Hirschmann Power MICE User Manual

User Manual
Basic Configuration
Industrial ETHERNET Gigabit Switch
Power MICE, MACH 4000
Basic - L3P
Technical Support
Release 3.1 06/07
HAC-Support@hirschmann.de


Summary of Contents for Hirschmann Power MICE

  • Page 1 User Manual Basic Configuration Industrial ETHERNET Gigabit Switch Power MICE, MACH 4000 Basic - L3P Technical Support Release 3.1 06/07 HAC-Support@hirschmann.de...
  • Page 2 This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication.
  • Page 3: Table Of Contents

    Contents: About this Manual; Introduction; Access to the user interfaces; System monitor; Command Line Interface; Web based Interface; Entering the IP parameters; Basics IP parameter; 2.1.1 IP address (version 4); 2.1.2 Network mask; 2.1.3 Example of how the network mask is used; Entering the IP parameters via CLI; Entering the IP parameters via HiDiscovery; Loading the system configuration from the ACA...
  • Page 4 Contents Loading/saving settings Loading settings 3.1.1 Loading from the local non-volatile memory 3.1.2 Loading from the AutoConfiguration Adapter 3.1.3 Loading from a file 3.1.4 Resetting the configuration to the state on delivery Saving settings 3.2.1 Saving Locally (and on the ACA) 3.2.2 Saving into a file on URL 3.2.3 Saving into a binary file on the PC 3.2.4 Saving as script on the PC...
  • Page 5 Contents Port Authentication 6.5.1 Description Port-Based Network Access Control (802.1X) 6.5.2 Authentication process 6.5.3 Preparing the switch for the 802.1X port authentication 6.5.4 Setting 802.1X Access Control Lists (ACL) 6.6.1 Description of IP-based ACLs 6.6.2 Description of MAC-based ACLs 6.6.3 Configuring IP ACLs 6.6.4 Configuring MAC ACLs 6.6.5 Configuring priorities with IP ACLs 6.6.6 Specifying the sequence of the rules...
  • Page 6 Contents Rate Limiter 8.3.1 Description Rate Limiter 8.3.2 Setting Rate Limiter for MACH 4000 and Power MICE Prioritization 8.4.1 Description Prioritization 8.4.2 Tagging 8.4.3 IP ToS / DiffServ 8.4.4 Handling of received priority information 8.4.5 Handling of priority classes 8.4.6 Setting Prioritization Flow control 8.5.1 Description Flow control...
  • Page 7 A.3.2 Software access rights Preparing for access via SSH A.4.1 Creating a key A.4.2 Uploading the key A.4.3 Access via SSH Appendix B:General Information Hirschmann Competence Management Information BASE MIB Used abbreviations List of RFC's Based IEEE standards Technical Data Copyright of integrated software B.8.1 Bouncy Castle Crypto APIs (Java)
  • Page 8 Contents Appendix C: Index
  • Page 9: About This Manual

    About this Manual: The “Basic Configuration” user manual contains all the information you need to start operating the switch. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The following thematic sequence has proven itself in practice: Set up device access for operation by entering the IP parameters; Check the status of the software and update it if necessary...
  • Page 10 About this Manual You will find detailed descriptions of how to operate the individual functions in the “Web-based Interface” and “Command Line Interface” reference manuals. If you use Network Management Software HiVision you have further opportunities to: have an event logbook. configure the „System Location“...
  • Page 11: Key

    The designations used in this manual have the following meanings: List V Work step Subheading Indicates a cross-reference with a stored link. Note: A note emphasizes an important fact or draws your attention to a dependency. Courier font ASCII representation in user interface Execution in the Web-based Interface user interface Execution in the Command Line Interface user interface Symbols used:...
  • Page 12 Symbols used: a random computer; configuration computer; server.
  • Page 13: Introduction

    Introduction: The Switch has been developed for practical application in a harsh industrial environment. Accordingly, the installation process has been kept simple. Thanks to the selected default settings, you only have to enter a few settings before starting to operate the Switch.
  • Page 15: Access To The User Interfaces

    Access to the user interfaces 1 Access to the user interfaces The Switch has three user interfaces, which you can access via different interfaces: System monitor via the V.24 interface (out-of-band) Command Line Interface (CLI) via the V.24 connection (out-of-band) and Telnet (in-band) Web-based interface via Ethernet (in-band) Basic - L3P...
  • Page 16: System Monitor

    Access to the user interfaces 1.1 System monitor 1.1 System monitor The system monitor enables you to select the boot operating software, update the operating software, start the selected operating software, end the system monitor, erase the saved configuration and show the bootcode information.
  • Page 17 Access to the user interfaces 1.1 System monitor < PowerMICE MS4128-5 (Boot) Release: 1.00 Build: 2005-09-17 15:36 > Press <1> to enter System Monitor 1 ... Fig. 1: Screenshot during the boot process V Press the <1> key within one second to start system monitor 1.
  • Page 18 Access to the user interfaces 1.1 System monitor System Monitor (Selected OS: L3P-01.0.00-K16 (2005-10-31 19:32)) Select Boot Operating System Update Operating System Start Selected Operating System End (reset and reboot) Erase main configuration file sysMon1> Fig. 2: System monitor 1 screen display V Select the desired menu by entering the number.
  • Page 19: Command Line Interface

    Access to the user interfaces 1.2 Command Line Interface: The Command Line Interface allows you to use all device functions via a local or a remote connection. The command line interface provides IT specialists with a familiar environment for configuring IT devices.
  • Page 20 Access to the user interfaces 1.2 Command Line Interface Copyright (c) 2004-2005 Hirschmann Automation and Control GmbH All rights reserved PowerMICE Release L3P-01.0.00-K16 (Build date 2005-10-31 19:32) System Name: PowerMICE Mgmt-IP 149.218.112.105 1.Router-IP: 0.0.0.0 Base-MAC 00:80:63:51:74:00 System Time: 2005-11-01 16:00:59 User: Fig.
  • Page 21 NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. the syntax of a particular command form, please consult the documentation. (Hirschmann PowerMICE) > Fig. 4: CLI screen after login Basic - L3P...
  • Page 22: Web Based Interface

    Access to the user interfaces 1.3 Web based Interface: The user-friendly Web-based interface gives you the option of operating the Switch from any location in the network via a standard browser such as Mozilla Firefox or Microsoft Internet Explorer. As a universal access tool, the Web browser uses an applet which communicates with the Switch via the Simple Network Management Protocol (SNMP).
  • Page 23 Access to the user interfaces 1.3 Web based Interface V Start your Web browser. V Make sure that you have activated JavaScript and Java in the security settings of your browser. V Establish the connection by entering the IP address of the Switch that you want to administer via the Web-based network management in the address field of the Web browser.
  • Page 24 Access to the user interfaces 1.3 Web based Interface V The password “public”, with which you have read permission, appears in the password field. If you wish to access the Switch with write permission, then highlight the contents of the password field and overwrite it with the password “private”...
  • Page 25: Entering The Ip Parameters

    Entering the IP parameters 2 Entering the IP parameters: IP address(es) must be entered when the Switch is installed for the first time. The Switch provides 6 options for entering the IP parameters during the first installation: Using the Command Line Interface (CLI). Choose this “out-of-band”...
  • Page 26 Entering the IP parameters Using DHCP Option 82. Choose this “in-band” method if you want to configure the installed Switch using DHCP Option 82. You need a DHCP server with Option 82 for this. The DHCP server assigns the configuration data to the Switch using its physical connection (see “System Configuration via DHCP Option 82”...
  • Page 27: Basics Ip Parameter

    Entering the IP parameters 2.1 Basics IP parameter 2.1 Basics IP parameter 2.1.1 IP address (version 4) The IP addresses consist of 4 bytes. These 4 bytes are written in decimal notation, separated by a decimal point. Since 1992, five classes of IP address have been defined in the RFC 1340. Class Network address Host address...
  • Page 28: Network Mask

    Entering the IP parameters 2.1 Basics IP parameter [Address class layout: Class A: Net ID 7 bits, Host ID 24 bits; Class B: Net ID 14 bits, Host ID 16 bits; Class C: Net ID 21 bits, Host ID 8 bits; Class D: Multicast Group ID 28 bits]...
  • Page 29 Entering the IP parameters 2.1 Basics IP parameter Example of a network mask: Decimal notation 255.255.192.0 Binary notation 11111111.11111111.11000000.00000000 Subnetwork mask bits Class B Example of IP addresses with subnetworks assignment when the above subnet mask is applied: Decimal notation 129.218.65.17 128 <...
  • Page 30: Example Of How The Network Mask Is Used

    Entering the IP parameters 2.1 Basics IP parameter 2.1.3 Example of how the network mask is used: In a large network it is possible that gateways and routers separate the management agent from its management station. How does addressing work in such a case? Romeo Juliet...
  • Page 31 Entering the IP parameters 2.1 Basics IP parameter Lorenzo receives the letter and removes the outer envelope. From the inner envelope he recognizes that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list (the ARP table) for Juliet's MAC address.
  • Page 32: Entering The Ip Parameters Via Cli

    Entering the IP parameters 2.2 Entering the IP parameters via CLI: If you do not configure the system via BOOTP/DHCP, DHCP Option 82, the HiDiscovery protocol or the ACA AutoConfiguration Adapter, then perform the configuration via the V.24 interface using the Command Line Interface: Entering IP addresses Connect the PC with terminal program started to the RJ11 socket...
  • Page 33 'normal' and 'no' command forms. the syntax of a particular command form, please consult the documentation. (Hirschmann PowerMICE) > V Change to privileged EXEC mode by entering enable and then press the Enter key. V Disable DHCP by entering network protocol none and then press the Enter key.
  • Page 34 (Hirschmann PowerMICE) >en (Hirschmann PowerMICE) #network protocol none (Hirschmann PowerMICE) #network parms 149.218.112.105 255.255.255.0 (Hirschmann PowerMICE) #copy system:running-config nvram:startup-config Are you sure you want to save? (y/n) y Copy OK: 15811 bytes copied...
  • Page 35: Entering The Ip Parameters Via Hidiscovery

    Entering the IP parameters 2.3 Entering the IP parameters via HiDiscovery: The HiDiscovery protocol enables you to assign IP parameters to the Switch via the Ethernet. You can easily configure additional parameters with the Web-based management (see Reference manual “Web-based Interface”).
  • Page 36 Entering the IP parameters 2.3 Entering the IP parameters via HiDiscovery When HiDiscovery is started, it automatically searches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first PC network card found. If your computer has several network cards, you can select these in HiDiscovery on the toolbar.
  • Page 37: Loading The System Configuration From The Aca

    Entering the IP parameters 2.4 Loading the system configuration from the ACA: The ACA is a device for storing the configuration data of a Switch and for storing the Switch software. In the case of a Switch failure, the ACA enables a very simple configuration data transfer by means of a substitute Switch of the same type.
  • Page 38 Entering the IP parameters 2.4 Loading the system configuration from the ACA [Flowchart: Start Switch; ACA present? (no/yes); Default password in Switch? (no/yes); Password in Switch and ACA identical? (no/yes); Load configuration from ACA (ACA LEDs blink synchronously) or load configuration from local memory (ACA LEDs blink alternately); Configuration data...]
  • Page 39: System Configuration Via Bootp

    Entering the IP parameters 2.5 System configuration via BOOTP 2.5 System configuration via BOOTP During startup operation via BOOTP (bootstrap protocol) the Switch receives its configuration data according to the “BOOTP process” flowchart (see Fig. 13). Note: In its state on delivery, the Switch gets its configuration data from the BOOTP server.
  • Page 40 Entering the IP parameters 2.5 System configuration via BOOTP switch_01:ht=ether net:ha=008063086501:ip=149.218.17.83:tc=.global: switch_02:ht=ether net:ha=008063086502:ip=149.218.17.84:tc=.global: Lines that start with a '#' character are comment lines. The lines under “.global:” make the configuration of several devices easier. With the template (tc) you allocate the global configuration data (tc=.global:). The direct allocation of hardware address and IP address occurs in the device lines (switch-0...).
  • Page 41 Entering the IP parameters 2.5 System configuration via BOOTP [Flowchart, part 1: Start-up; Load default configuration; Switch in initialization; Switch runs with settings from local flash; DHCP/BOOTP? Send DHCP/BOOTP requests; Reply from DHCP/BOOTP server? Save IP parameter and config file URL locally; initialize IP stack with IP parameters...]
  • Page 42 Entering the IP parameters 2.5 System configuration via BOOTP [Flowchart, part 2: Load remote configuration from URL of DHCP? Start tftp process with config file URL of DHCP; tftp successful? Load transferred config file; Save transferred config file locally and set boot configuration to local; Loading of configuration data...]
  • Page 43: System Configuration Via Dhcp

    Entering the IP parameters 2.6 System configuration via DHCP 2.6 System configuration via DHCP The DHCP (dynamic host configuration protocol) responds similarly to the BOOTP and offers in addition the configuration of a DHCP client with a name instead of the MAC address. For the DHCP, this name is known as the “client identifier”...
  • Page 44 Entering the IP parameters 2.6 System configuration via DHCP The special feature of DHCP in contrast to BOOTP is that the server can only provide the configuration parameters for a certain period of time (“lease”). When this time period (“lease duration”) expires, the DHCP client must attempt to renew the lease or negotiate a new one.
  • Page 45 Entering the IP parameters 2.6 System configuration via DHCP # Host hugo requests IP configuration # with his client identifier. host hugo { # option dhcp-client-identifier "hugo"; option dhcp-client-identifier 00:68:75:67:6f; fixed-address 149.218.112.83; server-name "149.218.112.11"; filename "/agent/config.dat"; Lines that start with a '#' character are comment lines. The lines preceding the individually listed devices refer to settings that apply to all the following devices.
  • Page 46: System Configuration Via Dhcp Option

    Entering the IP parameters 2.7 System Configuration via DHCP Option 82 2.7 System Configuration via DHCP Option 82 As with the classic DHCP, on startup an agent receives its configuration data according to the “BOOTP/DHCP process” flow chart (see Fig. 13).
  • Page 47: System Configuration Via The Web-Based Interface

    Entering the IP parameters 2.8 System configuration via the Web-based 2.8 System configuration via the Web-based Interface With the dialog Basics:Network you define the source from which the Switch gets its network parameters after starting, assign IP parameters and VLAN ID and configure the HiDiscovery access. Fig.
  • Page 48 Entering the IP parameters 2.8 System configuration via the Web-based Interface V Enter the parameters according to the selected mode on the right. V You enter the system name applicable to the DHCP protocol in the System dialog of the Web-based Interface, in the “Name” line. V In the “Local”...
  • Page 49: Faulty Device Replacement

    Entering the IP parameters 2.9 Faulty Device Replacement 2.9 Faulty Device Replacement There are two plug-and-play solutions available for replacing a faulty Switch with a Switch of the same type (Faulty Device Replacement): First, you can configure the new switch using an AutoConfiguration Adapter (see “Loading the system configuration from the ACA”...
  • Page 51: Loading/Saving Settings

    Loading/saving settings 3 Loading/saving settings: The Switch saves settings such as the IP parameters and the port configuration in the temporary memory. These settings are lost when you switch off or reboot the device. The Switch enables you to save settings from the temporary memory in a permanent memory, and to load settings from a permanent memory into the temporary memory.
  • Page 52: Loading Settings

    Loading/saving settings 3.1 Loading settings 3.1 Loading settings During restart, the Switch automatically loads its configuration data from the local non-volatile memory, provided that you have not activated BOOTP/ DHCP and that no ACA is connected to the Switch. During operation, the Switch enables you to load settings from the following sources: the local non-volatile memory, the AutoConfiguration Adapter.
  • Page 53: Loading From The Local Non-Volatile Memory

    Loading/saving settings 3.1 Loading settings 3.1.1 Loading from the local non-volatile memory When loading the configuration data locally, the Switch loads the configuration data from the local permanent memory if no ACA is connected to the Switch. V Select the Basics:Load/Save dialog. V Click in the “Load”-frame “Local”.
  • Page 54: Loading From A File

    Loading/saving settings 3.1 Loading settings 3.1.3 Loading from a file: The Switch allows you to load the configuration data from a file in the connected network if there is no AutoConfiguration Adapter connected to the Switch. V Select the Basics:Load/Save dialog. V Click in the “Load”-frame “from URL”, if you want the Switch to load the configuration data from a file and to retain the locally saved configuration.
  • Page 55 Loading/saving settings 3.1 Loading settings Fig. 17: Dialog Load/Save V Enter the enable command to change to the Privileged EXEC mode. V Enter the command copy tftp://149.218.112.159/switch/config.dat nvram:startup-config if you want the switch to load the configuration data from a tftp server in the connected network.
  • Page 56: Resetting The Configuration To The State On Delivery

    Loading/saving settings 3.1 Loading settings 3.1.4 Resetting the configuration to the state on delivery: The Switch gives you the option to either reset the current configuration to the state on delivery (the locally saved configuration remains), or reset the Switch to the state on delivery. After restarting, the IP address is also in the original delivery state.
  • Page 57: Saving Settings

    Loading/saving settings 3.2 Saving settings: The Switch enables you to save the settings you have made locally, locally and on the ACA, or into a file. 3.2.1 Saving Locally (and on the ACA) The Switch allows you to save the current configuration data in the local permanent memory and the ACA.
  • Page 58: Saving Into A File On Url

    Loading/saving settings 3.2 Saving settings 3.2.2 Saving into a file on URL The Switch allows you to save the current configuration data in a file in the connected network. V Select the Basics:Load/Save dialog. V In the “Save” frame, click on “in URL (binary)”...
  • Page 59: Saving Into A Binary File On The Pc

    Loading/saving settings 3.2 Saving settings 3.2.3 Saving into a binary file on the PC The Switch allows you to save the current configuration data in a binary file on your PC. V Select the Basics:Load/Save dialog. V Click in the “Save”-frame „to PC (binary)“. V Enter in the "Save"-window the file name under which you want the Switch to save the configuration file.
  • Page 61: Loading Software Updates

    Hirschmann is continuously working on improving the performance of its products. So it is possible that you may find a more up-to-date release of the Switch software on the Hirschmann Internet site than the release that you have on your Switch.
  • Page 62 Loading Software Updates Loading the software The Switch gives you three options for loading the software: From the ACA 21-USB (out-of-band) Via tftp from a tftp server (in-band) Via a file selector window from your PC Note: The existing configuration of the Switch is still there after the new software is installed.
  • Page 63: Loading The Software From The Aca

    Loading Software Updates 4.1 Loading the Software from the ACA: Like a usual USB stick, you can also connect the ACA 21-USB to a USB port of your PC and copy the Switch software to the main directory of the ACA 21-USB.
  • Page 64 Loading Software Updates 4.1 Loading the Software from the ACA Select Operating System Image (Available OS: Selected: 1.00 (2004-08-26 07:15), Backup: 1.00 (2004-08-26 07:15), Locally selected: 1.00 (2004-08-26 07:15)) Swap OS images Copy image to backup Test stored images in Flash mem. Test stored images in USB mem.
  • Page 65: Starting The Software

    Loading Software Updates 4.1 Loading the Software from the ACA Test stored images in USB memory Select 4 to test if the stored images of the software in the ACA 21-USB contain valid codes. Apply and store selection Select 5 to apply and store the selection of the software. Cancel selection Select 6 to cancel the selection and leave this dialogue without changes.
  • Page 66: Loading The Software From The Tftp Server

    Loading Software Updates 4.2 Loading the Software from the tftp Server 4.2 Loading the Software from the tftp Server For a tftp update you need a tftp server on which the software to be loaded is stored (see “tftp server for software updates” on page 207).
  • Page 67 Loading Software Updates 4.2 Loading the Software from the tftp Server V After the loading procedure has been completed successfully, activate the new software as follows: Select the Basics:Restart dialog and perform a cold start. V After booting the switch, click “Reload” in your browser to re-enable your access to the Switch.
  • Page 68: Loading Software Via File Selector

    Loading Software Updates 4.3 Loading Software via file selector 4.3 Loading Software via file selector For an update via a file selector window you need the Switch software on a drive which you can reach via your PC. V Select the Basics:Software dialog. V In the file selection frame, click on “...”.
  • Page 69: Configuring Ports

    Configuring ports 5 Configuring ports: The port configuration consists of: Switching the port on and off, Selecting the operation mode, Displaying connection error messages, Configuring Power over Ethernet. Switching the port on and off In the state on delivery, all ports are switched on. To enhance access security, switch off the ports which you do not wish to connect.
  • Page 70 The Power over Ethernet function is activated globally and on all ports by default. System power for MS20/MS30 and Power MICE The Switch provides the rated system performance for the sum of all PoE ports plus a surplus. Because the PoE media module gets its operating voltage externally, the Switch does not know the possible system power.
  • Page 71 Configuring ports V Select the dialog Basics: Power over Ethernet. V With “Function On/Off” you turn PoE either on or off. V “Send trap” allows the switch to send a trap in the following cases: – Whenever a value exceeds or falls below the performance threshold.
  • Page 72 Configuring ports Fig. 20: Power over Ethernet dialog
  • Page 73: Protection From Unauthorized Access

    Protection from unauthorized access 6 Protection from unauthorized access Protect your network from unauthorized access. The Switch provides you with the following functions for protecting against unauthorized access. Password for SNMP access, Setting the SSH/Telnet/Web-Based access, Disabling the HiDiscovery function, Port access control via IP- or MAC-address, Authentication according to 802.1X, Access Control Lists.
  • Page 74: Password For Snmp Access

    Protection from unauthorized access 6.1 Password for SNMP access 6.1 Password for SNMP access 6.1.1 Description Password for SNMP access A network management station communicates with the Switch via the Simple Network Management Protocol. Every SNMP packet contains the IP address of the sending computer and the password under which the sender of the packet wants to access the Switch MIB.
  • Page 75: Entering Password For Snmp Access

    Protection from unauthorized access 6.1 Password for SNMP access 6.1.2 Entering password for SNMP access V Select the Security:Password / SNMPv3 access dialog. This dialog gives you the option of changing the read and read/write passwords for access to the Switch via Web-based Interface/CLI/ SNMP.
  • Page 76 Protection from unauthorized access 6.1 Password for SNMP access Fig. 21: Password dialog Important: If you do not know a password with read/write access, you will not have write access to the Switch! Note: After changing the password for write access, restart the Web interface in order to access the Switch.
  • Page 77 Protection from unauthorized access 6.1 Password for SNMP access V Select the Security:SNMPv1/v2 Access dialog. This dialog gives you the option to select the access via SNMPv1 or SNMPv2. In the state on delivery both protocols are enabled. Thus you can manage the Switch via HiVision and communicate with earlier versions of SNMP.
  • Page 78 Protection from unauthorized access 6.1 Password for SNMP access Fig. 22: Dialog SNMPv1/v2 access V To create a new line in the table click "Create entry". V To delete an entry select the line in the table and click "Delete".
  • Page 79: Setting Telnet/Web/Ssh Access

    Protection from unauthorized access 6.2 Setting Telnet/Web/SSH access 6.2 Setting Telnet/Web/SSH access 6.2.1 Description Telnet/Web access The Telnet server of the Switch allows you to configure the Switch using the Command Line Interface (in-band). You can switch off the Telnet server to prevent Telnet access to the Switch.
  • Page 80: Description Of Ssh Access

    Protection from unauthorized access 6.2 Setting Telnet/Web/SSH access 6.2.3 Description of SSH access The SSH server of the Switch allows you to configure the Switch by using the Command Line Interface (in-band) (see “Preparing for access via SSH” on page 212).
  • Page 81: Enabling/Disabling Telnet/Web/Ssh Access

    Protection from unauthorized access 6.2 Setting Telnet/Web/SSH access 6.2.4 Enabling/disabling Telnet/Web/SSH access V Select the Security:Telnet/Web/SSH Access dialog. V Switch off the server to which you wish to disable access. V Enter the command enable to switch to the privileged EXEC mode. V Enter the command transport input telnet to switch on the telnet server.
  • Page 82: Disabling Hidiscovery Function

    Protection from unauthorized access 6.3 Disabling HiDiscovery function 6.3 Disabling HiDiscovery function 6.3.1 Description HiDiscovery protocol The HiDiscovery protocol (see “Entering the IP parameters via HiDiscovery” on page 35) allows you to assign an IP address to the Switch on the basis of its MAC address.
  • Page 83: Disabling Hidiscovery Function

    Protection from unauthorized access 6.3 Disabling HiDiscovery function 6.3.2 Disabling HiDiscovery function V Select the Basics:Network dialog. V Switch off the HiDiscovery function in the “HiDiscovery Protocol” frame, or limit access to “read-only”. V Enter the command enable to switch to the privileged EXEC mode. V Enter the command network protocol hidiscovery off to switch off the HiDiscovery function.
  • Page 84: Port Access Control

    Protection from unauthorized access 6.4 Port access control 6.4.1 Description port access control: The Switch protects every port from unauthorized access. Depending on your choice, the Switch checks the MAC address or the IP address of the connected device. The following functions are available for monitoring every individual port: Who has access to this port? The Switch recognizes 2 classes of access control:...
  • Page 85: Defining Port Access Control

    Protection from unauthorized access 6.4 Port access control 6.4.2 Defining port access control V Select the Security:Port Security dialog. V First select, whether you wish the MAC based or the IP based port security. V If you have selected MAC based you enter in the “Allowed MAC addresses”...
  • Page 86 Protection from unauthorized access 6.4 Port access control Fig. 23: Port Security dialog Note: This entry in the port configuration table is part of the configuration (“Loading/saving settings” on page 51) and is saved together with the configuration. Note: An alarm (trap) can only be sent if at least one recipient is entered under “Configuring traps”...
  • Page 87: Port Authentication

    Switch exchange the authentication data via the Extensible Authentication Protocol (EAP), while the Switch and the server exchange the authentication data via the RADIUS protocol. [Figure: Radius Server; Switch/Authenticator (Power MICE); 802.1X Supplicant] Fig. 24: Radius server connection
  • Page 88: Authentication Process

    Protection from unauthorized access 6.5 Port Authentication 6.5.2 Authentication process: A supplicant tries to communicate via a Switch port. The Switch requests authentication from the supplicant. At that time only EAPOL traffic is permitted between the supplicant and the Switch. The supplicant replies with its identification data.
  • Page 89: Setting 802.1X

    Protection from unauthorized access 6.5 Port Authentication 6.5.4 Setting 802.1X Configuring the Radius server V Select the Security:802.1x Port Authentication:RADIUS-Server dialog. This dialog allows you to enter the data for one, two or three Radius servers. V Click on “Create entry” to open the dialog window for entering the IP address of a Radius server.
  • Page 90: Access Control Lists (Acl)

    Protection from unauthorized access 6.6 Access Control Lists (ACL): Access Control Lists (ACL) provide you with the option of filtering, forwarding, redirecting or prioritising data packets on receipt. The Switch offers MAC-based ACLs and IP-based ACLs. The switch considers the ACLs when it receives a packet.
  • Page 91: Description Of Ip-Based Acls

    “Specifying the sequence of the rules” on page 100). Note: With Power MICE and MACH 4000, you can use either MAC-based or IP-based ACLs for each interface. With MACH 4002-24G/48G, you can use both MAC-based and IP-based ACLs for each interface.
  • Page 92: Description Of Mac-Based Acls

    Protection from unauthorized access 6.6 Access Control Lists (ACL) Note: If you use IP ACLs at ports which belong to a HIPER-Ring or which are part of a Ring/Network Coupling add the following rule to the ACLs: PERMIT Protocol: UDP Source IP: ANY Destination IP: 0.0.0.0/32 Source Port: 0...
  • Page 93 Protection from unauthorized access 6.6 Access Control Lists (ACL) PERMIT Source MAC: ANY Destination MAC: 00:80:63:00:00:00 Destination MAC mask: 01:00:00:ff:ff:ff CLI Command: in Config-mac-access mode: permit any 00:80:63:00:00:00 01:00:00:ff:ff:ff Note: If you are using MAC ACLs at ports located in the MRP-Ring, you add the following rule to the ACLs: PERMIT Source MAC: ANY...
  • Page 94: Configuring Ip Acls

    Protection from unauthorized access 6.6 Access Control Lists (ACL) 6.6.3 Configuring IP ACLs Example: Extended ACL IP: 10.0.1.11/24 IP: 10.0.1.13/24 Interface: 2.3 Interface: 3.1 Interface: 1.3 Interface: 2.1 IP: 10.0.1.159/24 IP: 10.0.1.158/24 B and C are not allowed to communicate with A. Switch to the privileged EXEC mode.
  • Page 95: Configuring Mac Acls

    Protection from unauthorized access 6.6 Access Control Lists (ACL) show ip access-lists 100 ACL ID: 100 Rule Number: 1 Action......... deny Match All........FALSE Protocol........255(ip) Source IP Address......10.0.1.11 Source IP Mask......... 0.0.0.0 Destination IP Address......10.0.1.158 Destination IP Mask......0.0.0.0 Rule Number: 2 Action.........
  • Page 96 Protection from unauthorized access 6.6 Access Control Lists (ACL) Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Create the extended ACL “ipx-apple”. mac access-list extended ipx-apple Add the rule “deny IPX” to the list. deny any any ipx Add the rule “deny AppleTalk”...
  • Page 97: Configuring Priorities With Ip Acls

    Protection from unauthorized access 6.6 Access Control Lists (ACL) 6.6.5 Configuring priorities with IP ACLs Example: Extended ACL with prioritizing using IP precedence (Layer 3), “IP ToS / DiffServ” on page 139. Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Create the extended ACL 102 with the first rule.
  • Page 98 Protection from unauthorized access 6.6 Access Control Lists (ACL) show access-lists 102 ACL ID: 102 Rule Number: 1 Action......... permit Match All........FALSE Protocol........255(ip) IP Precedence........0 Assign Queue........2 Rule Number: 2 Action......... permit Match All........FALSE Protocol........255(ip) IP Precedence........
  • Page 99 Protection from unauthorized access 6.6 Access Control Lists (ACL) Switch to the configuration mode. configure Switch to the interface configuration mode for interface 2/1 Interface 2/1. Attach ACL 102 to interface 2/1. ip access-group 102 in Switch to the configuration mode. exit Switch to the privileged EXEC mode.
  • Page 100: Specifying The Sequence Of The Rules

    Protection from unauthorized access 6.6 Access Control Lists (ACL) Switch to the configuration mode. configure Switch to the interface configuration mode for interface 2/1. Interface 2/1 Attach ACL 104 to interface 2/1. ip access-group 104 in Switch to the configuration mode. exit Switch to the privileged EXEC mode.
  • Page 101 Protection from unauthorized access 6.6 Access Control Lists (ACL) show access-lists interface 2/1 in ACL Type ACL ID Sequence Number -------- ------------------------------- ---------------
  • Page 103: Synchronizing The System Time Of The Network

    Synchronizing the System Time of the 7 Synchronizing the System Time of the Network The real meaning of the term real time depends on the time requirements of the application. The Switch provides two options with different levels of accuracy for synchronizing the time in your network.
  • Page 104: Entering The Time

    Synchronizing the System Time of the 7.1 Entering the Time 7.1 Entering the Time If there is no reference clock available, you can enter the system time in the Switch so that you can use it like a reference clock (see “PTP Global”...
  • Page 105 Synchronizing the System Time of the 7.1 Entering the Time V Enter the command enable to switch to the privileged EXEC mode. V Enter the command configure to change to the configuration mode. V Enter the command sntp time <YYYY-MM-DD HH:MM:SS> to set the Switch system time.
  • Page 106: Sntp

    Synchronizing the System Time of the 7.2 SNTP 7.2 SNTP 7.2.1 Description SNTP SNTP has a hierarchical structure. The SNTP Server places the UTC (Universal Time Coordinated) at disposal. The UTC is the time which is referenced to Universal Time Coordinated. The display is the same worldwide. Local time differences are not taken into account.
  • Page 107: Preparing The Sntp Configuration

    Synchronizing the System Time of the 7.2 SNTP 7.2.2 Preparing the SNTP configuration V To gain an overview of how the system time is passed on, draw a network plan which shows all devices involved in SNTP. Please bear in mind that the accuracy of the system time depends on signal runtime.
  • Page 108: Configuring Sntp

    Synchronizing the System Time of the 7.2 SNTP 7.2.3 Configuring SNTP V Select the Time:SNTP dialog. Configuration SNTP Client and Server V In this frame you switch the SNTP function on/off. When it is switched off, the SNTP server does not send any SNTP packets and does not reply to any SNTP requests.
  • Page 109 Synchronizing the System Time of the 7.2 SNTP Configuration SNTP-Client V In “External Server Address” you enter the IP address of the SNTP server from which the Switch periodically obtains the system time. V In “Redundant Server Address” you enter the IP address of the SNTP server from which the Switch periodically obtains the system time, if the Switch does not receive an answer from the “external server address”...
  • Page 110 Synchronizing the System Time of the 7.2 SNTP Switch 149.218.112.1 149.218.112.2 149.218.112.3 Function Anycast destination address 0.0.0.0 0.0.0.0 0.0.0.0 Server VLAN ID Anycast send interval Client External server address 149.218.112.0 149.218.112.1 149.218.112.2 Server request interval Accept SNTP Broadcasts Tab. 5: Settings for the example (see Fig.
  • Page 111: Precision Time Protocol

    Synchronizing the System Time of the 7.3 Precision Time Protocol 7.3 Precision Time Protocol 7.3.1 Function description PTP The requirement for running time-critical applications over a LAN is a precise time management system. The IEEE 1588 standard with the Precision Time Protocol (PTP) describes a procedure that is based on the principle that one clock is the most precise and makes it possible to synchronize all clocks within a LAN.
  • Page 112 Synchronizing the System Time of the 7.3 Precision Time Protocol Cable delays; device delays The communication protocol defined by IEEE 1588 makes it possible to measure cable delays. Formulas for calculating the current time eliminate delays. Accuracy of local clocks The communication protocol defined by IEEE 1588 takes into account the inaccuracy of local clocks in relationship to the reference clock.
  • Page 113 Synchronizing the System Time of the 7.3 Precision Time Protocol The cable delays are relatively constant. Changes occur very slowly. This fact is taken into account by IEEE 1588 by performing measurements and calculations on a regular basis. IEEE 1588 ignores the inaccuracy caused by device delays and device jitter through the definition of “boundary clocks”.
  • Page 114: Preparing The Ptp Configuration

    Synchronizing the System Time of the 7.3 Precision Time Protocol Ordinary Clock Reference (Grandmaster Clock) Switch PTP Subdomain 1 Boundary Clock PTP Subdomain 2 Fig. 30: PTP subdomains 7.3.2 Preparing the PTP configuration After the function is activated, the PTP takes over the configuration automatically.
  • Page 115: Configuring Ptp

    7.3.3 Configuring PTP In the dialog Time:PTP:Global, you can enable/disable the function and make the PTP settings on the devices MS20/30 and Power MICE which are to apply to all ports. PTP Global V Select the Time:PTP:Global dialog.
  • Page 116 Synchronizing the System Time of the 7.3 Precision Time Protocol Fig. 31: PTP Global dialog Application example: PTP is used to synchronize the time in the network. As an SNTP client, the left Switch gets the time from the NTP server via SNTP. The Switch assigns clock stratum “2”...
  • Page 117 Synchronizing the System Time of the 7.3 Precision Time Protocol Fig. 32: Example of PTP synchronization (reference Switch with RT module as Grandmaster Clock; Switches with RT module 10.0.1.116 and 10.0.1.112 and 10.0.1.2 as Boundary Clock; Switches without RT module 10.0.1.105 and 10.0.1.106 as Ordinary Clock) Switch 10.0.1.112...
  • Page 118: Interaction Ptp And Sntp

    Synchronizing the System Time of the 7.4 Interaction PTP and SNTP 7.4 Interaction PTP and SNTP According to PTP and SNTP, both protocols are permitted to coexist in one network. However, since both protocols influence the system time of the device, situations may occur in which both protocols compete with each other.
  • Page 119 Synchronizing the System Time of the 7.4 Interaction PTP and SNTP Application example: The requirements made to network time accuracy are rather high, however the terminal devices exclusively support SNTP (see Fig. 33). Switch 149.218.112.1 149.218.112.2 149.218.112.3 Operation Clock Mode ptp-mode- ptp-mode- ptp-mode-...
  • Page 121: Traffic Control

    Traffic control 8 Traffic control To optimize the data transmission, the Switch provides you with the following functions for controlling the network load: Settings for directed frame forwarding (MAC address filter) Multicast settings Rate Limiter Prioritization Flow control Virtual LANs
  • Page 122: Directed Frame Forwarding

    Traffic control 8.1 Directed frame forwarding 8.1 Directed frame forwarding Directed frame forwarding is a method used by the Switch to avoid unnecessary increases in the network load. The Switch features the following directed frame forwarding functions: Store-and-forward Multiaddress capability Aging of learned addresses Static address entries Disabling the specific packet distribution...
  • Page 123: Aging Of Learned Addresses

    Traffic control 8.1 Directed frame forwarding The Switch can learn up to 8000 addresses. This becomes necessary if more than one terminal device is connected to one or more ports. It is thus possible to connect several independent subnetworks to the Switch. 8.1.3 Aging of learned addresses The Switch monitors the age of the learned addresses.
  • Page 124: Entering Static Address Entries

    Traffic control 8.1 Directed frame forwarding 8.1.4 Entering static address entries One of the most important functions of a Switch is the filter function. It selects data packets according to certain defined patterns called filters. These patterns are associated with switching rules. This means that a data packet received at the port of a Switch is compared to the patterns.
  • Page 125: Disabling The Specific Packet Distribution

    Traffic control 8.1 Directed frame forwarding V Select the Switching:Filter for MAC addresses dialog. In the filtering table each row represents one filter. Filters specify the way in which data packets are sent. They are set automatically by the Switch (learned status) or manually. Data packets whose destination addresses are entered in the table are sent from the receiving port to the ports marked in the table.
  • Page 126: Multicast Application

    Traffic control 8.2 Multicast application 8.2 Multicast application 8.2.1 Description multicast application The data distribution in the LAN distinguishes between three distribution classes with reference to the addressed recipient: Unicast - one recipient Multicast - a group of recipients Broadcast - every recipient that can be reached In the case of a Multicast address, Switches pass on all the data packets with a Multicast address to all the ports.
  • Page 127: Example Of A Multicast Application

    Traffic control 8.2 Multicast application 8.2.2 Example of a multicast application The cameras for machine surveillance normally transmit their images to monitors located in the machine room and in the monitoring room. In an IP transmission, a camera sends its image data with a multicast address over the network.
  • Page 128: Description Igmp Snooping

    Traffic control 8.2 Multicast application 8.2.3 Description IGMP snooping The Internet Group Management Protocol (IGMP) describes the distribution of Multicast information between routers and terminal devices on the Layer 3 level. Routers with an active IGMP function periodically send queries to find out which IP Multicast group members are connected to the LAN.
  • Page 129: Description Gmrp

    Traffic control 8.2 Multicast application 8.2.4 Description GMRP The GARP Multicast Registration Protocol (GMRP) describes the distribution of data packets with a multicast address as the target address on layer 2. Devices that want to receive data packets with a multicast address as the target address carry out the registration of the multicast address with the aid of the GMRP.
  • Page 130 Traffic control 8.2 Multicast application IGMP Querier With “IGMP Querier active” you can switch the Query function on/ off. The Protocol check boxes allow you to select IGMP version 1, 2 or version 3. Unknown Multicasts "Send to Query Ports", the Switch sends the packets with an unknown MAC/IP multicast address to all query ports.
  • Page 131 Traffic control 8.2 Multicast application Static Query Port A Switch sends IGMP report messages to the ports at which it receives IGMP queries. This column allows you to also send IGMP report messages to other selected ports. Learned Query Port A Switch sends IGMP report messages to the ports at which it receives IGMP queries.
  • Page 132 Traffic control 8.2 Multicast application Fig. 35: IGMP dialog
  • Page 133: Rate Limiter

    A global setting activates/deactivates the rate limiter function at all ports. 8.3.2 Setting Rate Limiter for MACH 4000 and Power MICE V Select the Switching:Rate Limiter dialog. “Ingress Limiter (kbit/s)” allows you to enable or disable...
  • Page 134 = 0, no rate limit for outbound broadcast packets at this port. > 0, maximum rate limit for outbound broadcast packets sent at this port. Fig. 36: Load limiter for MACH 4000 and Power MICE
  • Page 135: Prioritization

    The Switch supports four (eight for MACH 4000 and Power MICE) priority queues (traffic classes in compliance with IEEE 802.1D-1998). The assignment of received data packets to these classes depends on Access Control Lists (MAC or IP based ACLs).
  • Page 136: Tagging

    Traffic control 8.4 Prioritization 8.4.2 Tagging The VLAN tag is integrated into the MAC data frame for the VLAN and prioritization functions in accordance with the IEEE 802.1Q standard. The VLAN tag consists of 4 Bytes. It is inserted between the source address field and the type field.
  • Page 137 Traffic control 8.4 Prioritization Fig. 37: Ethernet data packet with tag (payload 42-1500 Octets; frame min. 64, max. 1522 Octets) Fig. 38: Tag format (4 Octets)
  • Page 138 Traffic control 8.4 Prioritization Although VLAN prioritizing is widespread in the industry sector, it has a number of limitations: The additional 4-byte VLAN tag enlarges the data packets. With small data packets, this leads to a larger bandwidth load. End-to-end prioritizing requires the transfer of the VLAN tags in the entire network, which means that all network components must be VLAN-capable.
  • Page 139: Ip Tos / Diffserv

    Traffic control 8.4 Prioritization 8.4.3 IP ToS / DiffServ Type of Service The Type of Service field (ToS) in the IP header (see Fig. 39) has been part of the IP protocol from the start, and is used to differentiate different services in IP networks. Even back then, there were ideas about differentiated treatment of IP packets, due to the limited bandwidth available and the unreliable connection paths.
  • Page 140 Traffic control 8.4 Prioritization Differentiated Services The newly defined Differentiated Services field in the IP header in RFC 2474 (see Fig. 40), often known as the DiffServ code point or DSCP, replaces the ToS field and is used to mark the individual packets with a DSCP.
  • Page 141 Traffic control 8.4 Prioritization The PHB class selector assigns the 7 possible IP precedence values from the old TOS field to particular DSCP values, thus ensuring the downwards compatibility. ToS Meaning Precedence Value Assigned DSCP Network Control CS7 (111000) Internetwork Control CS6 (110000) Critical CS5 (101000)
  • Page 142: Handling Of Received Priority Information

    Traffic control 8.4 Prioritization DSCP Value DSCP Name Priority Class (default setting) 49-55 57-63 Table 11: Mapping the DSCP values onto the priority classes 8.4.4 Handling of received priority information The Switch provides three options for selecting how it handles received data packets that contain priority information.
  • Page 143 Traffic control 8.4 Prioritization Strict priority Weighted Fair Queuing Strict Priority combined with Weighted Fair Queuing Default: Strict Priority. Description Strict Priority With Strict priority, the Switch sends all data packets with a higher priority level before it sends a data packet with the next lower priority level. Thus the Switch does not send a data packet with the next lower priority until there are no other data packets waiting in the queue.
  • Page 144: Setting Prioritization

    Traffic control 8.4 Prioritization Description of Traffic Shaping With Traffic Shaping, you have the option of restricting the maximum bandwidth of an interface or an individual priority class. The values for bandwidth restriction are in the range of 0 % to 100 % in jumps of 5 %.
  • Page 145 Traffic control 8.4 Prioritization Assigning the VLAN priority to the priority classes Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Assign the priority class 4 to the VLAN priority 0. classofservice dot1p-mapping 0 4 Assign the priority class 4 to the VLAN priority 1.
  • Page 146 Traffic control 8.4 Prioritization Assigning the priority class to a DSCP (MACH 4002-24G/48G) Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Assign the priority class 5 to DSCP CS6. classofservice ip-dscp-mapping cs6 5 show classofservice ip-dscp-mapping IP DSCP Traffic Class -------------...
  • Page 147 Traffic control 8.4 Prioritization Configuration of Weighted Fair Queuing and Traffic Shaping Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Disable Strict Priority for the priority classes 0 to 5 no cos-queue strict 0 1 2 3 and thus enable Weighted Fair Queuing.
  • Page 148 Traffic control 8.4 Prioritization Configuration of traffic shaping at an interface Switch to the privileged EXEC mode. enable Switch to the configuration mode. configure Switch to the interface configuration mode for interface 1/2. Interface 1/2 Restrict the maximum bandwidth of Interface 1/2 to 50%. traffic-shape 50
  • Page 149: Flow Control

    Traffic control 8.5 Flow control 8.5 Flow control 8.5.1 Description Flow control Flow control is a mechanism which acts as an overload protection. During periods of heavy traffic it holds off additional traffic. In the example (see fig. 41) the functioning of flow control is displayed graphically.
  • Page 150: Setting Flow Control

    Traffic control 8.5 Flow control Flow control with a full duplex link In the example (see fig. 41) there is a full duplex link between Workstation 2 and the Switch. Before the send queue of Port 2 overflows, the Switch sends a request to Workstation 2 to include a small break in the sending transmission.
  • Page 151: Vlans

    Traffic control 8.6 VLANs 8.6 VLANs 8.6.1 Description VLANs A virtual LAN (VLAN) consists of a group of network participants in one or more network segments who can communicate with each other as if they belonged to the same LAN. VLAN Yellow VLAN Green MACH 3002...
  • Page 152 Traffic control 8.6 VLANs VLANs are based on logical (instead of physical) links and are flexible elements in the network design. The biggest advantage of VLANs is the possibility of forming user groups based on the participant function and not on their physical location or medium.
  • Page 153 Traffic control 8.6 VLANs Member set The member set is a list of ports belonging to a VLAN. Every VLAN has a member set. Untagged set The untagged set is a list of the ports of a VLAN which send data packets without a tag.
  • Page 154: Configuring Vlans

    In this mode the VLAN-ID “0” is retained in the packet, regardless of the setting of the port VLAN ID in the “VLAN Port” dialog. Note: For Power MICE and MACH 4000 In “transparent mode”, the devices ignore the VLAN tags when they receive data.
  • Page 155 RS2 xx/xx (from Vers. 7.00), RS2-16M, RS 20, RS 30, RS 40 MICE (from Rel. 3.0) or Power MICE MS 20, MS 30 MACH 1000 MACH 3000 (from Rel. 3.3) MACH 4000...
  • Page 156: Setting Up Vlans

    Traffic control 8.6 VLANs 8.6.3 Setting up VLANs V Select the Switching:VLAN:Static dialog. To set up VLANs, you first specify the desired VLANs in the VLAN static table: V After clicking on “Create”, you enter the appropriate VLAN ID. A new line appears in the table.
  • Page 157: Displaying The Vlan Configuration

    Traffic control 8.6 VLANs 8.6.4 Displaying the VLAN configuration V Select the Switching:VLAN:Current dialog. The Current table displays all locally configured VLANs and VLANs configured by GVRP. 8.6.5 Deleting the VLAN settings V Select the Switching:VLAN:Global dialog. The “Delete” button in the VLAN global dialog allows you to restore all the default VLAN settings of the device (state on delivery).
  • Page 158: Example Of A Simple Vlan

    Traffic control 8.6 VLANs 8.6.6 Example of a simple VLAN The following example provides a quick insight into configuring a VLAN that is commonly found in practice. The configuration is explained step by step. 149.218.112.76 VLAN Brown ID = 1 Network VLAN Yellow VLAN Green...
  • Page 159 Traffic control 8.6 VLANs Fig. 44: Creating a VLAN Fig. 45: Entering a VLAN ID V Repeat the steps: Creating a VLAN and Entering a VLAN ID for all VLANs.
  • Page 160 Traffic control 8.6 VLANs Fig. 46: Assigning a VLAN any name and saving it
  • Page 161 Traffic control 8.6 VLANs Fig. 47: Defining the VLAN membership of the ports. Ports 1.1 to 1.3 are assigned to the terminal devices of the yellow VLAN and ports 2.1 to 2.4 to the terminal devices of the green VLAN. As terminal devices normally do not send data packets with a tag, the setting U must be selected here.
  • Page 162 Traffic control 8.6 VLANs Fig. 48: Saving the VLAN configuration
  • Page 163 Traffic control 8.6 VLANs Fig. 49: Assigning the VLAN ID, Acceptable Frame Types and Ingress Filtering to the ports and saving it Ports 1.1 to 1.3 are assigned to the terminal devices of the yellow VLAN and therefore VLAN ID 2, and ports 2.1 to 2.4 are assigned to the terminal devices of the green VLAN and hence VLAN ID 3.
  • Page 164 Traffic control 8.6 VLANs Fig. 50: Globally activating GVRP Fig. 51: Saving the configuration to non-volatile memory
  • Page 165: Operation Diagnostics

    Operation Diagnostics 9 Operation Diagnostics The Switch provides you with the following diagnostic tools for the function diagnosis: Sending traps Monitoring Device Status Out-of-band signaling via signal contact Port status indication Event counter on port level SFP status indication TP cable diagnosis Topology discovery Reports Monitoring the traffic of a port (Portmirroring)
  • Page 166: Sending Traps

    Operation Diagnostics 9.1 Sending traps 9.1 Sending traps If unusual events occur during normal operation of the Switch, they are reported immediately to the management station. This is done by means of so-called traps - alarm messages - that bypass the polling procedure (“Polling”...
  • Page 167: Snmp Trap Listing

    Operation Diagnostics 9.1 Sending traps 9.1.1 SNMP trap listing All possible traps that can occur are listed in the following table. Trap description Meaning authenticationFailure is sent if a station attempts to access an agent without permission. coldStart is sent for a cold and warm start during the boot process after successful management initialization.
  • Page 168: Snmp Traps When Booting

    Operation Diagnostics 9.1 Sending traps 9.1.2 SNMP traps when booting The ColdStart trap is sent during every boot procedure. 9.1.3 Configuring traps V Select the Diagnostics:Alarms (Traps) dialog. This dialog allows you to specify which events trigger an alarm (trap) and to whom these alarms should be sent.
  • Page 169 Operation Diagnostics 9.1 Sending traps Fig. 52: Alarms dialog The events which can be selected are: Name Meaning Authentication The Switch has rejected an unauthorized access attempt (see the Access for IP Addresses and Port Security dialog). Cold Start The Switch has been switched off. Link Down At one port of the Switch, the link to the device connected there has been interrupted.
  • Page 170 Operation Diagnostics 9.1 Sending traps Name Meaning Chassis encompasses the following events: – Power Supply: The status of a supply voltage has changed (see the System dialog). – Signaling Relay: The status of the signal contact has changed. To consider this event, enable “generate Trap” in the Diagnostics:Signal Contact 1/2 dialog.
  • Page 171: Monitoring Device Status

    Operation Diagnostics 9.2 Monitoring Device Status 9.2 Monitoring Device Status The device status provides an overview of the overall condition of the Switch. Many process visualization systems record the device status for a device in order to present its condition in graphic form. The Switch enables you to signal the device status out-of-band via a signal contact (see...
  • Page 172 Operation Diagnostics 9.2 Monitoring Device Status It depends on the management setting which events cause a contact to switch. Note: With non-redundant supply of the mains voltage, the Switch reports a power failure. You can prevent this message by applying the supply voltage over the two inputs or by switching off the monitoring (see “Monitoring correct operation via the signal contact”...
  • Page 173 Operation Diagnostics 9.2 Monitoring Device Status V Select the Basics:System dialog. Time of the oldest existing alarm Cause of the oldest existing alarm Symbol indicates the Device Status Fig. 53: Device Status display
  • Page 174: Out-Of-Band Signaling

    Operation Diagnostics 9.3 Out-of-band signaling 9.3 Out-of-band signaling The signal contacts are for: controlling external devices by manually setting the signal contacts; monitoring proper functioning of the Switch, which makes it possible to perform remote diagnostics. A break in contact is reported via the potential-free signal contact (relay contact, closed circuit): Faulty power supply: the failure of the supply voltage 1/2,...
  • Page 175: Manual Setting The Signal Contact

    Operation Diagnostics 9.3 Out-of-band signaling 9.3.1 Manually setting the signal contact This mode gives you the option of remotely switching each signal individually. Application options: Simulation of an error during SPS error monitoring. Remote control of a device via SNMP, such as switching on a camera. V Select the Diagnostics:Signal Contact 1/2 dialog.
  • Page 176: Monitoring Correct Operation Via The Signal Contact

    Operation Diagnostics 9.3 Out-of-band signaling 9.3.2 Monitoring correct operation via the signal contact Configuring the monitoring of correct operation V Select the Diagnostics:Signal Contact dialog. V Select “Monitoring correct operation” in the frame “Mode Signal contact”, to use the contact for function monitoring. V Select in the frame “Monitoring correct operation”...
  • Page 177: Monitoring The Device Status With A Signal Contact

    Operation Diagnostics 9.3 Out-of-band signaling Fig. 54: Signal contact dialog Display signal contact status Switch to the privileged EXEC mode. exit Displays the status of the function monitoring and the setting for the status determination. show signal-contact 1 9.3.3 Monitoring the Device Status with a signal contact The “Device status”...
  • Page 178: Port Status Indication

    Operation Diagnostics 9.4 Port status indication 9.4 Port status indication V Select the Basics:System dialog. The device view displays the Switch with the current configuration. The symbols underneath the device view represent the status of the individual ports. Fig. 55: Example of a device view Meaning of the symbols: The port (10, 100, 1000 MBit/s) is enabled and the connection is OK.
  • Page 179 Operation Diagnostics 9.4 Port status indication The port is in autonegotiation mode.
  • Page 180: Event Counter On Port Level

    Operation Diagnostics 9.5 Event counter on port level 9.5 Event counter on port level The port statistics table allows experienced network administrators to identify possible problems occurring in the network. This table shows you the contents of various event counters. In the menu item restart with "Restart Switch", "Hot restart"...
  • Page 181 Operation Diagnostics 9.5 Event counter on port level Fig. 56: Port statistic table
  • Page 182: Displaying The Sfp Status

    Operation Diagnostics 9.6 Displaying the SFP Status 9.6 Displaying the SFP Status By having the SFP status displayed you can view the current connection to the SFP modules and their properties. The properties include: module type, support provided in the media module temperature in degrees Celsius transmission power in milliwatts reception power in milliwatts...
  • Page 183: Tp Cable Diagnosis

    Operation Diagnostics 9.7 TP cable diagnosis 9.7 TP cable diagnosis The TP cable diagnosis allows you to check the connected cables for short circuits or interruptions. Note: While the check is being carried out, the data traffic at this port is suspended.
  • Page 184: Topology Discovery

    Operation Diagnostics 9.8 Topology discovery 9.8 Topology discovery 9.8.1 Description Topology discovery IEEE 802.1AB describes the Link Layer Discovery Protocol (LLDP). LLDP allows users to automatically detect the topology of their LANs. A device with active LLDP sends its own connection and management information to neighboring devices of the shared LAN, as far as they also have LLDP activated.
  • Page 185 LLDP packets. Consequently, a non-LLDP-capable device between two LLDP-capable devices prevents the exchange of LLDP information. To avoid this, Hirschmann Switches send additional LLDP packets to the Hirschmann Multicast-MAC address 01:80:63:2F:FF:0B. Hirschmann Switches with the LLDP function are thus also able to exchange LLDP information with each other via devices which themselves are not LLDP-capable.
  • Page 186: Displaying The Topology Discovery

    Operation Diagnostics 9.8 Topology discovery 9.8.2 Displaying the topology discovery V Select the Diagnostics:Topology Discovery dialog. This dialogue offers you the possibility to switch on/off the function for topology discovery (LLDP). The topology table shows you the selected information to neighbour devices.
  • Page 187 Operation Diagnostics 9.8 Topology discovery If several devices are connected to a port, for example via a hub, the table shows one line for each connected device. If devices with the topology discovery function active and devices without it are connected to the same port, the topology table hides the devices without active topology discovery.
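    The LLDP exchange described in 9.8.1, as an added example that is not part of this manual or of Hirschmann's software: a Python parser for the mandatory LLDP TLVs (Chassis ID, Port ID, TTL, plus the optional System Name) that accepts frames sent either to the IEEE 802.1AB nearest-bridge address 01:80:C2:00:00:0E or to the Hirschmann multicast address 01:80:63:2F:FF:0B named above. The sample frame, its source MAC address, port name and system name are constructed for the example. Because LLDP frames carry no authentication, any host on the segment can inject or spoof neighbor entries; a collector should treat the topology table as advisory and check that the chassis IDs it sees belong to known devices.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

LLDP_ETHERTYPE = 0x88CC
# IEEE 802.1AB "nearest bridge" address: a bridge never forwards it.
LLDP_NEAREST_BRIDGE = bytes.fromhex("0180c200000e")
# Hirschmann multicast address from the manual; an ordinary switch floods it.
HIRSCHMANN_LLDP_MAC = bytes.fromhex("0180632fff0b")

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_LOCAL = 4, 3, 7


@dataclass
class Neighbor:
    chassis_id: str
    port_id: str
    ttl: int
    system_name: str
    via_hirschmann_mac: bool


def parse_tlvs(lldpdu: bytes) -> List[Tuple[int, bytes]]:
    """Split an LLDPDU into (type, value) pairs.
    Each TLV starts with a 16-bit header: 7-bit type, 9-bit length."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(lldpdu):
            raise ValueError("TLV length runs past end of LLDPDU")
        tlvs.append((ttype, lldpdu[off:off + tlen]))
        off += tlen
        if ttype == TLV_END:
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")


def _decode_id(value: bytes, mac_subtype: int) -> str:
    """Chassis ID / Port ID value: one subtype byte, then the identifier."""
    if not value:
        raise ValueError("empty identifier TLV")
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype and len(ident) == 6:
        return ":".join(f"{b:02x}" for b in ident)
    return ident.decode("ascii", errors="replace")


def parse_frame(frame: bytes) -> Neighbor:
    """Parse one Ethernet frame carrying an LLDPDU into a Neighbor record."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, ethertype = frame[:6], struct.unpack_from("!H", frame, 12)[0]
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError(f"not an LLDP frame: ethertype 0x{ethertype:04x}")
    if dst not in (LLDP_NEAREST_BRIDGE, HIRSCHMANN_LLDP_MAC):
        raise ValueError("unexpected LLDP destination MAC")
    tlvs = parse_tlvs(frame[14:])
    # 802.1AB requires Chassis ID, Port ID and TTL first, in that order.
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    ttl = struct.unpack("!H", tlvs[2][1])[0]
    name = next((v.decode("ascii", errors="replace")
                 for t, v in tlvs if t == TLV_SYSTEM_NAME), "")
    return Neighbor(chassis_id=_decode_id(tlvs[0][1], CHASSIS_SUBTYPE_MAC),
                    port_id=_decode_id(tlvs[1][1], PORT_SUBTYPE_MAC),
                    ttl=ttl, system_name=name,
                    via_hirschmann_mac=(dst == HIRSCHMANN_LLDP_MAC))


def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_frame(src_mac: bytes, dst_mac: bytes, port: str, ttl: int, name: str) -> bytes:
    """Build a minimal LLDP frame; used here only to construct sample input."""
    lldpdu = (_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + src_mac)
              + _tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_LOCAL]) + port.encode())
              + _tlv(TLV_TTL, struct.pack("!H", ttl))
              + _tlv(TLV_SYSTEM_NAME, name.encode())
              + _tlv(TLV_END, b""))
    return dst_mac + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


# Constructed sample: a hypothetical switch announcing itself via the Hirschmann
# multicast address (source MAC, port name and system name are made up).
SAMPLE_FRAME = build_frame(bytes.fromhex("008063000001"), HIRSCHMANN_LLDP_MAC,
                           "1/3", 120, "mice-1")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

    A TTL of 0 is the 802.1AB shutdown announcement (the neighbor withdraws its entry); a collector that keys its table on chassis ID should age entries out at the advertised TTL rather than trusting a withdrawal from an unexpected source.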
  • Page 188: Ip Address Conflict Detection

    Operation Diagnostics 9.9 IP Address Conflict Detection 9.9.1 Description of IP address conflicts By definition, each IP address may only be assigned once within a subnetwork. Should two or more devices erroneously share the same IP address within one subnetwork, this will inevitably lead to malfunctions, including communication disruptions with the devices that have this IP address.
  • Page 189: Configuring Acd

    Operation Diagnostics 9.9 IP Address Conflict Detection 9.9.2 Configuring ACD V Select the dialog Diagnostics:IP Address Conflict Detection. V With “Status” you can enable or disable IP address conflict detection or select the operating mode (see Tab. 16 on page 188).
  • Page 190 Operation Diagnostics 9.9 IP Address Conflict Detection Fig. 59: IP address conflict detection
  • Page 191: Reports

    Operation Diagnostics 9.10 Reports For diagnosis purposes, the Switch allows you to use the following reports: Log File: the Log File is an HTML file in which the Switch records all important device-internal events. System Information: an HTML file containing all system-relevant data.
  • Page 192 Operation Diagnostics 9.10 Reports Syslog The Switch allows you to send messages concerning important device-internal events to up to 4 Syslog servers. Setting Syslog: enable (switch to the privileged EXEC mode); configure (switch to the configuration mode); logging host 10.0.1.159 514 3 (select the receiver of the log messages and its port 514).
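    A receiver-side check for the Syslog setting above, added here as an example that is not part of the manual or of the switch software: it parses RFC 3164 (BSD syslog) datagrams as a collector listening on 10.0.1.159 port 514 would receive them, drops datagrams whose source address is not one of the configured switches, and picks out events of severity warning or worse. The switch management address 10.0.1.10 and the message texts are assumed for the example and are not the switch's real log wording. UDP syslog carries no authentication or integrity protection and the source address is trivially spoofable, so the sender allowlist is only a sanity filter; keep the Syslog path on the management network.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical collector configuration: the switch in the CLI example logs to
# 10.0.1.159 port 514; its management address 10.0.1.10 is assumed here (not
# from the manual) and only datagrams from that address are accepted.
TRUSTED_SENDERS: Dict[str, str] = {"10.0.1.10": "mice-1"}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility * 8 + severity.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


@dataclass
class SyslogEvent:
    sender_ip: str
    facility: str
    severity: str
    severity_num: int      # 0 = emerg ... 7 = debug
    timestamp: str
    host: str
    message: str


def parse_datagram(sender_ip: str, payload: str) -> Optional[SyslogEvent]:
    """Parse one UDP payload; None for untrusted senders or malformed text."""
    if sender_ip not in TRUSTED_SENDERS:
        return None
    m = _SYSLOG_RE.match(payload)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # 24 facilities x 8 severities
        return None
    return SyslogEvent(sender_ip=sender_ip,
                       facility=FACILITIES[pri // 8],
                       severity=SEVERITIES[pri % 8],
                       severity_num=pri % 8,
                       timestamp=m["ts"], host=m["host"], message=m["msg"])


def process(datagrams: List[Tuple[str, str]]) -> Tuple[List[SyslogEvent], int]:
    """Return the accepted events and the number of rejected datagrams."""
    events, rejected = [], 0
    for sender_ip, payload in datagrams:
        ev = parse_datagram(sender_ip, payload)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    return events, rejected


def alerts(events: List[SyslogEvent], worst_allowed: int = 4) -> List[SyslogEvent]:
    """Events at severity 'warning' (4) or more severe."""
    return [e for e in events if e.severity_num <= worst_allowed]


# Constructed sample datagrams (sender IP, payload). The message texts are made
# up for the example and are not the switch's real log wording.
SAMPLE_DATAGRAMS = [
    ("10.0.1.10", "<14>Jun 12 08:15:02 mice-1 link up on port 1/3"),
    ("10.0.1.10", "<12>Jun 12 08:15:40 mice-1 link down on port 1/5"),
    ("10.0.1.10", "<10>Jun 12 08:16:01 mice-1 login failed for user admin from 10.0.1.99"),
    ("192.0.2.77", "<10>Jun 12 08:16:05 mice-1 spoofed message from an untrusted host"),
    ("10.0.1.10", "not a syslog message"),
]

if __name__ == "__main__":
    accepted, dropped = process(SAMPLE_DATAGRAMS)
    print(f"accepted {len(accepted)}, dropped {dropped}")
    for e in alerts(accepted):
        print(f"{e.timestamp} {e.host} {e.facility}.{e.severity}: {e.message}")
```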
  • Page 193: Monitoring Port Traffic (Port Mirroring)

    A management tool connected to the destination port, such as an RMON probe, can thus observe the data traffic at the source port. The destination port forwards data to be sent and blocks received data. Fig. 60: Port mirroring (Switch Power MICE, backbone, RMON probe) V Select the Diagnostics:Port Mirroring dialog.
  • Page 194 Operation Diagnostics 9.11 Monitoring port traffic (port mirroring) V Select "enabled" to enable the function. The "Delete" button in the dialog allows you to restore all the default port mirroring settings (state on delivery). Note: In active port mirroring, the specified port is used solely for observation purposes.
  • Page 195: Appendix A: Setting Up The Configuration Environment

    Appendix A: Setting up the configuration environment
  • Page 196: Setting Up Dhcp/Bootp Server

    Setting up the configuration environment A.1 Setting up DHCP/BOOTP Server A.1 Setting up DHCP/BOOTP Server On the CDROM supplied with the switch you will find the software for a DHCP server from the software development company IT-Consulting Dr. Herbert Hanewinkel. You can test the software for 30 calendar days from the date of the first installation, and then decide whether you want to purchase a license.
  • Page 197 Setting up the configuration A.1 Setting up DHCP/BOOTP Server V Open the window for the program settings in the menu bar: Options:Preferences and select the DHCP tab page. Enter the settings shown in the illustration and click on OK. Fig. 63: DHCP setting V To enter the configuration profiles, select manage in the menu bar of Options:Manage Profiles.
  • Page 198 Setting up the configuration environment A.1 Setting up DHCP/BOOTP Server V Enter the network mask and click on Accept. Fig. 65: Network mask in the configuration profile V Select the Boot tab page. V Enter the IP address of your tftp server. V Enter the path and the file name for the configuration file.
  • Page 199 Setting up the configuration A.1 Setting up DHCP/BOOTP Server V Add a profile for each device type. If devices of the same type have different configurations, then you add a profile for each configuration. To complete the addition of the configuration profiles, click on OK. Fig.
  • Page 200 Setting up the configuration environment A.1 Setting up DHCP/BOOTP Server V Click on New. Fig. 69: Adding static addresses V Enter the MAC address of the switch. V Enter the IP address of the switch. V Select the configuration profile of the switch. V Click on Accept and then on OK.
  • Page 201 Setting up the configuration A.1 Setting up DHCP/BOOTP Server V Add an entry for each device that will get its parameters from the DHCP server. Fig. 71: DHCP server with entries
  • Page 202: Setting Up Dhcp Server Option

    Setting up the configuration environment A.2 Setting up DHCP Server Option 82 A.2 Setting up DHCP Server Option 82 On the CDROM supplied with the switch you will find the software for a DHCP server from the software development company IT-Consulting Dr. Herbert Hanewinkel.
  • Page 203 Setting up the configuration A.2 Setting up DHCP Server Option 82 V Select static. Fig. 73: Static address input V Open the window for the program settings in the menu bar: Options:Preferences and select the DHCP tab page. Enter the settings shown in the illustration and click on OK.
  • Page 204 Setting up the configuration environment A.2 Setting up DHCP Server Option 82 V To enter the static addresses, click on Add. Fig. 75: Adding static addresses V Select Circuit Identifier and Remote Identifier. Fig. 76: Default setting for the fixed address assignment
  • Page 205 ID cl: length of the circuit ID; hh: Hirschmann identifier, 01 if a Hirschmann switch is connected to the port, otherwise 00; vvvv: VLAN ID of the DHCP request (default: 0001 = VLAN 1); ss: socket of the switch in which the module is located that holds the port the device is connected to.
  • Page 206 Setting up the configuration environment A.2 Setting up DHCP Server Option 82 Fig. 78: Application example of using Option 82 (switch with Option 82: MACH 3002; MICE with MAC address 00:80:63:10:9a:d7 and IP 149.218.112.100; DHCP server with IP 149.218.112.1)
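    Added example, not from the manual or from the DHCP server software it describes: a Python decoder for DHCP Option 82 (Relay Agent Information, RFC 3046) that splits the Circuit ID and Remote ID sub-options and decodes the circuit ID fields named on the page above (hh, vvvv, ss). Bytes that follow ss are kept raw because this page does not describe them, and the Remote ID is likewise kept as raw bytes. The static assignment table, the Remote ID value 0a:0b:0c:0d:0e:0f and the sample DHCPDISCOVER options are constructed for the example; the client address 149.218.112.100 matches Fig. 78. Selecting Circuit Identifier and Remote Identifier in the server, as the page describes, binds the lease to the relaying switch and the physical port rather than to the client MAC address, which a client can forge; the example shows that check.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPTION_RELAY_AGENT_INFO = 82      # RFC 3046
OPTION_PAD, OPTION_END = 0, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk the DHCP options field (after the magic cookie) into {code: value}."""
    out, off = {}, 0
    while off < len(options):
        code = options[off]
        if code == OPTION_END:
            return out
        if code == OPTION_PAD:
            off += 1
            continue
        if off + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[off + 1]
        value = options[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("option length runs past end of field")
        out[code] = value
        off += 2 + length
    raise ValueError("missing End option")


def parse_suboptions(value: bytes) -> Dict[int, bytes]:
    """Option 82's value is a sequence of sub-options: code, length, data."""
    subs, off = {}, 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[off], value[off + 1]
        data = value[off + 2:off + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option length runs past end of option")
        subs[code] = data
        off += 2 + length
    return subs


@dataclass(frozen=True)
class CircuitId:
    hirschmann: bool   # hh: 01 = Hirschmann switch connected to the port, 00 = not
    vlan_id: int       # vvvv: VLAN ID of the DHCP request
    socket: int        # ss: socket holding the module with the port
    rest: bytes        # bytes after ss; not described on this page, kept raw


def decode_circuit_id(data: bytes) -> CircuitId:
    """Decode the circuit ID fields the manual names: hh (1 byte), vvvv (2 bytes),
    ss (1 byte). The length byte cl is the sub-option length, already consumed."""
    if len(data) < 4:
        raise ValueError("circuit ID shorter than hh + vvvv + ss")
    if data[0] not in (0x00, 0x01):
        raise ValueError(f"unexpected Hirschmann identifier 0x{data[0]:02x}")
    return CircuitId(hirschmann=data[0] == 0x01,
                     vlan_id=int.from_bytes(data[1:3], "big"),
                     socket=data[3],
                     rest=data[4:])


def relay_info(options: bytes) -> Tuple[Optional[CircuitId], Optional[bytes]]:
    """Decoded Circuit ID and raw Remote ID from a request's options, if relayed."""
    opts = parse_dhcp_options(options)
    if OPTION_RELAY_AGENT_INFO not in opts:
        return None, None
    subs = parse_suboptions(opts[OPTION_RELAY_AGENT_INFO])
    circuit = (decode_circuit_id(subs[SUBOPT_CIRCUIT_ID])
               if SUBOPT_CIRCUIT_ID in subs else None)
    return circuit, subs.get(SUBOPT_REMOTE_ID)


# Hypothetical static assignment table of the DHCP server, keyed on the relaying
# switch (Remote ID, value made up here) and the port (Circuit ID fields), not on
# the client's MAC address, which a client can change at will.
STATIC_ASSIGNMENTS: Dict[Tuple[bytes, Tuple[bool, int, int, bytes]], str] = {
    (bytes.fromhex("0a0b0c0d0e0f"), (True, 1, 1, b"\x03")): "149.218.112.100",
}


def assign_address(options: bytes) -> Optional[str]:
    """Address for the request, or None if it is not bound to a known switch port."""
    circuit, remote = relay_info(options)
    if circuit is None or remote is None:
        return None     # no Option 82: the request did not come via the relay
    key = (remote, (circuit.hirschmann, circuit.vlan_id, circuit.socket, circuit.rest))
    return STATIC_ASSIGNMENTS.get(key)


# Constructed sample: DHCPDISCOVER options as they arrive at the server.
# Circuit ID 01 0001 01 03 = Hirschmann switch, VLAN 1, socket 1, trailing 03
# (the trailing byte is invented); the Remote ID is the made-up value above.
SAMPLE_OPTIONS = bytes.fromhex(
    "35 01 01"                           # option 53, DHCP message type = DISCOVER
    "52 0f"                              # option 82, 15 bytes of sub-options
    "01 05 01 00 01 01 03"               #   sub-option 1: Circuit ID (cl = 5)
    "02 06 0a 0b 0c 0d 0e 0f"            #   sub-option 2: Remote ID
    "ff")                                # End

if __name__ == "__main__":
    print(relay_info(SAMPLE_OPTIONS))
    print(assign_address(SAMPLE_OPTIONS))
```

    The server should additionally only honour Option 82 on requests that arrive via a relay it knows (non-zero giaddr from a trusted relay address), since a client on the server's own segment could insert its own Option 82 to claim another port's address.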
  • Page 207: Tftp Server For Software Updates

    Setting up the configuration A.3 tftp server for software updates A.3 tftp server for software updates On delivery, the switch software is held in the flash memory. The Switch boots the software from the flash memory. Software updates can be realized via a tftp server. This presupposes that a tftp server has been installed in the connected network and that it is active.
  • Page 208: Setting Up The Tftp Process

    Setting up the configuration environment A.3 tftp server for software updates A.3.1 Setting up the tftp process General prerequisites: the local IP address of the Switch and the IP address of the tftp server or of the gateway are known to the Switch; the TCP/IP stack with tftp is installed on the tftp server.
  • Page 209 Setting up the configuration A.3 tftp server for software updates You can obtain additional information about the tftp daemon with the UNIX command "man tftpd". Note: The command "ps" does not always show the tftp daemon, although it is actually running. Special steps for HP workstations: V During installation on an HP workstation, enter the user tftp in the /etc/passwd file.
  • Page 210 Setting up the configuration environment A.3 tftp server for software updates Checking the tftp process: edit the file /etc/inetd.conf. Is the tftp line commented out? If so, delete the comment character "#" from this line and re-initialize inetd by sending it a hangup signal (kill -1 PID). Problems with the tftp server? Test it locally: cd /tftpboot/mice, then tftp <tftp-Servername>...
  • Page 211: Software Access Rights

    Setting up the configuration A.3 tftp server for software updates A.3.2 Software access rights The agent needs read permission to the tftp directory with the Switch software. Example of a UNIX tftp server: once the Switch software has been installed, the tftp server should have the following directory structure with the stated access rights: Filename Access...
  • Page 212: Preparing For Access Via Ssh

    Setting up the configuration environment A.4 Preparing for access via SSH To be able to access the Switch via SSH, you will need: a key, which you install on the Switch; SSH access enabled on the Switch; and a program for executing the SSH protocol on your computer.
  • Page 213 Setting up the configuration A.4 Preparing for access via SSH Fig. 80: PuTTY key generator The OpenSSH Suite offers experienced network administrators a further option of generating the key. To generate the key, enter the following command: ssh-keygen(.exe) -q -t rsa1 -f rsa1.key -C '' -N '' Note that -t rsa1 produces an SSH protocol version 1 key. This key type exists only for SSH-1, which is cryptographically weak, and OpenSSH releases from 7.6 onwards no longer support it, so the command requires an older OpenSSH version.
  • Page 214: Uploading The Key

    Setting up the configuration environment A.4 Preparing for access via SSH A.4.2 Uploading the key The Command Line Interface enables you to upload the SSH key to the Switch. V Store the key file on your tftp server. V With the command enable, switch to the privileged EXEC mode. V With the command no ip ssh deactivate the SSH function on the Switch, before you transfer the...
  • Page 215: Access Via Ssh

    Setting up the configuration A.4 Preparing for access via SSH A.4.3 Access via SSH The program PuTTY offers a way to access your Switch via SSH. This program is located on the product CD. V Start the program by double-clicking. V Enter the address of your Switch.
  • Page 216 Setting up the configuration environment A.4 Preparing for access via SSH PuTTY will display another security alert message for the set warning threshold. Fig. 82: Security alert prompt for the set warning threshold V Click “Yes” to this security alert message. To suppress this message for future connection setups, select “SSH”...
  • Page 217: Appendix B:general Information

    Appendix B: General Information
  • Page 218: Hirschmann Competence

    General Information B.1 Hirschmann Competence In the long term, product excellence alone is not an absolute guarantee of a successful project implementation. Comprehensive service makes a difference worldwide. In the current scenario of global competition, the Hirsch-...
  • Page 219: Faq

    General Information B.2 FAQ Answers to frequently asked questions can be found at the Hirschmann Website: www.hirschmann.com. The FAQ area is located under Products/Support within Automation and Network Solutions, on the Products pages. For detailed information on all services offered by the Hirschmann Competence Center, please visit the Web site http://www.hicomcenter.com/.
  • Page 220: Management Information Base Mib

    General Information B.3 Management Information BASE MIB The Management Information Base (MIB) is designed in the form of an abstract tree structure. The branching points are the object classes. The "leaves" of the MIB are called generic object classes.
  • Page 221 General Information B.3 Management Information BASE MIB System User Interface Upper (e.g. threshold value) Vendor = manufacturer (Hirschmann) Definition of the syntax terms used: Integer An integer in the range 0 - 2 IP address xxx.xxx.xxx.xxx (xxx = integer in the range 0-255)
  • Page 222 11 snmp, 16 rmon, 17 dot1dBridge, 26 snmpDot3MauMGT. Fig. 83: Tree structure of the Hirschmann MIB. A complete description of the MIB can be found on the CD-ROM that is included with the device.
  • Page 223: Used Abbreviations

    General Information B.4 Used abbreviations ACA AutoConfiguration Adapter; ACL Access Control List; BOOTP Bootstrap Protocol; CLI Command Line Interface; DHCP Dynamic Host Configuration Protocol; FDB Forwarding Database; GARP Generic Attribute Registration Protocol; GMRP GARP Multicast Registration Protocol; http Hypertext Transfer Protocol; ICMP Internet Control Message Protocol; IGMP...
  • Page 224: List Of Rfc's

    General Information B.5 List of RFC's B.5 List of RFC's RFC 768 (UDP) RFC 783 (TFTP) RFC 791 (IP) RFC 792 (ICMP) RFC 793 (TCP) RFC 826 (ARP) RFC 854 (Telnet) RFC 855 (Telnet Option) RFC 951 (BOOTP) RFC 1112 (IGMPv1) RFC 1157 (SNMPv1) RFC 1155 (SMIv1) RFC 1212 (Concise MIB Definitions)
  • Page 225 General Information B.5 List of RFC's RFC 2574 (User Based Security Model for SNMP v3) RFC 2575 (View Based Access Control Model for SNMP) RFC 2576 (Coexistence between SNMP v1,v2 & v3) RFC 2578 (SMI v2) RFC 2579 (Textual Conventions for SMI v2) RFC 2580 (Conformance statements for SMI v2) RFC 2613 (SMON) RFC 2618 (RADIUS Authentication Client MIB)
  • Page 226: Based Ieee Standards

    IEEE 802.3 - 2002 Ethernet; IEEE 802.3ac VLAN Tagging; IEEE 802.3ad Link Aggregation with Static LAG and LACP support (Power MICE and MACH 4000); IEEE 802.3x Flow Control; IEEE 802.3af Power over Ethernet
  • Page 227: Technical Data

    General Information B.7 Technical Data VLAN: VLAN ID 1 to 4042 (MACH 4000: 3966); number of VLANs max. 256 simultaneously per switch, max. 256 simultaneously per port; number of VLANs with GMRP in VLAN 1 max. 256 simultaneously per switch, in VLAN 1 max. ...
  • Page 228: Copyright Of Integrated Software

    General Information B.8 Copyright of integrated software B.8 Copyright of integrated soft- ware B.8.1 Bouncy Castle Crypto APIs (Java) The Legion Of The Bouncy Castle Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies...
  • Page 229: Reader's Comments

    General Information B.9 Reader's comments B.9 Reader's comments What is your opinion of this manual? We are always striving to provide as comprehensive a description of our product as possible, as well as important information that will ensure trouble-free operation. Your comments and suggestions help us to further improve the quality of our documentation.
  • Page 230 Dear User, Please fill out and return this page − by fax to the number +49 (0)7127/14-1798 or − by mail to Hirschmann Automation and Control GmbH, Department AMM, Stuttgarter Str. 45 - 51, 72654 Neckartenzlingen, Germany
  • Page 231 Index Appendix C: Index DHCP client 37, 53, 63, 65, 170 DHCP Option 82 Access Control List DHCP server 196, 202 Access right Differentiated Services DiffServ DiffServ code point Address conflict DSCP 135, 140, 142, 146 Address Conflict Detection Address table Aging Time 123, 128 Egress rule...
  • Page 232 Index Industry Protocols PHY layer Ingress Filter 156, 163 Polling Ingress rule Port Configuration Instantiation Port Mirroring Internet Assigned Numbers Authority Port priority Internet Service Provider Port Security 86, 170 IP address 25, 27, 33, 40, 43, 48, 82, 85, 188, Port VLAN ID Power Supply IP header...
  • Page 233 Index Source port Web-based interface SSH server Web-based management State on delivery Weighted Fair Queuing 143, 144, 147 Static Weighted Round Robin Strict priority Subdomain Subidentifier Subnetwork 33, 123 Support Synchronizing clocks System monitor System name System time Target address TCP/IP stack Telnet Temperature threshold...
  • Page 234 Index

This manual is also suitable for:

MACH 4002-24G, MACH 4002-48G, MACH 4000