Page 1: User Manual
User Manual Basic Configuration Industrial ETHERNET (Gigabit) Switch Power MICE, MACH 4000 Basic - L3P Technical Support Release 4.0 11/07 HAC-Support@hirschmann.de...
Page 2 This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the con- tents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication.
Page 3: Table Of Contents
Content Content Content About this Manual Introduction Access to the user interfaces System Monitor Command Line Interface Web-based Interface Entering the IP Parameters IP Parameter Basics 2.1.1 IP address (version 4) 2.1.2 Network mask Entering IP parameters via CLI Entering the IP Parameters via HiDiscovery Loading the system configuration from the ACA System configuration via BOOTP System configuration via DHCP...
Page 4 Content Saving settings 3.2.1 Saving locally (and on the ACA) 3.2.2 Saving in a file on URL 3.2.3 Saving in a binary file on the PC 3.2.4 Saving as a script on the PC Loading software updates Loading the software from the ACA 4.1.1 Selecting the software to be loaded 4.1.2 Starting the software 4.1.3 Performing a cold start...
Page 5 Content Access Control Lists (ACL). 6.6.1 Description of prioritizing with ACLs 6.6.2 Description of IP-based ACLs. 6.6.3 Description of MAC-based ACLs 6.6.4 Configuring IP ACLs 6.6.5 Configuring MAC ACLs 6.6.6 Configuring priorities with IP ACLs 6.6.7 Specifying the sequence of the rules Synchronizing the system time in the network Entering the time SNTP...
Page 6 Content QoS/Priority 8.4.1 Description of Prioritization 8.4.2 VLAN tagging 8.4.3 IP ToS / DiffServ 8.4.4 Management prioritizing 8.4.5 Handling of received priority information 8.4.6 Handling of traffic classes 8.4.7 Setting prioritization Flow control 8.5.1 Description of flow control 8.5.2 Setting the flow control VLANs 8.6.1 Description of VLANs 8.6.2 Configuring VLANs...
Page 7 Content 9.9.1 Description of IP address conflicts 9.9.2 Configuring ACD 9.9.3 Displaying ACD 9.10 Reports 9.11 Monitoring port traffic (port mirroring) Setting up configuration environment Setting up DHCP/BOOTP server Setting up DHCP Server Option 82 tftp server for software updates A.3.1 Setting up the tftp process A.3.2 Software access rights Preparing access via SSH...
Page 8 Content User Manual - Industrial Protocols Release 4.0 11/07...
Page 9: About This Manual
About this Manual About this Manual The “Basic Configuration” user manual contains all the information you need to start operating the switch. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The following thematic sequence has proven itself in practice: Set up device access for operation by entering the IP parameters Check the status of the software and update it if necessary...
Page 10 About this Manual The "Web-based Interface" reference manual contains detailed information on using the Web interface to operate the individual functions of the switch. The "Command Line Interface" reference manual contains detailed informa- tion on using the Command Line Interface to operate the individual functions of the switch.
Page 11: Key
The designations used in this manual have the following meanings: List Work step Subheading Link Indicates a cross-reference with a stored link Note: A note emphasizes an important fact or draws your attention to a dependency. ASCII representation in user interface Courier Execution in the Web-based Interface user interface Execution in the Command Line Interface user interface...
Page 12 Server PLC - Programmable logic controller I/O - Robot Basic - L3P Release 4.0 11/07...
Page 13: Introduction
Introduction Introduction The switch has been developed for practical application in a harsh industrial environment. Accordingly, the installation process has been kept simple. Thanks to the selected default settings, you only have to enter a few settings before starting to operate the switch. Basic - L3P Release 4.0 11/07...
Page 14 Introduction Basic - L3P Release 4.0 11/07...
Page 15: Access To The User Interfaces
Access to the user interfaces 1 Access to the user interfaces The switch has three user interfaces, which you can access via different in- terfaces: System monitor via the V.24 interface (out-of-band) Command Line Interface (CLI) via the V.24 connection (out-of-band) and Telnet (in-band) Web-based interface via Ethernet (in-band).
Page 16: System Monitor
Access to the user interfaces 1.1 System Monitor 1.1 System Monitor The system monitor enables you to select the software to be loaded perform a software update start the selected software shut down the system monitor delete the configuration saved and display the boot code information.
Page 17 Access to the user interfaces 1.1 System Monitor < PowerMICE MS4128-5 (Boot) Release: 1.00 Build: 2005-09-17 15:36 > Press <1> to enter System Monitor 1 ... Figure 1: Screen display during the boot process Press the <1> key within one second to start system monitor 1. System Monitor (Selected OS: L3P-01.0.00-K16 (2005-10-31 19:32)) Select Boot Operating System...
Page 18: Command Line Interface
Access to the user interfaces 1.2 Command Line Interface 1.2 Command Line Interface The Command Line Interface enables you to use all the functions of the switch via a local or remote connection. The Command Line Interface provides IT specialists with a familiar environ- ment for configuring IT devices.
Page 19 Access to the user interfaces 1.2 Command Line Interface Copyright (c) 2004-2005 Hirschmann Automation and Control GmbH All rights reserved PowerMICE Release L3P-01.0.00-K16 (Build date 2005-10-31 19:32) System Name: PowerMICE Mgmt-IP 149.218.112.105 1.Router-IP: 0.0.0.0 Base-MAC 00:80:63:51:74:00 System Time: 2005-11-01 16:00:59...
Page 20 NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. the syntax of a particular command form, please consult the documentation. (Hirschmann PowerMICE) > Figure 4: CLI screen after login Basic - L3P Release 4.0 11/07...
Page 21: Web-Based Interface
Access to the user interfaces 1.3 Web-based Interface 1.3 Web-based Interface The user-friendly Web-based interface gives you the option of operating the Switch from any location in the network via a standard browser such as Mozilla Firefox or Microsoft Internet Explorer. As a universal access tool, the Web browser uses an applet which commu- nicates with the Switch via the Simple Network Management Protocol (SN- MP).
Page 22 Access to the user interfaces 1.3 Web-based Interface Figure 5: Installing Java Start your Web browser. Make sure that you have activated JavaScript and Java in the security settings of your browser. Establish the connection by entering the IP address of the Switch which you want to administer via the Web-based management in the address field of the Web browser.
Page 23 Access to the user interfaces 1.3 Web-based Interface Figure 6: Login window Select the desired language. In the drop-down menu, you select – user, to have read access, or – admin, to have read and write access to the switch. The password "public", with which you have read access, appears in the password field.
Page 24 Access to the user interfaces 1.3 Web-based Interface Basic - L3P Release 4.0 11/07...
Page 25: Entering The Ip Parameters
Entering the IP Parameters 2 Entering the IP Parameters The IP parameters must be entered when the Switch is installed for the first time. The Switch provides 6 options for entering the IP parameters during the first installation: Using the Command Line Interface (CLI). Choose this "out of band" method if you preconfigure your Switch outside its operating environment you do not have network access ("in-band") to the Switch...
Page 26 Entering the IP Parameters If the Switch already has an IP address and can be reached via the network, then the Web-based interface provides you with another option for configur- ing the IP parameters. Basic - L3P Release 4.0 11/07...
Page 27: Ip Parameter Basics
Entering the IP Parameters 2.1 IP Parameter Basics 2.1 IP Parameter Basics 2.1.1 IP address (version 4) The IP addresses consist of 4 bytes. These 4 bytes are written in decimal no- tation, separated by a decimal point. Since 1992, five classes of IP address have been defined in the RFC 1340. Class Network ad- Host address...
Page 28: Network Mask
Entering the IP Parameters 2.1 IP Parameter Basics Net ID - 7 bits Host ID - 24 bits Class A Net ID - 14 bits Host ID - 16 bits Class B Net ID - 21 bits Host ID - 8 bit s Class C Multicast Group ID - 28 bits Class D...
Page 29 Entering the IP Parameters 2.1 IP Parameter Basics Example of a network mask: Decimal notation 255.255.192.0 Binary notation 11111111.11111111.11000000.00000000 Subnetwork mask bits Class B Example of IP addresses with subnetwork assignment when the above sub- net mask is applied: Decimal notation 129.218.65.17 128 <...
Page 30 Entering the IP Parameters 2.1 IP Parameter Basics Example of how the network mask is used In a large network it is possible that gateways and routers separate the management agent from its management station. How does addressing work in such a case? Romeo Juliet Lorenzo...
Page 31 Entering the IP Parameters 2.1 IP Parameter Basics Lorenzo receives the letter and removes the outer envelope. From the in- ner envelope he recognizes that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list (the ARP table) for Juliet's MAC address.
Page 32: Entering Ip Parameters Via Cli
Entering the IP Parameters 2.2 Entering IP parameters via CLI 2.2 Entering IP parameters via If you do not configure the system via BOOTP/DHCP, DHCP Option 82, the HiDiscovery protocol or the ACA auto configuration adapter, then you per- form the configuration via the V.24 interface using the CLI. Entering IP addresses Connect the PC with terminal program started to the RJ11 socket...
Page 33 'normal' and 'no' command forms. the syntax of a particular command form, please consult the documentation. (Hirschmann PowerMICE) > Change to the Privileged EXEC mode by entering enable and pressing the Enter key. Disable DHCP by entering network protocol none and then pressing the Enter key.
