes. A value of endpointClass1..3 indicates that the device has "endpoint class 1..3" capabilities. A value of networkConnectivity indicates that the device has network connectivity device capabilities. VLAN ID Displays the extension of the VLAN Identifier for the remote system connected to this port, as defined in IEEE 802.3. The device uses a value from 1 through 4042 to specify a valid Port VLAN ID. The device displays the value 0 for priority tagged packets. This means that only the 802.1D priority is significant and the device uses the default VLAN ID of the ingress port. Priority Displays the value of the 802.1D priority which is associated with the remote system connected to the port. DSCP Displays the value of the Differentiated Service Code Point (DSCP) which is associated with the remote system connected to the port. Unknown bit status Displays the unknown bit status of incoming traffic. A value of true indicates that the network policy for the specified application type is currently unknown. In this case, the VLAN ID ignores the Layer 2 priority and value of the DSCP field. A value of false indicates a specified network policy. 554 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > SFlow ] Tagged bit status Displays the tagged bit status. A value of true indicates that the application uses a tagged VLAN. A value of false indicates that for the specific application the device uses untagged VLAN operation. In this case, the device ignores both the VLAN ID and the Layer 2 priority fields. The DSCP value, however, is relevant. Hardware revision Displays the vendor-specific hardware revision string as advertised by the remote endpoint. Firmware revision Displays the vendor-specific firmware revision string as advertised by the remote endpoint. Software revision Displays the vendor-specific software revision string as advertised by the remote endpoint. Serial number Displays the vendor-specific serial number as advertised by the remote endpoint. Manufacturer name Displays the vendor-specific manufacturer name as advertised by the remote endpoint. Model name Displays the vendor-specific model name as advertised by the remote endpoint. Asset ID Displays the vendor-specific asset tracking identifier as advertised by the remote endpoint. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 7.7 SFlow [ Diagnostics > SFlow ] sFlow is a standard protocol for monitoring networks. The device contains the sFlow feature which gives you visibility into network activity, allowing for effective management and control of network resources. RM GUI RSP Release 8.1 12/2019 555 Diagnostics [ Diagnostics > SFlow ] The sFlow monitoring system consists of an sFlow agent and a central sFlow collector. The agent uses the following forms of sampling: statistical packet-based sampling of packet flows time-based sampling of counters The device combines both types of samples into datagrams. sFlow uses the datagrams to forward the sampled traffic statistics to an sFlow collector for analysis. In order to perform packet flow sampling, you configure an instance with a sampling rate. You then configure the instance with a polling interval for counter sampling. The menu contains the following dialogs: SFlow Configuration SFlow Receiver 556 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > SFlow > Configuration ] 7.7.1 SFlow Configuration [ Diagnostics > SFlow > Configuration ] This dialog displays device parameters and lets you set up sFlow instances. The dialog contains the following tabs: [Global] [Sampler] [Poller] [Global] Information Version Displays the MIB version, the organization responsible for agent implementation, and the device software revision. IP address Displays the IP address associated with the agent providing SNMP connectivity. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Sampler] Table Port Displays the physical source of data for the sampler. Receiver Displays the receiver index associated with the sampler. Sampling rate Specifies the static sampling rate for the sampling of the packets from this source. RM GUI RSP Release 8.1 12/2019 557 Diagnostics [ Diagnostics > SFlow > Configuration ] Possible values: 0 (default setting) Deactivates the sampling. 256..65535 When the ports receive data, the device increments to the set value and then samples the data. Max. header size [byte] Specifies the maximum header size in bytes copied from a sampled packet. Possible values: 20..256 (default setting: 128) Buttons You find the description of the standard buttons in section “Buttons” on page 15. [Poller] Table Port Displays the physical source of data for the poller counter. Receiver Displays the receiver index associated with the query counter. Possible values: 0..8 (default setting: 0) Interval [s] Specifies the maximum number of seconds between successive samples of the counters which are associated with this data source. Possible values: 0..86400 (default setting: 0) A sampling interval with the value 0 deactivates the sampling of the counters. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 558 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > SFlow > Receiver ] 7.7.2 SFlow Receiver [ Diagnostics > SFlow > Receiver ] In order to help avoid a condition where 2 persons or organizations attempt to assume control of the same sampler, the person or organization sets both the Name and Timeout [s] parameters in the same SNMP set request. When releasing a sampler, the controlling person or organization deletes the value in the Name column. The controlling person or organization also restores the other parameters in this row to their default settings. Table Index Displays the index number to which the table entry relates. Name Specifies the name of the person or company which uses the entry. An empty field indicates that the entry is currently unused. Edit this field before making changes to other sampler parameters. Possible values: Alphanumeric ASCII character string with 0..127 characters Timeout [s] Displays the time, in seconds, remaining before the sampler is released and stops sampling. Datagram size [byte] Specifies the maximum number of data bytes that are sent in one sample datagram. Possible values: 200..3996 (default setting: 1400) IP address Specifies the IP address of the sFlow collector. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Destination UDP port Specifies the number of the UDP port for sFlow datagrams. Possible values: 1..65535 (default setting: 6343) Exception: Port 2222 is reserved for internal functions. RM GUI RSP Release 8.1 12/2019 559 Diagnostics [ Diagnostics > Report ] Datagram version Displays the version of sFlow datagrams requested. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 7.8 Report [ Diagnostics > Report ] The menu contains the following dialogs: Report Global Persistent Logging System Log Audit Trail 560 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Report > Global ] 7.8.1 Report Global [ Diagnostics > Report > Global ] The device lets you log specific events using the following outputs: on the console on one or more syslog servers on a connection to the Command Line Interface set up using SSH on a connection to the Command Line Interface set up using Telnet In this dialog, you specify the required settings. By assigning the severity you specify which events the device registers. The dialog lets you save a ZIP archive with system information on your PC. Console logging Operation Enables/disables the Console logging function. Possible values: On The Console logging function is enabled. The device logs the events on the console. Off (default setting) The Console logging function is disabled. Severity Specifies the minimum severity for the events. The device logs events with this severity and with more urgent severities. The device outputs the messages on the serial interface. Possible values: emergency alert critical error warning (default setting) notice informational debug RM GUI RSP Release 8.1 12/2019 561 Diagnostics [ Diagnostics > Report > Global ] Buffered logging The device buffers logged events in 2 separate storage areas so that the log entries for urgent events are kept. This dialog lets you specify the minimum severity for events that the device buffers in the storage area with a higher priority. Severity Specifies the minimum severity for the events. The device buffers log entries for events with this severity and with more urgent severities in the storage area with a higher priority. Possible values: emergency alert critical error warning (default setting) notice informational debug SNMP logging When you enable the logging of SNMP requests, the device sends these as events with the preset severity notice to the list of syslog servers. The preset minimum severity for a syslog server entry is critical. To send SNMP requests to a syslog server, you have a number of options to change the default settings. Select the ones that meet your requirements best. Set the severity for which the device creates SNMP requests as events to warning or error and change the minimum severity for a syslog entry for one or more syslog servers to the same value. You also have the option of creating a separate syslog server entry for this. When you set the severity for SNMP requests to critical or higher. The device then sends SNMP requests as events with the severity critical or higher to the syslog servers. When you set the minimum severity for one or more syslog server entries to notice or lower. Then it is possible that the device sends many events to the syslog servers. Log SNMP get request Enables/disables the logging of SNMP Get requests. Possible values: On The logging is enabled. The device registers SNMP Get requests as events in the syslog. In the Severity get request drop-down list, you select the severity for this event. Off (default setting) The logging is disabled. 562 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Report > Global ] Log SNMP set request Enables/disables the logging of SNMP Set requests. Possible values: On The logging is enabled. The device registers SNMP Set requests as events in the syslog. In the Severity set request drop-down list, you select the severity for this event. Off (default setting) The logging is disabled. Severity get request Specifies the severity of the event that the device registers for SNMP Get requests. Possible values: emergency alert critical error warning notice (default setting) informational debug Severity set request Specifies the severity of the event that the device registers for SNMP Set requests. Possible values: emergency alert critical error warning notice (default setting) informational debug CLI logging Operation Enables/disables the CLI logging function. RM GUI RSP Release 8.1 12/2019 563 Diagnostics [ Diagnostics > Report > Global ] Possible values: On The CLI logging function is enabled. The device logs every command received using the Command Line Interface. Off (default setting) The CLI logging function is disabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Download support information Generates a ZIP archive which the web browser lets you download from the device. The ZIP archive contains system information about the device. You will find an explanation of the files contained in the ZIP archive in the following section. Support Information: Files contained in ZIP archive File name Format Comments audittrail.html HTML defaultconfig.xml script XML TEXT runningconfig.xml XML supportinfo.html systeminfo.html TEXT HTML systemlog.html HTML Contains the chronological recording of the system events and saved user changes in the Audit Trail. Contains the configuration profile with the default settings. Contains the output of the command show running-config script. Contains the configuration profile with the current operating settings. Contains device internal service information. Contains information about the current settings and operating parameters. Contains the logged events in the Log file. See the Diagnostics > Report > System Log dialog. Meaning of the event severities Severity Meaning emergency Device not ready for operation critical Critical status warning Warning alert Immediate user intervention required error Error status notice Significant, normal status debug Debug message informational Informal message 564 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Report > Persistent Logging ] 7.8.2 Persistent Logging [ Diagnostics > Report > Persistent Logging ] The device lets you save log entries permanently in a file in the external memory. Therefore, even after the device is restarted you have access to the log entries. In this dialog, you limit the size of the log file and specify the minimum severity for the events to be saved. When the log file reaches the specified size, the device archives this file and saves the following log entries in a newly created file. In the table the device displays you the log files held in the external memory. As soon as the specified maximum number of files has been attained, the device deletes the oldest file and renames the remaining files. This helps ensure that there is enough memory space in the external memory. Note: Verify that an external memory is connected. To verify if an external memory is connected, see the Status column in the Basic Settings > External Memory dialog. We recommend to monitor the external memory connection using the Device Status function, see the External memory removal parameter in the Diagnostics > Status Configuration > Device Status dialog. Operation Operation Enables/disables the Persistent Logging function. Only activate this function if the external memory is available in the device. Possible values: On (default setting) The Persistent Logging function is enabled. The device saves the log entries in a file in the external memory. Off The Persistent Logging function is disabled. Configuration Max. file size [kbyte] Specifies the maximum size of the log file in KBytes. When the log file reaches the specified size, the device archives this file and saves the following log entries in a newly created file. Possible values: 0..4096 (default setting: 1024) The value 0 deactivates saving of log entries in the log file. Files (max.) Specifies the number of log files that the device keeps in the external memory. RM GUI RSP Release 8.1 12/2019 565 Diagnostics [ Diagnostics > Report > Persistent Logging ] As soon as the specified maximum number of files has been attained, the device deletes the oldest file and renames the remaining files. Possible values: 0..25 (default setting: 4) The value 0 deactivates saving of log entries in the log file. Severity Specifies the minimum severity of the events. The device saves the log entry for events with this severity and with more urgent severities in the log file in the external memory. Possible values: emergency alert critical error warning (default setting) notice informational debug Log file target Specifies the external memory device for logging. Possible values: sd External SD memory (ACA31) Table Index Displays the index number to which the table entry relates. Possible values: 1..25 The device automatically assigns this number. File name Displays the file name of the log file in the external memory. Possible values: messages messages.X 566 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Report > Persistent Logging ] File size [byte] Displays the size of the log file in the external memory in bytes. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Delete persistent log file Removes the log files from the external memory. RM GUI RSP Release 8.1 12/2019 567 Diagnostics [ Diagnostics > Report > System Log ] 7.8.3 System Log [ Diagnostics > Report > System Log ] The device logs device-internal events in a log file (System Log). This dialog displays the log file (System Log). The dialog lets you save the log file in HTML format on your PC. In order to search the log file for search terms, use the search function of your web browser. The log file is kept until a restart is performed in the device. After the restart the device creates the file again. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Save log file Opens the HTML page in a new web browser window or tab. You can save the HTML page on your PC using the appropriate web bowser command. Delete log file Removes the logged events from the log file. 568 RM GUI RSP Release 8.1 12/2019 Diagnostics [ Diagnostics > Report > Audit Trail ] 7.8.4 Audit Trail [ Diagnostics > Report > Audit Trail ] This dialog displays the log file (Audit Trail). The dialog lets you save the log file as an HTML file on your PC. In order to search the log file for search terms, use the search function of your web browser. The device logs system events and writing user actions in the device. This lets you keep track of WHO changes WHAT in the device and WHEN. The prerequisite is that the user role auditor or administrator is assigned to your user account. The device logs the following user actions, among others: A user logging on via Command Line Interface (local or remote) A user logging off manually Automatic logging off of a user in the Command Line Interface after a specified period of inactivity Device restart Locking of a user account due to too many unsuccessful logon attempts Locking of the access to the device management due to unsuccessful logon attempts Commands executed in the Command Line Interface, apart from show commands Changes to configuration variables Changes to the system time File transfer operations, including firmware updates Configuration changes via HiDiscovery Firmware updates and automatic configuration of the device via the external memory Opening and closing of SNMP via an HTTPS tunnel The device does not log passwords. The logged entries are write-protected and remain saved in the device after a restart. Note: During the restart, access to the system monitor is possible using the default settings of the device. If an attacker gains physical access to the device, then he is able to reset the device settings to its default values using the system monitor. After this, the device and log file are accessible using the standard password. Take appropriate measures to restrict physical access to the device. Otherwise, deactivate access to the system monitor. See the Diagnostics > System > Selftest dialog, SysMon1 is available checkbox. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Save audit trail file Opens the HTML page in a new web browser window or tab. You can save the HTML page on your PC using the appropriate web bowser command. RM GUI RSP Release 8.1 12/2019 569 Advanced [ Advanced > DHCP L2 Relay ] 8 Advanced The menu contains the following dialogs: DHCP L2 Relay DHCP Server DNS Industrial Protocols Command Line Interface 8.1 DHCP L2 Relay [ Advanced > DHCP L2 Relay ] A network administrator uses the DHCP L2 Relay Agent to add DHCP client information. L3 Relay Agents and DHCP servers need the DHCP client information to assign an IP address and a configuration to the clients. When active, the relay adds Option 82 information configured in this dialog to the packets before it relays DHCP requests from the clients to the server. The Option 82 fields provide unique information about the client and relay. This unique identifier consists of a Circuit ID for the client and a Remote ID for the relay. In addition to the type, length, and multicast fields, the Circuit ID includes the VLAN ID, unit number, slot number, and port number for the connected client. The Remote ID consists of a type and length field and either a MAC address, IP address, client identifier, or a user-defined device description. A client identifier is the user-defined system name for the device. The menu contains the following dialogs: DHCP L2 Relay Configuration DHCP L2 Relay Statistics 570 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP L2 Relay > Configuration ] 8.1.1 DHCP L2 Relay Configuration [ Advanced > DHCP L2 Relay > Configuration ] This dialog lets you activate the relay function on an interface and VLAN. When you activate this function on a port, the device either relays the Option 82 information or drops the information on untrusted ports. Furthermore, the device lets you specify the remote identifier. The dialog contains the following tabs: [Interface] [VLAN ID] Operation Operation Enables/disables the DHCP L2 Relay function of the device globally. Possible values: On Enables the DHCP Layer 2 Relay function of the device. Off (default setting) Disables the DHCP Layer 2 Relay function of the device. [Interface] Table Port Displays the port number. Active Activates/deactivates the DHCP L2 Relay function on the port. The prerequisite is that you enable the function globally. Possible values: marked The DHCP L2 Relay function is active. unmarked (default setting) The DHCP L2 Relay function is inactive. Trusted port Activates/deactivates the secure DHCP L2 Relay mode for the corresponding port. RM GUI RSP Release 8.1 12/2019 571 Advanced [ Advanced > DHCP L2 Relay > Configuration ] Possible values: marked The device accepts DHCP packets with Option 82 information. unmarked (default setting) The device discards DHCP packets received on non-secure ports that contain Option 82 information. Buttons You find the description of the standard buttons in section “Buttons” on page 15. [VLAN ID] Table VLAN ID VLAN to which the table entry relates. Active Activates/deactivates the DHCP Layer 2 Relay function on the VLAN. The prerequisite is that you enable the function globally. Possible values: marked The DHCP Layer 2 Relay function is active. unmarked (default setting) The DHCP Layer 2 Relay function is inactive. Circuit ID Activates or deactivates the addition of the Circuit ID to the Option 82 information. Possible values: marked (default setting) Enables Circuit ID and Remote ID to be sent together. unmarked The device sends only the Remote ID. Remote ID type Specifies the components of the Remote ID for this VLAN. 572 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP L2 Relay > Configuration ] Possible values: ip Specifies the IP address of the device as Remote ID. mac (default setting) Specifies the MAC address of the device as Remote ID. client-id Specifies the system name of the device as Remote ID. other When you use this value, enter in the Remote ID column user-defined information. Remote ID Displays the Remote ID for the VLAN. When you specify the value other in the Remote ID type column, specify the identifier. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 573 Advanced [ Advanced > DHCP L2 Relay > Statistics ] 8.1.2 DHCP L2 Relay Statistics [ Advanced > DHCP L2 Relay > Statistics ] The device monitors the traffic on the ports and displays the results in tabular form. This table is divided into various categories to aid you in traffic analysis. Table Port Displays the port number. Untrusted server messages with Option 82 Displays the number of DHCP server messages received with Option 82 information on the untrusted interface. Untrusted client messages with Option 82 Displays the number of DHCP client messages received with Option 82 information on the untrusted interface. Trusted server messages without Option 82 Displays the number of DHCP server messages received without Option 82 information on the trusted interface. Trusted client messages without Option 82 Displays the number of DHCP client messages received without Option 82 information on the trusted interface. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Reset Resets the entire table. 574 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP Server ] 8.2 DHCP Server [ Advanced > DHCP Server ] With the DHCP server, you manage a database of available IP addresses and configuration information. When the device receives a request from a client, the DHCP server validates the DHCP client network, and then leases an IP address. When activated, the DHCP server also allocates configuration information appropriate for that client. The configuration information specifies, for example, which IP address, DNS server and the default route a client uses. The DHCP server assigns an IP address to a client for a user-defined interval. The DHCP client is responsible for renewing the IP address before the interval expires. When the DHCP client is unable to renew the address, the address returns to the pool for reassignment. The menu contains the following dialogs: DHCP Server Global DHCP Server Pool DHCP Server Lease Table RM GUI RSP Release 8.1 12/2019 575 Advanced [ Advanced > DHCP Server > Global ] 8.2.1 DHCP Server Global [ Advanced > DHCP Server > Global ] Activate the function either globally or per port according to your requirements. Operation Operation Enables/disables the DHCP server function of the device globally. Possible values: On Off (default setting) Table Port Displays the port number. DHCP server active Activates/deactivates the DHCP server function on this port. The prerequisite is that you enable the function globally. Possible values: marked (default setting) The DHCP server function is active. unmarked The DHCP server function is inactive. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 576 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP Server > Pool ] 8.2.2 DHCP Server Pool [ Advanced > DHCP Server > Pool ] Assign an IP address to an end device or switch connected to a port or included in a VLAN. The DHCP server provides IP address pools from which it allocates IP addresses to clients. A pool consists of a list of entries. Specify an entry as static to a specific IP address, or as dynamic to an IP address range. The device accommodates up to 128 pools. With static allocation, the DHCP server assigns an IP address to a specific client. The DHCP server identifies the client using a unique hardware ID. A static address entry contains 1 IP address. You apply this IP address to every port or to a specific port of the device. For static allocation, enter an IP address for allocation in the IP address field, and leave the Last IP address column empty. Enter a hardware ID with which the DHCP server uniquely identifies the client. This ID is either a MAC address, a Client ID, a Remote ID, or a Circuit ID. When a client contacts the device with a known hardware ID, the DHCP server allocates the static IP address. In dynamic allocation, when a DHCP client makes contact on a port, the DHCP server assigns an available IP address from a pool for this port. For dynamic allocation, create a pool for the ports by assigning an IP address range. Specify the first and last IP addresses for the IP address range. Leave the MAC address, Client ID, Remote ID and Circuit ID fields empty. You have the option of creating multiple pool entries. This lets you create an IP address range that contains gaps. This dialog displays the different information that is required for the assignment of an IP address for a port or a VLAN. Use the entry. button to add an entry. The device adds a writable and readable Table Index Displays the index number to which the table entry relates. Active Activates/deactivates the DHCP server function on this port. Possible values: marked The DHCP server function is active. unmarked (default setting) The DHCP server function is inactive. IP address Specifies the IP address for static IP address assignment. When using dynamic IP address assignment, this value specifies the start of the IP address range. Possible values: Valid IPv4 address RM GUI RSP Release 8.1 12/2019 577 Advanced [ Advanced > DHCP Server > Pool ] Last IP address When using dynamic IP address assignment, this value specifies the end of the IP address range. Possible values: Valid IPv4 address Port Displays the port number. VLAN ID Displays the VLAN to which the table entry relates. A value of 1 corresponds to the default device management VLAN. Possible values: 1..4042 MAC address Specifies the MAC address of the device leasing the IP address. Possible values: Valid Unicast MAC address Specify the value with a colon separator, for example 00:11:22:33:44:55. – For the IP address assignment, the server ignores this variable. DHCP relay Specifies the IP address of the DHCP relay through which the clients transmit their requests to the DHCP server. When the DHCP server receives the client's request through another DHCP relay, it ignores this request. Possible values: Valid IPv4 address IP address of the DHCP relay. – Between the client and the DHCP server there is no DHCP relay. Client ID Specifies the identification of the client device leasing the IP address. Possible values: 1..80 bytes (format XX XX .. XX) – For the IP address assignment, the server ignores this variable. Remote ID Specifies the identification of the remote device leasing the IP address. 578 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP Server > Pool ] Possible values: 1..80 bytes (format XX XX .. XX) – For the IP address assignment, the server ignores this variable. Circuit ID Specifies the Circuit ID of the device leasing the IP address. Possible values: 1..80 bytes (format XX XX .. XX) – For the IP address assignment, the server ignores this variable. Hirschmann device Activates/deactivates Hirschmann multicasts. If the device in this IP address range serves only Hirschmann devices, then activate this function. Possible values: marked In this IP address range, the device serves only Hirschmann devices. Hirschmann multicasts are activated. unmarked (default setting) In this IP address range, the device serves the devices of different manufacturers. Hirschmann multicasts are deactivated. Configuration URL Specifies the protocol to be used as well as the name and path of the configuration file. Possible values: Alphanumeric ASCII character string with 0..70 characters Example: tftp://192.9.200.1/cfg/config.xml When you leave this field blank, the device leaves this option field blank in the DHCP message. Lease time [s] Specifies the lease time in seconds. Possible values: 1..4294967294 (default setting: 86400) 4294967295 Use this value for assignments unlimited in time and for assignments via BOOTP. Default gateway Specifies the IP address of the default gateway. A value of 0.0.0.0 disables the attachment of the option field in the DHCP message. Possible values: Valid IPv4 address RM GUI RSP Release 8.1 12/2019 579 Advanced [ Advanced > DHCP Server > Pool ] Netmask Specifies the mask of the network to which the client belongs. A value of 0.0.0.0 disables the attachment of the option field in the DHCP message. Possible values: Valid IPv4 netmask WINS server Specifies the IP address of the Windows Internet Name Server which converts NetBIOS names. A value of 0.0.0.0 disables the attachment of the option field in the DHCP message. Possible values: Valid IPv4 address DNS server Specifies the IP address of the DNS server. A value of 0.0.0.0 disables the attachment of the option field in the DHCP message. Possible values: Valid IPv4 address Hostname Specifies the hostname. When you leave this field blank, the device leaves this option field blank in the DHCP message. Possible values: Alphanumeric ASCII character string with 0..64 characters Buttons You find the description of the standard buttons in section “Buttons” on page 15. 580 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DHCP Server > Lease Table ] 8.2.3 DHCP Server Lease Table [ Advanced > DHCP Server > Lease Table ] This dialog displays the status of IP address leasing on a per port basis. Table Port Displays the port number to which the address is currently being leased. IP address Displays the leased IP address to which the entry refers. Status Displays the lease phase. According to the standard for DHCP operations, there are 4 phases to leasing an IP address: Discovery, Offer, Request, and Acknowledgement. Possible values: bootp A DHCP client is attempting to discover a DHCP server for IP address allocation. offering The DHCP server is validating that the IP address is suitable for the client. requesting A DHCP client is acquiring the offered IP address. bound The DHCP server is leasing the IP address to a client. renewing The DHCP client is requesting an extension to the lease. rebinding The DHCP server is assigning the IP address to the client after a successful renewal. declined The DHCP server denied the request for the IP address. released The IP address is available for other clients. Remaining lifetime Displays the time remaining on the leased IP address. Leased MAC address Displays the MAC address of the device leasing the IP address. Gateway Displays the Gateway IP address of the device leasing the IP address. RM GUI RSP Release 8.1 12/2019 581 Advanced [ Advanced > DNS ] Client ID Displays the client identifier of the device leasing the IP address. Remote ID Displays the remote identifier of the device leasing the IP address. Circuit ID Displays the Circuit ID of the device leasing the IP address. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 8.3 DNS [ Advanced > DNS ] The menu contains the following dialogs: DNS Client 8.3.1 DNS Client [ Advanced > DNS > Client ] DNS (Domain Name System) is a service in the network that translates host names into IP addresses. This name resolution lets you contact other devices using their host names instead of their IP addresses. The Client function enables the device to send requests for resolving hostnames in IP addresses to a DNS server. The menu contains the following dialogs: DNS Client Global DNS Client Current DNS Client Static DNS Client Static Hosts 582 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DNS > Client > Global ] 8.3.1.1 DNS Client Global [ Advanced > DNS > Client > Global ] In this dialog, you enable the Client function and the Cache function. Operation Operation Enables/disables the Client function. Possible values: On The Client function is enabled. The device sends requests for resolving hostnames in IP addresses to a DNS server. Off (default setting) The Client function is disabled. Cache Cache Enables/disables the Cache function. Possible values: On (default setting) The Cache function is enabled. The device temporarily saves up to 128 DNS server responses (hostname and corresponding IP address) in the cache. When the cache contains a matching entry, the host name of a new request the device resolves itself. This makes sending a new query to the DNS server unnecessary. Off The Cache function is disabled. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Flush cache Removes every entry from the DNS cache. RM GUI RSP Release 8.1 12/2019 583 Advanced [ Advanced > DNS > Client > Current ] 8.3.1.2 DNS Client Current [ Advanced > DNS > Client > Current ] This dialog displays to which DNS servers the device sends requests for resolving hostnames in IP addresses. Table Index Displays the sequential number of the DNS server. Address Displays the IP address of the DNS server. The device forwards requests for resolving host names in IP addresses to the DNS server with this IP address. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 584 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DNS > Client > Static ] 8.3.1.3 DNS Client Static [ Advanced > DNS > Client > Static ] In this dialog, you specify the DNS servers to which the device forwards requests for resolving host names in IP addresses. The device lets you specify up to 4 IP addresses yourself or to transfer the IP addresses from a DHCP server. Configuration Configuration source Specifies the source from which the device obtains the IP address of DNS servers to which the device addresses requests. Possible values: user The device uses the IP addresses specified in the table. mgmt-dhcp (default setting) The device uses the IP addresses which the DHCP server delivers to the device. Domain name Specifies the domain name according to RFC1034 which the device adds to hostnames without a domain suffix. Possible values: Alphanumeric ASCII character string with 0..255 characters Request timeout [s] Specifies the time interval in seconds for sending again a request to the server. Possible values: 0 Deactivates the function. The device does not send a request to the server again. 1..3600 (default setting: 3) Request retransmits Specifies, how many times the device retransmits a request. The prerequisite is that, in the Request timeout [s] field, you specify a value >0. Possible values: 0..100 (default setting: 2) RM GUI RSP Release 8.1 12/2019 585 Advanced [ Advanced > DNS > Client > Static ] Table Index Displays the sequential number of the DNS server. The device lets you specify up to 4 DNS servers. Address Specifies the IP address of the DNS server. Possible values: Valid IPv4 address (default setting: 0.0.0.0) Active Activates/deactivates the table entry. The device sends requests to the DNS server configured in the first active table entry. When the device does not receive a response from this server, it sends requests to the DNS server configured in the next active table entry. Possible values: marked The DNS client sends requests to this DNS server. Prerequisites: Enable the DNS-client function in the Advanced > DNS > Global dialog. Select in the Configuration frame, Configuration source drop-down-list the value user. unmarked (default setting) The device does not send requests to this DNS server. Buttons You find the description of the standard buttons in section “Buttons” on page 15. 586 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > DNS > Client > Static Hosts ] 8.3.1.4 DNS Client Static Hosts [ Advanced > DNS > Client > Static Hosts ] This dialog lets you specify up to 64 hostnames which you link with one IP address each. Upon a request for resolving hostnames in IP addresses, the device searches this table for a corresponding entry. When the device does not find a corresponding entry, it forwards the request. Table Index Displays the index number to which the table entry relates. Possible values: 1..64 Name Specifies the hostname. Possible values: Alphanumeric ASCII character string with 0..255 characters IP address Specifies the IP address under which the host is reachable. Possible values: Valid IPv4 address Active Activates/deactivates the table entry. Possible values: marked The device resolves a request for the host name for this entry. unmarked After receiving a request for this host name, the device sends a request to one of the configured name servers for resolution. Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 587 Advanced [ Advanced > Industrial Protocols ] 8.4 Industrial Protocols [ Advanced > Industrial Protocols ] The menu contains the following dialogs: IEC61850-MMS Modbus TCP EtherNet/IP PROFINET 588 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > Industrial Protocols > IEC61850-MMS ] 8.4.1 IEC61850-MMS [ Advanced > Industrial Protocols > IEC61850-MMS ] The IEC61850-MMS is a standardized industrial communication protocol from the International Electrotechnical Commission (IEC). For example, automatic switching equipment uses this protocol when communicating with power station equipment. The packet orientated protocol defines a uniform communication language based on the transport protocol, TCP/IP. The protocol uses a Manufacturing Message Specification (MMS) server for client server communications. The protocol includes functions for SCADA, Intelligent Electronic Device (IED) and the network control systems. Note: IEC61850/MMS does not provide any authentication mechanisms. If the write access for IEC61850/MMS is activated, then every client that can access the device using TCP/IP is capable of changing the settings of the device. This in turn can result in an incorrect configuration of the device and to failures in the network. Activate the write access only if you have taken additional measures (for example Firewall, VPN, etc.) to reduce possible unauthorized access. This dialog lets you specify the following MMS server settings: Activates/deactivates the MMS server. Activates/deactivates the write access to the MMS server. The MMS server TCP Port. The maximum number of MMS server sessions. Operation Operation Enables/disables the IEC61850-MMS server. Possible values: On The IEC61850-MMS server is enabled. Off (default setting) The IEC61850-MMS server is disabled. The IEC61850 MIBs stay accessible. Configuration Write access Activates/deactivates the write access to the MMS server. RM GUI RSP Release 8.1 12/2019 589 Advanced [ Advanced > Industrial Protocols > IEC61850-MMS ] Possible values: marked The write access to the MMS server is activated. This setting lets you change the device settings using the IEC 61850 MMS protocol. unmarked (default setting) The write access to the MMS server is deactivated. The MMS server is accessible as read-only. Technical key Specifies the IED name. The IED name is eligible independently of the system name. Possible values: Alphanumeric ASCII character string with 0..32 characters The following characters are allowed: – _ – 0..9 – a..z – A..Z (default setting: KEY) To get the MMS server to use the IED name, click the connection to connected clients is then interrupted. button and restart the MMS server. The TCP port Specifies TCP port for MMS server access. Possible values: 1..65535 (default setting: 102) Exception: Port 2222 is reserved for internal functions. Note: The server restarts automatically after you change the port. In the process, the device terminates open connections to the server. Sessions (max.) Specifies the maximum number of MMS server connections. Possible values: 1..15 (default setting: 5) Information Status Displays the current IEC61850-MMS server status. Possible values: unavailable starting running 590 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > Industrial Protocols > IEC61850-MMS ] stopping halted error Active sessions Displays the number of active MMS server connections. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Download Copies the ICD file to your PC. RM GUI RSP Release 8.1 12/2019 591 Advanced [ Advanced > Industrial Protocols > Modbus TCP ] 8.4.2 Modbus TCP [ Advanced > Industrial Protocols > Modbus TCP ] Modbus TCP is a protocol used for Supervisory Control and Data Acquisition (SCADA) system integration. Modbus TCP is a vendor-neutral protocol used to monitor and control industrial automation equipment such as Programmable Logic Controllers (PLC), sensors and meters. This dialog lets you specify the parameters of the protocol. To monitor and control the parameters of the device, you need Human-Machine Interface (HMI) software and the memory mapping table. Refer to the tables located in the Industrial Protocol user manual for the supported objects and memory mapping. The dialog lets you enable the function, activate the write access, control which TCP port the Human-Machine Interface (HMI) polls for data. You can also specify the number of sessions allowed to be open at the same time. Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the protocol does not authenticate user access. To help minimize the unavoidable security risks, specify the IP address range located in the Device Security > Management Access dialog. Enter only the IP addresses assigned to your devices before enabling the function. Furthermore, the default setting for monitoring function activation in the Diagnostics > Status Configuration > Security Status dialog, Global tab, is active. Operation Operation Enables/disables the Modbus TCP server in the device. Possible values: On The Modbus TCP server is enabled. Off (default setting) The Modbus TCP server is disabled. Configuration Write access Activates/deactivates the write access to the Modbus TCP parameters. Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the protocol does not authenticate user access. 592 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > Industrial Protocols > Modbus TCP ] Possible values: marked (default setting) The Modbus TCP server read/write access is active. This lets you change the device configuration using the Modbus TCP protocol. unmarked The Modbus TCP server read-only access is active. TCP port Specifies the TCP port number that the Modbus TCP server uses for communication. Possible values: <TCP Port number> (default setting: 502) Specifying 0 is not allowed. Sessions (max.) Specifies the maximum number of concurrent sessions that the Modbus TCP server maintains. Possible values: 1..5 (default setting: 5) Buttons You find the description of the standard buttons in section “Buttons” on page 15. RM GUI RSP Release 8.1 12/2019 593 Advanced [ Advanced > Industrial Protocols > PROFINET ] 8.4.3 PROFINET [ Advanced > Industrial Protocols > PROFINET ] This dialog lets you configure the PROFINET protocol on this device used in conjunction with PROFINET Controllers and PROFINET devices. The device bases the PROFINET function on the Siemens V2.2 PROFINET stack for common Ethernet controllers. The PROFINET protocol implemented in the device conforms to Class B for real time responses according to IEC 61158. Functions that directly affect the PROFINET function require the following default values to be changed. If you have obtained the device as a specially available PROFINET variant, then these values are already predefined: PROFINET Advanced > Industrial Protocols > PROFINET dialog • Operation frame Operation = On • Configuration frame Name of station field = <empty> Network Basic Settings > Network dialog • Management interface frame IP address assignment radio button = Local • HiDiscovery protocol v1/v2 frame Access drop-down list = readOnly • IP parameter frame IP address field = 0.0.0.0 Netmask field = 0.0.0.0 Gateway address field = 0.0.0.0 VLAN Switching > Global dialog • Configuration frame VLAN unaware mode checkbox = marked LLDP Diagnostics > LLDP > Configuration dialog • Configuration frame Transmit interval [s] field = 5 Transmit delay [s] field = 1 Operation Operation Enables/disables the PROFINET function in the device. 594 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > Industrial Protocols > PROFINET ] Possible values: On The PROFINET function is enabled. Off (default setting) The PROFINET function is disabled. Configuration Name of station Specifies the name of the device. Possible values: Alphanumeric ASCII character string with 0..240 characters The device prohibits you from using a number as the first character. Information Active application relations Displays how many application relations are active. Table Port Displays the port number. DCP mode Specifies the data stream direction on the port to monitor for DCP packets. The Programmable Logic Controller (PLC) detects PROFINET devices using the Discovery and Configuration Protocol (DCP). RM GUI RSP Release 8.1 12/2019 595 Advanced [ Advanced > Industrial Protocols > PROFINET ] The DCP identify request packets are multicast, the responses from the agents are unicast. Regardless of the settings, the device forwards the received DCP packets to other ports whose setting is either egress or both. Management Management none none DCP none DCP ingress ingress egress DCP Management Management none ingress none egress DCP DCP DCP egress both both egress ingress both DCP both ingress egress both DCP Possible values: none The agent does not respond to packets received on this port. The port does not forward packets received on other ports. ingress The agent responds to packets received on this port. The port does not forward packets received on other ports. egress The agent does not respond to packets received on this port. The port forwards packets received on other ports. both (default setting) The agent responds to packets received on this port. The port forwards packets received on other ports. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Download GSDML file Copies the GSDML file onto your PC. 596 RM GUI RSP Release 8.1 12/2019 Advanced [ Advanced > Industrial Protocols > EtherNet/IP ] 8.4.4 EtherNet/IP [ Advanced > Industrial Protocols > EtherNet/IP ] This dialog lets you activate the EtherNet/IP protocol, to change the SET/GET capability and to download the EDS file from the device. Operation Operation Enables/disables the EtherNet/IP function in the device. Possible values: On The EtherNet/IP function is enabled. Off (default setting) The EtherNet/IP function is disabled. The device continues to read the EtherNet/IP data. Configuration Write access Activates/deactivates the read/write capability of the EtherNet/IP protocol. Possible values: marked The EtherNet/IP protocol accepts set/get requests. unmarked (default setting) The EtherNet/IP protocol accepts only get requests. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Download EDS file Copies the following information in a zip file onto your PC: Electronic Data Sheet (EDS) with device related information device icon RM GUI RSP Release 8.1 12/2019 597 Advanced [ Advanced > CLI ] 8.5 Command Line Interface [ Advanced > CLI ] This dialog lets you access the device using the Command Line Interface. The prerequisites are: In the device, enable the SSH server in the Device Security > Management Access > Server dialog, tab SSH. On your workstation, install a SSH-capable client application which registers a handler for URLs starting with ssh:// in your operating system. Buttons You find the description of the standard buttons in section “Buttons” on page 15. Open SSH connection Opens the SSH-capable client application. When you click the button, the web application passes the URL of the device starting with ssh:// and the user name of the currently logged on user. If the web browser finds a SSH-capable client application, then the SSH-capable client establishes a connection to the device using the SSH protocol. 598 RM GUI RSP Release 8.1 12/2019 Index A Index 0-9 1to1 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 802.1D/p mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87, 129 A Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Access restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Address conflict detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23, 503 Aging time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198, 508 Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356, 360, 503 ARP inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360, 508 Audit trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Authentication history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Authentication list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Auto disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124, 162, 172, 174, 308, 530, 531, 539 Auto summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 B Boundary clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 C Cable diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19, 39, 91, 108, 109, 486, 512, 519 CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Command line interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Community names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Configuration check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Configuration profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14, 29 Context menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Counter reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Count-to-infinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 D Daylight saving time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Device software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Device software backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Device status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17, 477 DHCP L2 relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Distance vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 DLR (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 DNS cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 DNS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 Domain name system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 DSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Dynamic ARP inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 RM GUI RSP Release 8.1 12/2019 599 Index E EAPOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Egress rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 ENVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 29, 34, 40, 478, 484, 491, 566 EtherNet/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486, 597 Event severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515, 564 External memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 29, 34, 40, 566 F FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Fast MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276, 335 FDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Filter MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104, 108 Flash memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 500 Flow control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 G GARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 230 322 232 H Hardware clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Hardware state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 HiDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 485, 569 HIPER ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 HiVRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452, 453, 467 Host key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Host routes accept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 HSR (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499, 568 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 HTTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 I IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87, 145 ICMP redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351, 357 IEC61850-MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485, 589 IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Industrial HiVision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10, 100 Ingress filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Ingress rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Integrated authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87, 145 IP access restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 IP address conflict detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 IP DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 IPv4 rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 600 RM GUI RSP Release 8.1 12/2019 Index L L2 relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 L3 relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Link aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Link backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 Load/save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51, 568 Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117, 120 Loopback interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 M MAC Address Conflict Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 MAC address table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 MAC flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 MAC rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 MAC spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Mail notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Management access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 111 Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Manufacturing message specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589 Media redundancy protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 MMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589 Modbus TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486, 592 MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 MRP-IEEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 MSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Multicast routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 N NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 NVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13, 14, 21, 27, 34 O OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 RM GUI RSP Release 8.1 12/2019 601 Index P Parallel redundancy protocol (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83, 482 Password length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83, 482 Persistent logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 Port clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133, 235 Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 Port monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Port VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Port-based access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19, 479, 492 Pre-Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Priority queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 PROFINET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486, 594 Proxy ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 PRP (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Q Queue management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 R RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87, 146 RAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 RAM test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 RCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Redundant coupling protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425, 570 Request interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Ring structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Ring/Network coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 RIP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 RNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Root bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Route distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Router discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 Router interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263, 355 Routing information protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Routing profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304, 305 602 RM GUI RSP Release 8.1 12/2019 Index S Secure shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Security status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18, 481 Self-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Serial interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515, 564 sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 SFP module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Signal contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18, 488 SNMP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100, 483 SNMP traps . . . . . . . . . . . . . 46, 125, 305, 329, 377, 419, 453, 477, 481, 490, 496, 505, 506, 530 SNMPv1/v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 SNTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 SNTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Software backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Software update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 SSH server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Subring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 Switch dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 System information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 System log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 System monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 System time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 T Technical questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101, 483 Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20, 478, 490 Threshold values network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Time profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Time to live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552 Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417, 471 Training courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Transparent clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Trap destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 Traps . . . . . . . . . . . . . . . . . . 