Page 34 (Hirschmann PowerMICE) >en (Hirschmann PowerMICE) #network protocol none (Hirschmann PowerMICE) #network parms 149.218.112.105 255.255.255.0 (Hirschmann PowerMICE) #copy system:running-config nvram:startup-con- Are you sure you want to save? (y/n) y Copy OK: 15811 bytes copied Configuration Saved!
Page 35: Entering The Ip Parameters Via Hidiscovery
Entering the IP Parameters 2.3 Entering the IP Parameters via HiDiscovery 2.3 Entering the IP Parameters via HiDiscovery The HiDiscovery protocol enables you to assign IP parameters to the Switch via the Ethernet. You can easily configure other parameters via the Web-based interface (see the "Web-based Interface"...
Page 36 Entering the IP Parameters 2.3 Entering the IP Parameters via HiDiscovery Figure 10: HiDiscovery When HiDiscovery is started, it automatically searches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first PC network card found. If your computer has sev- eral network cards, you can select these in HiDiscovery on the toolbar.
Page 37 Entering the IP Parameters 2.3 Entering the IP Parameters via HiDiscovery Figure 11: HiDiscovery - assigning IP parameters Note: When the IP address is entered, the Switch copies the local configura- tion settings (see on page 53 "Loading/saving settings"). Note: For security reasons, switch off the HiDiscovery function for the device in the Web-based interface, after you have assigned the IP parameters to the device (see page 25 "System configuration via the Web-based...
Page 38: Loading The System Configuration From The Aca
Entering the IP Parameters 2.4 Loading the system configuration from the 2.4 Loading the system configu- ration from the ACA The AutoConfiguration Adapter (ACA) is a device for storing the configuration data of a Switch and storing the Switch software. In the case of a Switch failure, the ACA makes it possible to easily transfer the configuration data by means of a substitute switch of the same type.
Page 39 Entering the IP Parameters 2.4 Loading the system configuration from the Start-up plugged-in? Password im Default Switch and ACA password in identical? switch? Loading configuration Loading configuration from ACA, from local memory, ACA LEDs flashing ACA LEDs flashing synchronously alternately Configuration data loaded Figure 12: Flow chart of loading configuration data from the ACA...
Page 40: System Configuration Via Bootp
Entering the IP Parameters 2.5 System configuration via BOOTP 2.5 System configuration via BOOTP When it is started up via BOOTP (bootstrap protocol), a Switch receives its configuration in accordance with the "BOOTP process" flow chart (see fig. 13). Note: In its delivery state, the Switch gets its configuration data from the DHCP server.
Page 41 Entering the IP Parameters 2.5 System configuration via BOOTP switch_01:ht=ethernet:ha=008063086501:ip=149.218.112.83:tc=.global: switch_02:ht=ethernet:ha=008063086502:ip=149.218.112.84:tc=.global: Lines that start with a '#' character are comment lines. The lines under ".global:" make the configuration of several devices easier. With the template (tc) you allocate the global configuration data (tc=.global:) to each device .
Page 42 Entering the IP Parameters 2.5 System configuration via BOOTP Start-up Load default configuration Switch in initalization Switch runs with settings from local flash Send DHCP DHCP/ BOOTP BOOTP? Requests Reply from Save IP parameter and config file URL DHCP/BOOTP server? locally initialize IP stack with IP parameters...
Page 43 Entering the IP Parameters 2.5 System configuration via BOOTP Load remote Start tftp process configuration from with config URL of DHCP? file URL of DHCP tftp successful? Load transferred config file Save transferred config file local and set boot configuration to local Loading of configurations data...
Page 44 Entering the IP Parameters 2.5 System configuration via BOOTP Note: The loading process started by DHCP/BOOTP (see on page 16 "Sys- tem configuration via BOOTP") shows the selection of "from URL & save lo- cally" in the "Load" frame. If you get an error message when saving a configuration, this could be due to an active loading process.
Page 45: System Configuration Via Dhcp
Entering the IP Parameters 2.6 System configuration via DHCP 2.6 System configuration via DHCP The DHCP (dynamic host configuration protocol) responds similarly to the BOOTP and additionally offers the configuration of a DHCP client via a name instead of via the MAC address. For the DHCP, this name is known as the "client identifier"...
Page 46 Entering the IP Parameters 2.6 System configuration via DHCP The special feature of DHCP in contrast to BOOTP is that the DHCP server can only provide the configuration parameters for a certain period of time ("lease"). When this time period ("lease duration") expires, the DHCP client must attempt to renew the lease or negotiate a new one.
Page 47 Entering the IP Parameters 2.6 System configuration via DHCP host hugo { option dhcp-client-identifier "hugo"; option dhcp-client-identifier 00:68:75:67:6f; fixed-address 149.218.112.83; server-name "149.218.112.11"; filename "/agent/config.dat"; Lines that start with a '#' character are comment lines. The lines preceding the individually listed devices refer to settings that apply to all the following devices.
Page 48: System Configuration Via Dhcp Option
Entering the IP Parameters 2.7 System configuration via DHCP Option 82 2.7 System configuration via DHCP Option 82 As with the classic DHCP, on startup an agent receives its configuration data according to the "BOOTP/DHCP process" flow chart (see fig. 13).
Page 49: System Configuration Via The Web-Based Interface
Entering the IP Parameters 2.8 System configuration via the Web-based in- 2.8 System configuration via the Web-based interface With the Basics:Network dialog you define the source from which the Switch gets its IP parameters after starting, and you assign the IP parameters and VLAN ID and configure the HiDiscovery access.
Page 50 Entering the IP Parameters 2.8 System configuration via the Web-based in- Enter the parameters on the right according to the selected mode. You enter the name applicable to the DHCP protocol in the "Name" line in the system dialog of the Web-based interface. The "VLAN ID"...
Page 51: Faulty Device Replacement
Entering the IP Parameters 2.9 Faulty device replacement 2.9 Faulty device replacement The Switch provides two plug-and-play solutions for replacing a faulty Switch with a Switch of the same type (faulty device replacement): Configuring the new Switch via an AutoConfiguration Adapter (see on page 14 "Loading the system configuration from the ACA") Configuration via DHCP Option 82...
Page 52 Entering the IP Parameters 2.9 Faulty device replacement Basic - L3P Release 4.0 11/07...
Page 53: Loading/Saving Settings
Loading/saving settings 3 Loading/saving settings The Switch saves settings such as the IP parameters and the port configura- tion in the temporary memory. These settings are lost when you switch off or reboot the device. The Switch enables you to save settings from the temporary memory in a non-volatile memory load settings from a non-volatile memory into the temporary memory.
Page 54: Loading Settings
Loading/saving settings 3.1 Loading settings 3.1 Loading settings When it is restarted, the Switch loads its configuration data from the local non-volatile memory, once you have not activated BOOTP/DHCP and no ACA is connected to the Switch. During operation, the Switch allows you to load settings from the following sources: the local non-volatile memory the AutoConfiguration Adapter.
Page 55: Loading From The Local Non-Volatile Memory
Loading/saving settings 3.1 Loading settings 3.1.1 Loading from the local non-volatile memory When loading the configuration data locally, the Switch loads the configura- tion data from the local non-volatile memory if no ACA is connected to the Switch. Select the Basics: Load/Save dialog.
Page 56: Loading From A File
Loading/saving settings 3.1 Loading settings 3.1.3 Loading from a file The Switch allows you to load the configuration data from a file in the con- nected network if there is no AutoConfiguration Adapter connected to the Switch. Select the Basics: Load/Save dialog. In the "Load"...
Page 57 Loading/saving settings 3.1 Loading settings Figure 17: Load/store dialog Switch to the Priviledged EXEC mode. enable The Switch loads the configuration data from a copy tftp://149.218.112.159/ tftp server in the connected network. switch/config.dat nvram:startup-config Note: The loading process started by DHCP/BOOTP (see on page 40 "Sys- tem configuration via BOOTP") shows the selection of "from URL &...
Page 58: Resetting The Configuration To The State On Delivery
Loading/saving settings 3.1 Loading settings 3.1.4 Resetting the configuration to the state on delivery The Switch enables you to reset the current configuration to the state on delivery. The locally saved configuration is kept. reset the Switch to the state on delivery. After the next restart, the IP ad- dress is also in the state on delivery.
Page 59: Saving Settings
Loading/saving settings 3.2 Saving settings 3.2 Saving settings In the "Save" frame, you have the option to save the current configuration on the Switch save the current configuration in binary form in a file under the specified URL, or as an editable and readable script save the current configuration in binary form or as an editable and read- able script on the PC.
Page 60: Saving In A File On Url
Loading/saving settings 3.2 Saving settings 3.2.2 Saving in a file on URL The Switch allows you to save the current configuration data in a file in the connected network. Note: The configuration file includes all configuration data, including the password. Therefore pay attention to the access rights on the tftp server. Select the Basics: Load/Save dialog.
Page 61: Saving In A Binary File On The Pc
Loading/saving settings 3.2 Saving settings 3.2.3 Saving in a binary file on the PC The Switch allows you to save the current configuration data in a binary file on your PC. Select the Basics: Load/Save dialog. In the "Save" frame, click "on the PC (binary)". In the save dialog, enter the name of the file in which you want the Switch to save the configuration file.
Page 62 Loading/saving settings 3.2 Saving settings Basic - L3P Release 4.0 11/07...
Page 63: Loading Software Updates
Loading software updates 4 Loading software updates Hirschmann never stops working on improving the performance of its prod- ucts. So it is possible that you may find a more up to date release of the Switch software on the Hirschmann Internet site (www.hirschmann.com) than the release saved on your Switch.
Page 64 Loading software updates Loading the software The Switch gives you three options for loading the software: From the ACA 21 USB (out-of-band) Via tftp from a tftp server (in-band) Via a file selection dialog from your PC. Note: The existing configuration of the Switch is still there after the new software is installed.
Page 65: Loading The Software From The Aca
Loading software updates 4.1 Loading the software from the ACA 4.1 Loading the software from the ACA You can connect the ACA 21-USB to a USB port of your PC like a conven- tional USB stick and copy the Switch software into the main directory of the ACA 12-USB.
Page 66: Selecting The Software To Be Loaded
Loading software updates 4.1 Loading the software from the ACA 4.1.1 Selecting the software to be loaded In this menu item of the system monitor, you select one of two possible soft- ware releases that you want to load. The following window appears on the screen: Select Operating System Image (Available OS: Selected: 1.00 (2004-08-26 07:15), Backup: 1.00 (2004-08-26 07...
Page 67: Starting The Software
Loading software updates 4.1 Loading the software from the ACA Test stored images in USB memory Select 4 to check whether the images of the software stored in the ACA 21-USB contain valid codes. Apply and store selection Select 5 to confirm the software selection and to save it. Cancel selection Select 6 to leave this dialog without making any changes.
Page 68: Loading The Software From The Tftp Server
Loading software updates 4.2 Loading the software from the tftp server 4.2 Loading the software from the tftp server For a tftp update, you need a tftp server on which the software to be loaded is stored (see on page 210 "tftp server for software updates").
Page 69 Loading software updates 4.2 Loading the software from the tftp server Figure 19: Software update dialog After successfully loading it, you activate the new software: Select the dialog Basic Settings:Restart and perform a cold start. After booting the Switch, click "Reload" in your browser to access the Switch again.
Page 70: Loading The Software Via File Selection
Loading software updates 4.3 Loading the software via file selection 4.3 Loading the software via file selection For an update via a file selection window, the Switch software must be on a drive that you can access via your PC. Select the Basics:Software dialog.
Page 71: Configuring The Ports
Configuring the ports 5 Configuring the ports The port configuration consists of: Switching the port on and off Selecting the operating mode Activating the display of connection error messages Configuring Power over ETHERNET. Switching the port on and off In the state on delivery, all the ports are switched on. For a higher level of access security, switch off the ports at which you are not making any con- nection.
Page 72: Configuring Power Over Ethernet
The Switch therefore assumes for now a "nominal system power" of 60 Watt per PoE media module. System power for MACH 4000: The Switch provides the nominal system power for the sum of all PoE ports plus a surplus. Should the connected devices require more power than is provided by the system, the Switch then disables the ports.
Page 73 Configuring the ports With "Function on/off" you turn the PoE on or off. With "Send Trap" you can get the Switch to send a trap in the follow- ing cases: – If a value exceeds/falls below the performance threshold. – If the PoE supply voltage is switched on/off at at least one port. Enter the power threshold in "Threshold".
Page 74 In the "Port on" column, you can enable/disable PoE at this port. The "Status" column indicates the PoE status of the port. In the "Priority" column (MACH 4000), set the PoE priority of the port to "low", "high" or "critical".
Page 75: Protection From Unauthorized Access
Protection from unauthorized access 6 Protection from unauthorized access Protect your network from unauthorized access. The Switch provides you with the following functions for protecting against unauthorized access. Password for SNMP access Telnet/Web/SSH access disabling HiDiscovery function disabling Port access control via IP or MAC address Port authentication according to 802.1X Access Control Lists (ACL).
Page 76: Password For Snmp Access
Protection from unauthorized access 6.1 Password for SNMP access 6.1 Password for SNMP access 6.1.1 Description of password for SNMP access A network management station communicates with the Switch via the Simple Network Management Protocol (SNMP). Every SNMP packet contains the IP address of the sending computer and the password with which the sender of the packet wants to access the Switch MIB.
Page 77: Entering The Password For Snmp Access
Protection from unauthorized access 6.1 Password for SNMP access 6.1.2 Entering the password for SNMP access Select the Security:Password / SNMPv3 access dialog. This dialog gives you the option of changing the read and read/write passwords for access to the Switch via the Web-based interface/CLI/ SNMP.
Page 78 Protection from unauthorized access 6.1 Password for SNMP access Figure 21: Password dialog Basic - L3P Release 4.0 11/07...
Page 79 Protection from unauthorized access 6.1 Password for SNMP access Important: If you do not know a password with read/write access, you will not have write access to the Switch! Note: After changing the password for write access, restart the Web in- terface in order to access the Switch.
Page 80 Protection from unauthorized access 6.1 Password for SNMP access Password Password with which this computer can access the Switch. This password is independent of the SNMPv2 password. IP address IP address of the computer that can access the Switch. IP mask IP mask for the IP address Access The access mode determines whether the computer has...
Page 81: Telnet/Web/Ssh Access
Protection from unauthorized access 6.2 Telnet/Web/SSH access 6.2 Telnet/Web/SSH access 6.2.1 Description of Telnet access The Telnet server of the Switch allows you to configure the Switch by using the Command Line Interface (in-band). You can deactivate the Telnet server to prevent Telnet access to the Switch.
Page 82: Description Of Ssh Access
Protection from unauthorized access 6.2 Telnet/Web/SSH access After the Web server has been switched off, it is no longer possible to login via a Web browser. The login in the open browser window remains active. Note: The Command Line Interface and this dialog allow you to reactivate the Telnet server.
Page 83: Enabling/Disabling Telnet/Web/Ssh Access
Protection from unauthorized access 6.2 Telnet/Web/SSH access 6.2.4 Enabling/disabling Telnet/Web/SSH access Select the Security:Telnet/Web/SHH access dialog. Disable the server to which you want to refuse access. Switch to the Priviledged EXEC mode. enable Enable Telnet server. transport input telnet Disable Telnet server. no transport input telnet Enable Web server.
Page 84: Disabling The Hidiscovery Function
Protection from unauthorized access 6.3 Disabling the HiDiscovery function 6.3 Disabling the HiDiscovery function 6.3.1 Description of the HiDiscovery protocol The HiDiscovery protocol allows you to assign the Switch an IP address based on its MAC address (see on page 35 "Entering the IP Parameters via HiDiscovery").
Page 85: Port Access Control
Protection from unauthorized access 6.4 Port access control 6.4 Port access control 6.4.1 Port access control The Switch protects every port from unauthorized access. Depending on your selection, the Switch checks the MAC address or the IP address of the connected device.
Page 86: Defining Port Access Control
Protection from unauthorized access 6.4 Port access control 6.4.2 Defining port access control Select the Security:Port Security dialog. First select whether you want MAC-based or IP-based port security. If you have selected MAC-based security, you enter the MAC ad- dresses of the devices with which a data exchange at this port is per- mitted in the "Allowed Mac Address"...
Page 87 Protection from unauthorized access 6.4 Port access control Figure 23: Port Security dialog Note: This entry in the port configuration table is part of the configura- tion (see on page 53 "Loading/saving settings") and is saved together with the configuration. Note: An alarm (trap) can only be sent if at least one recipient is entered under "Trap settings"...
Page 88: Port Authentication According To 802.1X
Protection from unauthorized access 6.5 Port authentication according to 802.1X 6.5 Port authentication accord- ing to 802.1X 6.5.1 Description of port authentication according to 802.1X The port-based network access control is a method described in norm IEEE 802.1X to protect IEEE 802 networks from unauthorized access. The proto- col controls the access at a port by authenticating and authorizing a device that is connected to this port of the Switch.
Page 89: Authentication Process
Protection from unauthorized access 6.5 Port authentication according to 802.1X 6.5.2 Authentication process A supplicant attempts to communicate via a Switch port. The Switch requests authentication from the supplicant. At this time, only EAPOL traffic is allowed between the supplicant and the Switch. The supplicant replies with its identification data.
Page 90: Setting 802.1X
Protection from unauthorized access 6.5 Port authentication according to 802.1X 6.5.4 Setting 802.1X Configurating the RADIUS server Select the Security:802.1x Port Authentication:RADIUS Server dialog. This dialog allows you to enter the data for one, two or three RADIUS servers. Click "Create entry" to open the dialog window for entering the IP ad- dress of a RADIUS server.