46, 125, 305, 329, 377, 419, 453, 477, 481, 490, 496, 505, 506, 530 Trust mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 TTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Twisted pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 U Unaware mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 RM GUI RSP Release 8.1 12/2019 603 Index V Virtual local area network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Virtual router redundancy protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 260 VLAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 VLAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 VLAN unaware mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 VRRP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 VRRP tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 W Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29, 33 Web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106, 107 Z ZIP archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 604 RM GUI RSP Release 8.1 12/2019 Further support B Further support Technical questions For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly. You find the addresses of our partners on the Internet at www.hirschmann.com. A list of local telephone numbers and email addresses for technical support directly from Hirschmann is available at hirschmann-support.belden.com. This site also includes a free of charge knowledge base and a software download section. Technical Documents The current manuals and operating instructions for Hirschmann products are available at doc.hirschmann.com. Hirschmann Competence Center The Hirschmann Competence Center is ahead of its competitors on three counts with its complete range of innovative services: Consulting incorporates comprehensive technical advice, from system evaluation through network planning to project planning. Training offers you an introduction to the basics, product briefing and user training with certification. You find the training courses on technology and products currently available at www.hicomcenter.com. Support ranges from the first installation through the standby service to maintenance concepts. With the Hirschmann Competence Center, you decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use. RM GUI RSP Release 8.1 12/2019 605 Readers’ Comments C Readers’ Comments What is your opinion of this manual? We are constantly striving to provide as comprehensive a description of our product as possible, as well as important information to assist you in the operation of this product. Your comments and suggestions help us to further improve the quality of our documentation. Your assessment of this manual: Very Good Good Satisfactory Mediocre Poor Precise description O O O O O Readability O O O O O Understandability O O O O O Examples O O O O O Structure O O O O O Comprehensive O O O O O Graphics O O O O O Drawings O O O O O Tables O O O O O Did you discover any errors in this manual? If so, on what page? Suggestions for improvement and additional information: 606 RM GUI RSP Release 8.1 12/2019 Readers’ Comments General comments: Sender: Company / Department: Name / Telephone number: Street: Zip code / City: E-mail: Date / Signature: Dear User, Please fill out and return this page as a fax to the number +49 (0)7127/14-1600 or per mail to Hirschmann Automation and Control GmbH Department 01RD-NT Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany RM GUI RSP Release 8.1 12/2019 607 User Manual Configuration Rail Switch Power HiOS-3S UM Config RSP Release 8.1 12/2019 Technical support https://hirschmann-support.belden.com The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone. © 2019 Hirschmann Automation and Control GmbH Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document. Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract. You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com). Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany 2019-12-05 UM Config RSP Release 8.1 12/2019 Contents Contents Safety instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 About this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1 1.1 1.2 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.2.8 1.2.9 1.2.10 1.2.11 1.2.12 1.2.13 1.2.14 1.3 1.3.1 1.3.2 User interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing the data connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access to the Command Line Interface using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access to the Command Line Interface using SSH (Secure Shell) . . . . . . . . . . . . . . . . . . . . . . Access to the Command Line Interface using the serial interface . . . . . . . . . . . . . . . . . . . . . . . . User rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mode-based command hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Executing the commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Structure of a command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examples of commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Input prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Key combinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data entry elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Service Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Functional scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Starting the System Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 15 16 16 16 19 21 23 24 27 28 30 31 33 34 35 37 40 40 40 2 2.1 2.1.1 2.1.2 2.1.3 2.2 2.3 2.3.1 2.3.2 2.4 2.5 2.6 2.7 2.7.1 Specifying the IP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP parameter basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP address (version 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Classless Inter-Domain Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specifying the IP parameters using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . Specifying the IP parameters using HiDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specifying the IP parameters using the Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . Specifying the IP parameters using BOOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specifying the IP parameters using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Management address conflict detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active and passive detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 42 42 43 45 46 48 49 49 51 52 53 55 55 3 3.1 3.2 3.2.1 3.2.2 3.2.3 3.2.4 Access to the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . First login (Password change) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing authentication lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adjust the settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 56 57 57 57 58 59 UM Config RSP Release 8.1 12/2019 3 Contents 3.3 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.4 3.4.1 3.4.2 3.5 3.5.1 3.5.2 User management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Default setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Changing default passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting up a new user account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deactivating the user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adjusting policies for passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Coordination with the server administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMP access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMPv1/v2 access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMPv3 access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 61 63 63 64 65 66 67 68 68 69 72 72 73 4 4.1 4.2 4.2.1 4.2.2 4.2.3 4.2.4 4.3 4.3.1 4.3.2 4.3.3 4.4 4.4.1 4.4.2 Managing configuration profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Detecting changed settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Saving the settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Saving the configuration profile in the device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Saving the configuration profile in the external memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Backup the configuration profile on a remote server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exporting a configuration profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Loading settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Activating a configuration profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Loading the configuration profile from the external memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . Importing a configuration profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reset the device to the factory defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the Graphical User Interface or Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . Using the System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 74 75 75 77 77 78 80 80 81 83 85 85 85 5 5.1 5.2 5.3 5.3.1 5.3.2 5.4 Loading software updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software update from the PC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software update from a server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software update from the external memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manually—initiated by the administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatically—initiated by the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Loading a previous software version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 87 88 89 89 89 91 6 6.1 6.2 6.3 6.3.1 Configuring the ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling/disabling the port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Selecting the operating mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Link monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 92 93 94 94 7 7.1 7.2 7.3 7.4 7.5 7.6 7.7 Assistance in the protection from unauthorized access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Changing the SNMPv1/v2 community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Disabling SNMPv1/v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Disabling HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Disabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Disabling the HiDiscovery access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Activating the IP access restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Adjusting the session timeouts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 4 UM Config RSP Release 8.1 12/2019 Contents 8 8.1 8.2 8.2.1 8.2.2 8.2.3 8.2.4 8.2.5 8.3 Controlling the data traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Helping protect against unauthorized access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating and editing IPv4 rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating and configuring an IP ACL using the Command Line Interface. . . . . . . . . . . . . . . . . . Creating and editing MAC rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating and configuring a MAC ACL using the Command Line Interface . . . . . . . . . . . . . . . . Assigning ACLs to a port or VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAC authentication bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 105 107 108 109 110 110 111 112 9 9.1 9.1.1 9.1.2 9.2 9.2.1 9.2.2 9.2.3 9.3 9.3.1 9.3.2 9.3.3 9.3.4 9.3.5 Synchronizing the system time in the network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basic settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting the time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic daylight saving time changeover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining settings of the SNTP client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specifying SNTP server settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Best Master Clock algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Delay measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PTP domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using PTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 113 114 115 116 117 118 119 120 120 121 121 122 122 10 10.1 10.1.1 10.1.2 10.1.3 10.2 10.2.1 10.2.2 10.3 10.4 10.4.1 10.4.2 10.4.3 10.4.4 10.4.5 10.4.6 10.4.7 10.4.8 10.5 10.5.1 10.5.2 Network load control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Direct packet distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Learning MAC addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aging of learned MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Static address entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example of a Multicast application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . QoS/Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Description of prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Handling of received priority information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP ToS (Type of Service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Handling of traffic classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Queue management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Management prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Flow control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Halfduplex or fullduplex link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting up the Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 123 123 123 124 126 126 126 131 132 132 133 133 134 135 136 139 139 144 144 145 11 11.1 11.1.1 11.1.2 11.2 11.3 VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examples of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Guest VLAN / Unauthenticated VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RADIUS VLAN assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 147 147 150 156 158 UM Config RSP Release 8.1 12/2019 5 Contents 11.4 11.5 11.6 11.7 11.8 Creating a Voice VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAC based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP subnet based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protocol-based VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN unaware mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 160 161 162 163 12 12.1 12.1.1 12.1.2 12.1.3 12.2 12.2.1 12.2.2 12.2.3 12.2.4 12.2.5 12.2.6 12.3 12.3.1 12.3.2 12.4 12.4.1 12.4.2 12.4.3 12.4.4 12.4.5 12.5 12.5.1 12.5.2 12.6 12.6.1 12.6.2 12.6.3 12.6.4 12.6.5 12.7 12.7.1 12.7.2 12.7.3 12.8 12.8.1 12.8.2 12.8.3 12.8.4 12.8.5 12.8.6 12.8.7 12.8.8 12.8.9 Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Topology vs. Redundancy Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Redundancy Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Combinations of Redundancies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Media Redundancy Protocol (MRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reconfiguration time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Advanced mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prerequisites for MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP over LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIPER Ring Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLANS on the HIPER Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIPER Ring over LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Parallel Redundancy Protocol (PRP) (depends on hardware) . . . . . . . . . . . . . . . . . . . . . . . . Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LRE functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRP Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connecting RedBoxes and DANPs to a PRP network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . High-availability Seamless Redundancy (HSR) (depends on hardware) . . . . . . . . . . . . . . . . Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HSR Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Device Level Ring (DLR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Device Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Error Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Neighbor Check process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sign On Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rules for Creating the Tree Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Spanning Tree Priority Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fast reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STP compatibility mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ring only mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RSTP over HSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 164 164 166 167 168 168 169 169 169 171 175 179 179 180 181 181 181 182 183 184 186 186 187 194 194 196 197 198 199 201 202 205 207 210 210 211 212 212 212 213 215 218 219 6 UM Config RSP Release 8.1 12/2019 Contents 12.9 12.9.1 12.9.2 12.10 12.10.1 12.10.2 12.11 12.12 12.12.1 12.12.2 12.12.3 12.13 12.13.1 12.14 12.14.1 12.14.2 12.15 12.15.1 Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Methods of Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Link Aggregation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Link Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fail Back Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FuseNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subring description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subring example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subring example configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subring with LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ring/Network Coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Methods of Ring/Network Coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prepare the Ring/Network Coupling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Application example for RCP coupling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 220 221 222 222 222 224 225 225 227 228 230 230 234 234 235 248 250 13 13.1 13.2 13.2.1 13.2.2 13.2.3 13.3 13.3.1 13.3.2 13.3.3 13.3.4 13.4 13.4.1 13.5 13.5.1 13.5.2 13.5.3 13.5.4 13.6 13.6.1 13.6.2 13.6.3 13.6.4 13.6.5 13.7 13.7.1 13.7.2 13.7.3 13.7.4 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing - Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Net-directed Broadcasts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Static Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port-based Router Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN-based Router-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration of a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Static route tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NAT – Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1:1 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Interface tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ping tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logical tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP/HiVRRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HiVRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HiVRRP Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP with load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VRRP with Multinetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maximum Network Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Properties of RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 253 254 255 257 257 259 259 261 264 267 273 274 276 276 277 278 278 286 286 289 292 296 297 298 299 300 301 301 UM Config RSP Release 8.1 12/2019 7 Contents 13.8 13.8.1 13.8.2 13.8.3 13.8.4 13.8.5 13.8.6 13.8.7 13.9 13.9.1 13.9.2 13.10 13.10.1 13.10.2 13.10.3 13.11 OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OSPF-Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Operation of OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting up the Adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Synchronization of the LSDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Route Calculation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Limiting the distribution of the routes using an ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protocol-based VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration of the Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Group Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scoping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Entering the IP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 305 310 311 312 313 314 317 328 328 329 332 333 334 336 337 14 14.1 14.1.1 14.1.2 14.1.3 14.1.4 14.2 14.2.1 14.2.2 14.2.3 14.3 14.3.1 14.3.2 14.3.3 14.4 14.4.1 14.4.2 14.5 14.6 14.6.1 14.7 14.8 14.9 14.9.1 14.9.2 14.10 14.11 14.11.1 14.11.2 14.11.3 14.11.4 14.11.5 14.11.6 14.11.7 Operation diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sending SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . List of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMP traps for configuration activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMP trap setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ICMP messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring the Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Events which can be monitored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying the Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Events which can be monitored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying the Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Out-of-Band signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Controlling the Signal contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring the Device and Security Statuses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port status indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port event counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Detecting non-matching duplex modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Auto-Disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying the SFP status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying the Topology discovery results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LLDP-Med . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Detecting loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Email Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specify the sender address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specify the triggering events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Change the send interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specify the recipients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specify the mail server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enable/disable the function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Send a test email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 340 341 342 342 343 344 344 345 346 347 347 348 350 351 351 352 355 356 356 358 360 361 361 362 363 364 364 364 366 366 367 367 368 8 UM Config RSP Release 8.1 12/2019 Contents 14.12 14.12.1 14.12.2 14.12.3 14.12.4 14.12.5 14.13 14.14 14.14.1 14.14.2 14.14.3 14.15 14.16 14.17 Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Syslog over TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network analysis with TCPdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring the data traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLAN mirroring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Remote SPAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Self-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Copper cable test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network monitoring with sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 369 371 372 372 374 375 376 376 377 379 391 393 394 15 15.1 15.1.1 15.1.2 15.1.3 15.2 15.2.1 15.2.2 15.3 15.3.1 15.4 15.4.1 15.4.2 15.5 15.5.1 15.5.2 15.5.3 15.5.4 Advanced functions of the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the device as a DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP Addresses assigned per port or per VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP server static IP address example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP server dynamic IP address range example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP L2 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Circuit and Remote IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP L2 Relay configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the device as a DNS client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring a DNS server example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring GMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP-IEEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MRP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MVRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 396 396 397 398 399 399 400 402 403 404 404 405 406 406 406 407 408 16 16.1 16.1.1 16.1.2 16.2 16.2.1 16.2.2 16.2.3 16.3 16.3.1 16.3.2 16.4 16.4.1 16.4.2 Industry Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IEC 61850/MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Switch model for IEC 61850. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integration into a Control System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Modbus TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Client/Server Modbus TCP/IP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Supported Functions and Memory Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EtherNet/IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integration into a Control System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EtherNet/IP Entity Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PROFINET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integration into a Control System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PROFINET Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 412 412 413 415 415 415 418 420 420 422 441 442 448 A A.1 A.2 Setting up the configuration environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Setting up a DHCP/BOOTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Setting up a DHCP server with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 UM Config RSP Release 8.1 12/2019 9 Contents A.3 A.3.1 A.3.2 A.3.3 A.4 A.4.1 A.4.2 Preparing access via SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Generating a key in the device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Loading your own key onto the device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing the SSH client program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS certificate management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access through HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 461 462 462 464 465 466 B B.1 B.2 B.3 B.4 B.5 B.6 B.7 B.8 B.9 B.10 Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Literature references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Management Information Base (MIB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . List of RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Underlying IEEE Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Underlying IEC Norms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Underlying ANSI Norms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Copyright of integrated Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Abbreviations used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 467 468 469 472 475 476 477 478 479 480 C Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 D Further support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 E Readers’ Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 10 UM Config RSP Release 8.1 12/2019 Safety instructions Safety instructions WARNING UNCONTROLLED MACHINE ACTIONS To avoid uncontrolled machine actions caused by data loss, configure all the data transmission devices individually. Before you start any machine which is controlled via data transmission, be sure to complete the configuration of all data transmission devices. Failure to follow these instructions can result in death, serious injury, or equipment damage. UM Config RSP Release 8.1 12/2019 11 About this Manual About this Manual The “Configuration” user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The “Installation” user manual contains a device description, safety instructions, a description of the display, and the other information that you need to install the device. The “Graphical User Interface” reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device. The “Command Line Interface” reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device. The Industrial HiVision Network Management software provides you with additional options for smooth configuration and monitoring: Auto-topology discovery Browser interface Client/server structure Event handling Event log Simultaneous configuration of multiple devices Graphical user interface with network layout SNMP/OPC gateway 12 UM Config RSP Release 8.1 12/2019 Key Key The designations used in this manual have the following meanings: List Work step Link Cross-reference with link Note: A note emphasizes a significant fact or draws your attention to a dependency. Courier Representation of a CLI command or field contents in the graphical user interface Execution in the Graphical User Interface Execution in the Command Line Interface UM Config RSP Release 8.1 12/2019 13 Introduction Introduction The device has been developed for use in a harsh industrial environment. Accordingly, the installation process has been kept simple. Thanks to the selected default settings, you only have to enter a few settings before starting to operate the device. 14 UM Config RSP Release 8.1 12/2019 User interfaces 1.1 Graphical User Interface 1 User interfaces The device lets you specify the settings of the device using the following user interfaces. Table 1: 1.1 User interfaces for accessing the device management User interface Can be reached through … Prerequisite Graphical User Interface Ethernet (In-Band) Web browser Command Line Interface Ethernet (In-Band) Serial interface (Out-of-Band) Terminal emulation software System monitor Serial interface (Out-of-Band) Terminal emulation software Graphical User Interface System requirements To open the Graphical User Interface, you need the desktop version of a web browser with HTML5 support. Note: Third-party software such as web browsers validate certificates based on criteria such as their expiration date and current cryptographic parameter recommendations. Old certificates can cause errors for example, when they expire or cryptographic recommendations change. To solve validation conflicts with third-party software, transfer your own up-to-date certificate onto the device or regenerate the certificate with the latest firmware. Starting the Graphical User Interface The prerequisite for starting the Graphical User Interface is that the IP parameters are configured in the device. See “Specifying the IP parameters” on page 42. Start your web browser. Type the IP address of the device in the address field of the web browser. Use the following form: https://xxx.xxx.xxx.xxx The web browser sets up the connection to the device and displays the Login page. When you want to change the language of the Graphical User Interface, click the appropriate link in the top right corner of the Login page. Enter the user name. Enter the password. Click the Login button. The web browser displays the Graphical User Interface. UM Config RSP Release 8.1 12/2019 15 User interfaces 1.2 Command Line Interface 1.2 Command Line Interface The Command Line Interface enables you to use the functions of the device through a local or remote connection. The Command Line Interface provides IT specialists with a familiar environment for configuring IT devices. As an experienced user or administrator, you have knowledge about the basics and about using Hirschmann devices. 1.2.1 Preparing the data connection Information for assembling and starting up your device can be found in the “Installation” user manual. Connect the device with the network. The prerequisite for a successful data connection is the correct setting of the network parameters. You can access the user interface of the Command Line Interface for example, with the freeware program PuTTY. This program is provided on the product CD. Install the PuTTY program on your computer. 1.2.2 Access to the Command Line Interface using Telnet Telnet connection using Windows Telnet is only installed as standard in Windows versions before Windows Vista. Proceed as follows: Start the Command Prompt program on your computer. Enter the command telnet <IP_address>. Figure 1: 16 Command Prompt: Setting up the Telnet connection to the device UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Telnet connection using PuTTY Proceed as follows: Start the PuTTY program on your computer. Figure 2: PuTTY input screen In the Host Name (or IP address) field you enter the IP address of your device. The IP address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers are separated by points. To select the connection type, select the Telnet radio button in the Connection type range. Click the Open button to set up the data connection to your device. The Command Line Interface appears on the screen with a window for entering the user name. The device enables up to 5 users to have access to the Command Line Interface at the same time. Note: This device is a security-relevant product. Change the password during the first startup procedure. Enter the user name. The default user name is admin. Press the <Enter> key. Enter the password. The default password is private. Press the <Enter> key. UM Config RSP Release 8.1 12/2019 17 User interfaces 1.2 Command Line Interface Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH All rights reserved RSP20 Release 8.1 (Build date 2019-02-05 19:17) System Name Management IP Subnet Mask Base MAC System Time : : : : : RSP-ECE555015560 192.168.1.5 255.255.255.0 EC:E5:55:01:02:03 2019-01-01 17:39:01 NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the particular mode. For the syntax of a particular command form, please consult the documentation. RSP> Figure 3: 18 Start screen of the Command Line Interface UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface 1.2.3 Access to the Command Line Interface using SSH (Secure Shell) In the following example we use the PuTTY program. Another option to access your device using SSH is the OpenSSH Suite. Proceed as follows: Start the PuTTY program on your computer. Figure 4: PuTTY input screen In the Host Name (or IP address) field you enter the IP address of your device. The IP address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers are separated by points. To specify the connection type, select the SSH radio button in the Connection type range. After selecting and setting the required parameters, the device enables you to set up the data connection using SSH. UM Config RSP Release 8.1 12/2019 19 User interfaces 1.2 Command Line Interface Click the Open button to set up the data connection to your device. Depending on the device and the time at which SSH was configured, setting up the connection takes up to a minute. When you first login to your device, towards the end of the connection setup, the PuTTY program displays a security alert message and lets you check the fingerprint of the key. Figure 5: Security alert prompt for the fingerprint Check the fingerprint. This helps protect yourself from unwelcome guests. When the fingerprint matches the fingerprint of the device key, click the Yes button. The device lets you display the finger prints of the device keys with the command show ssh or in the Device Security > Management Access > Server dialog, SSH tab. The Command Line Interface appears on the screen with a window for entering the user name. The device enables up to 5 users to have access to the Command Line Interface at the same time. Enter the user name. The default user name is admin. Press the <Enter> key. Enter the password. The default password is private. Press the <Enter> key. Note: This device is a security-relevant product. Change the password during the first startup procedure. 20 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface login as: admin [email protected]’s password: Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH All rights reserved RSP20 Release 8.1 (Build date 2019-02-05 19:17) System Name Management IP Subnet Mask Base MAC System Time : : : : : RSP-ECE555015560 192.168.1.5 255.255.255.0 EC:E5:55:01:02:03 2019-01-01 17:39:01 NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the particular mode. For the syntax of a particular command form, please consult the documentation. RSP> Figure 6: 1.2.4 Start screen of the Command Line Interface Access to the Command Line Interface using the serial interface The serial interface is used to locally connect an external network management station (VT100 terminal or PC with terminal emulation). The interface lets you set up a data connection to the Command Line Interface and to the system monitor. VT 100 terminal settings Speed Data Stopbit Handshake Parity UM Config RSP Release 8.1 12/2019 9600 bit/s 8 bit 1 bit off none 21 User interfaces 1.2 Command Line Interface Proceed as follows: Connect the device to a terminal using the serial interface. Alternatively connect the device to a COM port of your PC using terminal emulation based on VT100 and press any key. Alternatively you set up the serial data connection to the device with the serial interface using the PuTTY program. Press the <Enter> key. Figure 7: Serial data connection with the serial interface using the PuTTY program Press any key on your terminal keyboard a number of times until the login screen indicates the CLI mode. Enter the user name. The default user name is admin. Press the <Enter> key. Enter the password. The default password is private. Press the <Enter> key. Note: This device is a security-relevant product. Change the password during the first startup procedure. 