Page 91: Access Control Lists (Acl)
Protection from unauthorized access 6.6 Access Control Lists (ACL). 6.6 Access Control Lists (ACL). You can use Access Control Lists (ACL) to filter out, forward, divert or prior- itize data packets as they are received. The Switch provides MAC-based ACLs and IP-based ACLs.
Page 92: Description Of Prioritizing With Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). Note: With Power MICE and MACH 4000, you can use either MAC-based or IP-based ACLs for each interface. With MACH 4002-24G/48G, you can use both MAC-based and IP-based ACLs for each interface.
Page 93: Description Of Ip-Based Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). 6.6.2 Description of IP-based ACLs. The Switch differentiates between standard and extended IP-based ACLs. ACLs with an ID number (ACL ID) 1 to 99 are standard IP-based ACLs and 100 to 199 are extended IP-based ACLs. Standard IP-based ACLs provide the following criteria for filtering: IP source address with network mask All data packets (match every)
Page 94: Description Of Mac-Based Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). Note: IP address masks in the rules of ACLs are inverse. This means that if you want to mask a single IP address, you select the net- work mask 0.0.0.0. 6.6.3 Description of MAC-based ACLs While you use an ID number to identify IP-based ACLs, you use a unique name of your choice to identify MAC-based ACLs.
Page 95: Configuring Ip Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). PERMIT Source MAC: ANY Destination MAC: 01:15:4E:00:00:00 Destination MAC mask: 00:00:00:00:00:03 CLI command in the Config-mac-access mode: permit any 01:15:4E:00:00:00 00:00:00:00:00:03 Note: MAC address masks in the rules of ACLs are inverse. This means that if you want to mask a single MAC address, you select the network mask 00:00:00:00:00:00.
Page 96 Protection from unauthorized access 6.6 Access Control Lists (ACL). Create the extended ACL 100 with the first rule. access-list 100 deny ip This denies data traffic from IP source address 10.0.1.11 0.0.0.0 10.0.1.11 to the IP destination address 10.0.1.158. 10.0.1.158 0.0.0.0 Add another rule to the ACL 100.
Page 97: Configuring Mac Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). 6.6.5 Configuring MAC ACLs Example: MAC ACL Filtering AppleTalk and IPX from the entire network. Switch to the Priviledged EXEC mode. enable Switch to the Configuration mode. configure Create the extended ACL "ipx-apple". mac access-list extended ipx-apple Add the rule "deny IPX"...
Page 98: Configuring Priorities With Ip Acls
Protection from unauthorized access 6.6 Access Control Lists (ACL). 6.6.6 Configuring priorities with IP ACLs Example: Prioritizing Multicast streams. Assign priority 6 to the Multicast streams with the IP Multicast destination addresses 239.1.1.1 to 239.1.1.255 and Assign priority 5 to the Multicast streams with the IP Multicast destination addresses 237.1.1.1 to 237.1.1.255 and Switch to the Priviledged EXEC mode.
Page 99 Protection from unauthorized access 6.6 Access Control Lists (ACL). Switch to the Priviledged EXEC mode. enable Switch to the Configuration mode. configure Create the extended ACL 104 with the first rule. access-list 104 permit udp This rule assigns priority 5 to all SNMP packets any any eq snmp assign with the UDP destination port (=161).
Page 100: Specifying The Sequence Of The Rules
Protection from unauthorized access 6.6 Access Control Lists (ACL). 6.6.7 Specifying the sequence of the rules The sequence of the ACLs determines their usage. The first list that applies is used, and all subsequent rules are ignored. You can influence the se- quence by assigning the sequence number.
Page 101: Synchronizing The System Time In The Network
Synchronizing the system time in the 7 Synchronizing the system time in the network The actual meaning of the term "real time" depends on the time requirements of the application. The Switch provides two options with different levels of accuracy for synchro- nizing the time in your network.
Page 102: Entering The Time
Synchronizing the system time in the 7.1 Entering the time 7.1 Entering the time If no reference clock is available, you have the option of entering the system time in a Switch and then using it like a reference clock.(see on page 6 "Con- figuring SNTP")(see on page 15 "Configuring PTP") Note: When setting the time in zones with summer and winter times, make an adjustment for the local offset.
Page 103 Synchronizing the system time in the 7.1 Entering the time The "Local Offset" is for displaying/entering the time difference be- tween the local time and the "IEEE 1588 / SNTP time". With "Set off- set from PC", the Switch determines the time zone on your PC and uses it to calculate the local time difference.
Page 104: Sntp
Synchronizing the system time in the 7.2 SNTP 7.2 SNTP 7.2.1 Description of SNTP The Simple Network Time Protocol (SNTP) enables you to synchronize the system time in your network. The Switch supports the SNTP Server and SNTP Client functions. The SNTP server makes the UTC (Universal Time Coordinated) available.
Page 105: Preparing The Sntp Coordination
Synchronizing the system time in the 7.2 SNTP 7.2.2 Preparing the SNTP coordination To get an overview of how the time is passed on, draw a network plan with all the devices participating in PTP. When planning, bear in mind that the accuracy of the time depends on the signal runtime.
Page 106: Configuring Sntp
Synchronizing the system time in the 7.2 SNTP 7.2.3 Configuring SNTP Select the Time:SNTP dialog. Configuration SNTP Client and Server In this frame you switch the SNTP function on/off. When it is switched off, the SNTP server does not send any SNTP packets or respond to any SNTP requests.
Page 107 Synchronizing the system time in the 7.2 SNTP In "VLAN ID" you specify the VLAN to which the switch may period- ically send SNTP packages. In "Anycast send interval" you specify the interval at which the Switch sends SNTP packets (valid entries: 1 second to 3600 sec- onds, on delivery: 120 seconds).
Page 108 Synchronizing the system time in the 7.2 SNTP Configuration SNTP Client In "External server address" you enter the IP address of the SNTP server from which the Switch periodically requests the sys- tem time. In "Redundant server address" you enter the IP address of the SNTP server from which the Switch periodically requests the sys- tem time, if it does not receive a response to a request from the "External server address"...
Page 109 Synchronizing the system time in the 7.2 SNTP Switch 149.218.112.1 149.218.112.2 149.218.112.3 Function Server destination address 0.0.0.0 0.0.0.0 0.0.0.0 Server VLAN ID Send interval Client external server address 149.218.112.0 149.218.112.1 149.218.112.2 Request interval Accept broadcasts Table 6: Settings for the example (see fig.
Page 110: Precision Time Protocol
Synchronizing the system time in the 7.3 Precision Time Protocol 7.3 Precision Time Protocol 7.3.1 Description of PTP functions Precise time management is required for running time-critical applications via a LAN. The IEEE 1588 standard with the Precision Time Protocol (PTP) describes a procedure that assumes one clock is the most accurate and thus enables precise synchronization of all clocks in an LAN.
Page 111 Synchronizing the system time in the 7.3 Precision Time Protocol Stratum Specification number For temporary, special purposes, in order to assign a better value to one clock than to all other clocks in the network. Indicates the reference clock with the highest degree of accuracy. A stratum 1 clock can be both a boundary clock and an ordinary clock.
Page 112 Synchronizing the system time in the 7.3 Precision Time Protocol Reference Local (Master clock) (Slave clock) Delay + Jitter Delay + Jitter Delay + Jitter Precision Time Protocol (Application Layer) UDP User Datagramm Protocol (Transport Layer) Internet Protocol (Network Layer) MAC Media Access Control Physical Layer Figure 28: Delay and jitter problems when synchronizing clocks...
Page 113 Synchronizing the system time in the 7.3 Precision Time Protocol Reference (Grandmaster Clock) Switch Ordinary Clock Ordinary Clock Slave Master Boundary Clock Figure 29: Boundary clock Independently of the physical communication paths, the PTP provides logical communication paths which you define by setting up PTP subdomains. Sub- domains are used to form groups of clocks that are time-independent from the rest of the domain.
Page 114: Preparing The Ptp Configuration
Synchronizing the system time in the 7.3 Precision Time Protocol Ordinary Clock Reference (Grandmaster Clock) Switch PTP Subdomain 1 Boundary Clock PTP Subdomain 2 Figure 30: PTP Subdomains 7.3.2 Preparing the PTP configuration After the function is activated, the PTP takes over the configuration automat- ically.
Page 115: Configuring Ptp
Synchronizing the system time in the 7.3 Precision Time Protocol Enable the PTP function on all devices whose time you want to synchro- nize using PTP. If no reference clock is available, you specify a Switch as the reference clock and set its system time as accurately as possible. 7.3.3 Configuring PTP In the Time:PTP:Global dialog, you can enable/disable the function and make PTP settings on the MS20/30 and Power MICE devices which are...
Page 116 Synchronizing the system time in the 7.3 Precision Time Protocol Figure 31: PTP Global dialog Application example: PTP is used to synchronize the time in the network. As an SNTP client, the left Switch gets the time from the NTP server via SNTP. The Switch assigns clock stratum "2"...
Page 117 Synchronizing the system time in the 7.3 Precision Time Protocol Reference Switch mit (Grandmaster Clock) RT-Modul Switch mit 10.0.1.116 RT-Modul 10.0.1.112 10.0.1.2 Boundary Clock Ordinary Clock Switch ohne Switch ohne RT-Modul RT-Modul 10.0.1.105 10.0.1.106 Figure 32: Example of PTP synchronization Switch 10.0.1.112 10.0.1.116...
Page 118: Interaction Of Ptp And Sntp
Synchronizing the system time in the 7.4 Interaction of PTP and SNTP 7.4 Interaction of PTP and SNTP According to PTP and SNTP, both protocols can exist in parallel in the same network. However, since both protocols effect the system time of the device, situations may occur in which the two protocols compete with each other.
Page 119 Synchronizing the system time in the 7.4 Interaction of PTP and SNTP Switch 149.218.112.1 149.218.112.2 149.218.112.3 Operation Clock Mode ptp-mode- ptp-mode- ptp-mode- boundary-clock boundary-clock boundary-clock Preferred Master false false false SNTP Operation Server destination address 224.0.1.1 224.0.1.1 224.0.1.1 Server VLAN ID Send interval Client external server address 149.218.112.0 0.0.0.0...
Page 120 Synchronizing the system time in the 7.4 Interaction of PTP and SNTP Basic - L3P Release 4.0 11/07...
Page 121: Network Load Control
Network load control 8 Network load control To optimize the data transmission, the Switch provides you with the following functions for controlling the network load: Settings for direct packet distribution (MAC address filter) Multicast settings Rate limiter Prioritization - QoS Flow control Virtual LANs Basic - L3P...
Page 122: Direct Packet Distribution
Network load control 8.1 Direct packet distribution 8.1 Direct packet distribution With direct packet distribution, you protect the Switch from unnecessary net- work loads. The Switch provides you with the following functions for direct packet distribution: Store-and-forward Multi-address capability Aging of learned addresses Static address entries Disabling the direct packet distribution 8.1.1 Store-and-forward...
Page 123: Aging Of Learned Addresses
Network load control 8.1 Direct packet distribution The Switch can learn up to 8000 addresses. This is necessary if more than one terminal device is connected to one or more ports. It is thus possible to connect several independent subnetworks to the Switch. 8.1.3 Aging of learned addresses The Switch monitors the age of the learned addresses.
Page 124: Entering Static Address Entries
Network load control 8.1 Direct packet distribution 8.1.4 Entering static address entries One of the most important functions of a Switch is the filter function. It selects data packets according to defined patterns, known as filters. These patterns are assigned distribution rules. This means that a data packet received by a Switch at a port is compared with the patterns.
Page 125: Disabling The Direct Packet Distribution
Network load control 8.1 Direct packet distribution Select the Switching:Filters for MAC Addresses dialog. Each row of the filter table represents one filter. Filters specify the way in which data packets are sent. They are set automatically by the Switch (learned status) or created manually.
Page 126: Multicast Application
Network load control 8.2 Multicast application 8.2 Multicast application 8.2.1 Description of the Multicast application The data distribution in the LAN differentiates between three distribution classes on the basis of the addressed recipients: Unicast - one recipient Multicast - a group of recipients Broadcast - every recipient that can be reached In the case of a Multicast address, the Switches forward all data packets with a Multicast address to all ports.
Page 127: Example Of A Multicast Application
Network load control 8.2 Multicast application 8.2.2 Example of a Multicast application The cameras for monitoring machines normally transmit their images to mon- itors located in the machine room and to the monitoring room. In an IP trans- mission, a camera sends its image data with a Multicast address via the network.
Page 128: Description Of Igmp Snooping
Network load control 8.2 Multicast application 8.2.3 Description of IGMP Snooping The Internet Group Management Protocol (IGMP) describes the distribution of Multicast information between routers and terminal devices on the Layer 3 level. Routers with an active IGMP function periodically send queries to find out which IP Multicast group members are connected to the LAN.
Page 129 Network load control 8.2 Multicast application Devices that want to receive data packets with a Multicast address as the destination address use the GMRP to perform the registration of the Multi- cast address. For a Switch, registration involves entering the Multicast ad- dress in the filter table.
Page 130: Setting Up The Multicast Application
Network load control 8.2 Multicast application 8.2.5 Setting up the Multicast application Select the Switching:Multicasts dialog. Global settings "IGMP Snooping" allows you to enable IGMP Snooping globally for the entire switch. If IGMP Snooping is disabled, then the Switch does not evaluate Query and Report packets received, it sends (floods) received data packets with a Multicast address as the destination address to all ports.
Page 131 Network load control 8.2 Multicast application Unknown Multicasts In this frame you can determine how the Switch in IGMP mode sends packets with an unknown MAC/IP Multicast address that was not learned through IGMP Snooping. "Send to Query Ports". The Switch sends the packets with an unknown MAC/IP Multicast address to all query ports.
Page 132 Network load control 8.2 Multicast application Settings per port (table) IMGP on per port This table column enables you to enable/disable the IGMP for each port when the global IGMP Snooping is enabled. Disabling the IGMP at a port prevents registration for this port. IGMP Forward All per port This table column enables you to enable/disable the "Forward All"...
Page 133 Network load control 8.2 Multicast application GMRP per Port This table column enables you to enable/disable the GMRP for each port when the global GMRP is enabled. When you disable the GMRP at a port, no registrations can be made for this port, and GMRP packets cannot be sent out of this port.
Page 134 Network load control 8.2 Multicast application Figure 35: IGMP/GMRP dialog Basic - L3P Release 4.0 11/07...
Page 135: Rate Limiter
Network load control 8.3 Rate Limiter 8.3 Rate Limiter 8.3.1 Description of the Rate Limiter To ensure reliable data exchange during heavy traffic, the Switch can limit the traffic. Entering a limit rate for each port specifies the amount of traffic the Switch is permitted to transmit and receive.
Page 136 Network load control 8.3 Rate Limiter Setting options per port: Ingress Limiter Rate for the packet types selected in the Ingress Lim- iter frame: = 0, no ingress limit at this port. > 0, maximum outgoing traffic rate in kbit/s that is allowed to be sent at this port.
Page 137: Qos/Priority
Network load control 8.4 QoS/Priority 8.4 QoS/Priority 8.4.1 Description of Prioritization This function prevents time-critical data traffic such as language/video or real-time data from being disrupted by less time-critical data traffic during pe- riods of heavy traffic. By assigning high traffic classes for time-critical data and low traffic classes for less time-critical data, you ensure optimal data flow for time-critical data traffic.
Page 138: Vlan Tagging
Network load control 8.4 QoS/Priority VLAN priority based on IEEE 802.1Q/ 802.1D (Layer 2) Type of Service (ToS) or DiffServ (DSCP) for IP packets (Layer 3) 8.4.2 VLAN tagging The VLAN tag is integrated into the MAC data frame for the VLAN and Prior- itization functions in accordance with the IEEE 802.1 Q standard.
Page 139 8.4 QoS/Priority Note: Network protocols and redundancy mechanisms use the highest traffic classes 3 (RS20/30/40, MS20/30, MACH 1000, OCTOPUS) and 7 (Power MICE, MACH 4000). Therefore, you select other traffic classes for applica- tion data. 42-1500 Octets min. 64, max. 1522 Octets...
Page 140: Ip Tos / Diffserv
Network load control 8.4 QoS/Priority Although VLAN prioritizing is widespread in the industry sector, it has a num- ber of limitations: The additional 4-byte VLAN tag enlarges the data packets. With small data packets, this leads to a larger bandwidth load. End-to-end prioritizing requires the VLAN tags to be transmitted to the en- tire network, which means that all network components must be VLAN-ca- pable.
Page 141: Differentiated Services
Network load control 8.4 QoS/Priority Bits (0-2): IP Precedence Defined Bits (3-6): Type of Service Defined Bit (7) 111 - Network Control 0000 - [all normal] 0 - Must be zero 110 - Internetwork Control 1000 - [minimize delay] 101 - CRITIC / ECP 0100 - [maximize throughput] 100 - Flash Override 0010 - [maximize reliability]...
Page 142 Network load control 8.4 QoS/Priority Default Forwarding/Best Effort: No particular prioritizing. The PHB class selector assigns the 7 possible IP precedence values from the old ToS field to specific DSCP values, thus ensuring the downwards compatibility. ToS Meaning Precedence Value Assigned DSCP Network Control CS7 (111000) Internetwork Control...
Page 143: Management Prioritizing
Network load control 8.4 QoS/Priority 8.4.4 Management prioritizing In order for you to have full access to the management of the Switch, even when there is a high network load, the Switch enables you to prioritize man- agement packets. In prioritizing management packets (SNMP, Telnet, etc.), the Switch sends the management packets with priority information.
Page 144: Handling Of Traffic Classes
Network load control 8.4 QoS/Priority 8.4.6 Handling of traffic classes For the handling of traffic classes, the Switch provides: Strict Priority Weighted Fair Queuing Strict Priority combined with Weighted Fair Queuing Default setting: Strict Priority. Description of Strict Priority With the Strict Priority setting, the Switch first transmits all data packets that have a higher traffic class before transmitting a data packet with the next highest traffic class.
Page 145 Network load control 8.4 QoS/Priority Maximum bandwidth By entering a maximum bandwidth you can limit the bandwidth for each traffic class to a maximum value, regardless of whether you selected "Weighted Fair Queuing" or "Strict Priority". Weighted Fair Queuing (see page 24) requires that the maximum bandwidth is at least as big as the minimum bandwidth.