22 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Copyright (c) 2011-2019 Hirschmann Automation and Control GmbH All rights reserved RSP20 Release 8.1 (Build date 2019-02-05 19:17) System Name Management IP Subnet Mask Base MAC System Time : : : : : RSP-ECE555015560 192.168.1.5 255.255.255.0 EC:E5:55:01:02:03 2019-01-01 17:39:01 NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the particular mode. For the syntax of a particular command form, please consult the documentation. RSP> Figure 8: 1.2.5 Start screen of the Command Line Interface User rights The device functions available to you as a user depend on your access role. When you are logged on to the user interface with a specific access role, the functions of the access role are available to you. The commands available to you as a user, also depend on the Command Line Interface mode in which you are currently working. See “Mode-based command hierarchy” on page 24. UM Config RSP Release 8.1 12/2019 23 User interfaces 1.2 Command Line Interface Access roles The user interface offers the following access roles: Operator Table 2: 1.2.6 User Auditor Administrator Access roles and scope of user authorizations Access role User authorizations User Users logged on with the access role User are authorized to monitor the device. Auditor Users logged on with the access role Auditor are authorized to monitor the device and to save the log file in the Diagnostics > Report > Audit Trail dialog. Operator Users logged on with the access role Operator are authorized to monitor the device and to change the settings – with the exception of security settings for device access. Administrator Users logged on with the access role Administrator are authorized to monitor the device and to change the settings. Unauthorized Unauthorized users are blocked, and the device rejects the user login. Assign this value to temporarily lock the user account. If a detected error occurs during an access role change, then the device assigns this access role to the user account. Mode-based command hierarchy In the Command Line Interface, the commands are grouped in the related modes, according to the type of the command. Every command mode supports specific Hirschmann software commands. The commands available to you as a user depend on your privilege level (administrator, operator, guest, auditor). They also depend on the mode in which you are currently working. When you switch to a specific mode, the commands of the mode are available to you. The User Exec mode commands are an exception. The Command Line Interface enables you to execute these commands in the Privileged Exec mode, too. 24 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface The following figure displays the modes of the Command Line Interface. ROOT Login Limited functionality User Exec Mode Enable Basic functions, basic settings Interface Figure 9: Exit Exit Vlan database Global Configuration Mode <slot/port> Configurations on one or several ports The User Exec commands are available in Privileged Exec Mode, too. Privileged Exec Mode Configure Advanced configurations Logout Exit VLAN Database Mode VLAN configurations Exit Interface Range Mode Structure of the Command Line Interface The Command Line Interface supports, depending on the user level, the following modes: User Exec mode When you login to the Command Line Interface, you enter the User Exec mode. The User Exec mode contains a limited range of commands. Command prompt: (RSP) > Privileged Exec mode To access the entire range of commands, you enter the Privileged Exec mode. If you login as a privileged user, then you are able to enter the Privileged Exec mode. In the Privileged Exec mode, you are able to execute the User Exec mode commands, too. Command prompt:(RSP) # VLAN mode The VLAN mode contains VLAN-related commands. Command prompt: (RSP) (VLAN)# UM Config RSP Release 8.1 12/2019 25 User interfaces 1.2 Command Line Interface Global Config mode The Global Config mode lets you perform modifications to the current configuration. This mode groups general setup commands. Command prompt: (RSP) (config)# Interface Range mode The commands in the Interface Range mode affect a specific port, a selected group of multiple ports or all port of the device. The commands modify a value or switch a function on/off on one or more specific ports. – All physical ports in the device Command prompt: (RSP) ((interface) all)# Example: When you switch from the Global Config mode to the Interface Range mode, the command prompt changes as follows: (RSP) (config)#interface all (RSP) ((Interface)all)# – A single port on one interface Command prompt: (RSP) (interface <slot/port>)# Example: When you switch from the Global Config mode to the Interface Range mode, the command prompt changes as follows: (RSP) (config)#interface 2/1 (RSP) (interface 2/1)# – A range of ports on one interface Command prompt: (RSP) (interface <interface range> )# Example: When you switch from the Global Config mode to the Interface Range mode, the command prompt changes as follows: (RSP) (config)#interface 1/2-1/4 (RSP) ((Interface)1/2-1/4)# – A list of single ports Command prompt: (RSP) (interface <interface list>)# Example: When you switch from the Global Config mode to the Interface Range mode, the command prompt changes as follows: (RSP) (config)#interface 1/2,1/4,1/5 (RSP) ((Interface)1/2,1/4,1/5)# – A list of port ranges and single ports Command prompt: (RSP) (interface <complex range>)# Example: When you switch from the Global Config mode to the Interface Range mode, the command prompt changes as follows: (RSP) (config)#interface 1/2-1/4,1/6-1/9 (RSP) ((Interface)1/2-1/4,1/6-1/9) The following table displays the command modes, the command prompts (input request characters) visible in the corresponding mode, and the option with which you quit this mode. Table 3: Command modes Command mode Access method User Exec mode First access level. Perform basic tasks and list system information. Quit or start next mode To quit you enter logout: (RSP) >logout Are you sure (Y/N) ?y Privileged Exec From the User Exec mode, you enter To quit the Privileged Exec mode and mode the command enable: return to the User Exec mode, you enter exit: (RSP) >enable (RSP) # 26 (RSP) #exit (RSP) > UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Table 3: Command modes Command mode Access method VLAN mode From the Privileged Exec mode, you To end the VLAN mode and return to the enter the command vlan database: Privileged Exec mode, you enter exit or press Ctrl Z. (RSP) #vlan database (RSP) (Vlan)# Global Config mode Quit or start next mode (RSP) (Vlan)#exit (RSP) # From the Privileged Exec mode, you To quit the Global Config mode and enter the command configure: return to the Privileged Exec mode, you enter exit: (RSP) #configure (RSP) (config)# (RSP) (config)#exit (RSP) >enable (RSP) #configure (RSP) (config)# (RSP) #exit (RSP) > From the User Exec mode, you enter (RSP) # the command enable, and then in To then quit the Privileged Exec mode Privileged Exec mode, enter the and return to the User Exec mode, you command Configure: enter exit again: Interface Range From the Global Config mode you mode enter the command interface {all|<slot/port>|<interface range> |<interface list>|<complex range>}. To quit the Interface Range mode and return to the Global Config mode, you enter exit. To return to the Privileged Exec mode, you press Ctrl Z. (RSP) (config)#interface <slot/port> (RSP) (interface slot/port)#exit (RSP) (interface slot/port)# (RSP) # When you enter a question mark (?) after the prompt, the Command Line Interface displays a list of the available commands and a short description of the commands. (RSP)> cli enable help history logout ping show telnet Set the CLI preferences. Turn on privileged commands. Display help for various special keys. Show a list of previously run commands. Exit this session. Send ICMP echo packets to a specified IP address. Display device options and settings. Establish a telnet connection to a remote host. (RSP)> Figure 10: Commands in the User Exec mode 1.2.7 Executing the commands Syntax analysis When you login to the Command Line Interface, you enter the User Exec mode. The Command Line Interface displays the prompt (RSP)> on the screen. UM Config RSP Release 8.1 12/2019 27 User interfaces 1.2 Command Line Interface When you enter a command and press the <Enter> key, the Command Line Interface starts the syntax analysis. The Command Line Interface searches the command tree for the desired command. When the command is outside the Command Line Interface command range, a message informs you of the detected error. Example: The user wants to execute the show the <Enter> key. system info command, but enters info without f and presses The Command Line Interface then displays a message: (RSP)>show system ino Error: Invalid command 'ino' Command tree The commands in the Command Line Interface are organized in a tree structure. The commands, and where applicable the related parameters, branch down until the command is completely defined and therefore executable. The Command Line Interface checks the input. When you entered the command and the parameters correctly and completely, you execute the command with the <Enter> key. After you entered the command and the required parameters, the other parameters entered are treated as optional parameters. When one of the parameters is unknown, the Command Line Interface displays a syntax message. The command tree branches for the required parameters until the required parameters have reached the last branch in the structure. With optional parameters, the command tree branches until the required parameters and the optional parameters have reached the last branch in the structure. 1.2.8 Structure of a command This section describes the syntax, conventions and terminology, and uses examples to represent them. Format of commands Most of the commands include parameters. When the command parameter is missing, the Command Line Interface informs you about the detection of an incorrect command syntax. This manual displays the commands and parameters in the Courier font. 28 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Parameters The sequence of the parameters is relevant for the correct syntax of a command. Parameters are required values, optional values, selections, or a combination of these things. The representation indicates the type of the parameter. Table 4: Parameter and command syntax <command> Commands in pointed brackets (<>) are obligatory. [command] Commands in square brackets ([]) are optional. <parameter> Parameters in pointed brackets (<>) are obligatory. [parameter] Parameters in square brackets ([]) are optional. ... An ellipsis (3 points in sequence without spaces) after an element indicates that you can repeat the element. [Choice1 | Choice2] A vertical line enclosed in brackets indicates a selection option. Select one value. Elements separated by a vertical line and enclosed in square brackets indicate an optional selection (Option1 or Option2 or no selection). {list} Curved brackets ({}) indicate that a parameter is to be selected from a list of options. {Choice1 | Choice2} Elements separated by a vertical line and enclosed in curved brackets ({}) indicate an obligatory selection option (option1 or option2). [param1 {Choice1 | Choice2}] Displays an optional parameter that contains an obligatory selection. <a.b.c.d> Small letters are wild cards. You enter parameters with the notation a.b.c.d with decimal points (for example IP addresses) <cr> You press the <Enter> key to create a line break (carriage return). The following list displays the possible parameter values within the Command Line Interface: Table 5: UM Config RSP Parameter values in the Command Line Interface Value Description IP address This parameter represents a valid IPv4 address. The address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers are separated by a decimal point. The IP address 0.0.0.0 is a valid entry. MAC address This parameter represents a valid MAC address. The address consists of 6 hexadecimal numbers with values from 00 to FF. The numbers are separated by a colon, for example, 00:F6:29:B2:81:40. string User-defined text with a length in the specified range, for example a maximum of 32 characters. character string Use double quotation marks to indicate a character string, for example “System name with space character”. number Whole integer in the specified range, for example 0..999999. date Date in format YYYY-MM-DD. time Time in format HH:MM:SS. Release 8.1 12/2019 29 User interfaces 1.2 Command Line Interface Network addresses Network addresses are a requirement for establishing a data connection to a remote work station, a server, or another network. You distinguish between IP addresses and MAC addresses. The IP address is an address allocated by the network administrator. The IP address is unique in one network area. The MAC addresses are assigned by the hardware manufacturer. MAC addresses are unique worldwide. The following table displays the representation and the range of the address types: Table 6: Address Type Format and range of network addresses Format IP Address nnn.nnn.nnn.nnn MAC Address Range Example nnn: 0 to 255 (decimal) 192.168.11.110 mm:mm:mm:mm:m mm: 00 to ff (hexadecimal m:mm number pairs) A7:C9:89:DD:A9:B3 Strings A string is indicated by quotation marks. For example, “System name with space character”. Space characters are not valid user-defined strings. You enter a space character in a parameter between quotation marks. Example: *(RSP)#cli prompt Device name Error: Invalid command 'name' *(RSP)#cli prompt 'Device name' *(Device name)# 1.2.9 Examples of commands Example 1: clear arp-table-switch Command for clearing the ARP table of the management agent (cache). clear arp-table-switch is the command name. The command is executable without any other parameters by pressing the <Enter> key. Example 2: radius server timeout Command to configure the RADIUS server timeout value. (RSP) (config)#radius server timeout <1..30> Timeout in seconds (default: 5). 30 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface radius server timeout is the command name. The parameter is required. The value range is 1..30. Example 3: radius server auth modify <1..8> Command to set the parameters for RADIUS authentication server 1. (RSP) (config)#radius server auth modify 1 [name] RADIUS authentication server name. [port] RADIUS authentication server port. (default: 1812). [msgauth] Enable or disable the message authenticator attribute for this server. [primary] Configure the primary RADIUS server. [status] Enable or disable a RADIUS authentication server entry. [secret] Configure the shared secret for the RADIUS authentication server. [encrypted] Configure the encrypted shared secret. <cr> Press Enter to execute the command. radius server auth modify is the command name. The parameter <1..8> (RADIUS server index) is required. The value range is 1..8 (integer). The parameters [name], [port], [msgauth], [primary], [status], [secret] and [encrypted] are optional. 1.2.10 Input prompt Command mode With the input prompt, the Command Line Interface displays which of the three modes you are in: (RSP) > User Exec mode (RSP) # Privileged Exec mode (RSP) (config)# Global Config mode (RSP) (Vlan)# VLAN Database mode (RSP) ((Interface)all)# Interface Range mode / All ports of the device (RSP) ((Interface)2/1)# Interface Range mode / A single port on one interface (RSP) ((Interface)1/2-1/4)# Interface Range mode / A range of ports on one interface (RSP) ((Interface)1/2,1/4,1/5)# Interface Range mode / A list of single ports (RSP) ((Interface)1/1-1/2,1/4-1/6)# Interface Range mode / A list of port ranges and single ports UM Config RSP Release 8.1 12/2019 31 User interfaces 1.2 Command Line Interface Asterisk, pound sign and exclamation point Asterisk * An asterisk * in the first or second position of the input prompt displays you that the settings in the volatile memory and the settings in the non-volatile memory are different. In your configuration, the device has detected modifications which have not been saved. *(RSP)> Pound sign # A pound sign # at the beginning of the input prompt displays you that the boot parameters and the parameters during the boot phase are different. *#(RSP)> Exclamation point ! An exclamation point ! at the beginning of the input prompt displays: the password for the user or admin user account corresponds with the default setting. !(RSP)> Wildcards The device lets you change the command line prompt. The Command Line Interface supports the following wildcards: Table 7: Using wildcards within the Command Line Interface input prompt Wildcard Description %d System date %t System time %i IP address of the device %m MAC address of the device %p Product name of the device !(RSP)>enable !(RSP)#cli prompt %i !192.168.1.5#cli prompt (RSP)%d !*(RSP)2019-01-27#cli prompt (RSP)%d%t !*(RSP)2019-01-2715:45:41#cli prompt %m !*AA:BB:CC:DD:EE:FF# 32 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface 1.2.11 Key combinations The following key combinations make it easier for you to work with the Command Line Interface: Table 8: Key combinations in the Command Line Interface Key combination Description CTRL + H, Backspace Delete previous character CTRL + A Go to beginning of line CTRL + E Go to end of line CTRL + F Go forward one character CTRL + B Go backward one character CTRL + D Delete current character CTRL + U, X Delete to beginning of line CTRL + K Delete to end of line CTRL + W Delete previous word CTRL + P Go to previous line in history buffer CTRL + R Rewrite or paste the line CTRL + N Go to next line in history buffer CTRL + Z Return to root command prompt CTRL + G Aborts running tcpdump session Tab, <SPACE> Command line completion Exit Go to next lower command prompt ? List choices The Help command displays the possible key combinations in Command Line Interface on the screen: UM Config RSP Release 8.1 12/2019 33 User interfaces 1.2 Command Line Interface (RSP) #help HELP: Special keys: Ctrl-H, BkSp Ctrl-A .... Ctrl-E .... Ctrl-F .... Ctrl-B .... Ctrl-D .... Ctrl-U, X .. Ctrl-K .... Ctrl-W .... Ctrl-P .... Ctrl-R .... Ctrl-N .... Ctrl-Z .... Ctrl-G .... Tab, <SPACE> Exit .... ? .... delete previous character go to beginning of line go to end of line go forward one character go backward one character delete current character delete to beginning of line delete to end of line delete previous word go to previous line in history buffer rewrites or pastes the line go to next line in history buffer return to root command prompt aborts running tcpdump session command-line completion go to next lower command prompt list choices (RSP) # Figure 11: Listing the key combinations with the Help command 1.2.12 Data entry elements Command completion To simplify typing commands, the Command Line Interface lets you use command completion (Tab Completion). Thus you are able to abbreviate key words. Type in the beginning of a keyword. When the characters entered identify a keyword, the Command Line Interface completes the keyword after you press the tab key or the space key. When there is more than one option for completion, enter the letter or the letters necessary for uniquely identifying the keyword. Press the tab key or the space key again. After that, the system completes the command or parameter. When you make a non-unique entry and press <Tab> or <Space> twice, the Command Line Interface provides you with a list of options. On a non-unique entry and pressing <Tab> or <Space>, the Command Line Interface completes the command up to the end of the uniqueness. When several commands exist and you press <Tab> or <Space> again, the Command Line Interface provides you with a list of options. Example: (RSP) (Config)#lo (RSP) (Config)#log logging logout When you enter lo and <Tab> or <Space>, the Command Line Interface completes the command up to the end of the uniqueness to log. When you press <Tab> or <Space> again, the Command Line Interface provides you with a list of options (logging logout). 34 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Possible commands/parameters You can obtain a list of the commands or the possible parameters by entering help or ?, for example by entering (RSP) >show ? When you enter the command displayed, you get a list of the parameters available for the command show. When you enter the command without space character in front of the question mark, the device displays the help text for the command itself: !*#(RSP)(Config)#show? show 1.2.13 Display device options and settings. Use cases Saving the Configuration To help ensure that your password settings and your other configuration changes are kept after the device is reset or after an interruption of the voltage supply, you save the configuration. To save your current configuration, you proceed as follows: Enter enable to switch to the Privileged Exec mode. Enter the following command: save [profile] Execute the command by pressing the <Enter> key. UM Config RSP Release 8.1 12/2019 35 User interfaces 1.2 Command Line Interface Syntax of the „radius server auth add“ command Use this command to add a RADIUS authentication server. Mode: Global Config mode Privilege Level: Administrator Format: radius server auth add <1..8> ip <a.b.c.d> [name <string>] [port <1..65535>] [name]: RADIUS authentication server [port]: RADIUS authentication server – – name. port (default: 1813). Parameter Meaning Possible values <1..8> RADIUS server index. 1..8 <a.b.c.d> RADIUS accounting server IP address. IP address <string> Enter a user-defined text, max. 32 characters. <1..65535> Enter port number between 1 and 65535. 1..65535 Mode and Privilege Level: The prerequisite for executing the command: You are in the Global Config mode. See “Modebased command hierarchy” on page 24. The prerequisite for executing the command: You have the Administrator access role. Syntax of commands and parameters: See “Structure of a command” on page 28. Examples for executable commands: radius server auth add 1 ip 192.168.30.40 radius server auth add 2 ip 192.168.40.50 radius server auth add 3 ip 192.168.50.60 radius server auth add 4 ip 192.168.60.70 36 name radiusserver2 port 1813 name radiusserver4 port 1814 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface 1.2.14 Service Shell The Service Shell is for service purposes only. The Service Shell lets users have access to internal functions of the device. When you need assistance with your device, the service personnel use the Service Shell to monitor internal conditions for example, the switch or CPU registers. Do not execute internal functions without service technician instructions. Executing internal functions such as deleting the content of the non-volatile memory (NVM) possibly leads to inoperability of your device. Start the Service Shell The prerequisite is that you are in User Exec mode: (RSP) > Perform the following steps: Enter enable and press the <Enter> key. To reduce the effort when typing: – Enter e and press the <Tab> key. Enter serviceshell start and press the <Enter> key. To reduce the effort when typing: – Enter ser and press the <Tab> key. – Enter s and press the <Tab> key. !RSP >enable !*RSP #serviceshell start WARNING! The service shell offers advanced diagnostics and functions. Proceed only when instructed by a service technician. You can return to the previous mode using the 'exit' command. BusyBox v1.31.0 (2019-09-05 12:17:22 UTC) built-in shell (ash) Enter 'help' for a list of built-in commands. !/mnt/fastpath # Working with the Service Shell When the Service Shell is active, the timeout of the Command Line Interface is inactive. To help prevent configuration inconsistencies, end the Service Shell before any other user starts transferring a new configuration to the device. UM Config RSP Release 8.1 12/2019 37 User interfaces 1.2 Command Line Interface Display the Service Shell commands The prerequisite is that you already started the Service Shell. Perform the following steps: Enter help and press the <Enter> key. /mnt/fastpath # help Built-in commands: -----------------. : [ [[ alias bg break cd chdir command continue echo eval exec exit export false fg getopts hash help history jobs kill let local pwd read readonly return set shift source test times trap true type ulimit umask unalias unset wait /mnt/fastpath # End the Service Shell Perform the following steps: Enter exit and press the <Enter> key. Deactivate the Service Shell permanently in the device When you deactivate the Service Shell, you are still able to configure the device, but you limit the service personnel to system diagnostics. The service technician has no possibility to access internal functions of your device. The deactivation is irreversible, the Service Shell remains permanently deactivated. In order to reactivate the Service Shell, the device requires disassembly by the manufacturer. The prerequisites are: • The Service Shell is not started. • You are in User Exec mode: (RSP) > Perform the following steps: Enter enable and press the <Enter> key. To reduce the effort when typing: – Enter e and press the <Tab> key. 38 UM Config RSP Release 8.1 12/2019 User interfaces 1.2 Command Line Interface Enter serviceshell deactivate and press the <Enter> key. To reduce the effort when typing: – Enter ser and press the <Tab> key. – Enter dea and press the <Tab> key. This step is irreversible! Press the <Y> key. !RSP >enable !*RSP #serviceshell deactivate Notice: If you continue, then the Service Shell is permanently deactivated. This step is irreversible! For details, refer to the Configuration Manual. Are you sure (Y/N) ? UM Config RSP Release 8.1 12/2019 39 User interfaces 1.3 System monitor 1.3 System monitor The System Monitor lets you set basic operating parameters before starting the operating system. 1.3.1 Functional scope In the System Monitor, you carry out the following tasks, for example: Managing the operating system and verifying the software image Updating the operating system Starting the operating system Deleting configuration profiles, resetting the device to the factory defaults Checking boot code information 1.3.2 Starting the System Monitor Prerequisite: Terminal cable for connecting the device to your PC (available as an optional accessory). PC with VT100 terminal emulation (such as the PuTTY program) or serial terminal Perform the following steps: Use the terminal cable to connect the serial interface of the device with the COM port of the PC. Start the VT100 terminal emulation on the PC. Specify the following transmission parameters: VT 100 terminal settings Speed Data Stopbit Handshake Parity 9600 bit/s 8 bit 1 bit off none Set up a connection to the device. Turn on the device. When the device is already on, reboot it. The screen displays the following message after rebooting: Press <1> to enter System Monitor 1. Press the <1> key within 3 seconds. The device starts the System Monitor. The screen displays the following view: 40 UM Config RSP Release 8.1 12/2019 User interfaces 1.3 System monitor System Monitor 1 (Selected OS: ...-8.1 (2019-02-05 19:17)) 1 2 3 4 5 q Manage operating system Update operating system Start selected operating system Manage configurations Show boot code information End (reset and reboot) sysMon1> Figure 12: System Monitor 1 screen display Select a menu item by entering the number. To leave a submenu and return to the main menu of System Monitor 1, press the <ESC> key. UM Config RSP Release 8.1 12/2019 41 Specifying the IP parameters 2.1 IP parameter basics 2 Specifying the IP parameters When you install the device for the first time, enter the IP parameters. The device provides the following options for entering the IP parameters during the first installation: Entry using the Command Line Interface. When you preconfigure your device outside its operating environment, or restore the network access (“In-Band”) to the device, choose this “Out-of-Band” method. Entry using the HiDiscovery protocol. When you have a previously installed network device or you have another Ethernet connection between your PC and the device, you choose this “In-Band” method. Configuration using the external memory. When you are replacing a device with a device of the same type and have already saved the configuration in the external memory, you choose this method. Using BOOTP. To configure the installed device using BOOTP, you choose this “In-Band” method. You need a BOOTP server for this method. The BOOTP server assigns the configuration data to the device using its MAC address. The DHCP mode is the default mode for the configuration data reference. Configuration using DHCP. To configure the installed device using DHCP, you choose this “In-Band” method. You need a DHCP server for this method. The DHCP server assigns the configuration data to the device using its MAC address or its system name. Configuration using the Graphical User Interface. When the device already has an IP address and is reachable using the network, the Graphical User Interface provides you with another option for configuring the IP parameters. 2.1 IP parameter basics 2.1.1 IP address (version 4) The IP addresses consist of 4 bytes. Write these 4 bytes in decimal notation, separated by a decimal point. RFC 1340 written in 1992, defines 5 IP Address classes. Table 9: 42 IP address classes Class Network address Host address Address range A 1 Byte 3 Bytes 0.0.0.0 to 127.255.255.255 B 2 Bytes 2 Bytes 128.0.0.0 to 191.255.255.255 C 3 Bytes 1 Byte 192.0.0.0 to 223.255.255.255 D 224.0.0.0 to 239.255.255.255 E 240.0.0.0 to 255.255.255.255 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.1 IP parameter basics The first byte of an IP address is the network address. The worldwide leading regulatory board for assigning network addresses is the IANA ("Internet Assigned Numbers Authority"). When you require an IP address block, contact your Internet Service Provider (ISP). Your ISP contacts their local higher-level organization to reserve an IP address block: APNIC (Asia Pacific Network Information Center) Asia/Pacific Region ARIN (American Registry for Internet Numbers) Americas and Sub-Sahara Africa LACNIC (Regional Latin-American and Caribbean IP Address Registry) Latin America and some Caribbean Islands RIPE NCC (Réseaux IP Européens) Europe and Surrounding Regions 0 Net ID - 7 bits Host ID - 24 bits Net ID - 14 bits Host ID - 16 bits Class A I 0 I I 0 I I I 0 Multicast Group ID - 28 bits Class D I I I I reserved for future use - 28 b its Class E Net ID - 21 bits Host ID - 8 bit s Class B Class C Figure 13: Bit representation of the IP address When the first bit of an IP address is a zero, it belong to class A for example, the first octet is less than 128. When the first bit of an IP address is a one and the second bit is a zero, it belongs to class B for example, the first octet is between 128 and 191. When the first 2 bits of an IP address are a one, it belongs to class C for example, the first octet is higher than 191. Assigning the host address (host ID) is the responsibility of the network operator. The network operator alone is responsible for the uniqueness of the assigned IP addresses. 2.1.2 Netmask Routers and Gateways subdivide large networks into subnetworks. The netmask asssigns the IP addresses of the individual devices to a particular subnetwork. You perform subnetwork division using the netmask in much the same way as the division of the network addresses (net id) into classes A to C. Set the bits of the host address (host id) that represent the mask to one. Set the remaining host address bits to zero (see the following examples). Example of a subnet mask: Decimal notation 255.255.192.0 Binary notation 11111111.11111111.11000000.00000000 Subnetwork mask bits Class B UM Config RSP Release 8.1 12/2019 43 Specifying the IP parameters 2.1 IP parameter basics Example of applying the subnet mask to IP addresses for subnetwork assignment: Decimal notation 129.218.65.17 128 < 129 191 › Class B Binary notation 10000001.11011010.01000001.00010001 Subnetwork 1 Network address Decimal notation 129.218.129.17 128 < 129 191 › Class B Binary notation 10000001.11011010.10000001.00010001 Subnetwork 2 Network address Example of how the netmask is used In a large network it is possible that Gateways and routers separate the management agent from its network management station. How does addressing work in such a case? Romeo Juliet Lorenzo LAN 1 LAN 2 Figure 14: The management agent is separated from its network management station by a router The network management station “Romeo” wants to send data to the management agent “Juliet”. Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet. Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination address; for the source address he writes his own IP address on the envelope. Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination and his own MAC address as the source. This process is comparable to going from Layer 3 to Layer 2 of the ISO/OSI base reference model. Finally, Romeo puts the entire data packet into the mailbox which is comparable to going from Layer 2 to Layer 1, that means to sending the data packet over the Ethernet. 44 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.1 IP parameter basics Lorenzo receives the letter, removes the outer envelope and recognizes from the inner envelope that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list (the ARP table) for Juliet's MAC address; he writes her MAC address on the outer envelope as the destination address and his own MAC address as the source address. He then places the entire data packet in the mail box. Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's IP address. Opening the inner envelope and reading its contents corresponds to transferring the message to the higher protocol layers of the ISO/OSI layer model. Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's IP address as destination and her own IP address as source. But where is she to send the answer? For she did not receive Romeo's MAC address. It was lost, because Lorenzo replaced the outer envelope. In the MIB, Juliet finds Lorenzo listed under the variable hm NetGatewayIPAddr as a means of communicating with Romeo. She therefore puts the envelope with the IP addresses in a further envelope with Lorenzo's MAC destination address. The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo to Juliet. 2.1.3 Classless Inter-Domain Routing Class C with a maximum of 254 addresses was too small, and class B with a maximum of 65534 addresses was too large for most users. Resulting in an ineffective usage of the available class B addresses. Class D contains reserved Multicast addresses. Class E is for experimental purposes. A nonparticipating Gateway ignores experimental datagrams with these destination addresses. Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a solution. CIDR overcomes these class boundaries and supports classless address ranges. With CIDR, you enter the number of bits that designate the IP address range. You represent the IP address range in binary form and count the mask bits that designate the netmask. The mask bits equal the number of bits used for the subnet in a given IP address range. Example: IP address, decimal Network mask, decimal IP address, binary 192.168.112.1 192.168.112.127 255.255.255.128 11000000 10101000 01110000 00000001 11000000 10101000 01110000 01111111 25 mask bits CIDR notation: 192.168.112.0/25 Mask bits The term “supernetting” refers to combing a number of class C address ranges. Supernetting enables you to subdivide class B address ranges to a fine degree. UM Config RSP Release 8.1 12/2019 45 Specifying the IP parameters 2.2 Specifying the IP parameters using the Command Line Interface 2.2 Specifying the IP parameters using the Command Line Interface There are several methods you enter the system configuration, either using BOOTP/DHCP, the HiDiscovery protocol, the external memory. You have the option of performing the configuration over the serial interface using the Command Line Interface. The device lets you specify the IP parameters using the HiDiscovery protocol or using the Command Line Interface over the serial interface. Entering IP addresses Connect the PC with terminal program started to the RJ11 socket Command Line Interface starts after key press Log in and change to the Privileged EXEC Mode Enter and save IP parameters End of entering IP addresses Figure 15: Flow chart for entering IP addresses 46 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.2 Specifying the IP parameters using the Command Line Interface Note: If a terminal or PC with terminal emulation is unavailable in the vicinity of the installation location, you can configure the device at your own workstation, then take it to its final installation location. Set up a connection to the device. The start screen appears. Deactivate DHCP. Enter the IP parameters. Local IP address In the default setting, the local IP address is 0.0.0.0. Netmask When you divided your network into subnetworks, and these are identified with a netmask, enter the netmask here. In the default setting, the local netmask is 0.0.0.0. IP address of the Gateway. This entry is only required, in cases where the device and the network management station or TFTP server are located in different subnetworks (see on page 44 “Example of how the netmask is used”). Specify the IP address of the Gateway between the subnetwork with the device and the path to the network management station. In the default setting, the IP address is 0.0.0.0. Save the configuration specified using copy config running-config nvm. enable Change to the Privileged EXEC mode. network protocol none Deactivating DHCP. network parms 10.0.1.23 255.255.255.0 Assign the device the IP address 10.0.1.23 and the netmask 255.255.255.0. You have the option of also assigning a Gateway address. copy config running-config nvm Save the current settings in the non-volatile memory (nvm) in the “selected” configuration profile. After entering the IP parameters, you easily configure the device using the Graphical User Interface. UM Config RSP Release 8.1 12/2019 47 Specifying the IP parameters 2.3 Specifying the IP parameters using HiDiscovery 2.3 Specifying the IP parameters using HiDiscovery The HiDiscovery protocol enables you to assign IP parameters to the device using the Ethernet. You easily configure other parameters using the Graphical User Interface. Install the HiDiscovery software on your PC. The software is on the product DVD supplied with the device. To install it, you start the installation program on the DVD. Start the HiDiscovery program. Figure 16: HiDiscovery When HiDiscovery is started, HiDiscovery automatically searches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first network interface found for the PC. When your computer has several network cards, you can select the one you desire in the HiDiscovery toolbar. HiDiscovery displays a line for every device that responds to a HiDiscovery protocol inquiry. HiDiscovery enables you to identify the devices displayed. Select a device line. To set the LEDs to flashing for the selected device, click the Signal button on the tool bar. To stop the flashing, click the Signal button again. By double-clicking a line, you open a window in which you specify the device name and the IP parameter. Figure 17: HiDiscovery – assigning IP parameters 48 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.3 Specifying the IP parameters using HiDiscovery Note: Disable the HiDiscovery function in the device, after you have assigned the IP parameters to the device. Note: Save the settings so that you will still have the entries after a restart. 2.3.1 Relay When you connect the management station to a switching subnetwork, the HiDiscovery requests collect information from the devices located in that subnetwork. The HiDiscovery Relay lets you discover and set IP parameters on devices in other subnetworks. The HiDiscovery function and the HiDiscovery Relay are independent from each other. You can enable the HiDiscovery Relay without enabling the HiDiscovery function. When you activate the relay with the function disabled, the device forwards the requests to other subnetworks, but does not respond to requests. The HiDiscovery Relay is active in the default setting. Note: When you activate the HiDiscovery Relay, the device forwards requests received on the router interfaces only to other router interfaces. A loopback interface is an internal virtual router interface. If you connect the management station to a loopback interface, then the device does not forward the request to the other connected subnetworks. The device does not forward responses received on a router interface to the subnetwork of the management station. 