Page 146: Setting Prioritization
Network load control 8.4 QoS/Priority 8.4.7 Setting prioritization Assigning the port priority Select the QoS/Priority:Port Configuration dialog. In the "Port Priority" column, you can specify the priority (0-7) with which the Switch sends data packets which it receives without a VLAN tag at this port Note: If you have set up VLANs, pay attention to the "Transparent mode"...
Page 147 User Priority Traffic Class ------------- ------------- Always assign the port priority to received data packets (Power MICE and MACH 4000) Switch to the Priviledged EXEC mode. enable Switch to the Configuration mode. configure Switch to the Interface Configuration mode of interface 1/1 interface 1/1.
Page 148: Traffic Shaping
Network load control 8.4 QoS/Priority Always assign the DSCP priority to received IP data pack- ets for each interface (Power MICE and MACH 4000) Switch to the Priviledged EXEC mode. enable Switch to the Configuration mode. configure Switch to the interface configuration mode of inter- interface 6/1 face 6/1.
Page 149 Network load control 8.4 QoS/Priority Assigns the weighting to the Weighted Fair Queu- cos-queue min-bandwidth 10 ing traffic classes. In the case of Strict Priority, be- 10 15 15 20 30 0 0 cause the Switch first transmits all the data packets with a high priority, you can enter the weighting 0 for the Strict Priority traffic classes and distribute 100% among the remaining traffic classes.
Page 150 Network load control 8.4 QoS/Priority Interface........1/2 Interface Shaping Rate......50 Queue Id Min. Bandwidth Max. Bandwidth Scheduler Type -------- -------------- -------------- -------------- Weighted Weighted Weighted Weighted Weighted Weighted Strict Strict Configuring Layer 2 management priority Configure the VLAN ports to which the Switch sends management packets as a member of the VLAN that sends data packets with a tag (see on page 38 "Configuring VLANs").
Page 151 Network load control 8.4 QoS/Priority Configuring Layer 3 management priority Select the QoS/Priority:Global dialog. In the line IP-DSCP value for management packets you enter the IP-DSCP value with which the Switch sends management pack- ets. Switch to the Priviledged EXEC mode. enable Assign the value cs7 to the management priority so network priority ip-dscp...
Page 152: Flow Control
Network load control 8.5 Flow control 8.5 Flow control 8.5.1 Description of flow control Flow control is a mechanism which acts as an overload protection for the Switch. During periods of heavy traffic, it holds off additional traffic from the network.
Page 153 Network load control 8.5 Flow control Port 1 Port 4 Switch Port 2 Port 3 Workstation 1 Workstation 2 Workstation 3 Workstation 4 Figure 40: Example of flow control Flow control with a full duplex link In the example (see fig. 40) there is a full duplex link between Workstation 2 and the Switch.
Page 154: Setting The Flow Control
Network load control 8.5 Flow control 8.5.2 Setting the flow control Select the Basics:Port Configuration dialog. In the "Flow Control on" column, you checkmark this port to specify that flow control is active here. You also activate the global "Flow Control"...
Page 155: Vlans
Network load control 8.6 VLANs 8.6 VLANs 8.6.1 Description of VLANs A virtual LAN (VLAN) consists of a group of network participants in one or more network segments who can communicate with each other as if they be- longed to the same LAN. VLANs are based on logical (instead of physical) links and are flexible ele- ments in the network design.
Page 156 Network load control 8.6 VLANs VLAN Gelb VLAN Grün MACH 3002 VLAN Grün VLAN Gelb MICE VLAN Gelb VLAN Grün Figure 41: Example of a VLAN Key words often used in association with VLANs are: Ingress rule The ingress rules stipulate how incoming data is to be handled by the Switch.
Page 157 Network load control 8.6 VLANs Egress rule The egress rules stipulate how outgoing data is to be handled by the Switch. VLAN identifier The assignment to a VLAN is effected via a VLAN ID. Every VLAN exist- ing in a network is identified by an ID. This ID must be unique, i.e. every ID may only be assigned once in the network.
Page 158: Configuring Vlans
VLAN ID "0" remains in the packet, regardless of set- ting of the port VLAN ID in the "VLAN Port" dialog. Note: For Power MICE and MACH 4000 in "Transparent mode", the de- vices ignore the VLAN tag when receiving. Set the VLAN membership of the ports of all VLANs to untagged.
Page 159 MICE (from rel. 3.0) or Power MICE MS 20, MS 30 MACH 1000 MACH 4000 MACH 3000 (from rel. 3.3) OCTOPUS Note: In the HIPER-Ring configuration, select for the ring ports VLAN ID 1 and "Ingress Filtering" in the port table and VLAN membership U in the static VLAN table.
Page 160 Network load control 8.6 VLANs Note: In the Network/Ring Coupling configuration, select for the cou- pling and partner coupling ports VLAN ID 1 and "Ingress Filtering" in the port table and VLAN membership U in the static VLAN table. Basic - L3P Release 4.0 11/07...
Page 161: Example Of A Simple Vlan
Network load control 8.6 VLANs 8.6.3 Example of a simple VLAN The following example provides a quick introduction to configuring a VLAN as it is often done in practice. The configuration is performed step by step. 149.218.112.76 VLAN Brown ID = 1 Network VLAN Yellow VLAN Green...
Page 162 Network load control 8.6 VLANs Figure 43: Creating a VLAN Figure 44: Entering a VLAN ID Basic - L3P Release 4.0 11/07...
Page 163 Network load control 8.6 VLANs Repeat the Creating a VLAN and Entering a VLAN ID steps for all VLANs. Figure 45: Assigning a VLAN any name and saving it Basic - L3P Release 4.0 11/07...
Page 164 Network load control 8.6 VLANs Figure 46: Defining the VLAN membership of the ports. Ports 1.1 to 1.3 are assigned to the terminal devices of the Yellow VLAN, and ports 2.1 to 2.4 are assigned to terminal devices of the Green VLAN.
Page 165 Network load control 8.6 VLANs Figure 47: Saving the VLAN configuration Figure 48: Assigning the VLAN ID, Acceptable Frame Types and Ingress Filter- ing to the ports and saving Basic - L3P Release 4.0 11/07...
Page 166 Network load control 8.6 VLANs Ports 1.1 to 1.3 are assigned to the terminal devices of the Yellow VLAN and thus to VLAN ID 2, and ports 2.1 to 2.4 are assigned to terminal de- vices of the Green VLAN and thus to VLAN ID 3. Because terminal de- vices usually do not sent data packets with a tag, you select the admitAll setting here.
Page 167 Network load control 8.6 VLANs Figure 50: Saving the configuration to non-volatile memory Basic - L3P Release 4.0 11/07...
Page 168 Network load control 8.6 VLANs Basic - L3P Release 4.0 11/07...
Page 169: Operation Diagnosis
Operation diagnosis 9 Operation diagnosis The Switch provides you with the following diagnostic tools for the operation diagnosis: Sending traps Monitoring device status Out-of-band signaling via signal contact Port status indication Event counter at port level SFP status indication TP cable diagnostics Topology discovery Reports Monitoring the data traffic of a port (port mirroring)
Page 170: Sending Traps
Operation diagnosis 9.1 Sending traps 9.1 Sending traps If unusual events occur during normal operation of the Switch, they are re- ported immediately to the management station. This is done by means of what are called traps - alarm messages - that bypass the polling procedure ("Polling"...
Page 171: Snmp Trap Listing
Operation diagnosis 9.1 Sending traps 9.1.1 SNMP trap listing All the possible traps that the Switch can send are listed in the following table. Trap name Meaning authenticationFailure is sent if a station attempts to access an agent without permission. coldStart is sent for both cold and warm starts during the boot process after successful management initialization.
Page 172: Snmp Traps When Booting
Operation diagnosis 9.1 Sending traps 9.1.2 SNMP traps when booting The Switch sends the ColdStart trap during every booting. Basic - L3P Release 4.0 11/07...
Page 173: Configuring Traps
Operation diagnosis 9.1 Sending traps 9.1.3 Configuring traps Select the Diagnostics:Alarms (Traps) dialog. This dialog allows you to determine which events trigger an alarm (trap) and where these alarms should be sent. Select "Create entry". In the "Address" column, enter the IP address of the management station to which the traps should be sent.
Page 174 Operation diagnosis 9.1 Sending traps The events which can be selected are: Name Meaning Authentication The switch has rejected an unauthorized access attempt (see the Access for IP Addresses and Port Security dialog). Cold Start The Switch has been switched on. Link Down At one port of the switch, the link to the device connected there has been interrupted.
Page 175: Monitoring The Device Status
The removal of a module (for modular devices). The removal of the ACA. Failure of a fan (MACH 4000). The defective link status of at least one port. With the Switch, the indica- tion of link status can be masked by the management for each port...
Page 176: Configuring The Device Status
Operation diagnosis 9.2 Monitoring the device status Note: With non-redundant voltage supply, the Switch reports the absence of a supply voltage. You can prevent this message by feeding the supply volt- age over both inputs, or by switching off the monitoring (see on page 12 "Monitoring correct operation via the signal contact").
Page 177 Operation diagnosis 9.2 Monitoring the device status Time of the oldest existing alarm Cause of the oldest existing alarm Symbol indicates the Device Status Figure 52: Device status and alarm display Switch to the Priviledged EXEC mode. exit Display the device status and the setting for the show device-status device status determination.
Page 178: Out-Of-Band Signaling
Operation diagnosis 9.3 Out-of-band signaling 9.3 Out-of-band signaling The signal contact is used to control external devices and monitor the oper- ation of the Switch, thus enabling remote diagnostics. A break in contact is reported via the potential-free signal contact (relay con- tact, closed circuit): Incorrect supply voltage, the failure of at least one of the two supply voltages,...
Page 179: Controlling The Signal Contact
Operation diagnosis 9.3 Out-of-band signaling 9.3.1 Controlling the signal contact With this mode you can remotely control every signal contact individually. Application options: Simulation of an error during SPS error monitoring. Remote control of a device via SNMP, such as switching on a camera. Select the Diagnostics:Signal Contact 1/2) dialog.
Page 180: Monitoring Correct Operation Via The Signal Contact
Operation diagnosis 9.3 Out-of-band signaling 9.3.2 Monitoring correct operation via the signal contact Configuring the operation monitoring Select the Diagnostics:Signal Contact dialog. Select "Monitoring correct operation" in the "Mode signal contact" frame to use the contact for operation monitoring. In the "Monitoring correct operation" frame, you select the events you want to monitor.
Page 181: Monitoring The Device Status Via The Signal Contact
Operation diagnosis 9.3 Out-of-band signaling Figure 53: Signal contact dialog Switch to the Priviledged EXEC mode. exit Displays the status of the operation monitoring show signal-contact 1 and the setting for the status determination. 9.3.3 Monitoring the device status via the signal contact The "Device Status"...
Page 182: Port Status Indication
Operation diagnosis 9.4 Port status indication 9.4 Port status indication Select the Basics:System dialog. The device view shows the Switch with the current configuration. The symbols underneath the device view represent the status of the individ- ual ports. Figure 54: Meaning of the symbols: The port (10, 100 Mbit/s, 1, 10 Gbit/s) is enabled and the connection is OK.
Page 183: Event Counter At Port Level
Operation diagnosis 9.5 Event counter at port level 9.5 Event counter at port level The port statistics table enables experienced network administrators to iden- tify possible problems in the network. This table shows you the contents of various event counters. In the Restart menu item, you can reset all the event counters to zero using "Warm start", "Cold start"...
Page 184 Operation diagnosis 9.5 Event counter at port level Figure 55: Port Statistics dialog Basic - L3P Release 4.0 11/07...
Page 185: Displaying The Sfp Status
Operation diagnosis 9.6 Displaying the SFP status 9.6 Displaying the SFP status The SFP status display allows you to look at the current connections to the SFP modules and their properties. The properties include: module type support provided in media module temperature in degrees Celsius transmission power in milliwatts reception power in milliwatts...
Page 186: Tp Cable Diagnosis
Operation diagnosis 9.7 TP cable diagnosis 9.7 TP cable diagnosis The TP cable diagnosis allows you to check the connected cables for short circuits or interruptions. Note: While the check is being carried out, the data traffic at this port is sus- pended.
Page 187: Topology Discovery
Operation diagnosis 9.8 Topology discovery 9.8 Topology discovery 9.8.1 Description of topology discovery IEEE 802.1AB describes the Link Layer Discovery Protocol (LLDP). LLDP enables the user to have automatic topology recognition for his LAN. A device with active LLDP sends its own connection and management information to neighboring devices of the shared LAN, once these devices have also activated LLDP.
Page 188: Displaying The Topology Discovery
LLDP packets. Thus a non-LLDP-capable device between two LLDP-capa- ble devices prevents LLDP information exchange between these two devic- es. To get around this, Hirschmann Switches send and receive additional LLDP packets with the Hirschmann Multicast MAC address 01:80:63:2F:FF:0B. Hirschmann Switches with the LLDP function are thus also able to exchange LLDP information with each other via devices that are not LLDP-capable.
Page 189 Operation diagnosis 9.8 Topology discovery This dialog allows you to switch on/off the topology discovery function (LLDP). The topology table shows you the collected information for neighboring devices. This information enables the network manage- ment station to map the structure of your network. The option "Show LLDP entries exclusively"...
Page 190 Operation diagnosis 9.8 Topology discovery If several devices are connected to one port, for example via a hub, the table will contain one line for each connected device. devices with active topology discovery function and devices without active topology discovery function are connected to a port, the topology table hides the devices without active topology discovery.
Page 191: Detecting Ip Address Conflicts
Operation diagnosis 9.9 Detecting IP address conflicts 9.9 Detecting IP address con- flicts 9.9.1 Description of IP address conflicts By definition, each IP address may only be assigned once within a subnet- work. Should two or more devices erroneously share the same IP address within one subnetwork, this will inevitably lead to malfunctions, including communication disruptions with devices that have this IP address.In his In- ternet draft, Stuart Cheshire describes a mechanism that industrial Ethernet...
Page 192: Configuring Acd
Operation diagnosis 9.9 Detecting IP address conflicts 9.9.2 Configuring ACD Select the Diagnostics:IP Address Conflict Detection dialog. With "Status" you enable/disable the IP address conflict detection or select the operating mode (see table 18). 9.9.3 Displaying ACD Select the Diagnostics:IP Address Conflict Detection dialog. Basic - L3P Release 4.0 11/07...
Page 193 Operation diagnosis 9.9 Detecting IP address conflicts This dialog logs the IP address conflicts that the Switch detects if it detects a conflict with its IP address. For each conflict, the Switch logs: the time the conflicting IP address the MAC address of the device with which the IP address conflict- For each IP address, the Switch logs a line with the last conflict that occurred.
Page 194: Reports
Operation diagnosis 9.10 Reports 9.10Reports The following reports are available for the diagnostics: Log file The log file is an HTML file in which the switch writes all the important de- vice-internal events System information. The system information is an HTML file containing all system-relevant da- System information.
Page 195 Operation diagnosis 9.10 Reports Index IP Address Severity Port Status ----- ----------------- ---------- ---- ------------- 10.0.1.159 error Active Basic - L3P Release 4.0 11/07...
Page 196: Monitoring Port Traffic (Port Mirroring)
Operation diagnosis 9.11 Monitoring port traffic (port mirroring) 9.11Monitoring port traffic (port mirroring) In port mirroring, the valid data packets of one port, the source port, are cop- ied to another, the destination port. The data traffic at the source port is not influenced by port mirroring.
Page 197 Operation diagnosis 9.11 Monitoring port traffic (port mirroring) Select the source port whose data traffic you want to observe. Select the destination port to which you have connected your man- agement tool. Select "enabled" to switch on the function. The "Delete" button in the dialog allows you to reset all the port mirroring settings of the device to the state on delivery.
Page 198 Operation diagnosis 9.11 Monitoring port traffic (port mirroring) Basic - L3P Release 4.0 11/07...
Page 199: A Setting Up Configuration Environment
Setting up configuration environment A Setting up configuration environment Basic - L3P Release 4.0 11/07...
Page 200: Setting Up Dhcp/Bootp Server
Setting up configuration environment A.1 Setting up DHCP/BOOTP server A.1 Setting up DHCP/BOOTP server On the CD-ROM supplied with the Switch you will find the software for a DHCP server from the software development company IT-Consulting Dr. Herbert Hanewinkel. You can test the software for 30 calendar days from the date of the first installation, and then decide whether you want to purchase a license.
Page 201 Setting up configuration environment A.1 Setting up DHCP/BOOTP server Figure 62: DHCP setting To enter the configuration profiles, select Options:Configuration Profiles in the menu bar. Enter the name of the new configuration profile and click Add. Figure 63: Adding configuration profiles Enter the network mask and click Accept.
Page 202 Setting up configuration environment A.1 Setting up DHCP/BOOTP server Figure 64: Network mask in the configuration profile Select the Boot tab page. Enter the IP address of your tftp server. Enter the path and the file name for the configuration file. Click Apply and then OK.
Page 203 Setting up configuration environment A.1 Setting up DHCP/BOOTP server Add a profile for each device type. If devices of the same type have different configurations, then you add a profile for each configuration. To complete the addition of the configuration profiles, click OK. Figure 66: Managing configuration profiles To enter the static addresses, click Static in the main window.
Page 204 Setting up configuration environment A.1 Setting up DHCP/BOOTP server Figure 68: Adding static addresses Enter the MAC address of the Switch. Enter the IP address of the Switch. Select the configuration profile of the Switch. Click Apply and then OK. Figure 69: Entries for static addresses Add an entry for each device that will get its parameters from the DHCP server.
Page 205 Setting up configuration environment A.1 Setting up DHCP/BOOTP server Figure 70: DHCP server with entries Basic - L3P Release 4.0 11/07...
Page 206: Setting Up Dhcp Server Option
Setting up configuration environment A.2 Setting up DHCP Server Option 82 A.2 Setting up DHCP Server Option 82 On the CD-ROM supplied with the Switch you will find the software for a DHCP server from the software development company IT-Consulting Dr. Herbert Hanewinkel.
Page 207 Setting up configuration environment A.2 Setting up DHCP Server Option 82 Figure 72: DHCP setting To enter the static addresses, click New. Figure 73: Adding static addresses Select Circuit Identifier and Remote Identifier. Basic - L3P Release 4.0 11/07...