2.3.2 Example configuration 192.168.47.0 192.168.45.0 Sw A Sw C 192.168.46.0 Sw B Rt A Rt B Sw D Figure 18: Management station connected to a switch. To poll devices in the 192.168.47.0 subnetwork use the following steps on both Rt A and Rt B. With the relay activated on router Rt A, the device forwards the requests packets into the 192.168.47.0 subnetwork. With the relay activated on router Rt B, the device returns the responses from the 192.168.47.0 subnetwork back to the management station. When the HiDiscovery Relay is inactive on either router, the management station only displays the devices located in the 192.168.45.0 subnetwork. UM Config RSP Release 8.1 12/2019 49 Specifying the IP parameters 2.3 Specifying the IP parameters using HiDiscovery The prerequisite for these steps is that you already configured the device as a router and installed it in a network. Open the Basic Settings > Network dialog. In the HiDiscovery protocol v1/v2 frame, mark the Relay status checkbox. 50 enable Change to the Privileged EXEC mode. network hidiscovery relay Activating the HiDiscovery relay. UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.4 Specifying the IP parameters using the Graphical User Interface 2.4 Specifying the IP parameters using the Graphical User Interface Perform the following steps: Open the Basic Settings > Network dialog. In this dialog you first specify the source from which the device gets its IP parameters after starting. You also define the VLAN in which the device management can be accessed, configure the HiDiscovery access and allocate manual IP parameters. In the Management interface frame you first specify where the device gets its IP parameters from: In the BOOTP mode, the configuration is using a BOOTP or DHCP server on the basis of the MAC address of the device. In the DHCP mode, the configuration is using a DHCP server on the basis of the MAC address or the name of the device. In the Local mode, the device uses the network parameters from the internal device memory. Note: When you change the allocation mode of the IP address, the device activates the new mode immediately after you click the button. In the VLAN ID column you specify the VLAN in which the device management can be accessed over the network. Note here that you can only access the device management using ports that are members of the relevant VLAN. The MAC address field displays the MAC address of the device with which you access the device over the network. In the HiDiscovery protocol v1/v2 frame you specify the settings for accessing the device using the HiDiscovery software. The HiDiscovery protocol lets you allocate an IP address to the device on the basis of its MAC address. Activate the HiDiscovery protocol if you want to allocate an IP address to the device from your PC with the HiDiscovery software. If required, you enter the IP address, the netmask and the Gateway in the IP parameter frame. To save the changes temporarily, click the UM Config RSP Release 8.1 12/2019 button. 51 Specifying the IP parameters 2.5 Specifying the IP parameters using BOOTP 2.5 Specifying the IP parameters using BOOTP With the BOOTP function activated the device sends a boot request message to the BOOTP server. The boot request message contains the Client ID configured in the Basic Settings > Network dialog. The BOOTP server enters the Client ID into a database and assigns an IP address. The server answers with a boot reply message. The boot reply message contains the assigned IP address. 52 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.6 Specifying the IP parameters using DHCP 2.6 Specifying the IP parameters using DHCP The DHCP (Dynamic Host Configuration Protocol) is a further development of BOOTP, which it has replaced. The DHCP additionally lets the configuration of a DHCP client using a name instead of using the MAC address. For the DHCP, this name is known as the “Client Identifier” in accordance with RFC 2131. The device uses the name entered under sysName in the system group of the MIB II as the Client Identifier. You can change the system name using the graphic user interface (see dialog Basic Settings > System), the Command Line Interface or SNMP. The device sends its system name to the DHCP server. The DHCP server then uses the system name to allocate an IP address as an alternative to the MAC address. In addition to the IP address, the DHCP server sends the netmask the default Gateway (if available) the TFTP URL of the configuration file (if available). The device applies the configuration data to the appropriate parameters. When the DHCP Sever assigns the IP address, the device permanently saves the configuration data in non-volatile memory. Table 10: DHCP options which the device requests Options Meaning 1 Subnet Mask 2 Time Offset 3 Router 4 Time server 12 Host Name 42 NTP server 61 Client Identifier 66 TFTP Server Name 67 Bootfile Name The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity of the configuration parameters (“Lease”) to a specific time period (known as dynamic address allocation). Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew this lease. Alternatively, the client can negotiate a new lease. The DHCP server then allocates a random free address. To help avoid this, DHCP servers provide the explicit configuration option of assigning a specific client the same IP address based on a unique hardware ID (known as static address allocation). In the default setting, DHCP is activated. As long as DHCP is activated, the device attempts to obtain an IP address. When the device cannot find a DHCP server after restarting, it will not have an IP address. The Basic Settings > Network dialog lets you activate or deactivate DHCP. Note: When using Industrial HiVision network management, verify that DHCP allocates the original IP address to every device. UM Config RSP Release 8.1 12/2019 53 Specifying the IP parameters 2.6 Specifying the IP parameters using DHCP The appendix contains an example configuration of the BOOTP/DHCP-server. Example of a DHCP-configuration file: # /etc/dhcpd.conf for DHCP Daemon # subnet 10.1.112.0 netmask 255.255.240.0 { option subnet-mask 255.255.240.0; option routers 10.1.112.96; } # # Host berta requests IP configuration # with her MAC address # host berta { hardware ethernet 00:80:63:08:65:42; fixed-address 10.1.112.82; } # # Host hugo requests IP configuration # with his client identifier. # host hugo { # option dhcp-client-identifier "hugo"; option dhcp-client-identifier 00:68:75:67:6f; fixed-address 10.1.112.83; server-name "10.1.112.11"; filename "/agent/config.dat"; } Lines beginning with the # character, contain comments. The lines preceding the individually listed devices refer to settings that apply to the following device. The fixed-address line assigns a permanent IP address to the device. For further information, please refer to the DHCP server manual. 54 UM Config RSP Release 8.1 12/2019 Specifying the IP parameters 2.7 Management address conflict detection 2.7 Management address conflict detection You assign an IP address to the device using several different methods. This function helps the device detect IP address conflicts on a network after boot up and the device also checks periodically during operation. This function is described in RFC 5227. When enabled, the device sends an SNMP trap informing you that it detected an IP address conflict. The following list contains the default settings for this function: • Operation: On • Detection mode: active and passive • Send periodic ARP probes: marked • Detection delay [ms]: 200 • Release delay [s]: 15 • Address protections: 3 • Protection interval [ms]: 200 • Send trap: marked 2.7.1 Active and passive detection Actively checking the network helps prevent the device from connecting to the network with a duplicate IP address. After connecting the device to a network or after configuring the IP address, the device immediately checks whether its IP address exists within the network. To check the network for address conflicts, the device sends 4 ARP probes with the detection delay of 200 ms into the network. When the IP address exists, the device attemps to return to the previous configuration, and make another check after the configured release delay time. When you disable active detection, the device sends 2 gratuitous APR announcements in 2 s intervals. Using the ARP announcements with passive detection enabled, the device polls the network to determine whether there is an address conflict. After resolving an address conflict or after expired release delay time, the device reconnects to the network. Following 10 detected conflicts, when the configured release delay interval is less than 60 s, the device sets the release delay interval to 60 s. After the device performs active detection or you disable the active detection function, with passive detection enabled the device listens on the network for other devices using the same IP address. When the device detects a duplicate IP address, it initially defends its address by employing the ACD mechanism in the passive detection mode and sends out gratuitous ARPs. The number of protections that the device sends and the protection interval are configurable. To resolve conflicts, if the remote device remains connected to the network, then the network interface of the local device disconnects from the network. When a DHCP server assigns an IP address to the device and an address conflict occurs, the device returns a DHCP decline message. The device uses the ARP probe method. This has the following advantages: ARP caches on other devices remain unchanged the method is robust through multiple ARP probe transmissions UM Config RSP Release 8.1 12/2019 55 Access to the device 3.1 First login (Password change) 3 Access to the device 3.1 First login (Password change) To help prevent undesired access to the device, it is imperative that you change the default password during initial setup. Perform the following steps: Open the Graphical User Interface, the Command Line Interface, or HiView the first time you log on to the device. Log on to the device with the default password. The device prompts you to type in a new password. Type in your new password. To help increase security, choose a password that contains at least 8 characters which includes upper-case characters, lower-case characters, numerical digits, and special characters. When you log on to the device with the Command Line Interface, then the device prompts you to confirm your new password. Log on to the device again with your new password. Note: If you lost your password, then use the System Monitor to reset the password. For further information see: hirschmann-support.belden.com. 56 UM Config RSP Release 8.1 12/2019 Access to the device 3.2 Authentication lists 3.2 Authentication lists When a user accesses the device using a specific connection, the device verifies the credentials of the user in an authentication list which contains the policies that the device applies for authentication. The prerequisite for a user's access to the device management is that at least one policy is assigned to the authentication list of the application through which access is performed. 3.2.1 Applications The device provides an application for each type of connection through which someone accesses the device: Access to the Command Line Interface using a serial connection: Console(V.24) Access to the Command Line Interface using SSH: SSH Access to the Command Line Interface using Telnet: Telnet Access to the Graphical User Interface: WebInterface The device also provides an application to control the access to the network from connected end devices using port-based access control: 8021x 3.2.2 Policies When a user logs in with valid login data, the device lets the user have access to its device management. The device authenticates the users using the following policies: User management of the device LDAP RADIUS When the end device logs in with valid login data, the device lets the connected end devices have access to the network with the port-based access control according to IEEE 802.1X. The device authenticates the end devices using the following policies: RADIUS IAS (Integrated Authentication Server) The device gives you the option of a fall-back solution. For this, you specify more than one policy in the authentication list. When authentication is unsuccessful using the current policy, the device applies the next specified policy. UM Config RSP Release 8.1 12/2019 57 Access to the device 3.2 Authentication lists 3.2.3 Managing authentication lists You manage the authentication lists in the Graphical User Interface or in the Command Line Interface. Perform the following steps: Open the Device Security > Authentication List dialog. The dialog displays the authentication lists that are set up. show authlists Displays the authentication lists that are set up. Deactivate the authentication list for those applications by means of which no access to the device is performed, for example 8021x. In the Active column of the authentication list defaultDot1x8021AuthList, unmark the checkbox. To save the changes temporarily, click the authlists disable defaultDot1x8021AuthList 58 button. Deactivates the authentication list defaultDot1x8021AuthList. UM Config RSP Release 8.1 12/2019 Access to the device 3.2 Authentication lists 3.2.4 Adjust the settings Example: Set up a separate authentication list for the application WebInterface which is by default included in the authentication list defaultLoginAuthList. The device forwards authentication requests to a RADIUS server in the network. As a fall-back solution, the device authenticates users using the local user management. Perform the following steps: Create an authentication list loginGUI. Open the Device Security > Authentication List dialog. Click the button. The dialog displays the Create window. Enter a meaningful name in the Name field. In this example, enter the name loginGUI. Click the Ok button. The device adds a new table entry. enable Change to the Privileged EXEC mode. configure Change to the Configuration mode. authlists add loginGUI Creates the authentication list loginGUI. Select the policies for the authentication list loginGUI. In the Policy 1 column, select the value radius. In the Policy 2 column, select the value local. In the Policy 3 to Policy 5 columns, select the value reject to help prevent further fall-back. In the Active column, mark the checkbox. To save the changes temporarily, click the button. authlists set-policy loginGUI radius local reject reject reject Assigns the policies radius, local and reject to the authentication list loginGUI. show authlists Displays the authentication lists that are set up. authlists enable loginGUI Activates the authentication list loginGUI. Assign an application to the authentication list loginGUI. In the Device Security > Authentication List dialog, highlight the authentication list loginGUI. Click the button and then the Allocate applications item. The dialog displays the Allocate applications window. In the left column, highlight the application WebInterface. UM Config RSP Release 8.1 12/2019 59 Access to the device 3.2 Authentication lists Click the button. The right column now displays the application WebInterface. Click the Ok button. The dialog displays the updated settings: – The Dedicated applications column of authentication list loginGUI displays the application WebInterface. – The Dedicated applications column of authentication list defaultLoginAuthList does not display the application WebInterface anymore. To save the changes temporarily, click the Displays the applications and the allocated lists. show appllists appllists set-authlist loginGUI 60 button. WebInterface Assigns the loginGUI application to the authentication list WebInterface. UM Config RSP Release 8.1 12/2019 Access to the device 3.3 User management 3.3 User management When a user logs in with valid login data, the device lets the user have access to its device management. The device authenticates the users either using the local user management or with a RADIUS server in the network. To get the device to use the user management, assign the local policy to an authentication list, see the Device Security > Authentication List dialog. In the local user management, you manage the user accounts. One user account is usually allocated to each user. 3.3.1 Access roles The device lets you use a role-based authorization model to specifically control the access to the device management. Users to whom a specific authorization profile is allocated are allowed to use commands and functions from the same authorization profile or a lower one. The device uses the authorization profiles on every application with which the device management can be accessed. UM Config RSP Release 8.1 12/2019 61 Access to the device 3.3 User management Every user account is linked to an access role that regulates the access to the individual functions of the device. Depending on the planned activity for the respective user, you assign a pre-defined access role to the user. The device differentiates between the following access roles. Table 11: Access roles for user accounts 62 Role Description Authorized for the following activities Administrator The user is authorized to monitor and administer the device. All activities with read/write access, including the following activities reserved for an administrator: Add, modify or delete user accounts Activate, deactivate or unlock user accounts Change every password Configure password management Set or change system time Load files to the device, for example device configurations, certificates or software images Reset settings and security-related settings to the state on delivery Configure RADIUS server and authentication lists Apply scripts using the Command Line Interface Enable/disable CLI logging and SNMP logging External memory activation and deactivation System monitor activation and deactivation Enable/disable the services for the access to the device management (for example SNMP). Configure access restrictions to the Graphical User Interface or the Command Line Interface based on the IP addresses Operator The user is authorized to All activities with read/write access, with the monitor and configure the exception of the above-named activities, which are device - with the exception of reserved for an administrator: security-related settings. Auditor The user is authorized to monitor the device and to save the log file in the Diagnostics > Report > Audit Trail dialog. Guest The user is authorized to Monitoring activities with read access. monitor the device - with the exception of security-related settings. Unauthorized No access to the device No activities allowed. possible. As an administrator you assign this access role to temporarily lock a user account. If an administrator assigns a different access role to the user account and an error occurs, then the device assigns this access role to the user account. Monitoring activities with read access. UM Config RSP Release 8.1 12/2019 Access to the device 3.3 User management 3.3.2 Managing user accounts You manage the user accounts in the Graphical User Interface or in the Command Line Interface. Perform the following steps: Open the Device Security > User Management dialog. The dialog displays the user accounts that are set up. Displays the user accounts that are set up. show users 3.3.3 Default setting In the state on delivery, the user accounts admin and user are set up in the de
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project