Page 208 ID cl: length of the circuit ID hh: Hirschmann ID: 01 if a Hirschmann Switch is connected to the port, otherwise 00. vvvv: VLAN ID of the DHCP request (default: 0001 = VLAN 1) ss: socket of Switch at which the module with that port is located to which the device is connected.
Page 209 Setting up configuration environment A.2 Setting up DHCP Server Option 82 Figure 75: Entering the addresses Switch (Option 82) h H h H MACH 3002 MICE MAC-Adresse = IP = 00:80:63:10:9a:d7 149.218.112.100 DHCP-Server IP = 149.218.112.1 IP = 149.218.112.100 Figure 76: Application example of using Option 82 Basic - L3P Release 4.0 11/07...
Page 210: Tftp Server For Software Updates
Setting up configuration environment A.3 tftp server for software updates A.3 tftp server for software updates On delivery, the Switch software is held in the local flash memory. The Switch boots the software from the flash memory. Software updates can be performed via a tftp server. This presupposes that a tftp server has been installed in the connected network and that it is active.
Page 211: Setting Up The Tftp Process
Setting up configuration environment A.3 tftp server for software updates A.3.1 Setting up the tftp process General prerequisites: The local IP address of the Switch and the IP address of the tftp server or the gateway are known to the Switch. The TCP/IP stack with tftp is installed on tftp server.
Page 212 Setting up configuration environment A.3 tftp server for software updates Note: The command "ps" does not always show the tftp daemon, al- though it is actually running. Special steps for HP workstations: During installation on an HP workstation, enter the user tftp in the file /etc/passwd.
Page 213 Setting up configuration environment A.3 tftp server for software updates Checking the tftp process Edit the file /etc/inetd.conf Is tftp* commented out? Delete the comment character »#« from this line Re-initialize inetd.conf by entering kill-1 PID Problems with the tftp server? cd /tftpboot/mice tftp <tftp-Servername>...
Page 214: Software Access Rights
Setting up configuration environment A.3 tftp server for software updates A.3.2 Software access rights The agent needs read permission for the tftp directory on which the Switch software is stored. Example of a UNIX tftp server Once the Switch software has been installed, the tftp server should have the following directory structure with the stated access rights: File name Access...
Page 215: Preparing Access Via Ssh
Setting up configuration environment A.4 Preparing access via SSH A.4 Preparing access via SSH To be able to access the Switch via SSH, you will need: a key to install the key on the Switch to enable access via SSH on the Switch and a program for executing the SSH protocol on your computer.
Page 216: Uploading The Key
Setting up configuration environment A.4 Preparing access via SSH Figure 78: PuTTY key generator The OpenSSH Suite offers experienced network administrators a further op- tion for generating the key. To generate the key, enter the following com- mand: ssh-keygen(.exe) -q -t rsa1 -f rsa1.key -C '' -N '' A.4.2 Uploading the key The Command Line Interface enables you to upload the SSH key to the Switch.
Page 217: Access Via Ssh
Setting up configuration environment A.4 Preparing access via SSH Store the key file on your tftp server. With the enable command, you switch to the privileged EXEC mode. With the command "no ip ssh", deactivate the SSH function on the Switch before you transfer the key to the Switch.
Page 218 Setting up configuration environment A.4 Preparing access via SSH Figure 79: Security alert prompt for the fingerprint Check the fingerprint to protect yourself from unwelcome guests. Your fin- gerprint is located in the "Key" frame of the PuTTY key generator (see fig.
Page 219 Setting up configuration environment A.4 Preparing access via SSH The OpenSSH Suite offers experienced network administrators a further op- tion of accessing your Switch via SSH. To set up the connection, enter the following command: ssh admin@149.218.112.53 -cdes admin represents the user name 149.218.112.53 is the IP address of your Switch -cdes specifies the encryption for SSHv1 Basic - L3P...
Page 220 Setting up configuration environment A.4 Preparing access via SSH Basic - L3P Release 4.0 11/07...
Page 221: B General Information
General information B General information Basic - L3P Release 4.0 11/07...
Page 222: Management Information Base (Mib)
General information B.1 Management Information Base (MIB) B.1 Management Information Base (MIB) The Management Information Base (MIB) is designed in the form of an ab- stract tree structure. The branching points are the object classes. The "leaves" of the MIB are called generic object classes.
Page 223 General information B.1 Management Information Base (MIB) Vendor = manufacturer (Hirschmann) Definition of the syntax terms used: Integer An integer in the range 0 - 2 IP address xxx.xxx.xxx.xxx (xxx = integer in the range 0-255) MAC address 12-digit hexadecimal number in accor-...
Page 224 7 udp 11 snmp 16 rmon 17 dot1dBridge 26 snmpDot3MauMGT Figure 81: Tree structure of the Hirschmann MIB A complete description of the MIB can be found on the CD-ROM included with the device. Basic - L3P Release 4.0 11/07...
Page 225: Abbreviations Used
General information B.2 Abbreviations used B.2 Abbreviations used AutoConfiguration Adapter Access Control List BOOTP Bootstrap Protocol Command Line Interface DHCP Dynamic Host Configuration Protocol) Forwarding Database GARP General Attribute Registration Protocol GMRP GARP Multicast Registration Protocol http Hypertext Transfer Protocol ICMP Internet Control Message Protocol IGMP...
Page 226: List Of Rfc's
General information B.3 List of RFC's B.3 List of RFC's RFC 768 (UDP) RFC 783 (TFTP) RFC 791 (IP) RFC 792 (ICMP) RFC 793 (TCP) RFC 826 (ARP) RFC 854 (Telnet) RFC 855 (Telnet Option) RFC 951 (BOOTP) RFC 1112 (IGMPv1) RFC 1157 (SNMPv1) RFC 1155 (SMIv1) RFC 1212 (Concise MIB Definitions)
Page 227 General information B.3 List of RFC's RFC 2574 (User Based Security Model for SNMP v3) RFC 2575 (View Based Access Control Model for SNMP) RFC 2576 (Coexistence between SNMP v1,v2 & v3) RFC 2578 (SMI v2) RFC 2579 (Textual Conventions for SMI v2) RFC 2580 (Conformance statements for SMI v2) RFC 2613 (SMON) RFC 2618 (RADIUS Authentication Client MIB)
Page 228: Based Specifications And Standards
IEEE 802.3 - 2002 Ethernet IEEE 802.3 ac VLAN Tagging IEEE 802.3 ad Link Aggregation with Static LAG and LACP support (Power MICE and MACH 4000) IEEE 802.3 x Flow Control IEEE 802.1 af Power over Ethernet Basic - L3P...
Page 229: Technical Data
General information B.5 Technical Data B.5 Technical Data VLAN VLAN ID 1 to 4042 (MACH 4000: 3966) Number of VLANs max. 256 simultaneously per Switch max. 256 simultaneously per port Number of VLANs in GMRP in VLAN 1 max. 256 simultaneously per Switch max.
Page 230: Copyright Of Integrated Software
General information B.6 Copyright of integrated software B.6 Copyright of integrated software B.6.1 Bouncy Castle Crypto APIs (Java) The Legion Of The Bouncy Castle Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies...
Page 231: Lvl7 Systems, Inc
General information B.6 Copyright of integrated software B.6.2 LVL7 Systems, Inc. (c) Copyright 1999-2006 LVL7 Systems, Inc. All Rights Reserved. Basic - L3P Release 4.0 11/07...
Page 232: Reader´s Comments
General information B.7 Reader´s comments B.7 Reader´s comments What is your opinion of this manual? We are always striving to provide as comprehensive a description of our product as possible, as well as important information that will ensure trouble-free operation. Your comments and sug- gestions help us to further improve the quality of our documentation.
Page 233 Zip code / City: Date / Signature: Dear User, Please fill out and return this page by fax to the number +49 (0)7127/14-1798 or by mail to Hirschmann Automation and Control GmbH Department AMM Stuttgarter Str. 45-51 72654 NeckartenzlingenGermany Germany Basic - L3P...
Page 234 General information B.7 Reader´s comments Basic - L3P Release 4.0 11/07...
Page 235: C Index
Index C Index 38, 54, 55, 65, 67, 174 Data transfer parameter Access Destination address 124, 125, 129 Access Control Lists Destination address field Access rights 60, 76 Destination port Access security Destination table Device status DHCP 25, 33, 48, 54 Address conflict DHCP client Address Conflict Detection...
Page 236 Index Object description IANA Object ID IEEE 1588 time Operating mode IEEE 802.1 Q Operation monitoring IEEE 802.1X Option 82 25, 48, 206 IEEE MAC address Ordinary clock IGMP Overload protection IGMP Snooping 126, 128 Industry protocols Ingress Filter Password 19, 22, 60, 77, 79 Ingress filter Ingress rules...
Page 237 Index Router trap Trap Destination Table Trivial File Transfer Protocol Segmentation trust dot1p Service trust ip-dscp Service provider Type field Set time from PC Type of Service Signal contact 72, 174, 178, 180 Signal runtime Signaling relay Simple Network Time Protocol Unicast Simple PTP mode Universal Time Coordinated...
Page 238 Index User Manual - Industrial Protocols Release 4.0 11/07...
Page 239: D Further Support
Further support D Further support Technical questions and training courses In the event of technical queries, please talk to the Hirschmann contract partner responsible for looking after your account or directly to the Hirschmann office. You can find the addresses of our contract partners on the Internet: www.hirschmann-ac.com.

This manual is also suitable for:

Power mice

Hirschmann MACH 4000 User Manual

1 Access to the User Interfaces

2 Entering the IP Parameters

3 Loading/Saving Settings

4 Loading Software Updates

5 Configuring the Ports

6 Protection from Unauthorized Access

7 Synchronizing the System Time in the Network

8 Network Load Control

9 Operation Diagnosis

Quick Links

User Manual

Basic Configuration

Related Manuals for Hirschmann MACH 4000

Summary of Contents for Hirschmann MACH 4000

This manual is also suitable for:

Table of Contents