RUGGEDCOM ROS
v4.3
User Guide
For RS969, M969
05/2018
RC1288-EN-06
Preface
Introduction 1
Using ROS 2
Getting Started 3
Device Management 4
System Administration 5
Security 6
Layer 2 7
Redundancy 8
Traffic Control and Classification 9
Time Services 10
Network Discovery and Management 11
IP Address Assignment 12
Troubleshooting 13
Copyright © 2018 Siemens Canada Ltd
All rights reserved. Dissemination or reproduction of this document, or evaluation and communication of its contents, is not authorized except where expressly permitted. Violations are liable for damages. All rights reserved, particularly for the purposes of patent application or trademark registration.
This document contains proprietary information, which is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of Siemens Canada Ltd.
Disclaimer Of Liability
Siemens has verified the contents of this document against the hardware and/or software described. However, deviations between the product and the documentation may exist.
Siemens shall not be liable for any errors or omissions contained herein or for consequential damages in connection with the furnishing, performance, or use of this material.
The information given in this document is reviewed regularly and any necessary corrections will be included in subsequent editions. We appreciate any suggested improvements. We reserve the right to make technical improvements without notice.
Registered Trademarks
RUGGEDCOM™ and ROS™ are trademarks of Siemens Canada Ltd.
Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the owner.
Third Party Copyrights
Siemens recognizes the following third party copyrights:
Copyright © 2004 GoAhead Software, Inc. All Rights Reserved.
Open Source
RUGGEDCOM ROS contains Open Source Software. For license conditions, refer to the associated License Conditions document.
Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit https://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit https://support.automation.siemens.com.
Warranty
Refer to the License Agreement for the applicable warranty terms and conditions, if any.
For warranty details, visit https://www.siemens.com/ruggedcom or contact a Siemens customer service representative.
Contacting Siemens
Address
Siemens Canada Ltd
Industry Sector
300 Applewood Crescent
Concord, Ontario
Canada, L4K 5C7
Telephone
Toll-free: 1 888 264 0006
Tel: +1 905 856 5288
Fax: +1 905 856 1995
E-mail
ruggedcom.info.i-ia@siemens.com
Web
https://www.siemens.com/ruggedcom
Table of Contents
Preface ........................................................................................................... xiii
Conventions ...................................................................................................................................... xiii
Related Documents ............................................................................................................................ xiv
System Requirements ......................................................................................................................... xv
Accessing Documentation ................................................................................................................... xv
Training ............................................................................................................................................. xv
Customer Support .............................................................................................................................. xvi
Chapter 1
Introduction ..................................................................................................... 1
1.1 Features and Benefits ................................................................................................................... 1
1.2 Security Recommendations ............................................................................................................ 3
1.3 Controlled vs. Non-Controlled ........................................................................................................ 5
1.4 Supported Networking Standards ................................................................................................... 6
1.5 Port Numbering Scheme ............................................................................................................... 6
1.6 Available Services by Port .............................................................................................................. 7
Chapter 2
Using ROS ........................................................................................................ 9
2.1 Logging In .................................................................................................................................... 9
2.2 Logging Out ............................................................................................................................... 10
2.3 Using the Web Interface .............................................................................................................. 11
2.4 Using the Console Interface ......................................................................................................... 12
2.5 Using the Command Line Interface .............................................................................................. 14
    2.5.1 Available CLI Commands .................................................................................................. 14
    2.5.2 Tracing Events ................................................................................................................. 18
    2.5.3 Executing Commands Remotely via RSH ............................................................................ 19
    2.5.4 Using SQL Commands ...................................................................................................... 19
        2.5.4.1 Finding the Correct Table ....................................................................................... 20
        2.5.4.2 Retrieving Information ........................................................................................... 20
        2.5.4.3 Changing Values in a Table .................................................................................... 22
        2.5.4.4 Resetting a Table ................................................................................................... 22
        2.5.4.5 Using RSH and SQL ............................................................................................... 22
2.6 Selecting Ports in RUGGEDCOM ROS ............................................................................................. 23
2.7 Managing the Flash File System ................................................................................................... 23
    2.7.1 Viewing a List of Flash Files .............................................................................................. 23
    2.7.2 Viewing Flash File Details ................................................................................................. 24
    2.7.3 Defragmenting the Flash File System ................................................................................. 24
2.8 Accessing BIST Mode ................................................................................................................... 25
Chapter 3
Getting Started ............................................................................................... 27
3.1 Connecting to ROS ...................................................................................................................... 27
    3.1.1 Default IP Address ............................................................................................................ 27
    3.1.2 Connecting Directly .......................................................................................................... 27
    3.1.3 Connecting Remotely ....................................................................................................... 28
3.2 Configuring a Basic Network ........................................................................................................ 29
Chapter 4
Device Management ....................................................................................... 31
4.1 Viewing Product Information ....................................................................................................... 31
4.2 Viewing CPU Diagnostics ............................................................................................................. 33
4.3 Restoring Factory Defaults ........................................................................................................... 34
4.4 Uploading/Downloading Files ....................................................................................................... 35
    4.4.1 Uploading/Downloading Files Using XMODEM .................................................................... 36
    4.4.2 Uploading/Downloading Files Using a TFTP Client ............................................................... 36
    4.4.3 Uploading/Downloading Files Using a TFTP Server .............................................................. 37
    4.4.4 Uploading/Downloading Files Using an SFTP Server ............................................................ 38
4.5 Managing Logs ........................................................................................................................... 38
    4.5.1 Viewing Local and System Logs ......................................................................................... 39
    4.5.2 Clearing Local and System Logs ........................................................................................ 39
    4.5.3 Configuring the Local System Log ..................................................................................... 40
    4.5.4 Managing Remote Logging ............................................................................................... 41
        4.5.4.1 Configuring the Remote Syslog Client ..................................................................... 41
        4.5.4.2 Viewing a List of Remote Syslog Servers .................................................................. 42
        4.5.4.3 Adding a Remote Syslog Server .............................................................................. 42
        4.5.4.4 Deleting a Remote Syslog Server ............................................................................ 43
4.6 Managing Ethernet Ports ............................................................................................................. 44
    4.6.1 Controller Protection Through Link Fault Indication (LFI) ..................................................... 45
    4.6.2 Viewing the Status of Ethernet Ports ................................................................................. 46
    4.6.3 Viewing Statistics for All Ethernet Ports ............................................................................. 47
    4.6.4 Viewing Statistics for Specific Ethernet Ports ...................................................................... 48
    4.6.5 Clearing Statistics for Specific Ethernet Ports ...................................................................... 50
    4.6.6 Configuring an Ethernet Port ............................................................................................ 51
    4.6.7 Configuring Port Rate Limiting .......................................................................................... 53
    4.6.8 Configuring Port Mirroring ................................................................................................ 55
    4.6.9 Configuring Link Detection ............................................................................................... 56
    4.6.10 Detecting Cable Faults .................................................................................................... 58
        4.6.10.1 Viewing Cable Diagnostics Results ........................................................................ 58
        4.6.10.2 Performing Cable Diagnostics ............................................................................... 60
        4.6.10.3 Clearing Cable Diagnostics ................................................................................... 61
        4.6.10.4 Determining the Estimated Distance To Fault (DTF) ................................................ 62
    4.6.11 Resetting Ethernet Ports ................................................................................................. 62
4.7 Managing IP Interfaces ................................................................................................................ 63
    4.7.1 Viewing a List of IP Interfaces ........................................................................................... 63
    4.7.2 Adding an IP Interface ...................................................................................................... 64
    4.7.3 Deleting an IP Interface .................................................................................................... 66
4.8 Managing IP Gateways ................................................................................................................ 67
    4.8.1 Viewing a List of IP Gateways ........................................................................................... 67
    4.8.2 Adding an IP Gateway ...................................................................................................... 68
    4.8.3 Deleting an IP Gateway .................................................................................................... 69
4.9 Configuring IP Services ................................................................................................................ 70
4.10 Managing Remote Monitoring ................................................................................................... 72
    4.10.1 Managing RMON History Controls ................................................................................... 73
        4.10.1.1 Viewing a List of RMON History Controls ............................................................... 73
        4.10.1.2 Adding an RMON History Control .......................................................................... 73
        4.10.1.3 Deleting an RMON History Control ........................................................................ 75
    4.10.2 Managing RMON Alarms ................................................................................................. 76
        4.10.2.1 Viewing a List of RMON Alarms ............................................................................ 77
        4.10.2.2 Adding an RMON Alarm ....................................................................................... 78
        4.10.2.3 Deleting an RMON Alarm ..................................................................................... 80
    4.10.3 Managing RMON Events ................................................................................................. 81
        4.10.3.1 Viewing a List of RMON Events ............................................................................. 82
        4.10.3.2 Adding an RMON Event ....................................................................................... 82
        4.10.3.3 Deleting an RMON Event ..................................................................................... 84
4.11 Upgrading/Downgrading Firmware ............................................................................................. 84
    4.11.1 Upgrading Firmware ....................................................................................................... 85
    4.11.2 Downgrading Firmware .................................................................................................. 85
4.12 Resetting the Device ................................................................................................................. 86
4.13 Decommissioning the Device ..................................................................................................... 87
Chapter 5
System Administration .................................................................................... 89
5.1 Configuring the System Information ............................................................................................. 89
5.2 Customizing the Login Screen ...................................................................................................... 90
5.3 Enabling/Disabling the Web Interface ........................................................................................... 90
5.4 Managing Alarms ........................................................................................................................ 90
    5.4.1 Viewing a List of Pre-Configured Alarms ............................................................................ 91
    5.4.2 Viewing and Clearing Latched Alarms ................................................................................ 92
    5.4.3 Configuring an Alarm ....................................................................................................... 93
    5.4.4 Authentication Related Security Alarms .............................................................................. 96
        5.4.4.1 Security Alarms for Login Authentication ................................................................ 96
        5.4.4.2 Security Messages for Port Authentication ............................................................... 98
5.5 Managing the Configuration File .................................................................................................. 99
    5.5.1 Configuring Data Encryption ............................................................................................. 99
    5.5.2 Updating the Configuration File ...................................................................................... 101
Chapter 6
Security ......................................................................................................... 103
6.1 Configuring Passwords .............................................................................................................. 103
6.2 Clearing Private Data ................................................................................................................. 106
6.3 Managing User Authentication ................................................................................................... 106
    6.3.1 Configuring User Name Extensions .................................................................................. 106
    6.3.2 Managing RADIUS Authentication .................................................................................... 107
        6.3.2.1 Configuring the RADIUS Server ............................................................................. 108
        6.3.2.2 Configuring the RADIUS Client on the Device ......................................................... 109
    6.3.3 Managing TACACS+ Authentication ................................................................................. 110
        6.3.3.1 Configuring TACACS+ .......................................................................................... 110
        6.3.3.2 Configuring User Privileges .................................................................................. 112
6.4 Managing Port Security ............................................................................................................. 113
    6.4.1 Port Security Concepts .................................................................................................... 113
        6.4.1.1 Static MAC Address-Based Authentication .............................................................. 114
        6.4.1.2 IEEE 802.1X Authentication .................................................................................. 114
        6.4.1.3 IEEE 802.1X Authentication with MAC Address-Based Authentication ....................... 115
        6.4.1.4 Assigning VLANs with Tunnel Attributes ................................................................ 115
    6.4.2 Viewing a List of Authorized MAC Addresses .................................................................... 116
    6.4.3 Configuring Port Security ................................................................................................ 116
    6.4.4 Configuring IEEE 802.1X ................................................................................................. 118
6.5 Managing SSH and SSL Keys and Certificates .............................................................................. 120
    6.5.1 SSL Certificates .............................................................................................................. 121
    6.5.2 SSH Host Key ................................................................................................................. 122
    6.5.3 Managing SSH Public Keys .............................................................................................. 123
        6.5.3.1 Public Key Requirements ...................................................................................... 123
        6.5.3.2 Adding a Public Key ............................................................................................. 124
        6.5.3.3 Viewing a List of Public Keys ................................................................................ 124
        6.5.3.4 Updating a Public Key .......................................................................................... 125
        6.5.3.5 Deleting a Public Key ........................................................................................... 125
    6.5.4 Certificate and Key Examples .......................................................................................... 126
Chapter 7
Layer 2 .......................................................................................................... 129
7.1 Managing Virtual LANs .............................................................................................................. 129
    7.1.1 VLAN Concepts .............................................................................................................. 130
        7.1.1.1 Tagged vs. Untagged Frames ............................................................................... 130
        7.1.1.2 Native VLAN ........................................................................................................ 130
        7.1.1.3 The Management VLAN ....................................................................................... 130
        7.1.1.4 Edge and Trunk Port Types ................................................................................... 131
        7.1.1.5 Ingress and Egress Rules ...................................................................................... 131
        7.1.1.6 Forbidden Ports List ............................................................................................. 132
        7.1.1.7 VLAN-Aware and VLAN-Unaware Modes ................................................................ 132
        7.1.1.8 GARP VLAN Registration Protocol (GVRP) ............................................................... 132
        7.1.1.9 PVLAN Edge ........................................................................................................ 134
        7.1.1.10 QinQ ................................................................................................................ 134
        7.1.1.11 VLAN Advantages .............................................................................................. 135
    7.1.2 Viewing a List of VLANs .................................................................................................. 137
    7.1.3 Configuring VLANs Globally ............................................................................................ 137
    7.1.4 Configuring VLANs for Specific Ethernet Ports .................................................................. 138
    7.1.5 Managing Static VLANs ................................................................................................... 140
        7.1.5.1 Viewing a List of Static VLANs .............................................................................. 141
        7.1.5.2 Adding a Static VLAN ........................................................................................... 141
        7.1.5.3 Deleting a Static VLAN ......................................................................................... 143
7.2 Managing MAC Addresses ......................................................................................................... 144
    7.2.1 Viewing a List of MAC Addresses ..................................................................................... 144
    7.2.2 Configuring MAC Address Learning Options ..................................................................... 145
    7.2.3 Configuring MAC Address Flooding Options ..................................................................... 146
    7.2.4 Managing Static MAC Addresses ...................................................................................... 148
        7.2.4.1 Viewing a List of Static MAC Addresses ................................................................. 148
        7.2.4.2 Adding a Static MAC Address ............................................................................... 148
        7.2.4.3 Deleting a Static MAC Address .............................................................................. 150
    7.2.5 Purging All Dynamic MAC Addresses ................................................................................ 151
7.3 Managing Multicast Filtering ...................................................................................................... 152
    7.3.1 Managing IGMP ............................................................................................................. 152
        7.3.1.1 IGMP Concepts .................................................................................................... 152
        7.3.1.2 Viewing a List of Multicast Group Memberships ..................................................... 156
        7.3.1.3 Viewing Forwarding Information for Multicast Groups ............................................ 157
        7.3.1.4 Configuring IGMP ................................................................................................ 157
    7.3.2 Managing GMRP ............................................................................................................ 159
        7.3.2.1 GMRP Concepts ................................................................................................... 159
        7.3.2.2 Viewing a Summary of Multicast Groups ............................................................... 162
        7.3.2.3 Configuring GMRP Globally .................................................................................. 162
        7.3.2.4 Configuring GMRP for Specific Ethernet Ports ........................................................ 163
        7.3.2.5 Viewing a List of Static Multicast Groups ............................................................... 165
        7.3.2.6 Adding a Static Multicast Group ........................................................................... 165
        7.3.2.7 Deleting a Static Multicast Group .......................................................................... 166
Chapter 8
Redundancy ................................................................................................... 169
8.1 Managing Spanning Tree Protocol .............................................................................................. 169
    8.1.1 RSTP Operation .............................................................................................................. 169
        8.1.1.1 RSTP States and Roles .......................................................................................... 170
        8.1.1.2 Edge Ports .......................................................................................................... 172
        8.1.1.3 Point-to-Point and Multipoint Links ....................................................................... 172
        8.1.1.4 Path and Port Costs ............................................................................................. 172
        8.1.1.5 Bridge Diameter .................................................................................................. 173
        8.1.1.6 eRSTP ................................................................................................................. 174
        8.1.1.7 Fast Root Failover ................................................................................................ 174
    8.1.2 RSTP Applications ........................................................................................................... 175
        8.1.2.1 RSTP in Structured Wiring Configurations .............................................................. 175
        8.1.2.2 RSTP in Ring Backbone Configurations .................................................................. 177
        8.1.2.3 RSTP Port Redundancy ......................................................................................... 179
    8.1.3 MSTP Operation ............................................................................................................. 179
        8.1.3.1 MSTP Regions and Interoperability ........................................................................ 180
        8.1.3.2 MSTP Bridge and Port Roles .................................................................................. 181
        8.1.3.3 Benefits of MSTP ................................................................................................. 182
        8.1.3.4 Implementing MSTP on a Bridged Network ............................................................ 183
    8.1.4 Configuring STP Globally ................................................................................................. 184
    8.1.5 Configuring STP for Specific Ethernet Ports ...................................................................... 185
    8.1.6 Configuring eRSTP .......................................................................................................... 188
    8.1.7 Viewing Global Statistics for STP ..................................................................................... 190
    8.1.8 Viewing STP Statistics for Ethernet Ports .......................................................................... 191
    8.1.9 Managing Multiple Spanning Tree Instances ..................................................................... 193
        8.1.9.1 Viewing Statistics for Global MSTIs ....................................................................... 193
        8.1.9.2 Viewing Statistics for Port MSTIs ........................................................................... 195
        8.1.9.3 Configuring the MST Region Identifier ................................................................... 196
        8.1.9.4 Configuring a Global MSTI ................................................................................... 197
        8.1.9.5 Configuring an MSTI for an Ethernet Port .............................................................. 198
    8.1.10 Clearing Spanning Tree Protocol Statistics ...................................................................... 200
8.2 Managing Link Aggregation ....................................................................................................... 200
    8.2.1 Link Aggregation Concepts ............................................................................................. 201
        8.2.1.1 Rules and Limitations ........................................................................................... 202
8.2.1.2 Link Aggregation and Layer 2 Features ................................................................. 202
8.2.1.3 Link Aggregation and Physical Layer Features ........................................................ 203
8.2.2 Managing Port Trunks .................................................................................................... 203
8.2.2.1 Viewing a List of Port Trunks ................................................................................ 203
8.2.2.2 Adding a Port Trunk ............................................................................................ 204
8.2.2.3 Deleting a Port Trunk ........................................................................................... 205
Chapter 9
Traffic Control and Classification .................................................................... 207
9.1 Managing Classes of Service ...................................................................................................... 207
9.1.1 Configuring Classes of Service Globally ............................................................................ 208
9.1.2 Configuring Classes of Service for Specific Ethernet Ports .................................................. 209
9.1.3 Configuring Priority to CoS Mapping ................................................................................ 210
9.1.4 Configuring DSCP to CoS Mapping ................................................................................... 211
Chapter 10
Time Services ................................................................................................ 213
10.1 Configuring the Time and Date ................................................................................................ 213
10.2 Managing NTP ........................................................................................................................ 214
10.2.1 Enabling/Disabling NTP Service ...................................................................................... 214
10.2.2 Configuring NTP Servers ............................................................................................... 215
Chapter 11
Network Discovery and Management ............................................................. 217
11.1 Enabling/Disabling RCDP .......................................................................................................... 217
11.2 Managing LLDP ....................................................................................................................... 219
11.2.1 Configuring LLDP Globally ............................................................................................. 219
11.2.2 Configuring LLDP for an Ethernet Port ........................................................................... 221
11.2.3 Viewing Global Statistics and Advertised System Information ........................................... 222
11.2.4 Viewing Statistics for LLDP Neighbors ............................................................................ 223
11.2.5 Viewing Statistics for LLDP Ports .................................................................................... 223
11.3 Managing SNMP ..................................................................................................................... 224
11.3.1 SNMP Management Interface Base (MIB) Support ........................................................... 225
11.3.1.1 Supported Standard MIBs ................................................................................... 225
11.3.1.2 Supported Proprietary RUGGEDCOM MIBs ............................................................ 226
11.3.1.3 Supported Agent Capabilities .............................................................................. 227
11.3.2 SNMP Traps ................................................................................................................. 228
11.3.3 Managing SNMP Users .................................................................................................. 230
11.3.3.1 Viewing a List of SNMP Users ............................................................................. 230
11.3.3.2 Adding an SNMP User ........................................................................................ 230
11.3.3.3 Deleting an SNMP User ...................................................................................... 233
11.3.4 Managing Security-to-Group Mapping ............................................................................ 234
11.3.4.1 Viewing a List of Security-to-Group Maps ............................................................ 234
11.3.4.2 Adding a Security-to-Group Map ......................................................................... 234
11.3.4.3 Deleting a Security-to-Group Map ....................................................................... 236
11.3.5 Managing SNMP Groups ............................................................................................... 236
11.3.5.1 Viewing a List of SNMP Groups ........................................................................... 237
11.3.5.2 Adding an SNMP Group ..................................................................................... 237
11.3.5.3 Deleting an SNMP Group ................................................................................... 239
11.4 ModBus Management Support ................................................................................................. 239
11.4.1 ModBus Function Codes ............................................................................................... 240
11.4.2 ModBus Memory Map ................................................................................................... 241
11.4.3 Modbus Memory Formats ............................................................................................. 245
11.4.3.1 Text .................................................................................................................. 245
11.4.3.2 Cmd ................................................................................................................. 246
11.4.3.3 Uint16 .............................................................................................................. 246
11.4.3.4 Uint32 .............................................................................................................. 246
11.4.3.5 PortCmd ........................................................................................................... 246
11.4.3.6 Alarm ............................................................................................................... 247
11.4.3.7 PSStatusCmd ..................................................................................................... 248
11.4.3.8 TruthValues ....................................................................................................... 248
Chapter 12
IP Address Assignment .................................................................................. 251
12.1 Managing DHCP Relay Agent ................................................................................................... 251
12.1.1 Configuring the DHCP Relay Agent ................................................................................ 251
12.1.2 Enabling DHCP Relay Agent Information (Option 82) for Specific Ports .............................. 252
Chapter 13
Troubleshooting ............................................................................................ 255
13.1 General .................................................................................................................................. 255
13.2 Ethernet Ports ......................................................................................................................... 256
13.3 Spanning Tree ........................................................................................................................ 256
13.4 VLANs .................................................................................................................................... 258
Preface
This guide describes v4.3 of ROS (Rugged Operating System) running on the RUGGEDCOM RS969/M969. It
contains instructions and guidelines on how to use the software, as well as some general theory.
It is intended for use by network technical support personnel who are familiar with the operation of networks. It is
also recommended for use by network and system planners, system programmers, and line technicians.
IMPORTANT!
Some of the parameters and options described may not be available depending on variations in the
device hardware. While every attempt is made to accurately describe the specific parameters and
options available, this Guide should be used as a companion to the Help text included in the software.
CONTENTS
“Conventions”
“Related Documents”
“System Requirements”
“Accessing Documentation”
“Training”
“Customer Support”
Conventions
This User Guide uses the following conventions to present information clearly and effectively.
Alerts
The following types of alerts are used when necessary to highlight important information.
DANGER!
DANGER alerts describe imminently hazardous situations that, if not avoided, will result in death or
serious injury.
WARNING!
WARNING alerts describe hazardous situations that, if not avoided, may result in serious injury and/or
equipment damage.
CAUTION!
CAUTION alerts describe hazardous situations that, if not avoided, may result in equipment damage.
IMPORTANT!
IMPORTANT alerts provide important information that should be known before performing a procedure
or step, or using a feature.
NOTE
NOTE alerts provide additional information, such as facts, tips and details.
CLI Command Syntax
The syntax of commands used in a Command Line Interface (CLI) is described according to the following
conventions:
command
The command itself is shown in bold.
command parameter
Parameters are in plain text.
command parameter1 parameter2
Parameters are listed in the order they must be entered.
command parameter1 parameter2
Parameters in italics must be replaced with a user-defined value.
command [ parameter1 | parameter2 ]
Alternative parameters are separated by a vertical bar (|). Square brackets indicate a required choice between two or more parameters.
command { parameter3 | parameter4 }
Curly brackets indicate an optional parameter (or parameters).
command parameter1 parameter2 { parameter3 | parameter4 }
All commands and parameters are presented in the order they must be entered.
Related Documents
Product Notes
Product notes specific to each release of RUGGEDCOM ROS are available on the Siemens' Industry Online Support
portal [https://support.industry.siemens.com].
User/Reference Guides
Document Title Link
RUGGEDCOM NMS v2.1 User Guide for Windows https://support.industry.siemens.com/cs/ww/en/view/109737564
RUGGEDCOM NMS v2.1 User Guide for Linux https://support.industry.siemens.com/cs/ww/en/view/109737563
RUGGEDCOM DIRECTOR v1.4 User Guide https://support.industry.siemens.com/cs/ww/en/view/97691648
RUGGEDCOM EXPLORER v1.5 User Guide https://support.industry.siemens.com/cs/ww/en/view/109480804
RUGGEDCOM PING v1.2 User Guide https://support.industry.siemens.com/cs/ww/en/view/97674073
FAQs
Document Title Link
How Do You Configure the SMP Function in a RUGGEDCOM Switch with RUGGEDCOM ROS? https://support.industry.siemens.com/cs/ww/en/view/109474615
How to Secure RUGGEDCOM ROS Devices Before and After Field Deployment https://support.industry.siemens.com/cs/ww/en/view/99858806
How to Implement Robust Ring Networks Using RSTP and eRSTP https://support.industry.siemens.com/cs/ww/en/view/109738240
How to Implement Secure, Unattended Logging in ROS https://support.industry.siemens.com/cs/ww/en/view/109756843
Installation Guides
Document Title Link
RUGGEDCOM RS969 Installation Guide https://support.industry.siemens.com/cs/ww/en/view/88895127
RUGGEDCOM M969 Installation Guide https://support.industry.siemens.com/cs/ww/en/view/8885210
System Requirements
Each workstation used to connect to the RUGGEDCOM ROS interface must meet the following system
requirements:
Must have one of the following Web browsers installed:
Microsoft Internet Explorer 8.0 or higher
Mozilla Firefox
Google Chrome
Iceweasel/IceCat (Linux Only)
Must have a working Ethernet interface compatible with at least one of the port types on the RUGGEDCOM
device
The ability to configure an IP address and netmask on the computer’s Ethernet interface
Accessing Documentation
The latest user documentation for RUGGEDCOM ROS v4.3 is available online at
https://www.siemens.com/ruggedcom. To request or inquire about a user document, contact Siemens Customer
Support.
Training
Siemens offers a wide range of educational services ranging from in-house training of standard courses on
networking, Ethernet switches and routers, to on-site customized courses tailored to the customer's needs,
experience and application.
Siemens' Educational Services team focuses on giving customers the essential practical skills and knowledge they
need to understand the technologies associated with critical communications network infrastructure.
Siemens' unique mix of IT/Telecommunications expertise combined with domain knowledge in the utility,
transportation and industrial markets, allows Siemens to provide training specific to the customer's application.
For more information about training services and course availability, visit https://www.siemens.com/ruggedcom or
contact a Siemens Sales representative.
Customer Support
Customer support is available 24 hours, 7 days a week for all Siemens customers. For technical support or general
information, contact Siemens Customer Support through any of the following methods:
Online
Visit http://www.siemens.com/automation/support-request to submit a Support Request (SR) or check
on the status of an existing SR.
Telephone
Call a local hotline center to submit a Support Request (SR). To locate a local hotline center, visit
http://www.automation.siemens.com/mcms/aspa-db/en/automation-technology/Pages/default.aspx.
Mobile App
Install the Industry Online Support app by Siemens AG on any Android, Apple iOS or Windows mobile
device and be able to:
Access Siemens' extensive library of support documentation, including FAQs and manuals
Submit SRs or check on the status of an existing SR
Contact a local Siemens representative from Sales, Technical Support, Training, etc.
Ask questions or share knowledge with fellow Siemens customers and the support community
Chapter 1
Introduction
Welcome to the RUGGEDCOM ROS v4.3 Software User Guide for the RUGGEDCOM RS969/M969 devices. This
Guide describes the wide array of carrier grade features made available by RUGGEDCOM ROS (Rugged Operating
System).
This chapter provides a basic overview of the RUGGEDCOM ROS software.
CONTENTS
Section1.1, “Features and Benefits”
Section1.2, “Security Recommendations”
Section1.3, “Controlled vs. Non-Controlled”
Section1.4, “Supported Networking Standards”
Section1.5, “Port Numbering Scheme”
Section1.6, “Available Services by Port”
Section1.1
Features and Benefits
The following describes the many features available in RUGGEDCOM ROS and their benefits:
Cyber Security Features
Cyber security is an urgent issue in many industries where advanced automation and communications networks
play a crucial role in mission critical applications and where high reliability is of paramount importance. Key
RUGGEDCOM ROS features that address security issues at the local area network level include:
Passwords: Multi-level user passwords secure the device against unauthorized configuration
SSH/SSL: Extends password protection by encrypting passwords and data as they cross the network
Enable/Disable Ports: Capability to disable ports so that traffic cannot pass
802.1Q VLAN: Provides the ability to logically segregate traffic between predefined ports on switches
SNMPv3: Encrypted authentication and access security
HTTPS: For secure access to the Web interface
Enhanced Rapid Spanning Tree Protocol (eRSTP)™
Siemens' eRSTP allows the creation of fault-tolerant ring and mesh Ethernet networks that incorporate
redundant links that are pruned to prevent loops. eRSTP implements both STP and RSTP to promote
interoperability with commercial switches, unlike other proprietary ring solutions. The fast root failover feature
of eRSTP provides quick network convergence in case of an RSTP root bridge failure in a mesh topology.
Quality of Service (IEEE 802.1p)
Some networking applications such as real-time control or VoIP (Voice over IP) require predictable arrival
times for Ethernet frames. Switches can introduce latency in times of heavy network traffic due to the internal
queues that buffer frames and then transmit them on a first-come, first-served basis. RUGGEDCOM ROS supports
Class of Service, which allows time-critical traffic to jump to the front of the queue, thus minimizing latency and
reducing jitter so that such demanding applications operate correctly. RUGGEDCOM ROS allows priority
classification by port, tags, MAC address, and IP Type of Service (ToS). A configurable weighted fair queuing
algorithm controls how frames are emptied from the queues.
VLAN (IEEE 802.1Q)
Virtual Local Area Networks (VLAN) allow the segregation of a physical network into separate logical networks
with independent broadcast domains. A measure of security is provided since hosts can only access other hosts
on the same VLAN and traffic storms are isolated. RUGGEDCOM ROS supports 802.1Q tagged Ethernet frames
and VLAN trunks. Port based classification allows legacy devices to be assigned to the correct VLAN. GVRP
support is also provided to simplify the configuration of the switches on the VLAN.
Simple Network Management Protocol (SNMP)
SNMP provides a standardized method for network management stations to interrogate devices from different
vendors. RUGGEDCOM ROS supports SNMP v1, v2c and v3. SNMPv3 in particular provides
security features (such as authentication, privacy, and access control) not present in earlier SNMP versions.
RUGGEDCOM ROS also supports numerous standard MIBs (Management Information Base) allowing for easy
integration with any Network Management System (NMS). A feature of SNMP is the ability to generate traps
upon system events. RUGGEDCOM NMS, the Siemens management solution, can record traps from multiple
devices providing a powerful network troubleshooting tool. It also provides a graphical visualization of the
network and is fully integrated with all Siemens products.
Remote Monitoring and Configuration with RUGGEDCOM NMS
RUGGEDCOM NMS (RNMS) is Siemens' Network Management System software for the discovery, monitoring
and management of RUGGEDCOM products and other IP enabled devices on a network. This highly
configurable, full-featured product records and reports on the availability and performance of network
components and services. Device, network and service failures are quickly detected and reported to reduce
downtime.
RNMS is especially suited for remotely monitoring and configuring RUGGEDCOM routers, switches, serial servers
and WiMAX wireless network equipment. For more information, contact a Siemens Sales representative.
NTP (Network Time Protocol)
NTP automatically synchronizes the internal clock of all RUGGEDCOM ROS devices on the network. This allows
for correlation of time stamped events for troubleshooting.
Port Rate Limiting
RUGGEDCOM ROS supports configurable rate limiting per port to limit unicast and multicast traffic. This can
be essential for service providers managing limited network bandwidth. It also provides a measure of protection
at the network edge against Denial of Service (DoS) attacks.
Broadcast Storm Filtering
Broadcast storms wreak havoc on a network and can cause attached devices to malfunction. This could be
disastrous on a network with mission critical equipment. RUGGEDCOM ROS limits this by filtering broadcast
frames with a user-defined threshold.
Link Aggregation
Ethernet ports can be aggregated into a single logical link either statically or dynamically to increase bandwidth
and balance the traffic load.
Port Mirroring
RUGGEDCOM ROS can be configured to duplicate all traffic on one port to a designated mirror port. When
combined with a network analyzer, this can be a powerful troubleshooting tool.
Port Configuration and Status
RUGGEDCOM ROS allows individual ports to be hard configured for speed, duplex, auto-negotiation, flow
control and more. This allows proper connection with devices that do not negotiate or have unusual settings.
Detailed status of ports with alarm and SNMP trap on link problems aid greatly in system troubleshooting.
Port Statistics and RMON (Remote Monitoring)
RUGGEDCOM ROS provides continuously updating statistics per port that provide both ingress and egress packet
and byte counters, as well as detailed error figures.
Also provided is full support for RMON statistics. RMON allows for very sophisticated data collection, analysis
and detection of traffic patterns.
Multicast Filtering
RUGGEDCOM ROS supports static multicast groups and the ability to join or leave multicast groups dynamically
using IGMP (Internet Group Management Protocol) or GMRP (GARP Multicast Registration Protocol).
Event Logging and Alarms
RUGGEDCOM ROS records all significant events to a non-volatile system log allowing forensic troubleshooting.
Events include link failure and recovery, unauthorized access, broadcast storm detection, and self-test
diagnostics among others. Alarms provide a snapshot of recent events that have yet to be acknowledged by
the network administrator. An external hardware relay is de-energized during the presence of critical alarms,
allowing an external controller to react if desired.
HTML Web Browser User Interface
RUGGEDCOM ROS provides a simple, intuitive user interface for configuration and monitoring via a standard
graphical Web browser or via a standard telcom user interface. All system parameters include detailed online
help to facilitate setup and configuration. RUGGEDCOM ROS presents a common look and feel and standardized
configuration process, allowing easy migration to other managed RUGGEDCOM products.
Brute Force Attack Prevention
Protection against Brute Force Attacks (BFAs) is standard in RUGGEDCOM ROS. If an external host fails to log in
to the Terminal or Web interfaces after a fixed number of attempts, the service will be blocked for one hour.
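The lockout behaviour described above, as an added Python example that is not RUGGEDCOM ROS code: a counter of consecutive failed logins per source host and service that imposes a one-hour block (the duration stated in the guide) once a threshold is reached, and that lets a successful login reset the counter. The guide gives no threshold, so MAX_FAILURES = 3 is a constructed placeholder, keying the block by source host is an assumption, and the sample events and addresses are constructed.

```python
"""Login lockout tracker illustrating the brute-force protection described in
the guide (added example, not RUGGEDCOM ROS code). BLOCK_SECONDS comes from the
text ("blocked for one hour"); MAX_FAILURES is a constructed placeholder."""
from collections import defaultdict

BLOCK_SECONDS = 3600   # "blocked for one hour" (from the guide)
MAX_FAILURES = 3       # placeholder: the guide only says "a fixed number of attempts"


class LoginGuard:
    """Consecutive-failure counter per (host, service) with a timed block."""

    def __init__(self, max_failures=MAX_FAILURES, block_seconds=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self._failures = defaultdict(int)   # (host, service) -> consecutive failures
        self._blocked_until = {}            # (host, service) -> unblock timestamp

    def is_blocked(self, host, service, now):
        """True while a block is in force; expired blocks are cleared on the way."""
        key = (host, service)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_attempt(self, host, service, success, now):
        """Return 'blocked' (rejected without evaluation), 'ok', 'failed',
        or 'locked' (this failure pushed the host over the threshold)."""
        key = (host, service)
        if self.is_blocked(host, service, now):
            return "blocked"
        if success:
            self._failures.pop(key, None)   # a good login resets the counter
            return "ok"
        self._failures[key] += 1
        if self._failures[key] >= self.max_failures:
            self._blocked_until[key] = now + self.block_seconds
            return "locked"
        return "failed"


def simulate(events, guard=None):
    """Replay (timestamp, host, service, success) events and return each outcome."""
    guard = guard or LoginGuard()
    return [guard.record_attempt(h, s, ok, t) for (t, h, s, ok) in events]


# Constructed sample: three failures from one host lock the Web interface for it,
# a fourth attempt is rejected outright, another host is unaffected, and after
# one hour the first host is allowed to log in again.
SAMPLE_EVENTS = [
    (0,    "192.0.2.10", "web", False),
    (5,    "192.0.2.10", "web", False),
    (9,    "192.0.2.10", "web", False),
    (12,   "192.0.2.10", "web", True),
    (15,   "192.0.2.20", "web", True),
    (3700, "192.0.2.10", "web", True),
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Because the fourth attempt is answered with "blocked" before the credentials are checked, a correct password presented during the block does not get through; that is what makes the lockout effective against guessing and also why the block should be logged and alarmed rather than silently applied.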
Section1.2
Security Recommendations
To prevent unauthorized access to the device, note the following security recommendations:
Authentication
Replace the default passwords for all user accounts and processes (where applicable) before the device is
deployed.
Use strong passwords with high randomization (i.e. entropy), without repetition of characters. Avoid weak
passwords such as password1, 123456789, abcdefgh, and any dictionary words or proper names in any
combination. For more information about creating strong passwords, refer to the password requirements in
Section 6.1, “Configuring Passwords”.
Make sure passwords are protected and not shared with unauthorized personnel.
Passwords should not be re-used across different user names and systems, or after they expire.
If RADIUS authentication is done remotely, make sure all communications are within the security perimeter or
on a secure channel.
Generate and provision a custom SSL certificate and SSH host key pair before commissioning the device. For
more information, refer to Section 6.5, “Managing SSH and SSL Keys and Certificates”.
Use SSH public key authentication. For more information, refer to Section 6.5, “Managing SSH and SSL Keys and
Certificates”.
Physical/Remote Access
Do not connect the device to the Internet. Deploy the device only within a secure network perimeter.
Restrict physical access to the device to only authorized personnel. A person with malicious intent could extract
critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram
the device.
Control access to the serial console to the same degree as any physical access to the device. Access to the serial
console allows for potential access to the RUGGEDCOM ROS boot loader, which includes tools that may be used
to gain complete access to the device.
Only enable services that will be used on the device, including physical ports. Unused physical ports could
potentially be used to gain access to the network behind the device.
If SNMP is enabled, limit the number of IP addresses that can connect to the device and change the community
names. Also configure SNMP to raise a trap upon authentication failures. For more information, refer to
Section 11.3, “Managing SNMP”.
Avoid using insecure services such as Telnet and TFTP, or disable them completely if possible. These services are
available for historical reasons and are disabled by default.
Disable RCDP if it is not intended for use.
Limit the number of simultaneous Web Server, Telnet and SSH sessions allowed.
Configure remote system logging to forward all logs to a central location. For more information, refer to
Section 4.5, “Managing Logs”.
Configuration files are provided in the CSV (comma separated values) format for ease of use. Make sure
configuration files are properly protected when they exist outside of the device. For instance, encrypt the files,
store them in a secure place, and do not transfer them via insecure communication channels.
Management of the configuration file, certificates and keys is the responsibility of the device owner.
Consider using RSA key sizes of at least 2048 bits in length and certificates signed with SHA256 for increased
cryptographic strength. Before returning the device to Siemens for repair, make sure encryption is disabled (to
create a cleartext version of the configuration file) and replace the current certificates and keys with temporary
throwaway certificates and keys that can be destroyed upon the device's return.
Be aware of any non-secure protocols enabled on the device. While some protocols such as HTTPS and SSH are
secure, others such as Telnet, RSH and HTTP were not designed for this purpose. Appropriate safeguards against
non-secure protocols should be taken to prevent unauthorized access to the device/network.
Configure port security features on access ports to prevent an unauthorized third-party from physically
connecting to the device. For more information, refer to Section 6.4, “Managing Port Security”.
Hardware/Software
Make sure the latest firmware version is installed, including all security-related patches. For the latest
information on security patches for Siemens products, visit the Industrial Security website
[https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html]
or the ProductCERT Security Advisories website
[http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm].
Updates to Siemens Product Security Advisories can be obtained by subscribing to the RSS feed on the Siemens
ProductCERT Security Advisories website, or by following @ProductCert on Twitter.
Enable BPDU Guard on ports where RSTP BPDUs are not expected.
Use the latest Web browser version compatible with RUGGEDCOM ROS to make sure the most secure Transport
Layer Security (TLS) versions and ciphers available are employed.
Modbus can be deactivated if not required by the user. If Modbus activation is required, then it is recommended
to follow the security recommendations outlined in this User Guide and to configure the environment according
to defense-in-depth best practices.
Prevent access to external, untrusted Web pages while accessing the device via a Web browser. This can assist in
preventing potential security threats, such as session hijacking.
For optimal security, use SNMPv3 whenever possible. Use strong authentication keys and private keys without
repetitive strings (e.g. abc or abcabc) with this feature. For more information about creating strong passwords,
refer to the password requirements in Section 6.1, “Configuring Passwords”.
Unless required for a particular network topology, the IP Forward setting should be set to Disabled to prevent
the routing of packets.
NOTE
For configuration compatibility reasons, the configured setting will not change when upgrading from
RUGGEDCOM ROS versions older than v4.2.0 to v4.2.0 and newer. This setting is always enabled and
cannot be configured on versions before v4.2.0. For new units with firmware v4.2.0 or higher, this
setting is configurable and disabled by default.
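The password recommendations under Authentication above and the SNMPv3 key recommendation under Hardware/Software ask for the same properties: no repeated characters, no repetitive strings such as abcabc, no sequential runs such as abcdefgh or 123456789, no dictionary words, and high entropy. The following added Python checker turns those recommendations into a pre-deployment check; it is illustrative code, not the ROS password-requirement logic of Section 6.1. The minimum length, the small dictionary stand-in, the run length treated as "repetition of characters", and the 40-bit entropy floor are constructed assumptions; the weak-password examples are the ones named in the guide.

```python
"""Secret-strength checks mirroring the guide's password and SNMPv3 key
recommendations (added example, not RUGGEDCOM ROS code). Thresholds and the
dictionary stand-in are constructed assumptions."""
import math
import re
import string

MIN_LENGTH = 8                                        # assumption, not the ROS rule
WEAK_LIST = {"password1", "123456789", "abcdefgh"}    # examples named in the guide
DICTIONARY = {"password", "admin", "siemens", "ruggedcom", "welcome"}  # constructed stand-in


def has_repeated_run(s, run=3):
    """True if any character repeats `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_repeated_substring(s, min_unit=2):
    """True if s is some unit repeated two or more times ('abcabc', '1212')."""
    for unit in range(min_unit, len(s) // 2 + 1):
        if len(s) % unit == 0 and s[:unit] * (len(s) // unit) == s:
            return True
    return False


def is_sequential(s, min_len=4):
    """True if s contains a straight ascending run ('abcd', '1234') of min_len chars."""
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len].lower()
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(min_len - 1)):
            return True
    return False


def entropy_bits(s):
    """Rough entropy estimate: log2(alphabet size) per character, alphabet
    being the union of the character classes actually used."""
    pool = 0
    if any(c.islower() for c in s):
        pool += 26
    if any(c.isupper() for c in s):
        pool += 26
    if any(c.isdigit() for c in s):
        pool += 10
    if any(c in string.punctuation for c in s):
        pool += len(string.punctuation)
    return len(s) * math.log2(pool) if pool else 0.0


def check_secret(s, min_bits=40):
    """Return the list of violated recommendations; an empty list means acceptable."""
    problems = []
    low = s.lower()
    if len(s) < MIN_LENGTH:
        problems.append("too short")
    if low in WEAK_LIST:
        problems.append("known weak password")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if has_repeated_run(s):
        problems.append("repeated characters")
    if has_repeated_substring(low):
        problems.append("repetitive string (e.g. abcabc)")
    if is_sequential(low):
        problems.append("sequential characters (e.g. abcd, 1234)")
    if entropy_bits(s) < min_bits:
        problems.append("low entropy")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the guide's weak examples plus one acceptable value.
    for candidate in ["password1", "abcabc", "123456789", "Tq7#vL9m!Rx2"]:
        print(repr(candidate), "->", check_secret(candidate) or "acceptable")
```

The entropy estimate is deliberately crude (it credits a character class only when it is used and ignores structure), which is why the structural checks for runs, repeats and sequences are applied separately: a long value built from abcabc repeats can score well on raw entropy while still being exactly what the guide tells you to avoid.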
Policy
Periodically audit the device to make sure it complies with these recommendations and/or any internal security
policies.
Review the user documentation for other Siemens products used in coordination with device for further security
recommendations.
Section1.3
Controlled vs. Non-Controlled
RUGGEDCOM ROS devices are available as either Controlled (C) or Non-Controlled (NC).
Controlled switches feature a variety of encryption capabilities.
Non-controlled switches have limited encryption capabilities.
To determine if a device is classified as controlled or non-controlled, navigate to Diagnostics » View Product
Information. The Classification parameter on the Product Information form indicates if the device is
controlled or non-controlled.
Figure 1: Product Information Form (Example)
1. MAC Address Box 2. Order Code Box 3. Classification Box 4. Serial Number Box 5. Boot Version Box 6. Main Version Box
7. Required Boot Box 8. Hardware ID Box 9. Reload Button
A non-controlled device can be converted to a controlled device by uploading the applicable controlled firmware
version. For more information about uploading firmware to the device, refer to Section 4.11.1, “Upgrading
Firmware”.
Section1.4
Supported Networking Standards
The following networking standards are supported by RUGGEDCOM ROS:
Standard 10 Mbps Ports 100 Mbps Ports 1000 Mbps Ports Notes
IEEE 802.3x ü ü ü Full Duplex Operation
IEEE 802.3z ü1000Base-LX
IEEE 802.3ab ü1000Base-Tx
IEEE 802.1D ü ü ü MAC Bridges
IEEE 802.1Q ü ü ü VLAN (Virtual LAN)
IEEE 802.1p ü ü ü Priority Levels
Section1.5
Port Numbering Scheme
For quick identification, each port on a RUGGEDCOM RS969/M969 device is assigned a number. All port numbers
are silk-screened on the device.
2
1
3
5
7
9
10
4
6
8
Figure2:RUGGEDCOM RS969/M969 Port Numbering (Typical)
Use these numbers to configure applicable features on select ports.
Section1.6
Available Services by Port
The following table lists the services available under RUGGEDCOM ROS. This table includes the following
information:
Services
The service supported by the device.
Port Number
The port number associated with the service.
Port Open
The port state, whether it is always open and cannot be closed, or open only, but can be configured.
NOTE
In certain cases, the service might be disabled, but the port can still be open (e.g. TFTP).
Port Default
The default state of the port (i.e. open or closed).
Access Authorized
Denotes whether the ports/services are authenticated during access.
Services             Port Number                              Service Enabled/Disabled    Access Authorized   Note
Telnet               TCP/23                                   Disabled                    Yes                 Only available through management interfaces.
HTTP                 TCP/80                                   Enabled, redirects to 443                       Only redirects to 443 on Controlled versions
HTTPS                TCP/443                                  Enabled (configurable)      Yes                 Only applicable to Controlled versions
RSH                  TCP/514                                  Disabled (configurable)     Yes                 Only available through management interfaces.
TFTP                 UDP/69                                   Disabled (configurable)     No                  Only available through management interfaces.
SFTP                 TCP/22                                   Enabled                     Yes                 Only available through management interfaces.
SNMP                 UDP/161                                  Disabled (configurable)     Yes                 Only available through management interfaces.
SNTP                 UDP/123                                  Enabled (configurable)      No                  Only available through management interfaces.
SSH                  TCP/22                                   Enabled                     Yes                 Only available through management interfaces.
ICMP                                                          Enabled                     No
TACACS+              TCP/49 (configurable)                    Disabled (configurable)     Yes
RADIUS               UDP/1812 to send (configurable); opens   Disabled (configurable)     Yes                 Only available through management interfaces.
                     a random port to listen on
Remote Syslog        UDP/514 (configurable)                   Disabled (configurable)     No                  Only available through management interfaces.
TCP Modbus (Server)  TCP/502                                  Disabled (configurable)     No                  Only available through management interfaces.
TCP Modbus (Switch)  TCP/502                                  Disabled (configurable)     No
DHCP, DHCP Agent     UDP/67, 68; messages are sent if         Disabled (configurable)     No
                     enabled; received messages always
                     come to the CPU and are dropped if
                     the service is not configured
RCDP                                                          Enabled (configurable)      Yes
Using ROS
This chapter describes how to use RUGGEDCOM ROS.
CONTENTS
Section2.1, “Logging In”
Section2.2, “Logging Out”
Section2.3, “Using the Web Interface”
Section2.4, “Using the Console Interface”
Section2.5, “Using the Command Line Interface”
Section2.6, “Selecting Ports in RUGGEDCOM ROS”
Section2.7, “Managing the Flash File System”
Section2.8, “Accessing BIST Mode”
Section2.1
Logging In
To log in to the device, do the following:
1. Connect to the device either directly or through a Web browser. For more information about how to connect
to the device, refer to Section3.1, “Connecting to ROS”.
Once the connection is established, the login form appears.
Figure 3: SSH Login Screen (Console Interface)
1. User Name Box 2. Password Box
Figure 4: Login Screen (Web Interface)
1. Username Box 2. Password Box 3. Submit Button
NOTE
The following default user names and passwords are set on the device for each user type:
Guest
User Name: guest
Password: guest
Operator
User Name: operator
Password: operator
Admin
User Name: admin
Password: admin
CAUTION!
To prevent unauthorized access to the device, make sure to change the default guest, operator,
and admin passwords before commissioning the device.
For more information about changing passwords, refer to Section6.1, “Configuring Passwords”.
2. In the User Name field, type the user name for an account set up on the device.
3. In the Password field, type the password for the account.
4. Press Enter or click Submit (Web interface only).
Section2.2
Logging Out
To log out of the device, navigate to the main screen and do the following:
To log out of the Console or secure shell interfaces, press CTRL + X.
To log out of the Web interface, click Logout.
Figure 5: Web Interface (Example)
1. Logout
NOTE
If any pending configuration changes have not been committed, RUGGEDCOM ROS will request
confirmation before discarding the changes and logging out of the device.
Section2.3
Using the Web Interface
The Web interface is a Web-based Graphical User Interface (GUI) for displaying important information and controls
in a Web browser. The interface is divided into three frames: the banner, the menu and the main frame.
Figure 6: Web Interface Layout (Example)
1. Top Frame 2. Side Frame 3. Main Frame
Frame   Description
Top     The top frame displays the system name for the device.
Side    The side frame contains a logout option and a collapsible list of links that open various
        screens in the main frame. For information about logging out of RUGGEDCOM ROS, refer to
        Section2.2, “Logging Out”.
Main    The main frame displays the parameters and/or data related to the selected feature.
Each screen consists of a title, the current user's access level, parameters and/or data (in form or table format),
and controls (e.g. add, delete, refresh, etc.). The title provides access to context-specific Help for the screen that
provides important information about the available parameters and/or data. Click on the link to open the Help
information in a new window.
When an alarm is generated, an alarm notification replaces the current user's access level on each screen until
the alarm is cleared. The notification indicates how many alarms are currently active. For more information about
alarms, refer to Section5.4, “Managing Alarms”.
Figure 7: Elements of a Typical Screen (Example)
1. Title 2. Parameters and/or Data 3. Access Level or Alarm Notification 4. Controls
NOTE
If desired, the web interface can be disabled. For more information, refer to Section5.3, “Enabling/
Disabling the Web Interface”.
Section2.4
Using the Console Interface
The Console interface is a Graphical User Interface (GUI) organized as a series of menus. It is primarily accessible
through a serial console connection, but can also be accessed through IP services, such as a Telnet, RSH (Remote
Shell), SSH (Secure Shell) session, or SSH remote command execution.
NOTE
IP services can be restricted to control access to the device. For more information, refer to Section4.9,
“Configuring IP Services”.
Each screen consists of a system identifier, the name of the current menu, and a command bar. Alarms are also
indicated on each screen in the upper right corner.
Figure 8: Console Interface (Example)
1. System Identification 2. Menus 3. Command Bar 4. Menu Name 5. Alarms Indicator
NOTE
The system identifier is user configurable. For more information about setting the system name, refer
to Section5.1, “Configuring the System Information”.
Navigating the Interface
Use the following controls to navigate between screens in the Console interface:
Enter Select a menu item and press Enter to enter the sub-menu or screen beneath.
Esc Press Esc to return to the previous screen.
Configuring Parameters
Use the following controls to select and configure parameters in the Console interface:
Up/Down Arrow Keys Use the up and down arrow keys to select parameters.
Enter Select a parameter and press Enter to start editing a parameter. Press Enter again to commit the change.
Esc When editing a parameter, press Esc to abort all changes.
Commands
The command bar lists the various commands that can be issued in the Console interface. Some commands are
specific to select screens. The standard commands include the following:
Ctrl + A Commits configuration changes made on the current screen.
NOTE
Before exiting a screen, RUGGEDCOM ROS will automatically prompt the user to save any changes
that have not been committed.
Ctrl + I Inserts a new record.
Ctrl + L Deletes a record.
Ctrl + S Opens the CLI interface.
Ctrl + X Terminates the current session. This command is only available from the main menu.
Ctrl + Z Displays important information about the current screen or selected parameter.
Section2.5
Using the Command Line Interface
The Command Line Interface (CLI) offers a series of powerful commands for updating RUGGEDCOM ROS,
generating certificates/keys, tracing events, troubleshooting and much more. It is accessed via the Console
interface by pressing Ctrl-S.
CONTENTS
Section2.5.1, “Available CLI Commands”
Section2.5.2, “Tracing Events”
Section2.5.3, “Executing Commands Remotely via RSH”
Section2.5.4, “Using SQL Commands”
Section2.5.1
Available CLI Commands
The following commands are available at the command line:
Command Description Authorized Users
alarms all Displays a list of available alarms.
Optional and/or required parameters include:
all displays all available alarms
Guest, Operator, Admin
arp Displays the IP to MAC address resolution table. Admin
clearalarms Clears all alarms. Operator, Admin
clearethstats [ all | port ]
Clears Ethernet statistics for one or more ports.
Optional and/or required parameters include:
all clears statistics for all ports
port is a comma separated list of port numbers (e.g. 1,3-5,7)
Operator, Admin
clearlogs Clears the system and crash logs. Admin
clrcblstats [ all | port ]
Clears cable diagnostics statistics for one or more ports.
Optional and/or required parameters include:
all clears statistics for all ports
port is a comma separated list of port numbers (e.g. 1,3-5,7)
Admin
clrstpstats Clears all spanning tree statistics. Operator, Admin
cls Clears the screen. Guest, Operator, Admin
dir Prints the directory listing. Guest, Operator, Admin
exit Terminates the session. Guest, Operator, Admin
factory Enables factory mode, which includes several factory-level
commands used for testing and troubleshooting. Only available to
admin users.
CAUTION!
Misuse of the factory commands may corrupt the
operational state of device and/or may permanently
damage the ability to recover the device without
manufacturer intervention.
Admin
flashfiles { info filename | defrag }
A set of diagnostic commands to display information about the Flash
filesystem and to defragment Flash memory.
Optional and/or required parameters include:
info filename displays information about the specified file in
the Flash file system
defrag defragments files in the Flash file system
For more information about the flashfiles command, refer to
Section2.7, “Managing the Flash File System”.
Admin
flashleds timeout Flashes the LED indicators on the device for a specified number of
seconds.
Optional and/or required parameters include:
timeout is the number of seconds to flash the LED indicators. To
stop the LEDs from flashing, set the timeout period to 0 (zero).
Admin
fpgacmd Provides access to the FPGA management tool for troubleshooting
time synchronization.
Admin
help command Displays a brief description of the specified command. If no
command is specified, it displays a list of all available commands,
including a description for each.
Optional and/or required parameters include:
command is the command name.
Guest, Operator, Admin
ipconfig Displays the current IP address, subnet mask and default gateway.
This command provides the only way of determining these values
when DHCP is used.
Guest, Operator, Admin
loaddflts Loads the factory default configuration. Admin
logout Logs out of the shell. Guest, Operator, Admin
logs Displays syslog entries in CLI shell. Admin
passwd user_name new_password
Changes the selected user's password.
Optional and/or required parameters include:
user_name is an existing user_name in RUGGEDCOM ROS.
new_password is the new password that will replace the existing
password of the selected user.
This command is unavailable in Telnet sessions.
Admin
ping address { count | timeout }
Sends an ICMP echo request to a remotely connected device.
For each reply received, the round trip time is displayed. Use this
command to verify connectivity to the next connected device.
It is a useful tool for testing commissioned links. This command
also includes the ability to send a specific number of pings with a
specified time for which to wait for a response.
Optional and/or required parameters include:
address is the target IP address.
count is the number of echo requests to send. The default is 4.
timeout is the time in milliseconds to wait for each reply. The
range is 2 to 5000 seconds. The default is 300 milliseconds.
NOTE
The device to be pinged must support ICMP echo.
Upon commencing the ping, an ARP request for the
MAC address of the device is issued. If the device to
be pinged is not on the same network as the device
pinging the other device, the default gateway must be
programmed.
Guest, Operator, Admin
purgemac Purges the MAC Address table. Operator, Admin
random Displays seeds or random numbers. Admin
reset Performs a hard reset of the switch. Operator, Admin
resetport { all | ports }
Resets one or more Ethernet ports, which may be useful for forcing
re-negotiation of speed and duplex, or in situations where the link
partner has latched into an inappropriate state.
Optional and/or required parameters include:
all resets all ports
ports is a comma separated list of port numbers (e.g. 1,3-5,7)
Operator, Admin
rmon Displays the names of all RMON alarm eligible objects. Guest, Operator, Admin
route Displays the gateway configuration. Guest, Operator, Admin
sfp port { base | alarms | diag | calibr | thr | all | no parameter specified }
Displays SFP (Small Form Factor Pluggable) device information and
diagnostics. If optional or required parameters are not used, this
command displays the base and extended information.
Optional and/or required parameters include:
port is the port number for which the data are required
base displays the base information
alarms displays alarms and warning flags
diag displays measured data
calibr displays calibration data for external calibration
thr displays thresholds data
all displays all diagnostic data
Admin
sql { default | delete | help | info | insert | save | select | update }
Provides an SQL-like interface for manipulating all system
configuration and status parameters. All commands, clauses, table,
and column names are case insensitive.
Admin
Optional and/or required parameters include:
default sets all records in a table(s) to factory defaults
delete allows for records to be deleted from a table
help provides a brief description for any SQL command or clause
info displays a variety of information about the tables in the
database
insert enables new records to be inserted into a table
save saves the database to non-volatile memory storage
select queries the database and displays selected records
update enables existing records in a table to be updated
For more information about the sql command, refer to
Section2.5.4, “Using SQL Commands”.
sshkeygen [ rsa | dsa ] [ 1024 | 2048 | 3072 ] N
Generates new RSA or DSA keys in ssh.keys. Keys can be either
1024, 2048 or 3072 bits long.
Admin
sshpubkey Lists, removes and updates key entries in the sshpub.keys file. Admin
sslkeygen keytype N Generates a new SSL certificate in ssl.crt.
Optional and/or required parameters include:
keytype is the type of key, either rsa or ecc
N is the number of bits in length. For RSA keys, the allowable sizes
are 1024, 2048 or 3072. For ECC keys, the allowable sizes are 192,
224, 256, 384, or 521.
Admin
telnet dest Opens a telnet session. Press Ctrl-C to close the session.
Optional and/or required parameters include:
dest is the server's IP address
Guest, Operator, Admin
tftp address [ put | get ] source target
Opens a TFTP session. Press Ctrl-C to close the session.
Optional and/or required parameters include:
address is the IP address of the remote TFTP server
put indicates TFTP will be uploading the source file to replace the
destination file
get indicates TFTP will be downloading the source file to replace
the destination file
source is the name of the source file
target is the name of the file that will be replaced
Admin
trace Starts event tracing. Run trace ? for more help. Operator, Admin
type filename Displays the contents of a text file.
Optional and/or required parameters include:
filename is the name of the file to be read
Guest, Operator, Admin
usermod { -b | -r username | old_user_name new_user_name }
A set of commands to display, remove and change existing
usernames.
Optional and/or required parameters include:
-b browses through the existing user names in RUGGEDCOM ROS.
-r username removes a specified user name to disable the
account
old_user_name and new_user_name define the user name to
be changed
This command is unavailable in Telnet sessions.
Admin
version Prints the software version. Guest, Operator, Admin
xmodem { send | receive } filename
Opens an XModem session.
Optional and/or required parameters include:
send sends the file to the client.
receive receives the file from the client.
filename is the name of the file to be read.
Operator, Admin
Section2.5.2
Tracing Events
The CLI trace command provides a means to trace the operation of various protocols supported by the device.
Trace provides detailed information, including STP packet decodes, IGMP activity and MAC address displays.
NOTE
Tracing has been designed to provide detailed information to expert users. Note that all tracing is
disabled upon device startup.
To trace an event, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
2. Determine the protocols and associated options available by typing:
trace ?
If an option such as allon or alloff is required, determine which options are available for the desired
protocol by typing:
trace protocol ?
NOTE
If required, expand the trace scope by stringing protocols and their associated options together
using a vertical bar (|).
3. Select the type of trace to run by typing:
trace protocol option
Where:
protocol is the protocol to trace
option is the option to use during the trace
Example:
>trace transport allon
TRANSPORT: Logging is enabled
4. Start the trace by typing:
trace
Section2.5.3
Executing Commands Remotely via RSH
The Remote Shell (RSH) facility can be used from a workstation to cause the product to act upon commands as if
they were entered at the CLI prompt. The syntax of the RSH command is usually of the form:
rsh ipaddr -l auth_token command_string
Where:
ipaddr is the address or resolved name of the device.
auth_token is the user name (i.e. guest, operator or admin) and corresponding password separated by a
comma. For example, admin,secret.
command_string is the RUGGEDCOM ROS CLI command to execute.
NOTE
The access level (corresponding to the user name) selected must support the given command.
NOTE
Any output from the command will be returned to the workstation submitting the command.
Commands that start interactive dialogs (such as trace) cannot be used.
Section2.5.4
Using SQL Commands
RUGGEDCOM ROS provides an SQL-like command facility that allows expert users to perform several operations
not possible under the traditional Web or CLI interface. For instance:
Restoring the contents of a specific table, but not the whole configuration, to their factory defaults.
Search tables in the database for specific configurations.
Make changes to tables predicated upon existing configurations.
When combined with RSH, SQL commands provide a means to query and configure large numbers of devices from
a central location.
NOTE
For a list of parameters available under the sql command, refer to Section2.5.1, “Available CLI
Commands”.
NOTE
Read/write access to tables containing passwords or shared secrets is unavailable using SQL
commands.
CONTENTS
Section2.5.4.1, “Finding the Correct Table”
Section2.5.4.2, “Retrieving Information”
Section2.5.4.3, “Changing Values in a Table”
Section2.5.4.4, “Resetting a Table”
Section2.5.4.5, “Using RSH and SQL”
Section2.5.4.1
Finding the Correct Table
Many SQL commands operate upon specific tables in the database, and require the table name to be specified.
Navigating the menu system in the console interface to the desired menu and pressing Ctrl-Z displays the name of
the table. The menu name and the corresponding database table name will be cited.
Another way to find a table name is to type the following in the CLI:
sql info tables
This command also displays menu names and their corresponding database table names depending upon the
features supported by the device. For example:
Table Description
-------------------------------------------------------------------------------
alarms Alarms
cpuDiags CPU Diagnostics
ethPortCfg Port Parameters
ethPortStats Ethernet Statistics
ethPortStatus Port Status
ipCfg IP Services
Section2.5.4.2
Retrieving Information
The following describes various methods for retrieving information about tables and parameters.
Retrieving Information from a Table
Use the following command to display a summary of the parameters within a table, as well as their values:
sql select from table
Where:
table is the name of the table
Example:
>sql select from ipAddrtable
IP Address Subnet IfIndex IfStats IfTime IfName
172.30.146.88 255.255.224.0 1001 17007888 2994 vlan1
1 records selected
Retrieving Information About a Parameter from a Table
Use the following command to retrieve information about a specific parameter from a table:
NOTE
The parameter name must be the same as it is displayed in the menu system, unless the name contains
spaces (e.g. ip address). Spaces must be replaced with underscores (e.g. ip_address) or the parameter
name must be wrapped in double quotes (e.g. "ip address").
sql select parameter from table
Where:
parameter is the name of the parameter
table is the name of the table
Example:
>sql select "ip address" from ipSwitchIfCfg
IP Address
192.168.0.1
1 records selected
Retrieving Information from a Table Using the Where Clause
Use the following command to display specific parameters from a table that have a specific value:
sql select from table where parameter = value
Where:
table is the name of the table
parameter is the name of the parameter
value is the value of the parameter
Example:
>sql select from ethportcfg where media = 1000T
Port Name ifName Media State AutoN Speed Dupx FlowCtrl LFI Alarm
1 Port 1 1 1000T Enabled On Auto Auto Off Off On
2 Port 2 2 1000T Enabled On Auto Auto Off Off On
3 Port 3 3 1000T Enabled On Auto Auto Off Off On
4 Port 4 4 1000T Enabled On Auto Auto Off Off On
4 records selected
Further refine the results by combining conditions with the and and or operators:
sql select from table where parameter = value [ { and | or } parameter = value ... ]
Where:
table is the name of the table
parameter is the name of the parameter
value is the value of the parameter
Example:
>sql select from ethportcfg where media = 1000T and State = enabled
Port Name ifName Media State AutoN Speed Dupx FlowCtrl LFI Alarm
1 Port 1 1 1000T Enabled On Auto Auto Off Off On
2 Port 2 2 1000T Enabled On Auto Auto Off Off On
3 Port 3 3 1000T Enabled On Auto Auto Off Off On
4 Port 4 4 1000T Enabled On Auto Auto Off Off On
4 records selected
Section2.5.4.3
Changing Values in a Table
Use the following command to change the value of parameters in a table:
sql update table set parameter = value
Where:
table is the name of the table
parameter is the name of the parameter
value is the value of the parameter
Example:
>sql update iplcfg set IP_Address_Type = static
1 records updated
Conditions can also be included in the command to apply changes only to parameters that meet specific criteria.
In the following example, flow control is enabled on ports that are operating in 100 Mbps full-duplex mode with
flow control disabled:
>sql update ethportcfg set FlowCtrl = Off where ( Media = 100TX and FlowCtrl = On )
2 records updated
Section2.5.4.4
Resetting a Table
Use the following command to reset a table back to its factory defaults:
sql default into table
Where:
table is the name of the table
Section2.5.4.5
Using RSH and SQL
The combination of remote shell scripting and SQL commands offers a means to interrogate and maintain a
large number of devices. Consistency of configuration across sites may be verified by this method. The following
presents a simple example where the devices to interrogate are drawn from the file Devices:
C:\> type Devices
10.0.1.1
10.0.1.2
C:\> for /F %i in (devices) do rsh %i -l admin,admin sql select from ipAddrtable
C:\>rsh 10.0.1.1 -l admin,admin sql select from ipAddrtable
IP Address Subnet IfIndex IfStats IfTime IfName
192.168.0.31 255.255.255.0 1001 274409096 2218 vlan1
1 records selected
C:\>rsh 10.0.1.2 -l admin,admin sql select from ipAddrtable
0 records selected
C:\>
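The RSH loop above returns one text table per device. The following Python, an added example and not Siemens code, parses that sql select output (Section 2.5.4.2) and flags devices that return no records or disagree with the majority on a chosen column, which is the consistency check this section describes. It assumes the console prints fixed-width columns with titles separated by two or more spaces and ending in the "N records selected" trailer; the device outputs are constructed from this guide's examples, and rsh_command only builds the command line.

```python
"""Parse the text a RUGGEDCOM ROS 'sql select' returns and compare one column
across many devices, as collected by the RSH loop in Section 2.5.4.5.
Added example, not Siemens code.  Assumptions: fixed-width console columns,
each title left-aligned over its values, titles separated by two or more
spaces, and the 'N records selected' trailer shown in the guide; a multi-row
table is compared on its first row.  Device outputs below are constructed."""
from collections import Counter
from typing import Dict, List
import re

TRAILER = re.compile(r"^\s*(\d+) records selected\s*$")


def rsh_command(device: str, user: str, password: str, sql: str) -> List[str]:
    """argv for 'rsh device -l user,password sql ...' as used in the guide;
    run it with subprocess.run(..., capture_output=True) to obtain the text."""
    return ["rsh", device, "-l", f"{user},{password}"] + sql.split()


def _column_bounds(header: str) -> List[tuple]:
    """(start, end) slice for each column, taken from the title positions.
    A run of two or more spaces separates titles; a single space stays
    inside a title such as 'IP Address'."""
    starts = [0] + [m.end() for m in re.finditer(r" {2,}(?=\S)", header)]
    return list(zip(starts, starts[1:] + [None]))


def parse_select(output: str) -> List[Dict[str, str]]:
    """Turn the table into a list of {column: value} records.  Raises
    ValueError when the trailer is missing or its count disagrees with the
    rows found, so a truncated transfer is not mistaken for data."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty output")
    m = TRAILER.match(lines[-1])
    if not m:
        raise ValueError("missing 'records selected' trailer")
    expected = int(m.group(1))
    if expected == 0:          # the device prints no header for an empty result
        return []
    header, rows = lines[0], lines[1:-1]
    bounds = _column_bounds(header)
    names = [header[a:b].strip() for a, b in bounds]
    records = [{n: row[a:b].strip() for n, (a, b) in zip(names, bounds)}
               for row in rows]
    if len(records) != expected:
        raise ValueError(f"trailer says {expected} records, found {len(records)}")
    return records


def find_outliers(outputs: Dict[str, str], column: str) -> Dict[str, str]:
    """device -> reason, for every device whose output cannot be parsed,
    holds no records, lacks the column, or disagrees with the value most
    devices report.  Silent devices are reported, not skipped."""
    problems: Dict[str, str] = {}
    values: Dict[str, str] = {}
    for device, text in outputs.items():
        try:
            records = parse_select(text)
        except ValueError as err:
            problems[device] = f"unparsable output: {err}"
            continue
        if not records:
            problems[device] = "no records"
        elif column not in records[0]:
            problems[device] = f"no column {column!r}"
        else:
            values[device] = records[0][column]
    if values:
        majority = Counter(values.values()).most_common(1)[0][0]
        for device, value in values.items():
            if value != majority:
                problems[device] = f"{column}={value!r}, majority is {majority!r}"
    return problems


def _console_table(header, *rows, widths=(17, 17, 9, 11, 8)) -> str:
    """Pad cells to fixed widths as the console does (constructed sample; the
    guide's printed examples have had that spacing collapsed)."""
    lines = ["".join(c.ljust(w) for c, w in zip(cells, widths)) + cells[-1]
             for cells in (header, *rows)]
    lines.append(f"{len(rows)} records selected")
    return "\n".join(lines) + "\n"


HEADER = ("IP Address", "Subnet", "IfIndex", "IfStats", "IfTime", "IfName")
SAMPLE_OUTPUTS = {  # constructed from the guide's ipAddrtable examples
    "10.0.1.1": _console_table(HEADER, ("192.168.0.31", "255.255.255.0",
                                        "1001", "274409096", "2218", "vlan1")),
    "10.0.1.2": "0 records selected\n",
    "10.0.1.3": _console_table(HEADER, ("172.30.146.88", "255.255.224.0",
                                        "1001", "17007888", "2994", "vlan1")),
    "10.0.1.4": _console_table(HEADER, ("192.168.0.32", "255.255.255.0",
                                        "1001", "274409096", "2218", "vlan1")),
}

if __name__ == "__main__":
    for device, reason in sorted(find_outliers(SAMPLE_OUTPUTS, "Subnet").items()):
        print(f"{device}: {reason}")
```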
Section2.6
Selecting Ports in RUGGEDCOM ROS
Many features in ROS can be configured for one or more ports on the device. The following describes how to
specify a single port, a range of ports, or all ports.
Select a single port by specifying the port number:
2
Select a range of ports using a dash (-) between the first port and the last port in the list:
1-4
Select multiple ports by defining a comma-separated list:
1,4,6,9
Use the All option to select all ports in the device, or, if available, use the None option to select none of the
ports.
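A parser for the port selection syntax just described, added here as an example (not RUGGEDCOM ROS code): it expands a selection into port numbers and renders a set back into the same syntax for use in scripted commands. The All and None keywords and the ten-port RS969/M969 count come from this guide; case-insensitive keywords and the rejection rules are assumptions.

```python
"""Expand a RUGGEDCOM ROS port selection ('2', '1-4', '1,4,6,9', '1,3-5,7',
'All', 'None') into the port numbers it names, and render a set of ports
back into that syntax.  Added example, not Siemens code.  The keywords All
and None and the ten ports of an RS969/M969 come from the guide; the
case-insensitive keywords and the rejection of reversed, out-of-range and
malformed items are assumptions made here."""
import re
from typing import Set

RS969_PORTS = 10  # ports 1-10, as numbered in Figure 2
ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_ports(spec: str, port_count: int = RS969_PORTS) -> Set[int]:
    """Set of port numbers selected by spec; ValueError for anything the
    device would not accept, so a typo does not silently select nothing."""
    text = spec.strip()
    if text.lower() == "all":
        return set(range(1, port_count + 1))
    if text.lower() == "none":
        return set()
    ports: Set[int] = set()
    for raw in text.split(","):
        item = raw.strip()
        m = ITEM.match(item)
        if not m:
            raise ValueError(f"malformed port item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        if lo < 1 or hi > port_count:
            raise ValueError(f"{item!r} is outside ports 1-{port_count}")
        ports.update(range(lo, hi + 1))
    return ports


def compress_ports(ports: Set[int]) -> str:
    """Inverse of expand_ports: {1, 3, 4, 5, 7} -> '1,3-5,7'.  Useful when a
    script builds the port argument for commands such as clearethstats."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current consecutive run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


if __name__ == "__main__":
    for spec in ("2", "1-4", "1,4,6,9", "1,3-5,7", "All", "None"):
        print(f"{spec!r} -> {sorted(expand_ports(spec))}")
```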
Section2.7
Managing the Flash File System
This section describes how to manage the file system.
CONTENTS
Section2.7.1, “Viewing a List of Flash Files”
Section2.7.2, “Viewing Flash File Details”
Section2.7.3, “Defragmenting the Flash File System”
Section2.7.1
Viewing a List of Flash Files
To view a list of files currently stored in Flash memory, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
2. Type flashfiles. A list of files currently in Flash memory is displayed, along with their locations and the
amount of memory they consume. For example:
>flashfiles
-----------------------------------------------------------------
Filename Base Size Sectors Used
-----------------------------------------------------------------
boot.bin 00000000 110000 0-16 1095790
main.bin 00110000 140000 17-36 1258403
syslog.txt 00260000 140000 38-57 19222
.
.
.
-----------------------------------------------------------------
Section2.7.2
Viewing Flash File Details
To view the details of a file currently stored in Flash memory, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
2. Display information about a file by typing:
flashfiles info filename
Where:
filename is the name of the file stored in Flash memory
Details, similar to the following, are displayed.
>flashfiles info main.bin
Flash file information for main.bin:
Header version : 4
Platform : ROS-CF52
File name : main.bin
Firmware version : v4.3.0
Build date : Sep 27 2014 15:50
File length : 2624659
Board IDs : 3d
Header CRC : 73b4
Header CRC Calc : 73b4
Body CRC : b441
Body CRC Calc : b441
Section2.7.3
Defragmenting the Flash File System
The flash memory is defragmented automatically whenever there is not enough memory available for a binary
upgrade. However, fragmentation can occur whenever a new file is uploaded to the unit. Fragmentation causes
sectors of available memory to become separated by ones allocated to files. In some cases, the total available
memory might be sufficient for a binary upgrade, but that memory may not be available in one contiguous region.
To defragment the flash memory, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
2. Defragment the flash memory by typing:
flashfiles defrag
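An added example (not Siemens code) that parses a flashfiles listing as shown in Section 2.7.1 to find unallocated sectors lying between files, which is the fragmentation just described, and checks the stored against the recalculated CRCs in a flashfiles info report from Section 2.7.2. It assumes a 64 KiB sector (the listing puts 0x110000 bytes in sectors 0-16) and uses samples constructed from this guide's output, with one CRC altered to show a failing check.

```python
"""Check a RUGGEDCOM ROS 'flashfiles' listing for fragmentation and a
'flashfiles info' report for CRC consistency.  Added example, not Siemens
code.  Assumptions: a 64 KiB sector (the guide's listing holds 0x110000
bytes in sectors 0-16) and the line layouts printed in Section 2.7; both
samples are constructed from the guide's text, the CRC mismatch invented."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 0x10000  # assumption: 0x110000 bytes / 17 sectors
ROW = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)"
                 r"\s+(\d+)-(\d+)\s+(\d+)\s*$")


@dataclass
class FlashFile:
    name: str
    base: int    # byte offset in Flash (hex in the listing)
    size: int    # bytes reserved (hex in the listing)
    first: int   # first sector
    last: int    # last sector
    used: int    # bytes actually used (decimal in the listing)


def parse_listing(text: str) -> List[FlashFile]:
    """Rows of the 'flashfiles' table; rulers, the title row and the '.'
    continuation lines do not match ROW and are skipped."""
    files = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, base, size, first, last, used = m.groups()
            files.append(FlashFile(name, int(base, 16), int(size, 16),
                                   int(first), int(last), int(used)))
    return files


def check_listing(files: List[FlashFile]) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Return (inconsistencies, free gaps).  A gap is a run of unallocated
    sectors between two files: free memory that is not contiguous, which
    Section 2.7.3 says can block an upgrade until a defrag."""
    problems = []
    for f in files:
        if f.base != f.first * SECTOR:
            problems.append(f"{f.name}: base {f.base:#x} is not sector {f.first}")
        if f.size != (f.last - f.first + 1) * SECTOR:
            problems.append(f"{f.name}: size {f.size:#x} != sectors {f.first}-{f.last}")
        if f.used > f.size:
            problems.append(f"{f.name}: used {f.used} exceeds size {f.size}")
    gaps = []
    ordered = sorted(files, key=lambda f: f.first)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.first <= prev.last:
            problems.append(f"{prev.name} and {nxt.name} overlap")
        elif nxt.first > prev.last + 1:
            gaps.append((prev.last + 1, nxt.first - 1))
    return problems, gaps


def parse_info(text: str) -> Dict[str, str]:
    """'Key : value' lines of a 'flashfiles info' report."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def crc_mismatches(fields: Dict[str, str]) -> List[str]:
    """CRC pairs whose stored and recalculated values differ or are absent;
    a mismatch means the image in Flash is not what its header describes."""
    bad = []
    for part in ("Header CRC", "Body CRC"):
        stored, calc = fields.get(part), fields.get(part + " Calc")
        if stored is None or calc is None or stored.lower() != calc.lower():
            bad.append(part)
    return bad


LISTING = """\
-----------------------------------------------------------------
Filename        Base       Size     Sectors   Used
-----------------------------------------------------------------
boot.bin        00000000   110000   0-16      1095790
main.bin        00110000   140000   17-36     1258403
syslog.txt      00260000   140000   38-57     19222
.
-----------------------------------------------------------------
"""
INFO_OK = """\
Flash file information for main.bin:
Header version : 4
Platform : ROS-CF52
File name : main.bin
Firmware version : v4.3.0
Build date : Sep 27 2014 15:50
File length : 2624659
Board IDs : 3d
Header CRC : 73b4
Header CRC Calc : 73b4
Body CRC : b441
Body CRC Calc : b441
"""
INFO_BAD = INFO_OK.replace("Body CRC Calc : b441", "Body CRC Calc : 0000")  # constructed

if __name__ == "__main__":
    problems, gaps = check_listing(parse_listing(LISTING))
    print("problems:", problems or "none")
    print("free gaps (sectors):", gaps or "none")
    print("CRC mismatches:", crc_mismatches(parse_info(INFO_BAD)) or "none")
```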
Section2.8
Accessing BIST Mode
BIST (Built-In-Self-Test) mode is used by service technicians to test and configure internal functions of the device.
It should only be accessed for troubleshooting purposes.
CAUTION!
Mechanical hazard – risk of damage to the device. Excessive use of BIST functions may cause increased
wear on the device, which may void the warranty. Avoid using BIST functions unless instructed by a
Siemens Customer Support representative.
To access BIST mode, do the following:
IMPORTANT!
Do not connect the device to the network when it is in BIST mode. The device will generate excess
multicast traffic in this mode.
1. Disconnect the device from the network.
2. Connect to RUGGEDCOM ROS through the RS-232 console connection and a terminal application. For more
information, refer to Section3.1.2, “Connecting Directly”.
3. Reset the device. For more information, refer to Section4.12, “Resetting the Device”.
4. During the boot up sequence, press Ctrl-C when prompted. The command prompt for BIST appears.
>
5. Type help to view a list of all available options under BIST.
Getting Started
This section describes startup tasks to be performed during the initial commissioning of the device. Tasks include
connecting to the device and accessing the RUGGEDCOM ROS Web User Interface and CLI, as well as configuring a basic
network.
CONTENTS
Section3.1, “Connecting to ROS”
Section3.2, “Configuring a Basic Network”
Section3.1
Connecting to ROS
This section describes the various methods for connecting to the device.
CONTENTS
Section3.1.1, “Default IP Address”
Section3.1.2, “Connecting Directly”
Section3.1.3, “Connecting Remotely”
Section3.1.1
Default IP Address
The default IP address for the device is 192.168.0.1/24.
Section3.1.2
Connecting Directly
RUGGEDCOM ROS can be accessed through a direct console connection for management and troubleshooting
purposes. A console connection provides access to the console interface and CLI.
To establish a console connection to the device, do the following:
1. NOTE
The baud rate for the device is printed on the chassis exterior near the console port.
2. Configure the workstation as follows:
Speed (baud): 57600
Data Bits: 8
Parity: None
Flow Control: Off
Terminal ID: VT100
Stop Bit: 1
3. Connect to the device. Once the connection is established, the login form appears. For more information
about logging in to the device, refer to Section2.1, “Logging In”.
Section3.1.3
Connecting Remotely
RUGGEDCOM ROS can be accessed securely and remotely either through a Web browser, terminal or workstation
running terminal emulation software.
Using a Web Browser
Web browsers provide a secure connection to the Web interface for RUGGEDCOM ROS using the SSL (Secure
Socket Layer) communication method. SSL encrypts traffic exchanged with its clients.
The RUGGEDCOM ROS Web server guarantees that all communications with the client are private. If a client
requests access through an insecure HTTP port, the client is automatically rerouted to the secure port. Access to
the Web server through SSL will only be granted to clients that provide a valid user name and password.
To establish a connection through a Web browser, do the following:
1. On the workstation being used to access the device, configure an Ethernet port to use an IP address falling
within the subnet of the device. The default IP address is 192.168.0.1/24.
For example, to configure the device to connect to one of the available Ethernet ports, assign an IP address to
the Ethernet port on the workstation in the range of 192.168.0.3 to 192.168.0.254.
2. Open a Web browser. For a list of recommended Web browsers, refer to “System Requirements”.
IMPORTANT!
Upon connecting to the device, some Web browsers may report the Web server's certificate cannot
be verified against any known certificates. This is expected behavior, and it is safe to instruct the
browser to accept the certificate. Once the certificate is accepted, all communications with the
Web server through that browser will be secure.
3. In the address bar, type the IP address for the port that is connected to the network. For example, to access
the device using its factory default IP address, type https://192.168.0.1 and press Enter. Once the
connection is established, the login screen for the Web interface appears.
For more information about logging in to the device, refer to Section2.1, “Logging In”. For more information
about the Web interface, refer to Section2.3, “Using the Web Interface”.
Using a Terminal or Terminal Emulation Software
A terminal or computer running terminal emulation software provides access to the console interface for
RUGGEDCOM ROS through a Telnet, RSH (Remote Shell) or SSH (Secure Shell) service.
NOTE
IP services can be restricted to control access to the device. For more information, refer to Section4.9,
“Configuring IP Services”.
To establish a connection through a terminal or terminal emulation software, do the following:
1. Select the service (i.e. Telnet, RSH or SSH).
2. Enter the IP address for the port that is connected to the network.
3. Connect to the device. Once the connection is established, the login form appears. For more information
about logging in to the device, refer to Section2.1, “Logging In”.
Section3.2
Configuring a Basic Network
To configure a basic network, do the following:
1. Connect a computer to one of the switch ports of the device and configure the computer to be on the same
subnet as the port.
2. Configure the computer to use the address of VLAN1 as the default gateway.
3. Connect a second computer to a different switch port of the same device, and configure the computer to be
on the same subnet as the port.
4. Configure the second computer to use the address of VLAN1 as the default gateway. The default IP address is
192.168.0.1.
5. Make sure both computers connected to the device can ping one another.
Device Management
This chapter describes how to configure and manage the device and its components, such as module interfaces,
logs and files.
CONTENTS
Section4.1, “Viewing Product Information”
Section4.2, “Viewing CPU Diagnostics”
Section4.3, “Restoring Factory Defaults”
Section4.4, “Uploading/Downloading Files”
Section4.5, “Managing Logs”
Section4.6, “Managing Ethernet Ports”
Section4.7, “Managing IP Interfaces”
Section4.8, “Managing IP Gateways”
Section4.9, “Configuring IP Services”
Section4.10, “Managing Remote Monitoring”
Section4.11, “Upgrading/Downgrading Firmware”
Section4.12, “Resetting the Device”
Section4.13, “Decommissioning the Device”
Section4.1
Viewing Product Information
During troubleshooting or when ordering new devices, Siemens personnel may request specific information about
the device, such as the model, order code or serial number.
To view information about the device, navigate to Diagnostics» View Product Information. The Product
Information form appears.
Figure 9: Product Information Form (Example)
1. MAC Address Box 2. Order Code Box 3. Classification Box 4. Serial Number Box 5. Boot Version Box 6. Main Version Box 7. Required Boot Box 8. Hardware ID Box 9. Descr Box 10. Reload Button
This screen displays the following information:
Parameter Description
MAC Address Synopsis:  ##-##-##-##-##-## where ## ranges 0 to FF
Shows the unique MAC address of the device.
Order Code Synopsis:  Any 57 characters
Shows the order code of the device.
Classification Synopsis:  Any 15 characters
Provides system classification.
The value Controlled indicates the main firmware is a Controlled release. The value Non-
Controlled indicates the main firmware is a Non-Controlled release.
Serial Number Synopsis:  Any 31 characters
Shows the serial number of the device.
Boot Version Synopsis:  Any 47 characters
Shows the version and the build date of the boot loader software.
Main Version Synopsis:  Any 47 characters
Shows the version and build date of the main operating system software.
Required Boot Synopsis:  Any 15 characters
Shows the minimum boot software loader version required by running main.
Hardware ID Synopsis:  { RSMCPU (40-00-0008 Rev B1), RSMCPU2 (40-00-0026 Rev A1), RS400
(40-00-0010 Rev B2), RMC30, RS900 (40-00-0025 Rev B1), RS900 (40-00-0032 Rev
B1), RS1600M, RS400 (40-00-0010 Rev C1), RSG2100, RS900G, RSG2200, RS969,
RS900 (v2, 40-00-0066), RS900 (v2, 40-00-0067), RS416 (40-00-0078), RMC30 (v2),
RS930 (40-00-0089), RS969 (v2, 40-00-0090), RS910 (40-00-0091-001 Rev A), RS920L
(40-00-0102-001 Rev A), RS940G (40-00-0097-000 Rev A), RSi80X series CPU board,
RSG2300, RS416v2, ... }
Shows the type, part number, and revision level of the hardware.
Section4.2
Viewing CPU Diagnostics
To view CPU diagnostic information useful for troubleshooting hardware and software performance, navigate to
Diagnostics» View CPU Diagnostics. The CPU Diagnostics form appears.
Figure 10: CPU Diagnostics Form
1. Running Time Box 2. Total Powered Time Box 3. CPU Usage Box 4. RAM Total Box 5. RAM Free Box 6. RAM Low Watermark Box 7. Temperature Box 8. Free Rx Bufs Box 9. Free Tx Bufs Box 10. Reload Button
This screen displays the following information:
Parameter Description
Running Time Synopsis:  DDDD days, HH:MM:SS
The amount of time since the device was last powered on.
Total Powered time Synopsis:  DDDD days, HH:MM:SS
The cumulative powered up time of the device.
CPU Usage Synopsis:  0.0 to 100.0%
The percentage of available CPU cycles used for device operation as measured over the last
second.
RAM Total Synopsis:  0 to 4294967295
The total size of RAM in the system.
RAM Free Synopsis:  0 to 4294967295
The total size of RAM still available.
RAM Low Watermark Synopsis:  0 to 4294967295
The size of RAM that has never been used during the system runtime.
Temperature Synopsis:  -32768 to 32767 C
The temperature on the CPU board.
Free Rx Bufs Synopsis:  0 to 4294967295
Free Rx Buffers.
Free Tx Bufs Synopsis:  0 to 4294967295
Free Tx Buffers.
Section4.3
Restoring Factory Defaults
The device can be completely or partially restored to its original factory default settings. Excluding groups of
parameters from the factory reset, such as those that affect basic connectivity and SNMP management, is useful
when communication with the device is still required during the reset.
The following categories are not affected by a selective configuration reset:
IP Interfaces
IP Gateways
SNMP Users
SNMP Security to Group Maps
SNMP Access
RUGGEDCOM Discovery Protocol™ (RCDP)
In addition, the following categories are not affected by a full or selective configuration reset:
Time Zone
DST Offset
DST Rule
To restore factory defaults, do the following:
1. Navigate to Diagnostics» Load Factory Defaults. The Load Factory Defaults form appears.
Figure 11: Load Factory Defaults Form
1. Defaults Choice List 2. Apply Button 3. Reload
2. Configure the following parameter(s) as required:
NOTE
If the VLAN ID for the Management IP interface is not 1, setting Defaults Choice to Selected will
automatically set it to 1.
Parameter Description
Defaults Choice Synopsis:  { None, Selected, All }
Resetting certain records, such as the IP Interfaces management interface, the default gateway and
the SNMP settings, to their default values would make the switch unreachable by management
applications. This parameter lets the user either load defaults for Selected tables, which
preserves the configuration of tables that are critical for switch management applications, or
force All tables to their default settings.
3. Click Apply.
Section4.4
Uploading/Downloading Files
Files can be transferred between the device and a host computer using any of the following methods:
Xmodem using the CLI shell over a Telnet or RS-232 console session
TFTP client using the CLI shell in a console session and a remote TFTP server
TFTP server from a remote TFTP client
SFTP (secure FTP over SSH) from a remote SFTP client
IMPORTANT!
Scripts can be used to automate the management of files on the device. However, depending on the
size of the target file(s), a delay between any concurrent write and read commands may be required,
as the file may not have been fully saved before the read command is issued. A general delay of five
seconds is recommended, but testing is encouraged to optimize the delay for the target file(s) and
operating environment.
NOTE
The contents of the internal file system are fixed. New files and directories cannot be created, and
existing files cannot be deleted. Only the files that can be uploaded to the device can be overwritten.
Files that may need to be uploaded or downloaded include:
main.bin – the main RUGGEDCOM ROS application firmware image
boot.bin – the boot loader firmware image
fpga.xsvf – the FPGA firmware binary image
config.csv – the complete configuration database, in the form of a comma-delimited ASCII text file
factory.txt – contains the MAC address, order code and serial number. Factory data must be signed.
banner.txt – contains text that appears on the login screen
ssl.crt – the SSL certificate. Contains both the SSL certificate and the corresponding RSA private key file.
ssh.keys – the SSH keys for the device
CONTENTS
Section4.4.1, “Uploading/Downloading Files Using XMODEM”
Section4.4.2, “Uploading/Downloading Files Using a TFTP Client”
Section4.4.3, “Uploading/Downloading Files Using a TFTP Server”
Section4.4.4, “Uploading/Downloading Files Using an SFTP Server”
Section4.4.1
Uploading/Downloading Files Using XMODEM
To upload or download a file using XMODEM, do the following:
NOTE
This method requires a host computer that has terminal emulation or Telnet software installed and the
ability to perform XMODEM transfers.
1. Establish a connection between the device and the host computer. For more information, refer to Section3.1,
“Connecting to ROS”.
2. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
3. At the CLI prompt, type:
xmodem [ send | receive ] filename
Where:
send sends the file to the host computer
receive pulls the file from the host computer
filename is the name of the file (i.e. main.bin)
NOTE
If available in the terminal emulation or Telnet software, select the XModem 1K protocol for
transmission over the standard XModem option.
4. When the device responds with Press Ctrl-X to cancel, launch the XMODEM transfer from the host
computer. The device will indicate when the transfer is complete.
The following is an example from the CLI shell of a successful XMODEM file transfer:
>xmodem receive main.bin
Press Ctrl-X to cancel
Receiving data now ...C
Received 1428480 bytes. Closing file main.bin ...
main.bin transferred successfully
5. If the file has been uploaded, reset the device. For more information, refer to Section4.12, “Resetting the
Device”.
Section4.4.2
Uploading/Downloading Files Using a TFTP Client
To upload or download a file using a TFTP client, do the following:
IMPORTANT!
TFTP does not define an authentication scheme. Any use of the TFTP client or server is considered
highly insecure.
NOTE
This method requires a TFTP server that is accessible over the network.
1. Identify the IP address of the computer running the TFTP server.
2. Establish a connection between the device and the host computer. For more information, refer to Section3.1,
“Connecting to ROS”.
3. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
4. At the CLI prompt, type:
tftp address [ get | put ] source-filename destination-filename
Where:
get copies files from the host computer to the device
put copies files from the device to the host computer
address is the IP address of the computer running the TFTP server
source-filename is the name of the file to be transferred
destination-filename is the name of the file (on the device or the TFTP server) that will be replaced
during the transfer
The following is an example of a successful TFTP client file transfer:
>tftp 10.0.0.1 get ROS-CF52_Main_v4.3.0.bin main.bin
TFTP CMD: main.bin transfer ok. Please wait, closing file ...
TFTP CMD: main.bin loading successful.
5. If the file has been uploaded, reset the device. For more information, refer to Section4.12, “Resetting the
Device”.
Section4.4.3
Uploading/Downloading Files Using a TFTP Server
To upload or download a file using a TFTP server, do the following:
IMPORTANT!
TFTP does not define an authentication scheme. Any use of the TFTP client or server is considered
highly insecure.
NOTE
This method requires a host computer that has TFTP server software installed.
IMPORTANT!
Interaction with TFTP servers is strictly controlled within the device to prevent unauthorized access.
Make sure the device is configured to accept the TFTP connection. For more information, refer to
Section4.9, “Configuring IP Services”.
1. Establish a connection between the device and the host computer. For more information, refer to Section3.1,
“Connecting to ROS”.
2. Initialize the TFTP server on the host computer and launch the TFTP transfer. The server will indicate when the
transfer is complete.
The following is an example of a successful TFTP server exchange:
C:\>tftp -i 10.1.0.1 put C:\files\ROS-CF52_Main_v4.3.0.bin main.bin
Transfer successful: 1428480 bytes in 4 seconds, 375617 bytes/s
3. If the file has been uploaded, reset the device. For more information, refer to Section4.12, “Resetting the
Device”.
Section4.4.4
Uploading/Downloading Files Using an SFTP Server
SFTP (Secure File Transfer Protocol) is a file transfer mechanism that uses SSH to encrypt every aspect of file
transfer between a networked client and server.
NOTE
The device does not have an SFTP client and, therefore, can only receive SFTP files from an external
source. SFTP requires authentication for the file transfer.
To upload or download a file using an SFTP server, do the following:
NOTE
This method requires a host computer that has SFTP client software installed.
1. Establish an SFTP connection between the device and the host computer.
2. Launch the SFTP transfer. The client will indicate when the transfer is complete.
The following is an example of a successful SFTP server exchange:
user@host$ sftp admin@ros_ip
Connecting to ros_ip...
admin@ros_ip's password:
sftp> put ROS-CF52_Main_v4.3.0.bin main.bin
Uploading ROS-CF52_Main_v4.3.0.bin to /main.bin
ROS-CF52_Main_v4.3.0.bin 100% 2139KB 48.6KB/s 00:44
sftp> put ROS-MPC83_Main_v4.3.0.bin main.bin
Uploading ROS-MPC83_Main_v4.3.bin to /main.bin
ROS-MPC83_Main_v4.3.0.bin 100% 2139KB 48.6KB/s 00:44
sftp>
3. If the file has been uploaded, reset the device. For more information, refer to Section4.12, “Resetting the
Device”.
Section4.5
Managing Logs
The crash (crashlog.txt) and system (syslog.txt) log files contain historical information about events that
have occurred during the operation of the device.
The crash log contains debugging information related to problems that might have resulted in unplanned restarts
of the device or which may affect the operation of the device. A file size of 0 bytes indicates that no unexpected
events have occurred.
The system log contains a record of significant events including startups, configuration changes, firmware
upgrades and database re-initializations due to feature additions. The system log will accumulate information until
it is full, holding approximately 2 MB of data.
CONTENTS
Section4.5.1, “Viewing Local and System Logs”
Section4.5.2, “Clearing Local and System Logs”
Section4.5.3, “Configuring the Local System Log”
Section4.5.4, “Managing Remote Logging”
Section4.5.1
Viewing Local and System Logs
The local crash and system logs can both be downloaded from the device and viewed in a text editor. For more
information about downloading log files, refer to Section4.4, “Uploading/Downloading Files”.
To view the system log through the Web interface, navigate to Diagnostics» View System Log. The syslog.txt
form appears.
Figure12:syslog.txt Form
Section4.5.2
Clearing Local and System Logs
To clear both the local crash and system logs, log in to the CLI shell and type:
clearlogs
To clear only the local system log, log in to the Web interface and do the following:
1. Navigate to Diagnostics» Clear System Log. The Clear System Log form appears.
Figure 13: Clear System Log Form
1. Confirm Button
2. Click Confirm.
Section4.5.3
Configuring the Local System Log
To configure the severity level for the local system log, do the following:
NOTE
For maximum reliability, use remote logging. For more information, refer to Section4.5.4, “Managing
Remote Logging”.
1. Navigate to Administration» Configure Syslog» Configure Local Syslog. The Local Syslog form appears.
Figure 14: Local Syslog Form
1. Local Syslog Level 2. Apply Button 3. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
Local Syslog Level Synopsis:  { EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE,
INFORMATIONAL, DEBUGGING }
Default:  INFORMATIONAL
The severity of the message that has been generated. Note that the severity level
selected is considered the minimum severity level for the system. For example, if ERROR
is selected, the system sends any syslog messages generated by Error, Critical, Alert and
Emergency.
3. Click Apply.
Section4.5.4
Managing Remote Logging
In addition to the local system log maintained on the device, a remote system log can be configured as well to
collect important event messages. The syslog client resides on the device and supports up to 5 collectors (or syslog
servers).
The remote syslog protocol, defined in RFC 3164, is a UDP/IP-based transport that enables the device to send event
notification messages across IP networks to event message collectors, also known as syslog servers. The protocol
is designed to simply transport these event messages from the generating device to the collector(s).
CONTENTS
Section4.5.4.1, “Configuring the Remote Syslog Client”
Section4.5.4.2, “Viewing a List of Remote Syslog Servers”
Section4.5.4.3, “Adding a Remote Syslog Server”
Section4.5.4.4, “Deleting a Remote Syslog Server”
Section4.5.4.1
Configuring the Remote Syslog Client
To configure the remote syslog client, do the following:
1. Navigate to Administration» Configure Syslog» Configure Remote Syslog Client. The Remote Syslog
Client form appears.
Figure 15: Remote Syslog Client Form
1. UDP Port 2. Apply Button 3. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
UDP Port Synopsis:  1025 to 65535 or { 514 }
Default:  514
The local UDP port through which the client sends information to the server(s).
3. Click Apply.
Section4.5.4.2
Viewing a List of Remote Syslog Servers
To view a list of known remote syslog servers, navigate to Administration» Configure Syslog» Configure
Remote Syslog Server. The Remote Syslog Server table appears.
Figure16:Remote Syslog Server Table
If remote syslog servers have not been configured, add the servers as needed. For more information, refer to
Section4.5.4.3, “Adding a Remote Syslog Server”.
Section4.5.4.3
Adding a Remote Syslog Server
RUGGEDCOM ROS supports up to 5 remote syslog servers (or collectors). Similar to the local system log, a remote
system log server can be configured to log information at a specific severity level. Only messages of a severity
level equal to or greater than the specified severity level are written to the log.
To add a remote syslog server to the list of known servers, do the following:
1. Navigate to Administration» Configure Syslog» Configure Remote Syslog Server. The Remote Syslog
Server table appears.
Figure 17: Remote Syslog Server Table
1. InsertRecord
2. Click InsertRecord. The Remote Syslog Server form appears.
Figure 18: Remote Syslog Server Form
1. IP Address Box 2. UDP Port Box 3. Facility Box 4. Severity Box 5. Apply Button 6. Delete Button 7. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
IP Address Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Syslog server IP Address.
UDP Port Synopsis:  1025 to 65535 or { 514 }
Default:  514
The UDP port number on which the remote server listens.
Facility Synopsis:  { USER, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6,
LOCAL7 }
Default:  LOCAL7
Syslog Facility is one information field associated with a syslog message. The syslog
facility is the application or operating system component that generates a log message.
ROS maps all syslog logging information onto a single facility, which the user can configure
to suit the remote syslog server.
Severity Synopsis:  { EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE,
INFORMATIONAL, DEBUGGING }
Default:  DEBUGGING
The severity level is the severity of the message that has been generated. Note that the
severity level selected is accepted as the minimum severity level for the system. For example,
if the severity level 'Error' is selected, the system sends any syslog message originated by
Error, Critical, Alert and Emergency.
4. Click Apply.
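The Local Syslog Level and remote Severity parameters above share one rule: the selected level is a minimum, so ERROR admits Error, Critical, Alert and Emergency, and every message leaves the device under the single configured facility (LOCAL7 by default) inside an RFC 3164 PRI field. The following collector-side helper is an added example, not Siemens code; it encodes and decodes PRI = facility * 8 + severity using the names ROS uses, applies that same threshold rule, and can listen on the default UDP port 514. The sample messages are constructed, and the SEVERITIES/FACILITIES tables are the guide's own value lists, not an API of the device.

```python
"""RFC 3164 PRI handling and severity filtering for a RUGGEDCOM ROS syslog collector.
Added example (not Siemens code). Sample messages below are constructed."""
import re
import socket

# Severity names in the order the guide lists them; the index is the RFC 3164 code.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE",
              "INFORMATIONAL", "DEBUGGING"]

# Facilities selectable on the device: USER is code 1, LOCAL0..LOCAL7 are 16..23.
FACILITIES = {"USER": 1, **{f"LOCAL{i}": 16 + i for i in range(8)}}
FACILITY_BY_CODE = {code: name for name, code in FACILITIES.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a device prepends to a message for this facility/severity."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int):
    """Split a PRI value into (facility name, severity name)."""
    facility_code, severity_code = divmod(pri, 8)
    # Facilities outside the ROS-selectable set are reported by number.
    facility = FACILITY_BY_CODE.get(facility_code, f"FACILITY{facility_code}")
    return facility, SEVERITIES[severity_code]


def parse_message(raw: str):
    """Parse '<PRI>rest' into a dict; None when there is no valid PRI header."""
    m = _PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def passes_threshold(severity: str, minimum: str) -> bool:
    """The guide's rule: selecting ERROR accepts Error, Critical, Alert and
    Emergency, i.e. any severity with a numeric code <= the selected one."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def filter_messages(raw_messages, minimum="DEBUGGING"):
    """Keep parsed messages at or above the configured minimum severity."""
    kept = []
    for raw in raw_messages:
        parsed = parse_message(raw)
        if parsed and passes_threshold(parsed["severity"], minimum):
            kept.append(parsed)
    return kept


def collect(bind_addr="0.0.0.0", port=514, minimum="DEBUGGING", max_messages=None):
    """Listen on UDP (514 is the device default) and yield parsed, filtered
    messages. Not exercised offline; run it on the collector host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_messages is None or seen < max_messages:
        data, peer = sock.recvfrom(2048)
        parsed = parse_message(data.decode("utf-8", errors="replace"))
        if parsed and passes_threshold(parsed["severity"], minimum):
            parsed["peer"] = peer[0]
            seen += 1
            yield parsed


# Constructed sample traffic from a device using the default LOCAL7 facility.
SAMPLE = [
    f"<{encode_pri('LOCAL7', 'NOTICE')}>Jan  1 00:00:10 ros Login: admin",
    f"<{encode_pri('LOCAL7', 'ERROR')}>Jan  1 00:00:12 ros Link 3 down",
    f"<{encode_pri('LOCAL7', 'DEBUGGING')}>Jan  1 00:00:13 ros debug trace",
    "no pri header here",
]

if __name__ == "__main__":
    # With the threshold at ERROR only the link-down message survives.
    for entry in filter_messages(SAMPLE, minimum="ERROR"):
        print(entry)
```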
Section4.5.4.4
Deleting a Remote Syslog Server
To delete a remote syslog server from the list of known servers, do the following:
1. Navigate to Administration» Configure Syslog» Configure Remote Syslog Server. The Remote Syslog
Server table appears.
Figure19:Remote Syslog Server Table
2. Select the server from the table. The Remote Syslog Server form appears.
Figure 20: Remote Syslog Server Form
1. IP Address Box 2. UDP Port Box 3. Facility Box 4. Severity Box 5. Apply Button 6. Delete Button 7. Reload Button
3. Click Delete.
Section4.6
Managing Ethernet Ports
This section describes how to manage Ethernet ports.
NOTE
For information about configuring remote monitoring for Ethernet ports, refer to Section4.10,
“Managing Remote Monitoring”.
CONTENTS
Section4.6.1, “Controller Protection Through Link Fault Indication (LFI)”
Section4.6.2, “Viewing the Status of Ethernet Ports”
Section4.6.3, “Viewing Statistics for All Ethernet Ports”
Section4.6.4, “Viewing Statistics for Specific Ethernet Ports”
Section4.6.5, “Clearing Statistics for Specific Ethernet Ports”
Section4.6.6, “Configuring an Ethernet Port”
Section4.6.7, “Configuring Port Rate Limiting”
Section4.6.8, “Configuring Port Mirroring”
Section4.6.9, “Configuring Link Detection”
Section4.6.10, “Detecting Cable Faults”
Section4.6.11, “Resetting Ethernet Ports”
Section4.6.1
Controller Protection Through Link Fault Indication (LFI)
Modern industrial controllers often feature backup Ethernet ports used in the event of a link failure. When these
interfaces are supported by media (such as fiber) that employ separate transmit and receive paths, the interface
can be vulnerable to failures that occur in only one of the two paths.
Consider for instance two switches (A and B) connected to a controller. Switch A is connected to the main port on
the controller, while Switch B is connected to the backup port, which is shut down by the controller while the link
with Switch A is active. Switch B must forward frames to the controller through Switch A.
Figure 21: Example
1. Switch A 2. Switch B 3. Main Transmit Path 4. Backup Transmit Path 5. Controller
If the transmit path from the controller to Switch A fails, Switch A still generates a link signal to the controller
through the receive path. The controller still detects the link with Switch A and does not failover to the backup
port.
This situation illustrates the need for a notification method that tells a link partner when the link integrity signal
has stopped. Such a method natively exists in some link media, but not all.
100Base-TX, 1000Base-T, 1000Base-X
Includes a built-in auto-negotiation feature (i.e. a special flag called Remote Fault Indication
is set in the transmitted auto-negotiation signal).
100Base-FX Links
Includes a standard Far-End-Fault-Indication (FEFI) feature defined by the IEEE 802.3
standard for this link type. This feature includes:
Transmitting FEFI: Transmits a modified link integrity signal in case a link failure is detected (i.e. no link signal
is received from the link partner)
Detecting FEFI: Indicates link loss in case an FEFI signal is received from the link partner
10Base-FL Links
No standard support.
10Base-FL links do not have a native link partner notification mechanism and FEFI support in 100Base-FX links is
optional according to the IEEE 802.3 standard, which means that some links partners may not support it.
Siemens offers an advanced Link-Fault-Indication (LFI) feature for the links that do not have a native link partner
notification mechanism. With LFI enabled, the device bases the generation of a link integrity signal upon its
reception of a link signal. In the example described previously, if switch A fails to receive a link signal from the
controller, it will stop generating a link signal. The controller will detect the link failure and failover to the backup
port.
IMPORTANT!
If both link partners have the LFI feature, it must not be enabled on both sides of the link. If it is
enabled on both sides, the link will never be established, as each link partner will be waiting for the
other to transmit a link signal.
The switch can also be configured to flush the MAC address table for the controller port. Frames destined for the
controller will be flooded to Switch B where they will be forwarded to the controller (after the controller transmits
its first frame).
Section4.6.2
Viewing the Status of Ethernet Ports
To view the current status of each Ethernet port, navigate to Ethernet Ports» View Port Status. The Port Status
table appears.
Figure22:Port Status Table
This table displays the following information:
Parameter Description
Port Synopsis:  1 to maximum port number
The port number as seen on the front plate silkscreen of the switch.
Name Synopsis:  Any 15 characters
A descriptive name that may be used to identify the device connected on that port.
Link Synopsis:  { ----, ----, Down, Up }
The port's link status.
Speed Synopsis:  { ---, 10M, 100M, 1G, 10G }
The port's current speed.
Duplex Synopsis:  { ----, Half, Full }
The port's current duplex status.
Section4.6.3
Viewing Statistics for All Ethernet Ports
To view statistics collected for all Ethernet ports, navigate to Ethernet Stats» View Ethernet Statistics. The
Ethernet Statistics table appears.
Figure23:Ethernet Statistics Table
This table displays the following information:
Parameter Description
Port Synopsis:  1 to maximum port number
The port number as seen on the front plate silkscreen of the switch.
State Synopsis:  { ----, ----, Down, Up }
InOctets Synopsis:  0 to 4294967295
The number of octets in received good packets (Unicast+Multicast+Broadcast) and dropped
packets.
OutOctets Synopsis:  0 to 4294967295
The number of octets in transmitted good packets.
InPkts Synopsis:  0 to 4294967295
The number of received good packets (Unicast+Multicast+Broadcast) and dropped packets.
OutPkts Synopsis:  0 to 4294967295
The number of transmitted good packets.
ErrorPkts Synopsis:  0 to 4294967295
The number of any type of erroneous packet.
Section4.6.4
Viewing Statistics for Specific Ethernet Ports
To view statistics collected for specific Ethernet ports, navigate to Ethernet Stats» View Ethernet Port Statistics.
The Ethernet Port Statistics table appears.
Figure24:Ethernet Port Statistics Table
This table displays the following information:
Parameter Description
Port Synopsis:  1 to maximum port number
The port number as seen on the front plate silkscreen of the switch.
InOctets Synopsis:  0 to 18446744073709551615
The number of octets in received good packets (Unicast+Multicast+Broadcast) and dropped
packets.
OutOctets Synopsis:  0 to 18446744073709551615
The number of octets in transmitted good packets.
InPkts Synopsis:  0 to 18446744073709551615
The number of received good packets (Unicast+Multicast+Broadcast) and dropped packets.
OutPkts Synopsis:  0 to 18446744073709551615
The number of transmitted good packets.
TotalInOctets Synopsis:  0 to 18446744073709551615
The total number of octets of all received packets. This includes data octets of rejected and
local packets which are not forwarded to the switching core for transmission. It should
reflect all the data octets received on the line.
TotalInPkts Synopsis:  0 to 18446744073709551615
The number of received packets. This includes rejected, dropped local, and packets which are
not forwarded to the switching core for transmission. It should reflect all packets received
on the line.
InBroadcasts Synopsis:  0 to 18446744073709551615
The number of good Broadcast packets received.
InMulticasts Synopsis:  0 to 18446744073709551615
The number of good Multicast packets received.
CRCAlignErrors Synopsis:  0 to 4294967295
The number of packets received which meet all the following conditions:
Packet data length is between 64 and 1536 octets inclusive.
Packet has invalid CRC.
Collision Event has not been detected.
Late Collision Event has not been detected.
OversizePkts Synopsis:  0 to 4294967295
The number of packets received with data length greater than 1536 octets and valid CRC.
Fragments Synopsis:  0 to 4294967295
The number of packets received which meet all the following conditions:
Packet data length is less than 64 octets, or packet without SFD and is less than 64 octets
in length.
Collision Event has not been detected.
Late Collision Event has not been detected.
Packet has invalid CRC.
Jabbers Synopsis:  0 to 4294967295
The number of packets which meet all the following conditions:
Packet data length is greater than 1536 octets.
Packet has invalid CRC.
Collisions Synopsis:  0 to 4294967295
The number of received packets for which Collision Event has been detected.
LateCollisions Synopsis:  0 to 4294967295
The number of received packets for which Late Collision Event has been detected.
Pkt64Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 64 octets. This includes
received and transmitted packets as well as dropped and local received packets. This does
not include rejected received packets.
Pkt65to127Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 65 to 127 octets. This includes
received and transmitted packets as well as dropped and local received packets. This does
not include rejected received packets.
Pkt128to255Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 128 to 257 octets. This includes
received and transmitted packets as well as dropped and local received packets. This does
not include rejected received packets.
Pkt256to511Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 256 to 511 octets. This includes
received and transmitted packets as well as dropped and local received packets. This does
not include rejected received packets.
Pkt512to1023Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 512 to 1023 octets. This
includes received and transmitted packets as well as dropped and local received packets. This
does not include rejected received packets.
Pkt1024to1536Octets Synopsis:  0 to 4294967295
The number of received and transmitted packets with size of 1024 to 1536 octets. This
includes received and transmitted packets as well as dropped and local received packets. This
does not include rejected received packets.
DropEvents Synopsis:  0 to 4294967295
The number of received packets that are dropped due to lack of receive buffers.
OutMulticasts Synopsis:  0 to 18446744073709551615
The number of transmitted Multicast packets. This does not include Broadcast packets.
OutBroadcasts Synopsis:  0 to 18446744073709551615
The number of transmitted Broadcast packets.
UndersizePkts Synopsis:  0 to 4294967295
The number of received packets which meet all the following conditions:
Packet data length is less than 64 octets.
Collision Event has not been detected.
Late Collision Event has not been detected.
Packet has valid CRC.
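As an added example (not part of the original guide), the following Python classifies received frames into the counters defined in the tables above and computes poll-to-poll deltas that survive a wrap of the 32-bit counters, the check a monitoring script needs before alarming on a rising error rate. The frame fields and sample frames are constructed for this example; "rejected" frames excluded from the size buckets are assumed to be the erroneous ones.

```python
from collections import Counter
from dataclasses import dataclass

# Counter widths as listed in the tables above: octet and packet totals are 64-bit,
# the error counters are 32-bit.
COUNTER_BITS = {
    "InOctets": 64, "OutOctets": 64, "InPkts": 64, "OutPkts": 64,
    "ErrorPkts": 32, "CRCAlignErrors": 32, "OversizePkts": 32, "Fragments": 32,
    "Jabbers": 32, "Collisions": 32, "LateCollisions": 32, "UndersizePkts": 32,
    "DropEvents": 32,
}

ERROR_COUNTERS = {"CRCAlignErrors", "OversizePkts", "Fragments", "Jabbers",
                  "Collisions", "LateCollisions", "UndersizePkts"}

# Size buckets follow the parameter names (Pkt64Octets ... Pkt1024to1536Octets).
SIZE_BUCKETS = [
    (64, 64, "Pkt64Octets"), (65, 127, "Pkt65to127Octets"),
    (128, 255, "Pkt128to255Octets"), (256, 511, "Pkt256to511Octets"),
    (512, 1023, "Pkt512to1023Octets"), (1024, 1536, "Pkt1024to1536Octets"),
]


@dataclass
class RxFrame:
    """One received frame as the classifier sees it (constructed sample data)."""
    length: int               # data length in octets
    crc_ok: bool
    collision: bool = False
    late_collision: bool = False
    dropped: bool = False     # discarded for lack of receive buffers


def classify(frame):
    """Return the set of counters this frame increments, per the table's conditions."""
    hits = set()
    n = frame.length
    no_collision = not frame.collision and not frame.late_collision
    if frame.collision:
        hits.add("Collisions")
    if frame.late_collision:
        hits.add("LateCollisions")
    if frame.dropped:
        hits.add("DropEvents")
    if n > 1536:
        # Oversize requires a valid CRC, Jabbers an invalid one; collisions are not a condition.
        hits.add("OversizePkts" if frame.crc_ok else "Jabbers")
    elif n >= 64:
        if not frame.crc_ok and no_collision:
            hits.add("CRCAlignErrors")
    elif no_collision:
        # Below 64 octets the CRC decides between Fragments and UndersizePkts.
        hits.add("UndersizePkts" if frame.crc_ok else "Fragments")
    return hits


def size_bucket(length):
    for low, high, name in SIZE_BUCKETS:
        if low <= length <= high:
            return name
    return None


def tally(frames):
    """Aggregate a stream of frames into the per-port counters of the table."""
    counts = Counter()
    for frame in frames:
        hits = classify(frame)
        counts.update(hits)
        if hits & ERROR_COUNTERS:
            counts["ErrorPkts"] += 1       # rejected frames are neither sized nor counted as good
        else:
            counts["InPkts"] += 1          # good packets plus dropped ones, as InPkts is defined
            counts["InOctets"] += frame.length
            bucket = size_bucket(frame.length)
            if bucket:
                counts[bucket] += 1
    return counts


def counter_delta(name, previous, current):
    """Increase between two polls, correct even when the counter wrapped in between."""
    return (current - previous) % (1 << COUNTER_BITS[name])


def error_ratio(previous, current):
    """Share of erroneous frames between two polls of the ErrorPkts and InPkts counters."""
    errors = counter_delta("ErrorPkts", previous["ErrorPkts"], current["ErrorPkts"])
    good = counter_delta("InPkts", previous["InPkts"], current["InPkts"])
    total = errors + good
    return errors / total if total else 0.0


# Constructed sample data: one frame per row of interest.
SAMPLE_FRAMES = [
    RxFrame(64, True),                     # good, Pkt64Octets
    RxFrame(300, True),                    # good, Pkt256to511Octets
    RxFrame(1000, False),                  # CRCAlignErrors
    RxFrame(2000, False),                  # Jabbers
    RxFrame(40, True),                     # UndersizePkts
    RxFrame(600, True, dropped=True),      # DropEvents, still part of InPkts
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE_FRAMES)))
    # A 32-bit ErrorPkts counter that wrapped between polls still yields the right delta.
    print(counter_delta("ErrorPkts", 4294967290, 10))   # 16
```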
Section4.6.5
Clearing Statistics for Specific Ethernet Ports
To clear the statistics collected for one or more Ethernet ports, do the following:
1. Navigate to Ethernet Stats» Clear Ethernet Port Statistics. The Clear Ethernet Port Statistics form
appears.
1
2
Figure25:Clear Ethernet Port Statistics Form (Typical)
1.Port Check Boxes 2.Confirm Button
2. Select one or more Ethernet ports.
3. Click Confirm.
Section4.6.6
Configuring an Ethernet Port
To configure an Ethernet port, do the following:
1. Navigate to Ethernet Ports» Configure Port Parameters. The Port Parameters table appears.
Figure26:Port Parameters Table
2. Select an Ethernet port. The Port Parameters form appears.
8
12
7
6
5
4
3
2
1
9
10
1011
13
Figure27:Port Parameters Form
1.Port Box 2.Name Box 3.Media Box 4.State Options 5.AutoN Options 6.Speed List 7.Dupx List 8.FlowCtrl Options
9.LFI Option 10.Alarm Options 11.Act on LinkDown Options 12.DownShift Options 13.Apply Button 14.Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Port Synopsis:  1 to maximum port number
Default:  1
The port number as seen on the front plate silkscreen of the switch.
Name Synopsis:  Any 15 characters
Default:  Port x
A descriptive name that may be used to identify the device connected on that port.
Media Synopsis:  { 100TX, 10FL, 100FX, 1000X, 1000T, 802.11g, EoVDSL, 100TX Only,
10FL/100SX, 10GX }
Default:  100TX
The type of the port media.
State Synopsis:  { Disabled, Enabled }
Default:  Enabled
Disabling a port will prevent all frames from being sent and received on that port. Also,
when a port is disabled, the link integrity signal is not sent, so the link/activity LED will never be
lit. You may want to disable a port for troubleshooting or to secure it from unauthorized
connections.
NOTE
Disabling a port whose media type is set to 802.11g disables the
corresponding wireless module.
AutoN Synopsis:  { Off, On }
Default:  On
Enable or disable IEEE 802.3 auto-negotiation. Enabling auto-negotiation results in
speed and duplex being negotiated upon link detection; both end devices must be auto-
negotiation compliant for the best possible results. 10Mbps and 100Mbps fiber optic
media do not support auto-negotiation so these media must be explicitly configured to
either half or full duplex. Full duplex operation requires that both ends are configured as
such or else severe frame loss will occur during heavy network traffic.
Speed Synopsis:  { Auto, 10M, 100M, 1G }
Default:  Auto
Speed (in Megabit-per-second or Gigabit-per-second). If auto-negotiation is enabled, this
is the speed capability advertised by the auto-negotiation process. If auto-negotiation is
disabled, the port is explicitly forced to this speed mode.
AUTO means advertise all supported speed modes.
Dupx Synopsis:  { Auto, Half, Full }
Default:  Auto
Duplex mode. If auto-negotiation is enabled, this is the duplex capability advertised by
the auto-negotiation process. If auto-negotiation is disabled, the port is explicitly forced
to this duplex mode.
AUTO means advertise all supported duplex modes.
Flow Control Synopsis:  { Off, On }
Default:  On
Flow Control is useful for preventing frame loss during times of severe network traffic.
Examples of this include multiple source ports sending to a single destination port or a
higher speed port bursting to a lower speed port.
When the port is half-duplex it is accomplished using 'backpressure' where the switch
simulates collisions causing the sending device to retry transmissions according to the
Ethernet backoff algorithm.
When the port is full-duplex it is accomplished using PAUSE frames which causes the
sending device to stop transmitting for a certain period of time.
LFI Synopsis:  { Off, On }
Default:  Off
Enabling Link-Fault-Indication (LFI) inhibits transmission of the link integrity signal when the
receive link has failed. This allows the device at the far end to detect link failure under all
circumstances.
NOTE
This feature must not be enabled at both ends of a fiber link.
Alarm Synopsis:  { On, Off }
Default:  On
Disabling link state alarms will prevent alarms and LinkUp and LinkDown SNMP traps
from being sent for that port.
Act on LinkDown Synopsis:  { Do nothing, Admin Disable }
Default:  Do nothing
The action to be taken upon a port LinkDown event. Options include:
Do nothing – No action is taken
Admin Disable – The port state is disabled
NOTE
If one end of the link is fixed to a specific speed and duplex type and the peer auto-negotiates,
there is a strong possibility the link will either fail to raise, or raise with the wrong settings on
the auto-negotiating side. The auto-negotiating peer will fall back to half-duplex operation, even
when the fixed side is full duplex. Full-duplex operation requires that both ends are configured
as such or else severe frame loss will occur during heavy network traffic. At lower traffic volumes
the link may display few, if any, errors. As the traffic volume rises, the fixed negotiation side will
begin to experience dropped packets, while the auto-negotiating side will experience excessive
collisions. Ultimately, as traffic load approaches 100%, the link will become entirely unusable.
These problems can be avoided by always configuring ports to the appropriate fixed values.
4. Click Apply.
Section4.6.7
Configuring Port Rate Limiting
To configure port rate limiting, do the following:
1. Navigate to Ethernet Ports» Configure Port Rate Limiting. The Port Rate Limiting table appears.
Figure28:Port Rate Limiting Table
2. Select an Ethernet port. The Port Rate Limiting form appears.
65
4
3
2
1
Figure29:Port Rate Limiting Form
1.Port Box 2.Ingress Limit Box 3.Ingress Frames List 4.Egress Limit Box 5.Apply Button 6.Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Port Synopsis:  1 to maximum port number
Default:  1
The port number as seen on the front plate silkscreen of the switch.
Ingress Limit Synopsis:  62 to 256000 Kbps or { Disabled }
Default:  1000 Kbps
The rate after which received frames (of the type described by the ingress frames
parameter) will be discarded by the switch.
Ingress Frames Synopsis:  { Broadcast, Bcast&Mcast, Bcast&Mcast&FloodUcast, Bcast&FloodUcast,
FloodUcast, All }
Default:  Broadcast
This parameter specifies the types of frames to be rate-limited on this port. It applies only
to received frames:
Broadcast - only broadcast frames
Bcast&Mcast - broadcast and multicast frames
Bcast&FloodUcast - broadcast and flooded unicast frames
Bcast&Mcast&FloodUcast - broadcast, multicast and flooded unicast frames
FloodUcast - only flooded unicast frames
All - all (multicast, broadcast and unicast) frames
Egress Limit Synopsis:  62 to 256000 Kbps or { Disabled }
Default:  Disabled
The maximum rate at which the switch will transmit (multicast, broadcast and unicast)
frames on this port. The switch will discard frames in order to meet this rate if required.
4. Click Apply.
Section4.6.8
Configuring Port Mirroring
Port mirroring is a troubleshooting tool that copies, or mirrors, all traffic received or transmitted on a designated
port to a specified mirror port. If a protocol analyzer is attached to the target port, the traffic stream of valid
frames on any source port is made available for analysis.
IMPORTANT!
Select a target port that has a higher speed than the source port. Mirroring a 100 Mbps port onto a 10
Mbps port may result in an improperly mirrored stream.
IMPORTANT!
Frames will be dropped if the full-duplex rate of frames on the source port exceeds the transmission
speed of the target port. Since both transmitted and received frames on the source port are mirrored to
the target port, frames will be discarded if the sum traffic exceeds the target port’s transmission rate.
This problem reaches its extreme in the case where traffic on a 100 Mbps full-duplex port is mirrored
onto a 10 Mbps half-duplex port.
IMPORTANT!
Before configuring port mirroring, note the following:
Traffic will be mirrored onto the target port irrespective of its VLAN membership. It could be the same
as or different from the source port's membership.
Network management frames (such as RSTP, GVRP etc.) cannot be mirrored.
Switch management frames generated by the switch (such as Telnet, HTTP, SNMP, etc.) cannot be
mirrored.
NOTE
Invalid frames received on the source port will not be mirrored. These include CRC errors, oversize and
undersize packets, fragments, jabbers, collisions, late collisions and dropped events.
To configure port mirroring, do the following:
1. Navigate to Ethernet Ports» Configure Port Mirroring. The Port Mirroring form appears.
Figure 30: Port Mirroring Form. Callouts: 1. Port Mirroring Options; 2. Source Port Box; 3. Source Direction Options;
4. Target Port Box; 5. Apply Button; 6. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
Port Mirroring Synopsis:  { Disabled, Enabled }
Default:  Disabled
Enabling port mirroring causes all frames received and transmitted by the source port(s)
to be transmitted out of the target port.
Source Port Synopsis:  Any combination of numbers valid for this parameter
The port(s) being monitored.
Source Direction Synopsis:  Egress and Ingress, Egress Only
Default:  Egress and Ingress
Specifies whether both egress and ingress traffic or only egress traffic of the source port is
monitored.
Target Port Synopsis:  1 to maximum port number
Default:  1
The port where a monitoring device should be connected.
3. Click Apply.
Section4.6.9
Configuring Link Detection
To configure link detection, do the following:
1. Navigate to Ethernet Ports» Configure Link Detection. The Link Detection form appears.
Figure 31: Link Detection Form. Callouts: 1. Fast Link Detection Box; 2. Link Detection Time Box; 3. Apply Button; 4. Reload Button
2. Configure the following parameter(s) as required:
NOTE
When Fast Link Detection is enabled, the system prevents link state change processing from
consuming all available CPU resources. However, if Port Guard is not used, it is possible for almost
all available CPU time to be consumed by frequent link state changes, which could have a negative
impact on overall system responsiveness.
Parameter Description
Fast Link Detection Synopsis:  { Off, On, On_withPortGuard }
Default:  On_withPortGuard
This parameter provides protection against faulty end devices generating an improper
link integrity signal. When a faulty end device or a mis-matching fiber port is connected
to the unit, a large number of continuous link state changes could be reported in a short
period of time. This large number of bogus link state changes could render the system
unresponsive as most, if not all, of the system resources are used to process the link state
changes. This could in turn cause a serious network problem as the unit's RSTP process
may not be able to run, thus allowing a network loop to form.
Three different settings are available for this parameter:
ON_withPortGuard - This is the recommended setting. With this setting, an extended
period (~2 minutes) of excessive link state changes reported by a port will prompt the Port
Guard feature to disable FAST LINK DETECTION on that port and raise an alarm. By
disabling FAST LINK DETECTION on the problematic port, excessive link state changes
can no longer consume a substantial amount of system resources. However, if FAST LINK
DETECTION is disabled, the port will need a longer time to detect a link failure. This
may result in a longer network recovery time of up to 2s. Once Port Guard disables
FAST LINK DETECTION on a particular port, the user can re-enable FAST LINK DETECTION on
the port by clearing the alarm.
ON - In certain special cases where prolonged excessive link state changes constitute
legitimate link operation, using this setting can prevent Port Guard from disabling
FAST LINK DETECTION on the port in question. If excessive link state changes persist
for more than 2 minutes, an alarm will be generated to warn the user about the observed
bouncing link. If the excessive link state changes condition is resolved later on, the
alarm will be cleared automatically. Since this option does not disable FAST LINK
DETECTION, a persistent bouncing link could continue to affect the system in terms of
response time. This setting should be used with caution.
OFF - Turning this parameter OFF will disable FAST LINK DETECTION completely.
The switch will need a longer time to detect a link failure. This will result in a longer
network recovery time of up to 2s.
Link Detection Time Synopsis:  100 ms to 1000 ms
Default:  100 ms
The time that the link has to continuously stay up before the "link up" decision is made by
the device.
(The device performs de-bouncing of Ethernet link detection to avoid multiple responses
to an occasional link bouncing event, e.g. when a cable is shaking while being plugged-
in or unplugged).
3. Click Apply.
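The de-bounce of the Link Detection Time and the three Fast Link Detection settings described above, modelled in Python as an added example (this is not code from RUGGEDCOM ROS). The ~2 minute window and the 100 to 1000 ms Link Detection Time come from the guide; the rate treated as "excessive" (five changes per second) and the sample link events are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class LinkEvent:
    t_ms: int
    up: bool


def first_link_up_decision(events, detection_time_ms=100):
    """Time (ms) at which the device first declares "link up", or None if the link never
    stays up continuously for detection_time_ms (the Link Detection Time, 100 to 1000 ms)."""
    if not 100 <= detection_time_ms <= 1000:
        raise ValueError("Link Detection Time must be between 100 and 1000 ms")
    up_since = None
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.up:
            if up_since is None:
                up_since = ev.t_ms
        else:
            if up_since is not None and ev.t_ms - up_since >= detection_time_ms:
                return up_since + detection_time_ms
            up_since = None          # a bounce before the timer ran out restarts the wait
    return None if up_since is None else up_since + detection_time_ms


class PortGuard:
    """Model of the three Fast Link Detection settings. The ~2 minute window is from the
    guide; the rate that counts as "excessive" (changes per second) is an assumption here."""
    WINDOW_MS = 120_000

    def __init__(self, mode="On_withPortGuard", excessive_per_s=5):
        if mode not in ("Off", "On", "On_withPortGuard"):
            raise ValueError(mode)
        self.mode = mode
        self.excessive_per_s = excessive_per_s
        self.fast_link_detection = mode != "Off"
        self.alarm = False
        self._recent = []             # timestamps of changes seen in the last second
        self._excessive_since = None

    def observe(self, t_ms, link_changed):
        """Feed one observation; use link_changed=False to let a quiet link age out."""
        if not self.fast_link_detection:
            return                    # nothing left to guard once fast detection is off
        self._recent = [c for c in self._recent if t_ms - c < 1000]
        if link_changed:
            self._recent.append(t_ms)
        if len(self._recent) > self.excessive_per_s:
            if self._excessive_since is None:
                self._excessive_since = t_ms
            elif t_ms - self._excessive_since >= self.WINDOW_MS:
                self.alarm = True
                if self.mode == "On_withPortGuard":
                    self.fast_link_detection = False   # Port Guard disables FLD on this port
        else:
            self._excessive_since = None
            if self.mode == "On":
                self.alarm = False                     # cleared automatically once resolved

    def clear_alarm(self):
        """Operator clears the alarm; with On_withPortGuard this re-enables fast detection."""
        self.alarm = False
        self._excessive_since = None
        self._recent.clear()
        self.fast_link_detection = self.mode != "Off"


def simulate_flapping(mode, duration_ms=130_000, period_ms=100):
    """Drive a guard with a port whose link changes state every period_ms for duration_ms."""
    guard = PortGuard(mode)
    for t in range(0, duration_ms + 1, period_ms):
        guard.observe(t, link_changed=True)
    return guard


# Constructed sample: two short bounces while a cable is plugged in, then a stable link.
SAMPLE_EVENTS = [LinkEvent(0, True), LinkEvent(50, False), LinkEvent(80, True),
                 LinkEvent(120, False), LinkEvent(200, True)]

if __name__ == "__main__":
    print(first_link_up_decision(SAMPLE_EVENTS))          # 300
    g = simulate_flapping("On_withPortGuard")
    print(g.alarm, g.fast_link_detection)                  # True False
```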
Section4.6.10
Detecting Cable Faults
Connectivity issues can sometimes be attributed to faults in Ethernet cables. To help detect cable faults, short
circuits, open cables or cables that are too long, RUGGEDCOM ROS includes a built-in cable diagnostics utility.
CONTENTS
Section4.6.10.1, “Viewing Cable Diagnostics Results”
Section4.6.10.2, “Performing Cable Diagnostics”
Section4.6.10.3, “Clearing Cable Diagnostics”
Section4.6.10.4, “Determining the Estimated Distance To Fault (DTF)”
Section4.6.10.1
Viewing Cable Diagnostics Results
To view the results of previous diagnostic tests, navigate to Ethernet Ports» Configure/View Cable Diagnostics
Parameters. The Cable Diagnostics Parameters table appears.
NOTE
For information about how to start a diagnostic test, refer to Section4.6.10.2, “Performing Cable
Diagnostics”.
Figure32:Cable Diagnostics Parameters Table
This table displays the following information:
Parameter Description
Port Synopsis:  1 to maximum port number
The port number as seen on the front plate silkscreen of the switch.
State Synopsis:  { Stopped, Started }
Control the start/stop of the cable diagnostics on the selected port. If a port does not support
cable diagnostics, State will be reported as N/A.
Runs Synopsis:  0 to 65535
The total number of times cable diagnostics is to be performed on the selected port. If this
number is set to 0, cable diagnostics will be performed forever on the selected port.
Calib. Synopsis:  -100.0 to 100.0 m
This calibration value can be used to adjust or calibrate the estimated distance to fault. The user
can take the following steps to calibrate the cable diagnostics estimated distance to fault:
Pick a particular port for which calibration is needed
Connect an Ethernet cable with a known length (e.g. 50m) to the port
DO NOT connect the other end of the cable to any link partner
Run cable diagnostics a few times on the port. An OPEN fault should be detected
Find the average distance to the OPEN fault recorded in the log and compare it to the
known length of the cable. The difference can be used as the calibration value
Enter the calibration value and run cable diagnostics a few more times
The distance to the OPEN fault should now be similar to the cable length
Distance to fault for the selected port is now calibrated
Good Synopsis:  0 to 65535
The number of times GOOD TERMINATION (no fault) is detected on the cable pairs of the
selected port.
Open Synopsis:  0 to 65535
The number of times OPEN is detected on the cable pairs of the selected port.
Short Synopsis:  0 to 65535
The number of times SHORT is detected on the cable pairs of the selected port.
Imped Synopsis:  0 to 65535
The number of times IMPEDANCE MISMATCH is detected on the cable pairs of the selected
port.
Pass/Fail/Total Synopsis:  Any 19 characters
This field summarizes the results of the cable diagnostics performed so far.
Pass - number of times cable diagnostics successfully completed on the selected port.
Fail - number of times cable diagnostics failed to complete on the selected port.
Total - total number of times cable diagnostics have been attempted on the selected port.
NOTE
For each successful diagnostic test, the values for Good, Open, Short or Imped will increment based
on the number of cable pairs connected to the port. For a 100Base-T port, which has two cable pairs,
the number will increase by two. For a 1000Base-T port, which has four cable pairs, the number will
increase by four.
NOTE
When a cable fault is detected, an estimated distance-to-fault is calculated and recorded in the system
log. The log lists the cable pair, the fault that was detected, and the distance-to-fault value. For more
information about the system log, refer to Section 4.5.1, “Viewing Local and System Logs”.
Section4.6.10.2
Performing Cable Diagnostics
To perform a cable diagnostic test on one or more Ethernet ports, do the following:
1. Connect a CAT-5 (or better quality) Ethernet cable to the selected Ethernet port.
IMPORTANT!
Both the selected Ethernet port and its partner port can be configured to run in Enabled mode
with auto-negotiation, or in Disabled mode. Other modes are not recommended, as they may
interfere with the cable diagnostics procedure.
2. Connect the other end of the cable to a similar network port. For example, connect a 100Base-T port to a
100Base-T port, or a 1000Base-T port to a 1000Base-T port.
3. In RUGGEDCOM ROS, navigate to Ethernet Ports » Configure/View Cable Diagnostics Parameters. The
Cable Diagnostics Parameters table appears.
Figure 33: Cable Diagnostics Parameters Table
4. Select an Ethernet port. The Cable Diagnostics Parameters form appears.
Figure 34: Cable Diagnostics Parameters Form. Callouts: 1. Port Box; 2. State Options; 3. Runs Box; 4. Calib. Box; 5. Good Box;
6. Open Box; 7. Short Box; 8. Imped Box; 9. Pass/Fail/Total Box; 10. Apply Button; 11. Reload Button
5. Under Runs, enter the number of consecutive diagnostic tests to perform. A value of 0 indicates the test will
run continuously until stopped by the user.
6. Under Calib., enter the estimated Distance To Fault (DTF) value. For information about how to determine the
DTF value, refer to Section 4.6.10.4, “Determining the Estimated Distance To Fault (DTF)”.
7. Select Started.
IMPORTANT!
A diagnostic test can be stopped by selecting Stopped and clicking Apply. However, if the test is
stopped in the middle of a diagnostic run, the current run will still complete.
8. Click Apply. The state of the Ethernet port will automatically change to Stopped when the test is complete.
For information about how to monitor the test and view the results, refer to Section 4.6.10.1, “Viewing Cable
Diagnostics Results”.
Section4.6.10.3
Clearing Cable Diagnostics
To clear the cable diagnostic results, do the following:
1. Navigate to Ethernet Ports» Clear Cable Diagnostics Statistics. The Clear Cable Diagnostics Statistics
form appears.
Figure 35: Clear Cable Diagnostics Statistics Form. Callouts: 1. Port Check Boxes; 2. Apply Button
2. Select one or more Ethernet ports.
3. Click Apply.
Section4.6.10.4
Determining the Estimated Distance To Fault (DTF)
To determine the estimate Distance To Fault (DTF), do the following:
1. Connect a CAT-5 (or better quality) Ethernet cable with a known length to the device. Do not connect the
other end of the cable to another port.
2. Configure the cable diagnostic utility to run a few times on the selected Ethernet port and start the test. For
more information, refer to Section4.6.10.2, “Performing Cable Diagnostics”. Open faults should be detected
and recorded in the system log.
3. Review the errors recorded in the system log and determine the average distance of the open faults. For more
information about the system log, refer to Section4.5.1, “Viewing Local and System Logs”.
4. Subtract the average distance from the cable length to determine the calibration value.
5. Configure the cable diagnostic utility to run a few times with the new calibration value. The distance to the
open fault should now be the same as the actual length of the cable. The Distance To Fault (DTF) is now
calibrated for the selected Ethernet port.
Section4.6.11
Resetting Ethernet Ports
At times, it may be necessary to reset a specific Ethernet port, such as when the link partner has latched into an
inappropriate state. This is also useful for forcing a re-negotiation of the speed and duplex modes.
To reset a specific Ethernet port(s), do the following:
1. Navigate to Ethernet Ports» Reset Port(s). The Reset Port(s) form appears.
Figure 36: Reset Port(s) Form. Callouts: 1. Ports; 2. Apply Button
2. Select one or more Ethernet ports to reset.
3. Click Apply. The selected Ethernet ports are reset.
Section4.7
Managing IP Interfaces
RUGGEDCOM ROS allows one IP interface to be configured for each subnet (or VLAN), up to a maximum of 255
interfaces. One of the interfaces must also be configured to be a management interface for certain IP services,
such as DHCP relay agent.
Each IP interface must be assigned an IP address. In the case of the management interface, the IP address type can
be either static, DHCP, BOOTP or dynamic. For all other interfaces, the IP address must be static.
CAUTION!
Configuration hazard – risk of communication disruption. Changing the ID for the management VLAN
will break any active Raw Socket TCP connections. If this occurs, reset all serial ports.
CONTENTS
Section 4.7.1, “Viewing a List of IP Interfaces”
Section 4.7.2, “Adding an IP Interface”
Section 4.7.3, “Deleting an IP Interface”
Section 4.7.1
Viewing a List of IP Interfaces
To view a list of IP interfaces configured on the device, navigate to Administration » Configure IP Interfaces »
Configure IP Interfaces. The IP Interfaces table appears.
Figure37:IP Interfaces Table
If IP interfaces have not been configured, add IP interfaces as needed. For more information, refer to
Section4.7.2, “Adding an IP Interface”.
Section4.7.2
Adding an IP Interface
To add an IP interface, do the following:
1. Navigate to Administration» Configure IP Interfaces. The IP Interfaces table appears.
1
Figure38:IP Interfaces Table
1.InsertRecord
2. Click InsertRecord. The Switch IP Interfaces form appears.
Figure 39: IP Interfaces Form. Callouts: 1. Type Options; 2. ID Box; 3. Mgmt Options; 4. IP Address Type Box; 5. IP Address Box;
6. Subnet Box; 7. Apply Button; 8. Delete Button; 9. Reload Button
3. Configure the following parameter(s) as required:
NOTE
The IP address and mask configured for the management VLAN are not changed when resetting all
configuration parameters to defaults and will be assigned a default VLAN ID of 1. Changes to the
IP address take effect immediately. All IP connections in place at the time of an IP address change
will be lost.
Parameter Description
Type Synopsis:  { VLAN }
Default:  VLAN
Specifies the type of the interface for which this IP interface is created.
ID Synopsis:  1 to 4094
Default:  1
Specifies the ID of the interface for which this IP interface is created. If the interface type
is VLAN, this represents the VLAN ID.
Mgmt Synopsis:  { No, Yes }
Default:  No
Specifies whether the IP interface is the device management interface.
IP Address Type Synopsis:  { Static, Dynamic, DHCP, BOOTP }
Default:  Static
Specifies whether the IP address is static or is dynamically assigned via DHCP or BOOTP.
The Dynamic option automatically switches between BOOTP and DHCP until it receives a
response from the relevant server. The Static option must be used for non-management
interfaces.
IP Address Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Default:  192.168.0.1
Specifies the IP address of this device. An IP address is a 32-bit number that is notated by
using four numbers from 0 through 255, separated by periods. Only a unicast IP address
is allowed, which ranges from 1.0.0.0 to 233.255.255.255.
Subnet Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Default:  255.255.255.0
Specifies the IP subnet mask of this device. An IP subnet mask is a 32-bit number that
is notated by using four numbers from 0 through 255, separated by periods. Typically,
subnet mask numbers use either 0 or 255 as values (e.g. 255.255.255.0) but other
numbers can appear.
IMPORTANT!
Each IP interface must have a unique network address.
4. Click Apply.
Section4.7.3
Deleting an IP Interface
To delete an IP interface configured on the device, do the following:
1. Navigate to Administration» Configure IP Interfaces. The IP Interfaces table appears.
Figure40:IP Interfaces Table
2. Select the IP interface from the table. The IP Interfaces form appears.
Figure 41: IP Interfaces Form. Callouts: 1. Type Options; 2. ID Box; 3. Mgmt Options; 4. IP Address Type Box; 5. IP Address Box;
6. Subnet Box; 7. Apply Button; 8. Delete Button; 9. Reload Button
3. Click Delete.
Section4.8
Managing IP Gateways
RUGGEDCOM ROS allows up to ten IP gateways to be configured. When both the Destination and Subnet
parameters are blank, the gateway is considered to be a default gateway.
NOTE
The default gateway configuration will not be changed when resetting all configuration parameters to
their factory defaults.
CONTENTS
Section 4.8.1, “Viewing a List of IP Gateways”
Section 4.8.2, “Adding an IP Gateway”
Section 4.8.3, “Deleting an IP Gateway”
Section 4.8.1
Viewing a List of IP Gateways
To view a list of IP gateways configured on the device, navigate to Administration » Configure IP Gateways. The
IP Gateways table appears.
Figure42:IP Gateways Table
If IP gateways have not been configured, add IP gateways as needed. For more information, refer to Section4.8.2,
“Adding an IP Gateway”.
Section4.8.2
Adding an IP Gateway
IMPORTANT!
DHCP-provided IP gateway addresses will override manually configured values.
To add an IP gateway, do the following:
1. Navigate to Administration» Configure IP Gateways. The IP Gateways table appears.
1
Figure43:IP Gateways Table
1.InsertRecord
2. Click InsertRecord. The IP Gateways form appears.
Figure 44: IP Gateways. Callouts: 1. Destination Box; 2. Subnet Prefix Box; 3. Gateway Box; 4. Apply Button; 5. Delete Button;
6. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Destination Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Specifies the IP address of the destination network or host. For a default gateway, both the
destination and subnet are 0.
Subnet Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Specifies the destination IP subnet mask. For a default gateway, both the destination and
subnet are 0.
Gateway Synopsis:  ###.###.###.### where ### ranges from 0 to 255
Specifies the gateway to be used to reach the destination.
4. Click Apply.
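How a gateway table shaped like the IP Gateways form (Destination, Subnet, Gateway) is interpreted, as an added Python example that is not RUGGEDCOM ROS code: a Destination and Subnet of 0 denote the default gateway, the table holds at most ten entries, and the most specific matching entry wins. The check that a gateway address lies on one of the device's own IP interfaces, the interface list and the sample rows are constructed for this example.

```python
# Added example (not part of the RUGGEDCOM ROS guide): resolve the next hop for a
# destination address from a gateway table with the same three columns as the
# IP Gateways form. Destination/Subnet of 0 = default gateway; at most ten rows.
import ipaddress

MAX_GATEWAYS = 10  # limit stated in the guide


def _normalize(addr: str) -> str:
    """The form accepts blank or 0 for the default gateway; map both to 0.0.0.0."""
    return "0.0.0.0" if addr.strip() in ("", "0", "0.0.0.0") else addr.strip()


def build_gateway_table(rows, interfaces):
    """rows: (destination, subnet_mask, gateway) dotted-quad strings.
    interfaces: 'address/prefix' strings for the device's own IP interfaces
    (constructed here; on the device they come from the IP Interfaces table).
    Returns [(network, gateway)] sorted most-specific first."""
    rows = list(rows)
    if len(rows) > MAX_GATEWAYS:
        raise ValueError(f"at most {MAX_GATEWAYS} IP gateways are supported")
    local_nets = [ipaddress.ip_network(i, strict=False) for i in interfaces]
    table = []
    for dest, mask, gw in rows:
        # "10.0.0.0/255.0.0.0" style netmask notation is accepted by ipaddress
        net = ipaddress.ip_network(f"{_normalize(dest)}/{_normalize(mask)}", strict=False)
        gateway = ipaddress.ip_address(gw)
        # Assumption for this example: a gateway must be directly reachable
        # through one of the device's IP interfaces, otherwise it is useless.
        if not any(gateway in n for n in local_nets):
            raise ValueError(f"gateway {gateway} is not on any local IP interface")
        table.append((net, gateway))
    # Longest prefix first; the default gateway (prefix length 0) sorts last
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, destination):
    """Longest-prefix match over the table; None if no entry (not even a default) matches."""
    addr = ipaddress.ip_address(destination)
    for net, gateway in table:
        if addr in net:
            return str(gateway)
    return None


# Constructed sample data (not taken from a real device)
SAMPLE_INTERFACES = ["192.168.0.10/24"]
SAMPLE_ROWS = [
    ("0", "0", "192.168.0.1"),                    # default gateway
    ("10.0.0.0", "255.0.0.0", "192.168.0.2"),     # whole 10/8 via .2
    ("10.1.0.0", "255.255.0.0", "192.168.0.3"),   # more specific 10.1/16 via .3
]

if __name__ == "__main__":
    table = build_gateway_table(SAMPLE_ROWS, SAMPLE_INTERFACES)
    for dst in ("10.1.2.3", "10.2.0.1", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```

Running the block prints 10.1.2.3 via 192.168.0.3, 10.2.0.1 via 192.168.0.2 and 8.8.8.8 via the default gateway 192.168.0.1; an eleventh row or a gateway outside 192.168.0.0/24 is rejected before the table is built.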
Section4.8.3
Deleting an IP Gateway
To delete an IP gateway configured on the device, do the following:
1. Navigate to Administration» Configure IP Gateways. The IP Gateways table appears.
Figure45:IP Gateways Table
2. Select the IP gateway from the table. The IP Gateways form appears.
Figure 46: IP Gateways Form (1. Destination Box, 2. Subnet Box, 3. Gateway Box, 4. Apply Button, 5. Delete Button, 6. Reload Button)
3. Click Delete.
Section4.9
Configuring IP Services
To configure the IP services provided by the device, do the following:
1. Navigate to Administration» Configure IP Services. The IP Services form appears.
Figure 47: IP Services Form (1. Inactivity Timeout Box, 2. Telnet Sessions Allowed Box, 3. Web Server Users Allowed Box, 4. TFTP Server Box, 5. Modbus Address Box, 6. SSH Sessions Allowed Box, 7. RSH Server Options, 8. IP Forward Options, 9. Max Failed Attempts Box, 10. Failed Attempts Window Box, 11. Lockout Time Box, 12. Apply Button, 13. Reload Button)
2. Configure the following parameter(s) as required:
Parameter Description
Inactivity Timeout Synopsis:  1 to 60 or { Disabled }
Default:  5 min
Specifies when the console will time out and display the login screen if there is no user
activity. A value of zero disables timeouts. For Web Server users, the maximum timeout value
is limited to 30 minutes.
Telnet Sessions Allowed Synopsis:  1 to 4 or { Disabled }
Default:  Disabled
Limits the number of Telnet sessions. A value of zero prevents any Telnet access.
Web Server Users Allowed Synopsis:  1 to 4 or { Disabled }
Default:  4
Limits the number of simultaneous web server users.
TFTP Server Synopsis:  { Disabled, Get Only, Enabled }
Default:  Disabled
As TFTP is a very insecure protocol, this parameter allows the user to limit or disable TFTP
Server access.
DISABLED - disables read and write access to the TFTP Server
GET ONLY - only allows reading of files via the TFTP Server
ENABLED - allows reading and writing of files via the TFTP Server
Modbus Address Synopsis:  1 to 255 or { Disabled }
Default:  Disabled
Determines the Modbus address to be used for management through Modbus.
SSH Sessions Allowed (Controlled Version Only) Synopsis:  1 to 4
Default:  4
Limits the number of SSH sessions.
RSH Server Synopsis:  { Disabled, Enabled }
Default:  Disabled (controlled version) or Enabled (non-controlled version)
Disables/enables Remote Shell access.
IP Forward Synopsis:  { Disabled, Enabled }
Controls IP forwarding between VLANs in Serial Server or IP segments.
NOTE
When upgrading to ROS v4.3, the default will be set to { Enabled }.
Max Failed Attempts Synopsis:  1 to 20
Default:  10
Maximum number of consecutive failed access attempts on a service within the Failed
Attempts Window before the service is blocked.
Failed Attempts Window Synopsis:  1 to 30 min
Default:  5 min
The time in minutes (min) within which the maximum number of failed login attempts must
be exceeded before a service is blocked. The counter of failed attempts resets to 0 when
the timer expires.
Lockout Time Synopsis:  1 to 120 min
Default:  60 min
The time in minutes (min) the service remains locked out after the maximum number of
failed access attempts has been reached.
3. Click Apply.
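The interaction between Max Failed Attempts, Failed Attempts Window and Lockout Time, modelled as an added Python example so that a chosen setting can be checked against a sequence of login attempts before it is applied; this is not RUGGEDCOM ROS code. It assumes that a service is blocked once the consecutive-failure counter reaches Max Failed Attempts, that a successful login resets that counter, and that times are expressed in minutes; the attempt sequence is constructed.

```python
# Added example (not part of the RUGGEDCOM ROS guide): a model of the per-service
# login lockout defined by the three IP Services parameters.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServiceLockout:
    max_failed: int = 10            # Max Failed Attempts (guide default 10)
    window_min: float = 5.0         # Failed Attempts Window in minutes (default 5)
    lockout_min: float = 60.0       # Lockout Time in minutes (default 60)
    failures: int = 0               # consecutive failures in the current window
    window_start: Optional[float] = None
    locked_until: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now: float, success: bool) -> str:
        """Record one access attempt at time `now` (minutes).
        Returns 'locked', 'ok' or 'failed' as the service would treat it."""
        if self.is_locked(now):
            return "locked"          # the service stays blocked for Lockout Time
        if success:
            # Only *consecutive* failures count, so a success clears the counter
            self.failures, self.window_start = 0, None
            return "ok"
        # The counter resets to 0 when the Failed Attempts Window timer expires
        if self.window_start is None or now - self.window_start >= self.window_min:
            self.failures, self.window_start = 0, now
        self.failures += 1
        # Assumption: the service is blocked once the maximum is reached
        if self.failures >= self.max_failed:
            self.locked_until = now + self.lockout_min
            self.failures, self.window_start = 0, None
            return "locked"
        return "failed"


def simulate(attempts: List[Tuple[float, bool]], **params) -> List[str]:
    """Replay (time_in_minutes, success) attempts and return each outcome."""
    svc = ServiceLockout(**params)
    return [svc.attempt(t, ok) for t, ok in attempts]


# Constructed attempt sequence: three quick failures, attempts during the
# lockout, a success once it expires, then failures spread across window edges.
SAMPLE_ATTEMPTS = [
    (0.0, False), (1.0, False), (2.0, False),   # third failure trips the lockout
    (3.0, False), (61.9, True),                 # still locked (60 min from t=2)
    (62.0, True),                               # lockout over, success resets
    (70.0, False), (76.0, False),               # window expired between these
    (77.0, False), (78.0, False),               # three within one window: locked
]

if __name__ == "__main__":
    for (t, ok), outcome in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS, max_failed=3)):
        print(f"t={t:6.1f} min  success={ok!s:5}  -> {outcome}")
```

With max_failed=3 the replay shows the two behaviours worth understanding before tuning the parameters: an attempt at 61.9 min is still refused even with a correct password, because the lockout runs from the moment the third failure was counted, and the failure at 76 min does not add to the one at 70 min because the 5-minute window had already expired.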
Section4.10
Managing Remote Monitoring
Remote Monitoring (RMON) is used to collect and view historical statistics related to the performance and
operation of Ethernet ports. It can also record a log entry and/or generate an SNMP trap when the rate of
occurrence of a specified event is exceeded.
CONTENTS
Section4.10.1, “Managing RMON History Controls”
Section4.10.2, “Managing RMON Alarms”
Section4.10.3, “Managing RMON Events”
Section4.10.1
Managing RMON History Controls
The history controls for Remote Monitoring take samples of the RMON-MIB history statistics of an Ethernet port at
regular intervals.
CONTENTS
Section4.10.1.1, “Viewing a List of RMON History Controls”
Section4.10.1.2, “Adding an RMON History Control”
Section4.10.1.3, “Deleting an RMON History Control”
Section4.10.1.1
Viewing a List of RMON History Controls
To view a list of RMON history controls, navigate to Ethernet Stats» Configure RMON History Controls. The
RMON History Controls table appears.
Figure48:RMON History Controls Table
If history controls have not been configured, add controls as needed. For more information, refer to
Section4.10.1.2, “Adding an RMON History Control”.
Section4.10.1.2
Adding an RMON History Control
To add an RMON history control, do the following:
1. Navigate to Ethernet Stats» Configure RMON History Controls. The RMON History Controls table appears.
Figure 49: RMON History Controls Table (1. InsertRecord)
2. Click InsertRecord. The RMON History Controls form appears.
Figure 50: RMON History Controls Form (1. Index Box, 2. Port Box, 3. Requested Buckets Box, 4. Granted Buckets Box, 5. Interval Box, 6. Owner Box, 7. Apply Button, 8. Delete Button, 9. Reload Button)
3. Configure the following parameter(s) as required:
Parameter Description
Index Synopsis:  1 to 65535
Default:  1
The index of this RMON History Control record.
Port Synopsis:  1 to maximum port number
Default:  1
The port number as seen on the front plate silkscreen of the switch.
Requested Buckets Synopsis:  1 to 4000
Default:  50
The maximum number of buckets requested for this RMON collection history group of
statistics. The range is 1 to 4000. The default is 50.
Granted Buckets Synopsis:  0 to 65535
The number of buckets granted for this RMON collection history. This field is not
editable.
Interval Synopsis:  1 to 3600
Default:  1800
The number of seconds over which the data is sampled for each bucket. The range is 1
to 3600. The default is 1800.
Owner Synopsis:  Any 127 characters
Default:  Monitor
The owner of this record. It is suggested to start this string with the word 'monitor'.
4. Click Apply.
Section4.10.1.3
Deleting an RMON History Control
To delete an RMON history control, do the following:
1. Navigate to Ethernet Stats» Configure RMON History Controls. The RMON History Controls table appears.
Figure51:RMON History Controls Table
2. Select the history control from the table. The RMON History Controls form appears.
Figure 52: RMON History Controls Form (1. Index Box, 2. Port Box, 3. Requested Buckets Box, 4. Granted Buckets Box, 5. Interval Box, 6. Owner Box, 7. Apply Button, 8. Delete Button, 9. Reload Button)
3. Click Delete.
Section4.10.2
Managing RMON Alarms
When Remote Monitoring (RMON) alarms are configured, RUGGEDCOM ROS examines the state of a specific
statistical variable.
Remote Monitoring (RMON) alarms define upper and lower thresholds for legal values of specific statistical
variables in a given interval. This allows RUGGEDCOM ROS to detect events as they occur more quickly than a
specified maximum rate or less quckly than a minimum rate.
When the rate of change for a statistics value exceeds its limits, an internal INFO alarm is always generated. For
information about viewing alarms, refer to Section5.4.2, “Viewing and Clearing Latched Alarms”.
Additionally, a statistic threshold crossing can result in further activity. An RMON alarm can be configured to point
to a particular RMON event, which can generate an SNMP trap, an entry in the event log, or both. The RMON event
can also direct alarms towards different users defined for SNMP.
The alarm can point to a different event for each of the thresholds. Therefore, combinations such as trap on rising
threshold or trap on rising threshold, log and trap on falling threshold are possible.
Each RMON alarm may be configured such that its first instance occurs only for rising, falling, or all thresholds that
exceed their limits.
The ability to configure upper and lower thresholds on the value of a measured statistic provides for the ability to
add hysteresis to the alarm generation process.
If the value of the measured statistic over time is compared to a single threshold, alarms will be generated each
time the statistic crosses the threshold. If the statistic’s value fluctuates around the threshold, an alarm can be
generated every measurement period. Programming different upper and lower thresholds eliminates spurious
alarms. The statistic value must travel between the thresholds before alarms can be generated. The following
illustrates the very different patterns of alarm generation resulting from a statistic sample and the same sample
with hysteresis applied.
Figure53:The Alarm Process
There are two methods to evaluate a statistic to determine when to generate an event: delta and absolute.
For most statistics, such as line errors, it is appropriate to generate an alarm when a rate is exceeded. The
alarm defaults to the delta measurement method, which examines changes in a statistic at the end of each
measurement period.
It may be desirable to alarm when the total, or absolute, number of events crosses a threshold. In this case, set the
measurement period type to absolute.
CONTENTS
Section4.10.2.1, “Viewing a List of RMON Alarms”
Section4.10.2.2, “Adding an RMON Alarm”
Section4.10.2.3, “Deleting an RMON Alarm”
Section4.10.2.1
Viewing a List of RMON Alarms
To view a list of RMON alarms, navigate to Ethernet Stats» Configure RMON Alarms. The RMON Alarms table
appears.
Figure54:RMON Alarms Table
If alarms have not been configured, add alarms as needed. For more information, refer to Section4.10.2.2,
“Adding an RMON Alarm”.
Section4.10.2.2
Adding an RMON Alarm
To add an RMON alarm, do the following:
1. Navigate to Ethernet Stats» Configure RMON Alarms. The RMON Alarms table appears.
Figure 55: RMON Alarms Table (1. InsertRecord)
2. Click InsertRecord. The RMON Alarms form appears.
Figure 56: RMON Alarms Form (1. Index Box, 2. Variable Box, 3. Rising Thr Box, 4. Falling Thr Box, 5. Value Box, 6. Type Options, 7. Interval Box, 8. Startup Alarm List, 9. Rising Event Box, 10. Falling Event Box, 11. Owner Box, 12. Apply Button, 13. Delete Button, 14. Reload Button)
3. Configure the following parameter(s) as required:
Parameter Description
Index Synopsis:  1 to 65535
Default:  1
The index of this RMON Alarm record.
Variable Synopsis:  SNMP Object Identifier - up to 39 characters
The SNMP object identifier (OID) of the particular variable to be sampled. Only variables
that resolve to an ASN.1 primitive type INTEGER (INTEGER, Integer32, Counter32,
Counter64, Gauge, or TimeTicks) may be sampled. A list of objects can be printed using the
shell command 'rmon'. The OID format is objectName.index1.index2..., where the index format
depends on the index object type.
Rising Thr Synopsis:  -2147483647 to 2147483647
Default:  0
A threshold for the sampled variable. When the current sampled variable value is greater
than or equal to this threshold, and the value at the last sampling interval was less than
this threshold, a single event will be generated. A single event will also be generated if
the first sample after this record is created is greater than or equal to this threshold and
the associated startup alarm is equal to 'rising'. After a rising alarm is generated, another
such event will not be generated until the sampled value falls below this threshold and
reaches the value of FallingThreshold.
Falling Thr Synopsis:  -2147483647 to 2147483647
Default:  0
A threshold for the sampled variable. When the current sampled variable value is
less than or equal to this threshold, and the value at the last sampling interval was
greater than this threshold, a single event will be generated. A single event will also
be generated if the first sample after this record is created is less than or equal to this
threshold and the associated startup alarm is equal to 'falling'. After a falling alarm is
generated, another such event will not be generated until the sampled value rises above
this threshold and reaches the value of RisingThreshold.
Value Synopsis:  -2147483647 to 2147483647
The value of the monitored object during the last sampling period. The presentation of the
value depends on the sample type ('absolute' or 'delta').
Type Synopsis:  { absolute, delta }
Default:  delta
The method of sampling the selected variable and calculating the value to be compared
against the thresholds. The value of the sample type can be 'absolute' or 'delta'.
Interval Synopsis:  0 to 2147483647
Default:  60
The number of seconds over which the data is sampled and compared with the rising
and falling thresholds.
Startup Alarm Synopsis:  { rising, falling, risingOrFalling }
Default:  risingOrFalling
The alarm that may be sent when this record is first created if the condition for raising an alarm
is met. The value of the startup alarm can be 'rising', 'falling' or 'risingOrFalling'.
Rising Event Synopsis:  0 to 65535
Default:  0
The index of the event that is used when a falling threshold is crossed. If there is no
corresponding entry in the Event Table, then no association exists. In particular, if this
value is zero, no associated event will be generated.
Falling Event Synopsis:  0 to 65535
Default:  0
The index of the event that is used when a rising threshold is crossed. If there is no
corresponding entry in the Event Table, then no association exists. In particular, if this
value is zero, no associated event will be generated.
Owner Synopsis:  Any 127 characters
Default:  Monitor
The owner of this record. It is suggested to start this string with the word 'monitor'.
4. Click Apply.
Section4.10.2.3
Deleting an RMON Alarm
To delete an RMON alarm, do the following:
1. Navigate to Ethernet Stats» Configure RMON Alarms. The RMON Alarms table appears.
Figure57:RMON Alarms Table
2. Select the alarm from the table. The RMON Alarms form appears.
Figure 58: RMON Alarms Form (1. Index Box, 2. Variable Box, 3. Rising Thr Box, 4. Falling Thr Box, 5. Value Box, 6. Type Options, 7. Interval Box, 8. Startup Alarm List, 9. Rising Event Box, 10. Falling Event Box, 11. Owner Box, 12. Apply Button, 13. Delete Button, 14. Reload Button)
3. Click Delete.
Section4.10.3
Managing RMON Events
Remote Monitoring (RMON) events define behavior profiles used in event logging. These profiles are used by
RMON alarms to send traps and log events.
Each alarm may specify that a log entry be created on its behalf whenever the event occurs. Each entry may also
specify that a notification should occur by way of SNMP trap messages. In this case, the user for the trap message
is specified as the Community.
Two traps are defined: risingAlarm and fallingAlarm.
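The threshold evaluation described in Section 4.10.2 (rising and falling thresholds with hysteresis, absolute and delta sampling, the startup alarm, and the rising/falling event indexes with 0 meaning no event) together with the event dispatch described in this section (none, log, snmpTrap, logAndTrap, the community the trap is sent to, and the risingAlarm/fallingAlarm traps), as one added Python example that is not RUGGEDCOM ROS code. It assumes that a delta-type alarm uses its first raw sample only as a baseline for the first difference; the sample series and the event table are constructed.

```python
# Added example (not part of the RUGGEDCOM ROS guide): evaluates an RMON alarm
# against a series of samples and maps each threshold crossing to the actions of
# the RMON event it points at. Useful for checking why a configured alarm fires
# every interval (no hysteresis) or never fires (thresholds never both reached).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RmonAlarm:
    rising_thr: int
    falling_thr: int
    sample_type: str = "delta"               # 'absolute' or 'delta'
    startup_alarm: str = "risingOrFalling"   # 'rising', 'falling', 'risingOrFalling'
    rising_event: int = 0                    # event index; 0 = no associated event
    falling_event: int = 0


@dataclass
class RmonEvent:
    kind: str                    # 'none', 'log', 'snmpTrap', 'logAndTrap'
    community: str = "public"    # SNMP community the trap is sent to
    description: str = ""


def dispatch(events: Dict[int, RmonEvent], index: int, direction: str) -> List[tuple]:
    """Actions produced by event `index` for a 'rising' or 'falling' crossing.
    Index 0 or an index absent from the event table means no association."""
    ev = events.get(index)
    if index == 0 or ev is None:
        return []
    actions = []
    if ev.kind in ("log", "logAndTrap"):
        actions.append(("log", index, ev.description))
    if ev.kind in ("snmpTrap", "logAndTrap"):
        actions.append(("trap", ev.community, direction + "Alarm"))  # risingAlarm / fallingAlarm
    return actions


def evaluate(alarm: RmonAlarm, events: Dict[int, RmonEvent], samples: List[int]) -> List[Tuple[int, str, list]]:
    """Return (sample_index, direction, actions) for every crossing that generates an event."""
    crossings = []
    prev_value = None    # previously compared value (None before the first comparison)
    last_raw = None      # previous raw sample, needed for delta sampling
    last_fired = None    # hysteresis: a rising event re-arms only after a falling one
    for i, raw in enumerate(samples):
        if alarm.sample_type == "delta":
            if last_raw is None:
                last_raw = raw       # assumption: first sample is only a baseline
                continue
            value, last_raw = raw - last_raw, raw
        else:
            value = raw
        direction = None
        if prev_value is None:
            # Startup alarm: the first compared value may fire immediately
            if value >= alarm.rising_thr and alarm.startup_alarm in ("rising", "risingOrFalling"):
                direction = "rising"
            elif value <= alarm.falling_thr and alarm.startup_alarm in ("falling", "risingOrFalling"):
                direction = "falling"
        elif value >= alarm.rising_thr and prev_value < alarm.rising_thr and last_fired != "rising":
            direction = "rising"
        elif value <= alarm.falling_thr and prev_value > alarm.falling_thr and last_fired != "falling":
            direction = "falling"
        if direction:
            last_fired = direction
            idx = alarm.rising_event if direction == "rising" else alarm.falling_event
            crossings.append((i, direction, dispatch(events, idx, direction)))
        prev_value = value
    return crossings


# Constructed event table and sample series (not from a real device)
SAMPLE_EVENTS = {
    1: RmonEvent("logAndTrap", "public", "EV1-Rise"),
    2: RmonEvent("log", description="EV2-Fall"),
}
SAMPLE_ABSOLUTE = [9, 11, 13, 11, 9, 7, 10, 13]   # crosses 12 up, 8 down, 12 up
SAMPLE_FLAPPING = [9, 11, 9, 11, 9, 11]           # hovers around 10, never reaches 8 or 12
SAMPLE_COUNTER = [0, 5, 20, 22, 40]               # a counter; deltas 5, 15, 2, 18

if __name__ == "__main__":
    alarm = RmonAlarm(12, 8, "absolute", rising_event=1, falling_event=2)
    for i, direction, actions in evaluate(alarm, SAMPLE_EVENTS, SAMPLE_ABSOLUTE):
        print(f"sample {i}: {direction} -> {actions}")
    print("hysteresis 12/8 on flapping series:", len(evaluate(RmonAlarm(12, 8, "absolute"), {}, SAMPLE_FLAPPING)))
    print("single threshold 10/10 on flapping series:", len(evaluate(RmonAlarm(10, 10, "absolute"), {}, SAMPLE_FLAPPING)))
```

On the flapping series the single-threshold alarm (Rising Thr equal to Falling Thr) generates an event on every sample, while the 12/8 pair generates none, which is the hysteresis effect Figure 53 illustrates; the counter series shows that a delta alarm compares successive differences, not the counter itself.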
CONTENTS
Section 4.10.3.1, “Viewing a List of RMON Events”
Section 4.10.3.2, “Adding an RMON Event”
Section 4.10.3.3, “Deleting an RMON Event”
Section4.10.3.1
Viewing a List of RMON Events
To view a list of RMON events, navigate to Ethernet Stats» Configure RMON Events. The RMON Events table
appears.
Figure59:RMON Events Table
If events have not been configured, add events as needed. For more information, refer to Section4.10.3.2,
“Adding an RMON Event”.
Section4.10.3.2
Adding an RMON Event
To add an RMON alarm, do the following:
1. Navigate to Ethernet Stats» Configure RMON Events. The RMON Events table appears.
Figure 60: RMON Events Table (1. InsertRecord)
2. Click InsertRecord. The RMON Events form appears.
Figure 61: RMON Events Form (1. Index Box, 2. Type List, 3. Community Box, 4. Last Time Sent Box, 5. Description Box, 6. Owner Box, 7. Apply Button, 8. Delete Button, 9. View Button, 10. Reload Button)
3. Configure the following parameter(s) as required:
Parameter Description
Index Synopsis:  1 to 65535
Default:  3
The index of this RMON Event record.
Type Synopsis:  { none, log, snmpTrap, logAndTrap }
Default:  logAndTrap
The type of notification that the probe will make about this event. In the case of 'log', an
entry is made in the RMON Log table for each event. In the case of 'snmpTrap', an SNMP
trap is sent to one or more management stations.
Community Synopsis:  Any 31 characters
Default:  public
If the SNMP trap is to be sent, it will be sent to the SNMP community specified by this
string.
Last Time Sent Synopsis:  DDDD days, HH:MM:SS
The time since the last reboot at which this event entry last generated an event. If this
entry has not generated any events, this value will be 0.
Description Synopsis:  Any 127 characters
Default:  EV2-Rise
A comment describing this event.
Owner Synopsis:  Any 127 characters
Default:  Monitor
The owner of this event record. It is suggested to start this string with the word 'monitor'.
4. Click Apply.
Section4.10.3.3
Deleting an RMON Event
To delete an RMON event, do the following:
1. Navigate to Ethernet Stats» Configure RMON Events. The RMON Events table appears.
Figure62:RMON Events Table
2. Select the event from the table. The RMON Events form appears.
Figure 63: RMON Events Form (1. Index Box, 2. Type List, 3. Community Box, 4. Last Time Sent Box, 5. Description Box, 6. Owner Box, 7. Apply Button, 8. Delete Button, 9. View Button, 10. Reload Button)
3. Click Delete.
Section4.11
Upgrading/Downgrading Firmware
This section describes how to upgrade and downgrade the firmware for RUGGEDCOM ROS.
CONTENTS
Section4.11.1, “Upgrading Firmware”
Section4.11.2, “Downgrading Firmware”
Section4.11.1
Upgrading Firmware
Upgrading RUGGEDCOM ROS firmware, including the main, bootloader and FPGA firmware, may be necessary
to take advantage of new features or bug fixes. Binary firmware releases, including updates, can be obtained by
submitting a Support Request via the Siemens Industry Online Support [https://support.industry.siemens.com]
website. For more information, refer to https://support.industry.siemens.com/My/ww/en/requests.
Binary firmware images transferred to the device are stored in non-volatile Flash memory and require a device
reset to take effect.
NOTE
The IP address set for the device will not be changed following a firmware upgrade.
To upgrade the RUGGEDCOM ROS firmware, do the following:
1. Upload a different version of the binary firmware image to the device. For more information, refer to
Section4.4, “Uploading/Downloading Files”.
2. Reset the device to complete the installation. For more information, refer to Section4.12, “Resetting the
Device”.
3. Access the CLI shell and verify the new software version has been installed by typing version. The currently
installed versions of the main and boot firmware are displayed.
>version
Current ROS-CF52 Boot Software v2.20.0 (Jan 01 4.3 00:01)
Current ROS-CF52 Main Software v4.3.0 (Jan 01 4.3 00:01)
Section4.11.2
Downgrading Firmware
Downgrading the RUGGEDCOM ROS firmware is generally not recommended, as it may have unpredictable
effects. However, if a downgrade is required, do the following:
IMPORTANT!
Before downgrading the firmware, make sure the hardware and FPGA code types installed in the
device are supported by the older firmware version. Refer to the Release Notes for the older firmware
version to confirm.
CAUTION!
Do not downgrade the RUGGEDCOM ROS boot version.
1. Disconnect the device from the network.
2. Log in to the device as an admin user. For more information, refer to Section2.1, “Logging In”.
3. Make a local copy of the current configuration file. For more information, refer to Section4.4, “Uploading/
Downloading Files”.
IMPORTANT!
Never downgrade the firmware with encryption enabled to a version that does not support
encryption.
4. Restore the device to its factory defaults. For more information, refer to Section 4.3, “Restoring Factory
Defaults”.
5. Upload and apply the older firmware version and its associated FPGA files using the same methods used to
install newer firmware versions. For more information, refer to Section 4.11.1, “Upgrading Firmware”.
6. Press Ctrl-S to access the CLI.
7. Clear all logs by typing:
clearlogs
8. Clear all alarms by typing:
clearalarms
IMPORTANT!
After downgrading the firmware and FPGA files, be aware that some settings from the previous
configuration may be lost or reverted to the factory defaults (including user passwords if
downgrading from a security-related version), as those particular tables or fields may not exist in
the older firmware version. Because of this, the unit must be configured after the downgrade.
9. Configure the device as required.
Section 4.12
Resetting the Device
To reset the device, do the following:
1. Navigate to Diagnostics » Reset Device. The Reset Device form appears.
Figure 64: Reset Device Form (1. Confirm Button)
2. Click Confirm.
Section4.13
Decommissioning the Device
Before taking the device out of service, either permanently or for maintenance by a third-party, make sure the
device has been fully decommissioned. This includes removing any sensitive, proprietary information.
To decommission the device, do the following:
1. Disconnect all network cables from the device.
2. Connect to the device via the RS-232 serial console port. For more information, refer to Section3.1.2,
“Connecting Directly”.
3. Restore all factory default settings for the device. For more information, refer to Section4.3, “Restoring
Factory Defaults”.
4. Access the CLI. For more information, refer to Section2.5, “Using the Command Line Interface”.
5. Upload a blank version of the banner.txt file to the device to replace the existing file. For more information
about uploading a file, refer to Section4.4, “Uploading/Downloading Files”.
6. Confirm the upload was successful by typing:
type banner.txt
7. Clear the system and crash logs by typing:
clearlog
8. Generate a random SSL certificate by typing:
sslkeygen
This may take several minutes to complete. To verify the certificate has been generated, type:
type syslog.txt
When the phrase
Generated ssl.crt was saved
appears in the log, the SSL certificate has been generated.
9. Generate random SSH keys by typing:
sshkeygen
This may take several minutes to complete. To verify the keys have been generated, type:
type syslog.txt
When the phrase
Generated ssh.keys was saved
appears in the log, the SSH keys have been generated.
10. De-fragment and erase all free flash memory by typing:
flashfile defrag
This may take several minutes to complete.
Chapter 5
System Administration
System Administration
This chapter describes how to perform various administrative tasks related to device identification, user
permissions, alarm configuration, certificates and keys, and more.
CONTENTS
Section 5.1, “Configuring the System Information”
Section 5.2, “Customizing the Login Screen”
Section 5.3, “Enabling/Disabling the Web Interface”
Section 5.4, “Managing Alarms”
Section 5.5, “Managing the Configuration File”
Section 5.1
Configuring the System Information
To configure basic information that can be used to identify the device, its location, and/or its owner, do the
following:
1. Navigate to Administration » Configure System Identification. The System Identification form appears.
Figure 65: System Identification Form (1. System Name Box, 2. Location Box, 3. Contact Box, 4. Apply Button, 5. Reload Button)
2. Configure the following parameter(s) as required:
Parameter Description
System Name Synopsis:  Any 24 characters
The system name is displayed in all RUGGEDCOM ROS menu screens. This can make it
easier to identify the switches within your network provided that all switches are given a
unique name.
Location Synopsis:  Any 49 characters
The location can be used to indicate the physical location of the switch. It is displayed in
the login screen as another means to ensure you are dealing with the desired switch.
Contact Synopsis:  Any 49 characters
The contact can be used to help identify the person responsible for managing the switch.
You can enter name, phone number, email, etc. It is displayed in the login screen so that
this person may be contacted should help be required.
3. Click Apply.
Section5.2
Customizing the Login Screen
To display a custom welcome message, device information or any other information on the login screen for the
Web and console interfaces, add text to the banner.txt file stored on the device.
If the banner.txt file is empty, only the Username and Password fields appear on the login screen.
To update the banner.txt file, download the file from the device, modify it and then load it back on to the
device. For information about uploading and downloading files, refer to Section4.4, “Uploading/Downloading
Files”.
Section5.3
Enabling/Disabling the Web Interface
In some cases, users may want to disable the Web interface to increase cyber security.
To disable or enable the Web interface, do the following:
NOTE
The Web interface can be disabled via the Web UI by configuring the Web Server Users Allowed
parameter in the IP Services form. For more information, refer to Section4.9, “Configuring IP Services”.
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section2.5, “Using the Command Line Interface”.
2. Navigate to Administration» Configure IP Services» Web Server Users Allowed.
3. Select Disabled to disable the Web interface, or select the desired number of Web server users allowed to
enable the interface.
Section5.4
Managing Alarms
Alarms indicate the occurrence of events of either importance or interest that are logged by the device.
There are two types of alarms:
Active alarms signify states of operation that are not in accordance with normal operation. Examples include
links that should be up, but are not, or error rates that repeatedly exceed a certain threshold. These alarms are
continuously active and are only cleared when the problem that triggered the alarms is resolved.
Passive alarms are a record of abnormal conditions that occurred in the past and do not affect the current
operation state of the device. Examples include authentication failures, Remote Network MONitoring (RMON)
MIB generated alarms, or error states that temporarily exceeded a certain threshold. These alarms can be
cleared from the list of alarms.
NOTE
For more information about RMON alarms, refer to Section 4.10.2, “Managing RMON Alarms”.
When either type of alarm occurs, a message appears in the top right corner of the user interface. If more than
one alarm has occurred, the message will indicate the number of alarms. Active alarms also trip the Critical Failure
Relay LED on the device. The message and the LED will remain active until the alarm is cleared.
NOTE
Alarms are volatile in nature. All alarms (active and passive) are cleared at startup.
CONTENTS
Section 5.4.1, “Viewing a List of Pre-Configured Alarms”
Section 5.4.2, “Viewing and Clearing Latched Alarms”
Section 5.4.3, “Configuring an Alarm”
Section 5.4.4, “Authentication Related Security Alarms”
Section 5.4.1
Viewing a List of Pre-Configured Alarms
To view a list of alarms pre-configured for the device, navigate to Diagnostic » Configure Alarms. The Alarms
table appears.
Figure66:Alarms Table
NOTE
This list of alarms (configurable and non-configurable) is accessible through the Command Line
Interface (CLI) using the alarms. For more information, refer to Section2.5.1, “Available CLI
Commands”.
For information about modifying a pre-configured alarm, refer to Section5.4.3, “Configuring an Alarm”.
Section5.4.2
Viewing and Clearing Latched Alarms
To view a list of alarms that are configured to latch, navigate to Diagnostics» View Latched Alarms. The
Latched Alarms table appears.
Figure67:Latched Alarms Table
To clear the passive alarms from the list, do the following:
1. Navigate to Diagnostics» Clear Latched Alarms. The Clear Latched Alarms form appears.
Figure 68: Clear Latched Alarms Form (1. Confirm Button)
2. Click Confirm.
Section 5.4.3
Configuring an Alarm
While all alarms are pre-configured on the device, some alarms can be modified to suit the application. This
includes enabling/disabling certain features and changing the refresh time.
To configure an alarm, do the following:
IMPORTANT!
Critical and Alert level alarms are not configurable and cannot be disabled.
1. Navigate to Diagnostic » Configure Alarms. The Alarms table appears.
Figure69:Alarms Table
2. Select an alarm. The Alarms form appears.
Figure 70: Alarms Form (1. Name Box, 2. Level Box, 3. Latch Box, 4. Trap Box, 5. Log Box, 6. LED & Relay Box, 7. Refresh Time Box, 8. Apply Button, 9. Reload Button)
3. Configure the following parameter(s) as required:
Parameter Description
Name Synopsis:  Any 34 characters
Default:  sys_alarm
The alarm name, as obtained through the alarms CLI command.
Level Synopsis:  { EMRG, ALRT, CRIT, ERRO, WARN, NOTE, INFO, DEBG }
Severity level of the alarm:
EMERG - The device has had a serious failure that caused a system reboot.
ALERT - The device has had a serious failure that did not cause a system reboot.
CRITICAL - The device has a serious unrecoverable problem.
ERROR - The device has a recoverable problem that does not seriously affect operation.
WARNING - Possibly serious problem affecting overall system operation.
NOTIFY - Condition detected that is not expected or not allowed.
INFO - Event which is a part of normal operation, e.g. cold start, user login etc.
DEBUG - Intended for factory troubleshooting only.
This parameter is not configurable.
Latch Synopsis:  { On, Off }
Default:  Off
Enables latching occurrence of this alarm in the Alarms Table.
Trap Synopsis:  { On, Off }
Default:  Off
Enables sending an SNMP trap for this alarm.
Log Synopsis:  { On, Off }
Default:  Off
Enables logging the occurrence of this alarm in syslog.txt.
LED & Relay Synopsis:  { On, Off }
Default:  Off
Enables LED and fail-safe relay control for this alarm. If latching is not enabled, this field
will remain disabled.
Refresh Time Synopsis:  0 s to 60 s
Default:  60 s
Refreshing time for this alarm.
4. Click Apply.
Section5.4.4
Authentication Related Security Alarms
This section describes the authentication-related security messages that can be generated by RUGGEDCOM ROS.
CONTENTS
Section5.4.4.1, “Security Alarms for Login Authentication”
Section5.4.4.2, “Security Messages for Port Authentication”
Section5.4.4.1
Security Alarms for Login Authentication
RUGGEDCOM ROS provides various logging options related to login authentication. A user can log into a
RUGGEDCOM ROS device via four different methods: Web, console, SSH or Telnet. RUGGEDCOM ROS can log
messages in the syslog, send a trap to notify an SNMP manager, and/or raise an alarm when a successful and
unsuccessful login event occurs. In addition, when a weak password is configured on a unit or when the primary
authentication server for TACACS+ or RADIUS is not reachable, RUGGEDCOM ROS will raise alarms, send SNMP
traps and log messages in the syslog.
The following is a list of log and alarm messages related to user authentication:
Weak Password Configured
Login and Logout Information
Excessive Failed Login Attempts
RADIUS Server Unreachable
TACACS Server Unreachable
TACACS Response Invalid
SNMP Authentication Failure
NOTE
All alarms and log messages related to login authentication are configurable. For more information
about configuring alarms, refer to Section5.4.3, “Configuring an Alarm”.
Weak Password Configured
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when a weak password is configured in
the Passwords table.
Message Name Alarm SNMP Trap Syslog
Weak Password Configured Yes Yes Yes
Default Keys In Use
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when default keys are in use. For more
information about default keys, refer to Section6.5, “Managing SSH and SSL Keys and Certificates”.
NOTE
For Non-Controlled (NC) versions of RUGGEDCOM ROS, this alarm is only generated when default SSL
keys are in use.
Message Name Alarm SNMP Trap Syslog
Default Keys In Use Yes Yes Yes
Login and Logout Information
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when a successful and unsuccessful login
attempt occurs. A message is also logged in the syslog when a user with a certain privilege level is logged out
from the device.
Login attempts are logged regardless of how the user accesses the device (i.e. SSH, Web, Console, Telnet or RSH).
However, when a user logs out, a message is only logged when the user is accessing the device through SSH,
Telnet or Console.
Message Name Alarm SNMP Trap Syslog
Successful Login Yes Yes Yes
Failed Login Yes Yes Yes
User Logout No No Yes
Excessive Failed Login Attempts
RUGGEDCOM ROS generates this alarm and logs a message in the syslog after 10 failed login attempts by a user
occur within a span of five minutes. Furthermore, the service the user attempted to access will be blocked for one
hour to prevent further attempts.
Message Name Alarm SNMP Trap Syslog
Excessive Failed Login Attempts Yes Yes Yes
RADIUS Server Unreachable
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when the primary RADIUS server is
unreachable.
Message Name Alarm SNMP Trap Syslog
Primary RADIUS Server Unreachable Yes Yes Yes
TACACS+ Server Unreachable
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when the primary TACACS+ server is
unreachable.
Message Name Alarm SNMP Trap Syslog
Primary TACACS Server Unreachable Yes Yes Yes
TACACS+ Response Invalid
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when the response from the TACACS+
server is received with an invalid CRC.
Message Name Alarm SNMP Trap Syslog
TACACS Response Invalid Yes Yes Yes
SNMP Authentication Failure
RUGGEDCOM ROS generates this alarm, sends an authentication failure trap, and logs a message in the syslog
when an SNMP manager with incorrect credentials communicates with the SNMP agent in RUGGEDCOM ROS.
Message Name Alarm SNMP Trap Syslog
SNMP Authentication Failure Yes Yes Yes
Section5.4.4.2
Security Messages for Port Authentication
The following is the list of log and alarm messages related to port access control in RUGGEDCOM ROS:
MAC Address Authorization Failure
Secure Port X Learned MAC Addr on VLAN X
Port Security Violated
MAC Address Authorization Failure
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when a host connected to a secure port
on the device is communicating using a source MAC address which has not been authorized by RUGGEDCOM
ROS, or the dynamically learned MAC address has exceeded the total number of MAC addresses configured to be
learned dynamically on the secured port. This message is only applicable when the port security mode is set to
Static MAC.
Message Name Alarm SNMP Trap Syslog
MAC Address Authorization Failure Yes Yes Yes
Secure Port X Learned MAC Addr on VLAN X
RUGGEDCOM ROS logs a message in the syslog and sends a configuration change trap when a MAC address is
learned on a secure port. Port X indicates the secured port number and VLAN number on that port. This message is
not configurable in RUGGEDCOM ROS.
Message Name SNMP Trap Syslog
Secure Port X Learned MAC Addr on VLAN X Yes Yes
Port Security Violated
This message is only applicable when the security mode for a port is set to "802.1X" or "802.1X/MAC-Auth".
RUGGEDCOM ROS generates this alarm and logs a message in the syslog when the host connected to a secure port
tries to communicate using incorrect login credentials.
Message Name Alarm SNMP Trap Syslog
802.1X Port X Authentication Failure Yes Yes Yes
802.1X Port X Authorized Addr. XXX No No Yes
Section5.5
Managing the Configuration File
The device configuration file for RUGGEDCOM ROS is a single CSV (Comma-Separated Value) formatted ASCII text
file, named config.csv. It can be downloaded from the device to view, compare against other configuration
files, or store for backup purposes. It can also be overwritten by a complete or partial configuration file uploaded
to the device.
To prevent unauthorized access to the contents of the configuration file, the file can be encrypted and given a
password/passphrase key.
CONTENTS
Section5.5.1, “Configuring Data Encryption”
Section5.5.2, “Updating the Configuration File”
Section5.5.1
Configuring Data Encryption
To encrypt the configuration file and protect it with a password/passphrase, do the following:
NOTE
Data encryption is not available in Non-Controlled (NC) versions of RUGGEDCOM ROS. When switching
between Controlled and Non-Controlled (NC) versions of RUGGEDCOM ROS, make sure data encryption
is disabled. Otherwise, the NC version of RUGGEDCOM ROS will ignore the encrypted configuration file
and load the factory defaults.
NOTE
Only configuration data is encrypted. All comments and table names in the configuration file are saved
as clear text.
NOTE
When sharing a configuration file between devices, make sure both devices have the same passphrase
configured. Otherwise, the configuration file will be rejected.
NOTE
Encryption must be disabled before the device is returned to Siemens or the configuration file is shared
with Customer Support.
IMPORTANT!
Never downgrade the RUGGEDCOM ROS software version beyond RUGGEDCOM ROS v4.3 when
encryption is enabled. Make sure the device has been restored to factory defaults before downgrading.
1. Navigate to Administration» Configure Data Storage. The Data Storage form appears.
Figure 71: Data Storage Form
1. Encryption Options 2. Passphrase Box 3. Confirm Passphrase Box 4. Apply Button 5. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
Encryption Synopsis:  { On, Off }
Enable/disable encryption of data in configuration file.
Passphrase Synopsis:  31 character ascii string
This passphrase is used as a secret key to encrypt the configuration data.
Encrypted data can be decrypted by any device configured with the same passphrase.
Confirm Passphrase Synopsis:  31 character ascii string
This passphrase is used as a secret key to encrypt the configuration data.
Encrypted data can be decrypted by any device configured with the same passphrase.
3. Click Apply.
Section5.5.2
Updating the Configuration File
Once downloaded from the device, the configuration file can be updated using a variety of different tools:
Any text editing program capable of reading and writing ASCII files
Difference/patching tools (e.g. the UNIX diff and patch command line utilities)
Source Code Control systems (e.g. CVS, SVN)
NOTE
For information about uploading/downloading files, refer to Section4.4, “Uploading/Downloading
Files”.
CAUTION!
Configuration hazard – risk of data loss. Do not edit an encrypted configuration file. Any line that has
been modified manually will be ignored.
RUGGEDCOM ROS also has the ability to accept partial configuration updates. For example, to update only the
parameters for Ethernet port 1 and leave all other parameters unchanged, transfer a file containing only the
following lines to the device:
# Port Parameters
ethPortCfg
Port,Name,Media,State,AutoN,Speed,Dupx,FlowCtrl,LFI,Alarm,
1,Port 1,100TX,Enabled,On,Auto,Auto,Off,Off,On,
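The following is an added worked example, not tooling from the product or code from this guide: a small Python script that compares two config.csv exports and emits only the tables and rows that changed, in the partial-update form shown above. It assumes the layout of the ethPortCfg fragment (a "#" comment line, a table name, a header row, then records ending with a trailing comma) holds for every table; the second table and all values below are constructed for the example.

```python
"""Compare two RUGGEDCOM ROS style config.csv exports and emit a partial update.

Added example, not part of the RUGGEDCOM ROS product. The layout assumed here
(a '# comment' line, a table-name line, a header line, then one record per line,
each ending in a trailing comma) generalizes the single ethPortCfg fragment
shown in the guide; the second table and the field values are constructed.
"""
from typing import Dict, List, Tuple

Table = Tuple[str, List[str]]   # (header line, data rows)
Config = Dict[str, Table]       # table name -> (header, rows)

# Constructed "before" export: two tables, as a device might hand them back.
OLD_CSV = """\
# Port Parameters
ethPortCfg
Port,Name,Media,State,AutoN,Speed,Dupx,FlowCtrl,LFI,Alarm,
1,Port 1,100TX,Enabled,On,Auto,Auto,Off,Off,On,
2,Port 2,100TX,Enabled,On,Auto,Auto,Off,Off,On,
# Hypothetical table (constructed for this example)
exampleTbl
Key,Value,
timeout,30,
"""

# Constructed "after" file: only port 1 was renamed and disabled.
NEW_CSV = OLD_CSV.replace("1,Port 1,100TX,Enabled,", "1,Uplink,100TX,Disabled,")


def parse_config(text: str) -> Config:
    """Split a config.csv body into tables keyed by table name."""
    tables: Config = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # comments are clear text and carry no data
        if "," not in line:
            name = line                 # a bare token starts a new table
            tables[name] = ("", [])
            continue
        if name is None:
            raise ValueError("data row before any table name: %r" % line)
        header, rows = tables[name]
        if header == "":
            tables[name] = (line, rows)  # first comma line after the name is the header
        else:
            rows.append(line)
    return tables


def partial_update(old: str, new: str) -> str:
    """Return a config.csv fragment holding only what changed between two exports.

    Tables with an unchanged header contribute only their changed or added rows;
    a new table or a table whose header changed is sent whole. Rows deleted in
    the new file cannot be expressed: a partial upload only sets values.
    """
    old_cfg, new_cfg = parse_config(old), parse_config(new)
    out: List[str] = []
    for name, (header, rows) in new_cfg.items():
        old_header, old_rows = old_cfg.get(name, ("", []))
        changed = [r for r in rows if r not in old_rows]
        if header == old_header and not changed:
            continue                    # untouched table: leave it out of the upload
        out.append("# %s (partial update)" % name)
        out.append(name)
        out.append(header)
        out.extend(changed if header == old_header else rows)
    return "\n".join(out) + ("\n" if out else "")


def changed_tables(old: str, new: str) -> List[str]:
    """Names of the tables that differ between two exports (for change review)."""
    return list(parse_config(partial_update(old, new)))


if __name__ == "__main__":
    print(partial_update(OLD_CSV, NEW_CSV), end="")
```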
Chapter 6
Security
This chapter describes how to configure and manage the security-related features of RUGGEDCOM ROS.
CONTENTS
Section6.1, “Configuring Passwords”
Section6.2, “Clearing Private Data”
Section6.3, “Managing User Authentication”
Section6.4, “Managing Port Security”
Section6.5, “Managing SSH and SSL Keys and Certificates”
Section6.1
Configuring Passwords
To configure passwords for one or more of the user profiles, do the following:
1. Navigate to Administration» Configure Passwords. The Configure Passwords form appears.
Figure 72: Configure Passwords Form
1. Auth Type Box 2. Guest Username Box 3. Guest Password Box 4. Confirm Guest Password Box 5. Operator Username Box
6. Operator Password Box 7. Confirm Operator Password Box 8. Admin Username Box 9. Admin Password Box 10. Confirm
Admin Password Box 11. Password Minimum Length Box 12. Apply Button 13. Reload Button
NOTE
RUGGEDCOM ROS requires that all user passwords meet strict guidelines to prevent the use of
weak passwords. When creating a new password, make sure it adheres to the following rules:
Must not be less than 8 characters in length.
Must not include the username or any 4 continuous characters found in the username.
For example, if the username is Subnet25, the password may not be subnet25admin,
subnetadmin or net25admin. However, net-25admin or Sub25admin is permitted.
Must have at least one alphabetic character and one number. Special characters are permitted.
Must not have more than 3 continuously incrementing or decrementing numbers. For example,
Sub123 and Sub19826 are permitted, but Sub12345 is not.
An alarm will be generated if a weak password is configured. The weak password alarm can be
disabled by the user. For more information about disabling alarms, refer to Section5.4, “Managing
Alarms”.
2. Configure the following parameter(s) as required:
Parameter Description
Auth Type Synopsis:  { Local, RADIUS, TACACS+, RADIUSorLocal, TACACS+orLocal }
Default:  Local
Passwords can be authenticated using locally configured values or a remote RADIUS or
TACACS+ server. Setting this parameter to any value that involves RADIUS or TACACS+
requires the Security Server table to be configured.
Settings:
Local - Authentication from the local Password Table.
RADIUS - Authentication using a RADIUS server.
TACACS+ - Authentication using a TACACS+ server.
RADIUSOrLocal - Authentication using RADIUS. If the server cannot be reached,
authenticate from the local Password Table.
TACACS+OrLocal - Authentication using TACACS+. If the server cannot be reached,
authenticate from the local Password Table.
NOTE
For console access, only local credentials are checked when Local, RADIUS,
or TACACS+ authentication is selected. When RADIUSOrLocal or
TACACS+OrLocal authentication is selected, RADIUS or TACACS+ credentials are
checked first, respectively. If authentication fails, local credentials will then
be checked.
Guest Username Synopsis:  Any 15 characters
Default:  guest
Related password is in field Guest Password; view only, cannot change settings or run
any commands.
Guest Password Synopsis:  19 character ASCII string
Related username is in field Guest Username; view only, cannot change settings or run
any commands.
Confirm Guest Password Synopsis:  19 character ASCII string
Related username is in field Guest Username; view only, cannot change settings or run
any commands.
Operator Username Synopsis:  Any 15 characters
Default:  operator
Related password is in field Oper Password; cannot change settings; can reset alarms,
statistics, logs, etc.
Operator Password Synopsis:  19 character ASCII string
Related username is in field Oper Username; cannot change settings; can reset alarms,
statistics, logs, etc.
Confirm Operator Password Synopsis:  19 character ASCII string
Related username is in field Oper Username; cannot change settings; can reset alarms,
statistics, logs, etc.
Admin Username Synopsis:  Any 15 characters
Default:  admin
Related password is in field Admin Password; full read/write access to all settings and
commands.
Admin Password Synopsis:  19 character ASCII string
Related username is in field Admin Username; full read/write access to all settings and
commands.
Confirm Admin Password Synopsis:  19 character ASCII string
Related username is in field Admin Username; full read/write access to all settings and
commands.
Password Minimum Length Synopsis:  1 to 17
Default:  1
Configure the minimum length of the password string. A new password shorter than the
minimum length will be rejected.
3. Click Apply.
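As an added example (not code from this guide or from the firmware), the following Python checker applies the password rules from the note above together with the Password Minimum Length parameter, so candidate passwords can be screened before they trip the weak-password alarm. Comparing username fragments case-insensitively is inferred from the guide's own Subnet25 / subnet25admin example and is an assumption.

```python
"""Check a candidate password against the RUGGEDCOM ROS rules listed in the guide.

Added example, not the firmware's own checker. It encodes the four rules from
the Configure Passwords note plus the Password Minimum Length parameter.
Comparing username fragments case-insensitively is inferred from the guide's
Subnet25 / subnet25admin example and is an assumption.
"""
from typing import List

ROS_MIN_LENGTH = 8        # rule 1: never less than 8 characters
USERNAME_FRAGMENT = 4     # rule 2: no 4 consecutive characters of the username
MAX_DIGIT_RUN = 3         # rule 4: at most 3 stepping digits in a row


def _username_fragments(username: str) -> List[str]:
    """Every 4-character window of the username, lower-cased."""
    u = username.lower()
    return [u[i:i + USERNAME_FRAGMENT]
            for i in range(len(u) - USERNAME_FRAGMENT + 1)]


def longest_stepping_run(password: str) -> int:
    """Length of the longest run of digits stepping by exactly +1 or -1 each time.

    'Sub123' -> 3, 'Sub12345' -> 5, 'Sub19826' -> 2 (only the '98' steps).
    """
    best = run = direction = 0
    prev = None
    for ch in password:
        if not ch.isdigit():
            prev, run, direction = None, 0, 0
            continue
        d = int(ch)
        if prev is None:
            run, direction = 1, 0
        else:
            step = d - prev
            if step in (1, -1) and direction in (0, step):
                run += 1                   # continues the current run
                direction = step
            elif step in (1, -1):
                run, direction = 2, step   # direction flipped: fresh run of two
            else:
                run, direction = 1, 0      # non-adjacent digits break the run
        best = max(best, run)
        prev = d
    return best


def password_violations(password: str, username: str, min_length: int = 1) -> List[str]:
    """List the rules the password breaks; an empty list means it is accepted.

    `min_length` mirrors the Password Minimum Length parameter (1 to 17).
    """
    problems: List[str] = []
    if len(password) < ROS_MIN_LENGTH:
        problems.append("shorter than %d characters" % ROS_MIN_LENGTH)
    if len(password) < min_length:
        problems.append("shorter than Password Minimum Length %d" % min_length)
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    elif any(frag in lowered for frag in _username_fragments(username)):
        problems.append("contains 4 consecutive characters of the username")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs at least one letter and one digit")
    if longest_stepping_run(password) > MAX_DIGIT_RUN:
        problems.append("more than %d consecutively stepping digits" % MAX_DIGIT_RUN)
    return problems


def is_acceptable(password: str, username: str, min_length: int = 1) -> bool:
    """True when the password passes every rule (no weak-password alarm expected)."""
    return not password_violations(password, username, min_length)


if __name__ == "__main__":
    for pw in ("subnet25admin", "net25admin", "net-25admin", "Sub25admin"):
        print(pw, password_violations(pw, "Subnet25") or "accepted")
```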
Section6.2
Clearing Private Data
When enabled, during system boot up, a user with serial console access can clear all configuration data and keys
stored on the device, and restore all user names and passwords to factory default settings.
To clear private data, do the following:
NOTE
The commands used in the following procedure are time-sensitive. If the specified time limits are
exceeded before providing the appropriate response, the device will continue normal boot up.
1. Connect to the device via the RS-232 serial console port. For more information, refer to Section3.1.2,
“Connecting Directly”.
2. Cycle power to the device. As the device is booting up, the following prompt will appear:
Press any key to start
3. Within four seconds, press CTRL + r. The access banner will appear, followed by the command prompt:
>
4. Type the following command, then press Enter within 30 seconds:
clear private data
5. When prompted "Do you want to clear private data (Yes/No)?", answer yes and press Enter within five
seconds. All configuration and keys in flash will be zeroized. An entry in the event log will be created.
Crashlog.txt files (if existing) and syslog.txt files will be preserved. The device will reboot automatically.
Section6.3
Managing User Authentication
This section describes the various methods for authenticating users.
CONTENTS
Section6.3.1, “Configuring User Name Extensions”
Section6.3.2, “Managing RADIUS Authentication”
Section6.3.3, “Managing TACACS+ Authentication”
Section6.3.1
Configuring User Name Extensions
When configured to authenticate users using RADIUS or TACACS+, RUGGEDCOM ROS can be configured to add
information that the authentication server needs to each user name. This can include the NAS IP address, system
name, system location, or any other user-defined text.
If the Username Extension parameter is left blank, only the user name will be sent to the authentication server.
NOTE
Extensions are ignored when IEEE 802.1x port-based authentication is enabled. RUGGEDCOM ROS will
remain transparent and not make any changes to the username. For more information about IEEE
802.1x authentication, refer to Section6.4.1, “Port Security Concepts”.
To configure a username extension, do the following:
1. Navigate to Administration» Configure Security Server» Configure Common Security Parameters. The
Common Security Parameters form appears.
Figure 73: Common Security Parameters Form
1. Username Extension Box 2. Apply Button 3. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
Username Extension Synopsis:  Any 127 characters
Defines the format of all user names sent to a RADIUS or TACACS+ server for
authentication. A prefix or suffix can be added to the user name using predefined
keywords (wrapped in % delimiters) or user-defined strings.
Delimited values include:
%Username%: The name associated with the user profile (e.g. admin, oper, etc.)
%IPaddr%: The management IP address of the switch that acts as a Network Access
Server (NAS).
%SysName%: The system name given to the device.
%SysLocation%: The system location given to the device.
All pre-defined keywords are case-insensitive.
Examples:
%Username%@ABC.com
%Username%_%SysLocation%
If an extension is not defined, only the user name is sent to the authentication server.
3. Click Apply.
Section6.3.2
Managing RADIUS Authentication
RUGGEDCOM ROS can be configured to act as a RADIUS client and forward user credentials to a RADIUS (Remote
Authentication Dial In User Service) server for remote authentication and authorization.
RADIUS is a UDP-based protocol used for carrying authentication, authorization and configuration information
between a Network Access Server (NAS) that desires to authenticate its links and a shared authentication server. It
provides centralized authentication and authorization for network access.
RADIUS is also widely used in conjunction with the IEEE 802.1X standard for port security using the Extensible
Authentication Protocol (EAP).
IMPORTANT!
RADIUS messages are sent as UDP messages. The switch and the RADIUS server must use the same
authentication and encryption key.
IMPORTANT!
RUGGEDCOM ROS supports both Protected Extensible Authentication Protocol (PEAP) and EAP-MD5.
PEAP is more secure and is recommended if available in the supplicant.
NOTE
For more information about the RADIUS protocol, refer to RFC 2865 [http://tools.ietf.org/html/rfc2865].
For more information about the Extensible Authentication Protocol (EAP), refer to RFC 3748 [http://tools.ietf.org/html/rfc3748].
CONTENTS
Section6.3.2.1, “Configuring the RADIUS Server”
Section6.3.2.2, “Configuring the RADIUS Client on the Device”
Section6.3.2.1
Configuring the RADIUS Server
NOTE
For information about configuring the RADIUS server, refer to the manufacturer's instructions of the
server being configured.
The Vendor-Specific attribute (or VSA) sent to the RADIUS server as part of the RADIUS request is used to
determine the access level from the RADIUS server. This attribute may be configured within the RADIUS server
with the following information:
Attribute Value
Vendor-Specific Vendor-ID: 15004
Format: String
Number: 2
Attribute: { Guest, Operator, Admin }
NOTE
If no access level is received in the response packet from the RADIUS server, access is denied.
Section6.3.2.2
Configuring the RADIUS Client on the Device
The RADIUS client can be configured to use two RADIUS servers: a primary server and a backup server. If the
primary server is unavailable, the device will automatically attempt to connect with the backup server.
NOTE
The RADIUS client uses the Password Authentication Protocol (PAP) to verify access.
To configure access to either the primary or backup RADIUS servers, do the following:
1. Navigate to Administration» Configure Security Server» Configure RADIUS Server. The RADIUS Server
table appears.
Figure74:RADIUS Server Table
2. Select either Primary or Backup from the table. The RADIUS Server form appears.
Figure 75: RADIUS Server Form
1. Server Box 2. IP Address Box 3. Auth UDP Port Box 4. Max Retry Box 5. Timeout Box 6. Auth Key Box 7. Confirm Auth Key
Box 8. Apply Button 9. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Server Synopsis:  Any 8 characters
Default:  Primary
This field tells whether this configuration is for a Primary or a Backup Server.
IP Address Synopsis:  ###.###.###.### where ### ranges from 0 to 255
The Server IP Address.
Auth UDP Port Synopsis:  1 to 65535
Default:  1812
The IP Port on server.
Max Retry Synopsis:  1 to 10
Default:  2
The maximum number of times the Authenticator will attempt to contact the
authentication server to authenticate the user in case of any failure.
Timeout Synopsis:  1000 to 120000
Default:  10000
The amount of time in milliseconds the Authenticator will wait for a response from the
authentication server.
Auth Key Synopsis:  31 character ASCII string
The authentication key to be shared with server. Only available on Controlled versions.
Confirm Auth Key Synopsis:  31 character ASCII string
The authentication key to be shared with server. Only available on Controlled versions.
4. Click Apply.
Section6.3.3
Managing TACACS+ Authentication
TACACS+ (Terminal Access Controller Access-Control System Plus) is a TCP-based access control protocol that
provides authentication, authorization and accounting services to routers, Network Access Servers (NAS) and
other networked computing devices via one or more centralized servers.
CONTENTS
Section6.3.3.1, “Configuring TACACS+”
Section6.3.3.2, “Configuring User Privileges”
Section6.3.3.1
Configuring TACACS+
RUGGEDCOM ROS can be configured to use two TACACS+ servers: a primary server and a backup server. If the
primary server is unavailable, the device will automatically attempt to connect with the backup server.
To configure access to either the primary or backup TACACS+ servers, do the following:
1. Navigate to Administration» Configure Security Server» Configure TacPlus Server» Configure TACACS
Plus Server. The TACACS Plus Server table appears.
Figure76:TACACS Plus Server Table
2. Select either Primary or Backup from the table. The TACACS Plus Server form appears.
Figure 77: TACACS Plus Server Form
1. Server Box 2. IP Address Box 3. Auth TCP Port Box 4. Max Retry Box 5. Timeout Port Box 6. Reachable Box 7. Auth Key
Box 8. Confirm Key Box 9. Apply Button 10. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Server Synopsis:  Any 8 characters
Default:  Primary
This field tells whether this configuration is for a Primary or a Backup Server.
IP Address Synopsis:  ###.###.###.### where ### ranges from 0 to 255
The Server IP Address.
Auth TCP Port Synopsis:  1 to 65535
Default:  49
The IP Port on server.
Max Retry Synopsis:  1 to 10
Default:  3
The maximum number of times the Authenticator will attempt to contact the
authentication server to authenticate the user in case of any failure.
Timeout Synopsis:  1000 to 120000
Default:  10000
The amount of time in milliseconds the Authenticator will wait for a response from the
authentication server.
Auth Key Synopsis:  31 character ascii string
Default:  mySecret
The authentication key to be shared with server.
Confirm Auth Key Synopsis:  31 character ascii string
The authentication key to be shared with server.
4. Set the privilege levels for each user type (i.e. admin, operator and guest). For more information, refer to
Section6.3.3.2, “Configuring User Privileges”.
5. Click Apply.
Section6.3.3.2
Configuring User Privileges
Each TACACS+ authentication request includes a priv_lvl attribute that is used to grant access to the device. By
default, the attribute uses the following ranges:
15 represents the admin access level
2-14 represents the operator access level
1 represents the guest access level
To configure the privilege levels for each user type, do the following:
1. Navigate to Administration» Configure Security Server» Configure TacPlus Server» Configure TACPLUS
Serv Privilege Config. The TACPLUS Serv Privilege Config form appears.
Figure 78: TACPLUS Serv Privilege Config Form
1. Admin Priv Box 2. Oper Priv Box 3. Guest Priv Box 4. Apply Button 5. Reload Button
2. Configure the following parameter(s) as required:
Parameter Description
Admin Priv Synopsis:  (0 to 15)-(0 to 15)
Default:  15
Privilege level to be assigned to the user.
Oper Priv Synopsis:  (0 to 15)-(0 to 15)
Default:  2-14
Privilege level to be assigned to the user.
Guest Priv Synopsis:  (0 to 15)-(0 to 15)
Default:  1
Privilege level to be assigned to the user.
3. Click Apply.
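The following added example (not RUGGEDCOM ROS code) ties together the two access-level rules described in this chapter: the RADIUS Vendor-Specific attribute from Section 6.3.2.1 (Vendor-ID 15004, number 2, string Guest/Operator/Admin, access denied when absent) and the TACACS+ priv_lvl ranges configured above. The range parser and the overlap check are this example's own; how the firmware resolves overlapping ranges is not stated in the guide and is treated here as an assumption.

```python
"""Map a remote authentication result to a RUGGEDCOM ROS access level.

Added example, not code from the firmware. It models the two decision rules the
guide describes: the TACACS+ priv_lvl attribute compared against the configurable
Admin/Oper/Guest ranges (defaults 15, 2-14 and 1), and the RADIUS Vendor-Specific
attribute (Vendor-ID 15004, number 2, string Guest/Operator/Admin), with access
denied when no level is returned. How overlapping ranges resolve is an assumption.
"""
from typing import Dict, Optional, Tuple

LEVELS = ("Guest", "Operator", "Admin")   # exact strings listed in the guide
VENDOR_ID = 15004                          # Vendor-Specific attribute Vendor-ID
VSA_NUMBER = 2                             # vendor attribute carrying the level


def parse_priv_range(text: str) -> Tuple[int, int]:
    """Parse the '(0 to 15)-(0 to 15)' synopsis form, e.g. '15' or '2-14'."""
    parts = text.strip().split("-")
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError("bad priv range %r" % text)
    if not 0 <= lo <= hi <= 15:
        raise ValueError("priv range must lie in 0..15 with low <= high: %r" % text)
    return lo, hi


def ranges_overlap(admin: str = "15", oper: str = "2-14", guest: str = "1") -> bool:
    """Configuration sanity check: True if two user types share a priv_lvl value."""
    spans = [set(range(lo, hi + 1))
             for lo, hi in map(parse_priv_range, (admin, oper, guest))]
    return any(spans[i] & spans[j] for i in range(3) for j in range(i + 1, 3))


def tacacs_access_level(priv_lvl: int, admin: str = "15", oper: str = "2-14",
                        guest: str = "1") -> Optional[str]:
    """Return the access level for a TACACS+ priv_lvl, or None to deny.

    Ranges are tested from most to least privileged, so if an administrator has
    configured overlapping ranges the higher level wins (assumption).
    """
    for level, rng in (("Admin", admin), ("Operator", oper), ("Guest", guest)):
        lo, hi = parse_priv_range(rng)
        if lo <= priv_lvl <= hi:
            return level
    return None          # e.g. priv_lvl 0 with the defaults matches no range


def radius_access_level(vsas: Dict[Tuple[int, int], bytes]) -> Optional[str]:
    """Return the access level carried in a decoded RADIUS Access-Accept.

    `vsas` maps (Vendor-ID, vendor attribute number) to the raw value bytes, the
    shape a RADIUS client library would hand back. The guide states that a
    response without an access level is denied, hence None when it is missing.
    """
    raw = vsas.get((VENDOR_ID, VSA_NUMBER))
    if raw is None:
        return None
    value = raw.decode("ascii", errors="replace")
    return value if value in LEVELS else None   # unrecognized string: deny


if __name__ == "__main__":
    print(tacacs_access_level(7))                                    # Operator
    print(radius_access_level({(VENDOR_ID, VSA_NUMBER): b"Admin"}))  # Admin
```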
Section6.4
Managing Port Security
Port security, or port access control, provides the ability to filter or accept traffic from specific MAC addresses.
Port security works by inspecting the source MAC addresses of received frames and validating them against the list
of MAC addresses authorized by the port. Unauthorized frames are filtered and, optionally, the port that received
the frame can be shut down permanently or for a specified period of time. An alarm will be raised indicating the
detected unauthorized MAC address.
Frames to unknown destination addresses are flooded through secure ports.
CONTENTS
Section6.4.1, “Port Security Concepts”
Section6.4.2, “Viewing a List of Authorized MAC Addresses”
Section6.4.3, “Configuring Port Security”
Section6.4.4, “Configuring IEEE 802.1X”
Section6.4.1
Port Security Concepts
This section describes some of the concepts important to the implementation of port security in RUGGEDCOM
ROS.
CONTENTS
Section6.4.1.1, “Static MAC Address-Based Authentication”
Section6.4.1.2, “IEEE 802.1x Authentication”
Section6.4.1.3, “IEEE 802.1X Authentication with MAC Address-Based Authentication”
Section6.4.1.4, “Assigning VLANS with Tunnel Attributes”
Section6.4.1.1
Static MAC Address-Based Authentication
With this method, the switch validates the source MAC addresses of received frames against the contents in the
Static MAC Address Table.
RUGGEDCOM ROS also supports a highly flexible Port Security configuration which provides a convenient means
for network administrators to use the feature in various network scenarios.
A Static MAC address can be configured without a port number being explicitly specified. In this case, the
configured MAC address will be automatically authorized on the port where it is detected. This allows devices to
be connected to any secure port on the switch without requiring any reconfiguration.
The switch can also be programmed to learn (and, thus, authorize) a pre-configured number of the first source
MAC addresses encountered on a secure port. This enables the capture of the appropriate secure addresses when
first configuring MAC address-based authorization on a port. Those MAC addresses are automatically inserted into
the Static MAC Address Table and remain there until explicitly removed by the user.
Section6.4.1.2
IEEE 802.1x Authentication
The IEEE 802.1x standard defines a mechanism for port-based network access control and provides a means of
authenticating and authorizing devices attached to LAN ports.
Although IEEE 802.1x is mostly used in wireless networks, this method is also implemented in wired switches.
The IEEE 802.1x standard defines three major components of the authentication method: Supplicant,
Authenticator and Authentication server. RUGGEDCOM ROS supports the Authenticator component.
Figure 79: IEEE 802.1x General Topology
1. Supplicant 2. Authenticator Switch 3. LAN 4. Authentication Server
IMPORTANT!
RUGGEDCOM ROS supports both Protected Extensible Authentication Protocol (PEAP) and EAP-MD5.
PEAP is more secure and is recommended if available in the supplicant.
IEEE 802.1x makes use of the Extensible Authentication Protocol (EAP), which is a generic PPP authentication
protocol that supports various authentication methods. IEEE 802.1x defines a protocol for communication
between the Supplicant and the Authenticator, referred to as EAP over LAN (EAPOL).
RUGGEDCOM ROS communicates with the Authentication Server using EAP over RADIUS.
NOTE
The switch supports authentication of one host per port.
NOTE
If the host’s MAC address is configured in the Static MAC Address Table, it will be authorized, even if the
host authentication is rejected by the authentication server.
Section6.4.1.3
IEEE 802.1X Authentication with MAC Address-Based Authentication
This method, also referred to as MAB (MAC-Authentication Bypass), is commonly used for devices, such as VoIP
phones and Ethernet printers, that do not support the 802.1x protocol. This method allows such devices to be
authenticated using the same database infrastructure as that used in 802.1x.
IEEE 802.1x with MAC-Authentication Bypass works as follows:
1. The device connects to a switch port.
2. The switch learns the device MAC address upon receiving the first frame from the device (the device usually
sends out a DHCP request message when first connected).
3. The switch sends an EAP Request message to the device, attempting to start 802.1X authentication.
4. The switch times out while waiting for the EAP reply, because the device does not support 802.1x.
5. The switch sends an authentication message to the authentication server, using the device MAC address as
the username and password.
6. The switch authenticates or rejects the device according to the reply from the authentication server.
Section6.4.1.4
Assigning VLANS with Tunnel Attributes
RUGGEDCOM ROS supports assigning a VLAN to the authorized port using tunnel attributes, as defined in RFC
3580 [http://tools.ietf.org/html/rfc3580], when the Port Security mode is set to 802.1x or 802.1x/MAC-Auth.
In some cases, it may be desirable to allow a port to be placed into a particular VLAN, based on the authentication
result. For example:
To allow a particular device, based on its MAC address, to remain on the same VLAN as it moves within a
network, configure the switches for 802.1X/MAC-Auth mode
To allow a particular user, based on the user’s login credentials, to remain on the same VLAN when the user logs
in from different locations, configure the switches for 802.1X mode
If the RADIUS server wants to use this feature, it indicates the desired VLAN by including tunnel attributes in the
Access-Accept message. The RADIUS server uses the following tunnel attributes for VLAN assignment:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
Note that VLANID is 12-bits and takes a value between 1 and 4094, inclusive. The Tunnel-Private-Group-ID is a
string as defined in RFC 2868 [http://tools.ietf.org/html/rfc2868], so the VLANID integer value is encoded as a
string.
If the tunnel attributes are not returned by the authentication server, the VLAN assigned to the switch port
remains unchanged.
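The tunnel-attribute handling described above, as an added example in Python (not RUGGEDCOM ROS code): it encodes and decodes the RFC 2868 attributes, applies the 1 to 4094 range check to the string-encoded VLAN ID, and falls back to the port's current VLAN when no usable attributes are present. The Access-Accept attribute lists and VLAN numbers are constructed for the example; the attribute numbers 64, 65 and 81 and the values VLAN (13) and IEEE-802 (6) are the ones defined in RFC 2868.

```python
import struct

# RFC 2868 attribute numbers and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64               # value: Tag + 3-octet integer
TUNNEL_MEDIUM_TYPE = 65        # value: Tag + 3-octet integer
TUNNEL_PRIVATE_GROUP_ID = 81   # value: [Tag] + string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6     # "802" in the guide's notation
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_attrs_for_vlan(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three attributes a RADIUS server sends to assign vlan_id.

    The VLAN ID travels as an ASCII string inside Tunnel-Private-Group-ID;
    all three attributes carry the same Tag (0x01..0x1F) so they are grouped.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    t = bytes([tag])
    return (tlv(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def iter_attrs(payload: bytes):
    """Yield (type, value) for each attribute in a RADIUS attribute list."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen


def split_tag(value: bytes):
    """RFC 2868: a first octet of 0x00..0x1F is a Tag; anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attrs: bytes, current_vlan: int) -> int:
    """Return the VLAN a port should use after an Access-Accept.

    A usable assignment needs Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a
    Tunnel-Private-Group-ID that decodes to an integer in 1..4094, all under
    the same Tag. Otherwise the port's VLAN is left unchanged, as the guide
    states for the case where no tunnel attributes are returned.
    """
    by_tag = {}
    for atype, value in iter_attrs(attrs):
        if atype in TUNNEL_ATTRS:
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[atype] = body
    for group in by_tag.values():
        if len(group) != 3:
            continue                                   # incomplete set
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        text = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return current_vlan


# Constructed Access-Accept attribute lists (not captured from a real server);
# attribute 27 is Session-Timeout, included to show unrelated attributes are ignored
ACCEPT_VLAN_100 = tlv(27, (3600).to_bytes(4, "big")) + tunnel_attrs_for_vlan(100)
ACCEPT_NO_TUNNEL = tlv(27, (3600).to_bytes(4, "big"))
ACCEPT_OUT_OF_RANGE = (tlv(TUNNEL_TYPE, b"\x01\x00\x00\x0d")
                       + tlv(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06")
                       + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x014095"))

if __name__ == "__main__":
    for name, attrs in [("vlan 100", ACCEPT_VLAN_100), ("no tunnel attrs", ACCEPT_NO_TUNNEL),
                        ("vlan 4095", ACCEPT_OUT_OF_RANGE)]:
        print(name, "->", assigned_vlan(attrs, current_vlan=1))
```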
Section6.4.2
Viewing a List of Authorized MAC Addresses
To view a list of static MAC addresses learned from secure ports, navigate to Network Access Control» Port
Security» View Authorized MAC Addresses. The Authorized MAC Addresses table appears.
NOTE
Only MAC addresses authorized on a static MAC port(s) are shown. MAC addresses authorized with
IEEE 802.1X are not shown.
Figure80:Authorized MAC Addresses Table
This table displays the following information:
Parameter Description
Port Synopsis:  1 to maximum port number
Port on which MAC address has been learned.
MAC Address Synopsis:  ##-##-##-##-##-## where ## ranges 0 to FF
Authorized MAC address learned by the switch.
VID Synopsis:  0 to 65535
VLAN Identifier of the VLAN upon which the MAC address operates.
Sticky Synopsis:  { No, Yes }
This describes whether the authorized MAC address/Device can move to another port or not:
YES - authorized MAC address/Device cannot move to a different switch port
NO - authorized MAC address/Device may move to another switch port
If a MAC address is not listed, do the following:
Configure port security. For more information, refer to Section 6.4.3, “Configuring Port Security”.
Configure IEEE 802.1X. For more information, refer to Section 6.4.4, “Configuring IEEE 802.1X”.
Section6.4.3
Configuring Port Security
To configure port security, do the following:
1. Navigate to Network Access Control» Port Security» Configure Ports Security. The Ports Security table
appears.
Figure81:Ports Security Table
2. Select an Ethernet port. The Ports Security form appears.
Figure 82: Ports Security Form
1. Port Box 2. Security List 3. Autolearn Box 4. Sticky Options 5. Shutdown Time Box 6. Status Box 7. Apply Button 8. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Port Synopsis:  1 to maximum port number
Default:  1
The port number as seen on the front plate silkscreen of the switch.
Security Synopsis:  { Off, Static MAC, 802.1X, 802.1x/MAC-Auth }
Default:  Off
Enables or disables the port's security feature. Two types of port access control are
available:
Static MAC address-based. With this method, authorized MAC address(es) should be
configured in the Static MAC Address table. If some MAC addresses are not known
in advance (or it is not known to which port they will be connected), there is still an
option to configure the switch to auto-learn a certain number of MAC addresses. Once
learned, they do not age out until the unit is reset or the link goes down.
IEEE 802.1X standard authentication.
IEEE 802.1X with MAC-Authentication, also known as MAC-Authentication Bypass.
With this option, the device can authenticate clients based on the client’s MAC address
if IEEE 802.1X authentication times out.
Autolearn Synopsis:  1 to 16 or { None }
Default:  None
Only applicable when the 'Security' field has been set to 'Static MAC'. It specifies the
maximum number of MAC addresses that can be dynamically learned on the port.
If there are static addresses configured on the port, the actual number of addresses
allowed to be learned is this number minus the number of the static MAC addresses.
Sticky Synopsis:  { No, Yes }
Default:  Yes
Only applicable when the 'Security' field has been set to 'Static MAC'. Change the
behaviour of the port to either sticky or non-sticky.
If Sticky is 'Yes', MACs/Devices authorized on the port 'stick' to the port and the switch
will not allow them to move to a different port.
If Sticky is 'No', MACs/Devices authorized on the port may move to another port.
Shutdown Time Synopsis:  1 to 86400 s or { Until reset, Don't shutdown }
Default:  Don't shutdown
Specifies for how long to shut down the port, if a security violation occurs.
Status Synopsis:  Any 31 characters
Describes the security status of the port.
NOTE
There are a few scenarios in which static MAC addresses can move:
When the link is up/down on a non-sticky secured port
When traffic switches from or to a non-sticky secured port
NOTE
Traffic is lost until the source MAC Address of the incoming traffic is authorized against the static
MAC address table.
4. Click Apply.
Section6.4.4
Configuring IEEE 802.1X
To configure IEEE 802.1X port-based authentication, do the following:
1. Navigate to Network Access Control» Port Security» Configure 802.1X. The 802.1X Parameters table
appears.
Figure83:802.1X Parameters Table
2. Select an Ethernet port. The 802.1X Parameters form appears.
Figure 84: 802.1X Parameters Form
1. Port Box 2. txPeriod Box 3. quietPeriod Box 4. reAuthEnabled Options 5. reAuthPeriod Box 6. reAuthMax Box 7. suppTimeout Box 8. serverTimeout Box 9. maxReq Box 10. Apply Button 11. Reload Button
3. Configure the following parameter(s) as required:
Parameter Description
Port Synopsis:  1 to maximum port number
Default:  1
The port number as seen on the front plate silkscreen of the switch.
txPeriod Synopsis:  1 to 65535
Default:  30 s
The time to wait for the Supplicant's EAP Response/Identity packet before retransmitting
an EAP Request/Identity packet.
quietPeriod Synopsis:  0 to 65535
Default:  60 s
The period of time not to attempt to acquire a Supplicant after the authorization session
failed.
reAuthEnabled Synopsis:  { No, Yes }
Default:  No
Enables or disables periodic re-authentication.
reAuthPeriod Synopsis:  60 to 86400
Default:  3600 s
The time between periodic re-authentication of the Supplicant.
reAuthMax Synopsis:  1 to 10
Default:  2
The number of re-authentication attempts that are permitted before the port becomes
unauthorized.
suppTimeout Synopsis:  1 to 300
Default:  30 s
The time to wait for the Supplicant's response to the authentication server's EAP packet.
serverTimeout Synopsis:  1 to 300
Default:  30 s
The time to wait for the authentication server's response to the Supplicant's EAP packet.
maxReq Synopsis:  1 to 10
Default:  2
The maximum number of times to retransmit the authentication server's EAP Request
packet to the Supplicant before the authentication session times out.
4. Click Apply.
Section6.5
Managing SSH and SSL Keys and Certificates
RUGGEDCOM ROS uses X.509v3 certificates and keys to establish secure connections for remote logins (SSH) and
Web access (SSL).
IMPORTANT!
Siemens recommends the following actions before commissioning the device:
Replace the factory-provisioned SSL certificate with one signed by a trusted Certificate Authority (CA)
Replace the factory-provisioned SSH host key pair with one generated by a trusted security authority
NOTE
Only admin users can write certificates and keys to the device.
Each RUGGEDCOM ROS device is shipped with a unique RSA 2048-based SSH host key pair and an RSA 2048-based
self-signed certificate that are generated at and provisioned by the factory. The administrator may upload a new
certificate and keys to the system at any time, which will overwrite the existing ones. In addition, CLI commands
are available to regenerate SSL certificate and key pair as well as the SSH host key pair.
There are three types of certificates and keys used in RUGGEDCOM ROS:
NOTE
Network exposure to a ROS unit operating with the default keys, although always only temporary
by design, should be avoided. The best way to reduce or eliminate this exposure is to provision user-
created certificate and keys as quickly as possible, and preferably before the unit is placed in network
service.
NOTE
The default certificate and keys are common to all RUGGEDCOM ROS versions without a certificate or
key files. That is why it is important to either allow the key auto-generation to complete or to provision
custom keys. In this way, one has at least unique, and at best, traceable and verifiable keys installed
when establishing secure communication with the unit.
Default
A default certificate and SSL/SSH keys are built in to RUGGEDCOM ROS and are common across all RUGGEDCOM
ROS units sharing the same firmware image. In the event that valid SSL certificate or SSL/SSH key files are not
available on the device (as is usually only the case when upgrading from an old ROS version that does not
support user-configurable keys and therefore was not shipped with unique, factory-generated keys), the
default certificate and keys are put into service temporarily so that SSH and SSL (HTTPS) sessions can be served
until generated or provisioned keys are available.
Auto-Generated
If a default SSL certificate and SSL/SSH keys are in use, RUGGEDCOM ROS immediately begins to generate a
unique certificate and SSL/SSH keys for the device in the background. This process may take several minutes to
complete depending on the requested key length and how busy the device is at the time. If a custom certificate
and keys are loaded while auto-generated certificates and keys are being generated, the generator will abort
and the custom certificate and keys will be used.
Custom (Recommended)
Custom certificates and keys are the most secure option. They give the user complete control over certificate
and key management, allow for the provision of certificates signed by a public or local certificate authority,
enable strictly controlled access to private keys, and allow authoritative distribution of SSL certificates, any CA
certificates, and public SSH keys.
NOTE
The RSA or EC private key corresponding to the SSL certificate must be appended to the certificate in
the ssl.crt file.
CONTENTS
Section6.5.1, “SSL Certificates”
Section6.5.2, “SSH Host Key”
Section6.5.3, “Managing SSH Public Keys”
Section6.5.4, “Certificate and Key Examples”
Section6.5.1
SSL Certificates
RUGGEDCOM ROS supports SSL certificates that conform to the following specifications:
X.509 v3 digital certificate format
PEM format
For RUGGEDCOM ROS Controlled versions: RSA key pair, 1024, 2048 or 3072 bits; or NIST P-192, P-224, P-256,
P-384 or P-521
For RUGGEDCOM ROS Non-Controlled (NC) versions: RSA key pair, 512 to 2048 bits
NOTE
RSA keys smaller than 2048 bits in length are not recommended. Support is only included here for
compatibility with legacy equipment.
Two standard PEM files are required: the SSL certificate and the corresponding RSA private key file. These are
concatenated into the resulting ssl.crt file, which may then be uploaded to RUGGEDCOM ROS. For more
information about transferring files between the device and a host computer, refer to Section 4.4, “Uploading/
Downloading Files”.
While RUGGEDCOM ROS is capable of using self-signed certificates created using the sslkeygen command,
Siemens recommends using an X.509 certificate issued by an organization's own Certificate Authority (CA).
Section6.5.2
SSH Host Key
NOTE
SSH is not supported in Non-Controlled (NC) versions of RUGGEDCOM ROS.
Controlled versions of RUGGEDCOM ROS support SSH public/private key pairs that conform to the following
specifications:
PEM format
DSA key pair, 1024, 2048 or 3072 bits in length
RSA key pair, 1024, 2048 or 3072 bits in length
NOTE
DSA or RSA key generation times increase depending on the key length. 1024 bit RSA keys take less
than 5 minutes to generate on a lightly loaded unit, whereas 2048 bit keys may take significantly
longer. A typical modern PC system, however, can generate these keys in seconds.
The following (bash) shell script fragment uses the ssh-keygen command line utility to generate a 2048 bit RSA
key suitable for use in RUGGEDCOM ROS. The resulting ssh.keys file may then be uploaded to RUGGEDCOM
ROS:
# RSA key size:
BITS=2048
# Make an SSH key pair with no passphrase (-N ''). -m PEM requests the PEM
# private key format RUGGEDCOM ROS expects; OpenSSH 7.8 and later otherwise
# write their own private key format by default:
ssh-keygen -t rsa -b $BITS -m PEM -N '' -f ssh.keys
For an example of an SSH key generated by RUGGEDCOM ROS, refer to Section 6.5.4, “Certificate and Key
Examples”.
Section6.5.3
Managing SSH Public Keys
RUGGEDCOM ROS allows admin users to list, add and delete SSH public keys. Public keys are added as non-volatile
storage (i.e. flash) files on RUGGEDCOM ROS devices, and are retrieved at the time of SSH client authentication.
CONTENTS
Section6.5.3.1, “Public Key Requirements”
Section6.5.3.2, “Adding a Public Key”
Section6.5.3.3, “Viewing a List of Public Keys”
Section6.5.3.4, “Updating a Public Key”
Section6.5.3.5, “Deleting a Public Key”
Section6.5.3.1
Public Key Requirements
Public keys are stored in a flash file, called sshpub.keys. The sshpub.keys file consists of ssh user public key entries.
Similar to the config.csv file, each entry must be separated by an empty line. An entry has two components. They
are, in sequence:
Header
Key
The header contains the parameters of the entry, separated by comma. The parameters are, in sequence:
ID: A number between 0 and 9999
Entry type: UserKey
Access Level: (Admin, Operator or Guest)
Revocation Status: active/inactive (always active for keys)
User Name: This is the client's user name (not the RUGGEDCOM ROS user name). This will be used by clients to
later SSH into the RUGGEDCOM ROS device.
The key must be in RFC4716 format, or in PEM format with any of the following header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN SSH2 PUBLIC KEY-----
-----END SSH2 PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
The following is an example of a valid entry in the sshpub.keys file in PEM format:
1,userkey,admin,active,alice
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAABIwAAAQEA4mRrqfk+RKXnmGRvzMyWVDsbq5VwpGGrlLQYCrjVEa
NdbXsphqYKop8V5VUeXFRAUFzOy82yk8TF/5JxGPWq6wRNjhnYR7IY2AiMBq0+K8XeURl/
z5K2XNRjnqTZSFwkhaUVJeduvjGgOlNN4yvgUwF3n0idU9k3E1q/na+LmYIeGhOwzCqoAc
ipHAdR4fhD5u0jbmvjv+gDikTSZIbj9eFJfP09ekImMLHwbBry0SSBpqAKbwVdWEXIKQ47
zz7ao2/rs3rSV16IXSq3Qe8VZh2irah0Md6JFMOX2qm9fo1I62q1DDgheCOsOiGPf4xerH
rI2cs6FT31rAdx2JOjvw==
---- END SSH2 PUBLIC KEY ----
The following is an example of a valid entry in the sshpub.keys file in RFC4716 format:
2,userkey,admin,active,bob
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH0NivR8zzbTxlecvFPzR/
GR24NrRJa0Lc7scNsWRgi0XulHuGrRLRB5RoQ39+spdig88Y8CqhRI49XJx7uLJe0Su3RvyNYz1jkdSwHq2hSZCpukJxJ6CK95Po/
sVa5Gq2gMaHowiYDSkcx+AJywzK/eM6i/jc125lRxFPdfkj74u+ob3PCvmIWz5z3WAJBrQU1IDPHDets511WMu8O9/
mAPZRwjqrWhRsqmcXZuv5oo54wIopCAZSo20SPzM2VmXFuUsEwDkvYMXLJK1koJPbDjH7yFFC7mwK2eMU/
oMFFn934cbO5N6etsJSvplYQ4pMCw6Ok8Q/bB5cPSOa/rAt bob@work
RUGGEDCOM ROS allows only 16 user key entries to be stored. Each key entry must meet the following limits:
Key type must be either RSA 2048 bits or RSA 3072 bits
Key size must not exceed 4000 base64 encoded characters
Entry Type in the header must not exceed 8 ASCII characters
Access Level in the header must not exceed 8 ASCII characters (operator is maximum)
Revocation status in the header must not exceed 8 ASCII characters (inactive is maximum)
User Name must not exceed 12 ASCII characters
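A validator for the sshpub.keys format and limits described above, as an added example in Python (not RUGGEDCOM ROS code): it splits the file on empty lines, checks the five header fields, accepts either a delimited key block with one of the listed header lines or a single-line ssh-rsa key, decodes the ssh-rsa blob to confirm the RSA modulus is 2048 or 3072 bits, and enforces the 16-entry and 4000-character limits. The sample file is constructed, and its moduli are synthetic numbers rather than real keys.

```python
import base64
import re
import struct

MAX_ENTRIES = 16
MAX_B64_CHARS = 4000
ALLOWED_RSA_BITS = (2048, 3072)
ACCESS_LEVELS = ("admin", "operator", "guest")
REVOCATION_STATUS = ("active", "inactive")
# Header lines accepted around a base64 key body (footer = header with END)
BLOCK_HEADERS = ("-----BEGIN PUBLIC KEY-----", "-----BEGIN SSH2 PUBLIC KEY-----",
                 "-----BEGIN RSA PUBLIC KEY-----", "---- BEGIN SSH2 PUBLIC KEY ----")

def _read_string(blob: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (n,) = struct.unpack("!I", blob[pos:pos + 4])     # struct.error if truncated
    if pos + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def rsa_bits(b64: str) -> int:
    """Return the modulus length of an ssh-rsa public key blob (RFC 4253 layout)."""
    blob = base64.b64decode(b64, validate=True)
    ktype, pos = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type must be RSA")
    _e, pos = _read_string(blob, pos)          # public exponent, not needed here
    n, _ = _read_string(blob, pos)             # modulus as mpint
    return int.from_bytes(n, "big").bit_length()

def extract_key_b64(lines) -> str:
    """Base64 body from a delimited block or a single 'ssh-rsa <b64> [comment]' line."""
    if len(lines) == 1 and lines[0].startswith("ssh-rsa "):
        return lines[0].split()[1]
    if lines and lines[0] in BLOCK_HEADERS:
        if lines[-1] != lines[0].replace("BEGIN", "END"):
            raise ValueError("footer does not match header " + lines[0])
        return "".join(lines[1:-1])
    raise ValueError("key is neither a recognised delimited block nor an ssh-rsa line")

def check_entry(entry_text: str):
    """Validate one entry; return (header fields, list of problems found)."""
    lines = [ln.rstrip("\r") for ln in entry_text.strip().splitlines()]
    fields = [f.strip() for f in lines[0].split(",")] if lines else []
    if len(fields) != 5:
        return None, ["header must have 5 comma-separated fields"]
    ident, etype, level, status, user = fields
    hdr = {"id": ident, "type": etype, "level": level, "status": status, "user": user}
    problems = []
    if not (ident.isdigit() and int(ident) <= 9999):
        problems.append("ID must be a number between 0 and 9999")
    if etype.lower() != "userkey":
        problems.append("entry type must be UserKey")
    if level.lower() not in ACCESS_LEVELS:
        problems.append("access level must be admin, operator or guest")
    if status.lower() not in REVOCATION_STATUS:
        problems.append("revocation status must be active or inactive")
    if not (0 < len(user) <= 12 and user.isascii()):
        problems.append("user name must be 1 to 12 ASCII characters")
    try:
        b64 = extract_key_b64(lines[1:])
        if len(b64) > MAX_B64_CHARS:
            problems.append("key exceeds %d base64 characters" % MAX_B64_CHARS)
        bits = rsa_bits(b64)
        if bits not in ALLOWED_RSA_BITS:
            problems.append("RSA key is %d bits; must be 2048 or 3072" % bits)
    except (ValueError, struct.error) as exc:     # binascii.Error is a ValueError
        problems.append(str(exc))
    return hdr, problems

def check_file(text: str):
    """Split a sshpub.keys file on empty lines and validate every entry."""
    entries = [e for e in re.split(r"\n[ \t]*\n", text.strip()) if e.strip()]
    results = [check_entry(e) for e in entries]
    if len(entries) > MAX_ENTRIES:
        results.append((None, ["%d entries; at most %d allowed" % (len(entries), MAX_ENTRIES)]))
    return results

# Constructed sample file: the moduli below are synthetic numbers, not real keys.
def _ssh_rsa_b64(modulus: int, exponent: int = 65537) -> str:
    """Encode an ssh-rsa blob (string "ssh-rsa", mpint e, mpint n) as base64."""
    def s(b): return struct.pack("!I", len(b)) + b
    def mpint(v): return s(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return base64.b64encode(s(b"ssh-rsa") + mpint(exponent) + mpint(modulus)).decode()

B64_2048 = _ssh_rsa_b64((1 << 2047) | 0x10001)   # 2048-bit synthetic modulus
B64_1024 = _ssh_rsa_b64((1 << 1023) | 0x10001)   # 1024-bit: below the allowed sizes
SAMPLE_FILE = "\n".join([
    "1,userkey,admin,active,alice",
    "---- BEGIN SSH2 PUBLIC KEY ----",
    *(B64_2048[i:i + 70] for i in range(0, len(B64_2048), 70)),
    "---- END SSH2 PUBLIC KEY ----",
    "",
    "2,userkey,operator,active,bob",
    "ssh-rsa " + B64_2048 + " bob@work",
    "",
    "10000,userkey,root,active,averyverylongusername",   # four violations
    "ssh-rsa " + B64_1024,
]) + "\n"
```

Running check_file(SAMPLE_FILE) reports the first two entries as clean and four problems for the third (ID out of range, unknown access level, user name too long, 1024-bit key).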
Section6.5.3.2
Adding a Public Key
Administrators can add one or more public keys to RUGGEDCOM ROS.
There are two ways to update sshpub.keys:
Upload a locally-created file directly to the sshpub.keys file. The content of the file replaces the content currently
stored in flash memory.
Upload a locally-created file to the sshaddpub.keys file. The content of the file is appended to the existing
entries in the sshpub.keys file.
IMPORTANT!
The content of the sshaddpub.keys file must follow the same syntax as the sshpub.keys file.
To add keys, do the following:
1. Create a public key file via a host computer.
2. Transfer the public key file to the device using SFTP or Xmodem. For more information about transferring
files, refer to Section 4.4, “Uploading/Downloading Files”.
3. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section 2.5, “Using the Command Line Interface”.
4. Check the system log to make sure the files were properly transferred. For more information about viewing
the system log, refer to Section 4.5.1, “Viewing Local and System Logs”.
Section6.5.3.3
Viewing a List of Public Keys
Admin users can view a list of existing public keys on the device.
To view public keys, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section 2.5, “Using the Command Line Interface”.
2. At the CLI prompt, type:
sshpubkey list
A list of public keys will appear, including their key ID, access level, revocation status, user name and key
fingerprint.
Section6.5.3.4
Updating a Public Key
Admin users can update public keys.
To update public keys, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section 2.5, “Using the Command Line Interface”.
2. At the CLI prompt, type:
sshpubkey list
A list of public keys will appear, including their key ID, access level, revocation status, user name and key
fingerprint.
3. Type the following commands to update the public keys:
Command Description
sshpubkey update_id current_ID new_ID Updates the ID of a user public key.
NOTE
The user public key ID must be a number between 0 and 9999.
current_ID is the ID currently assigned to the public key
new_ID is the ID that will be used to identify the public key going forward
sshpubkey update_al AL Updates the access level of a user public key.
AL is the access level (admin, operator or guest) of the public key to be updated
sshpubkey update_rs RS Updates the revocation status (active, inactive) of a user public key.
RS is the revocation status of the public key to be updated
sshpubkey update_un UN Updates the user name of a user public key.
UN is the user name of the public key to be updated
Section6.5.3.5
Deleting a Public Key
Admin users can delete one or more public keys.
To delete a public key, do the following:
1. Log in to the device as an admin user and access the CLI shell. For more information about accessing the CLI
shell, refer to Section 2.5, “Using the Command Line Interface”.
2. At the CLI prompt, type:
sshpubkey list
A list of public keys will appear, including access level, revocation status, user name and key fingerprint.
3. Type the following commands to delete the public key(s):
Command Description
sshpubkey remove ID Removes a key from the non-volatile storage.
ID is the ID of the public key to be removed
Section6.5.4
Certificate and Key Examples
For SSL, certificates must meet the requirements outlined in Section6.5.1, “SSL Certificates”.
The certificate and keys must be combined in a single ssl.crt file and uploaded to the device.
The following is an example of a combined SSL certificate and key:
For SSH, DSA or RSA host key pairs must meet the requirements outlined in Section 6.5.2, “SSH Host Key”.
The following is an example of a PEM formatted SSH key:
Chapter 7
Layer 2
This chapter describes the Layer 2, or Data Link Layer (DLL), features of RUGGEDCOM ROS.
CONTENTS
Section7.1, “Managing Virtual LANs”
Section7.2, “Managing MAC Addresses”
Section7.3, “Managing Multicast Filtering”
Section7.1
Managing Virtual LANs
A Virtual Local Area Network (VLAN) is a group of devices on one or more LAN segments that communicate as if
they were attached to the same physical LAN segment. VLANs are extremely flexible because they are based on
logical connections, rather than physical connections.
When VLANs are introduced, all traffic in the network must belong to one VLAN or another. Traffic on one VLAN
cannot pass to another, except through an inter-network router or Layer 3 switch.
VLANs are created in three ways:
Explicitly
Static VLANs can be created in the switch. For more information about static VLANs, refer to Section 7.1.5,
“Managing Static VLANs”.
Implicitly
When a VLAN ID (VID) is set for a port-based VLAN, static MAC address or IP interface, an appropriate VLAN is
automatically created if it does not yet exist.
Dynamically
VLANs can be learned through GVRP. For more information about GVRP, refer to Section 7.1.1.8, “GARP VLAN
Registration Protocol (GVRP)”.
For more information about VLANs, refer to Section 7.1.1, “VLAN Concepts”.
CONTENTS
Section7.1.1, “VLAN Concepts”
Section7.1.2, “Viewing a List of VLANs”
Section7.1.3, “Configuring VLANs Globally”
Section7.1.4, “Configuring VLANs for Specific Ethernet Ports”
Section7.1.5, “Managing Static VLANs”
Section7.1.1
VLAN Concepts
This section describes some of the concepts important to the implementation of VLANs in RUGGEDCOM ROS.
CONTENTS
Section7.1.1.1, “Tagged vs. Untagged Frames”
Section7.1.1.2, “Native VLAN”
Section7.1.1.3, “The Management VLAN”
Section7.1.1.4, “Edge and Trunk Port Types”
Section7.1.1.5, “Ingress and Egress Rules”
Section7.1.1.6, “Forbidden Ports List”
Section7.1.1.7, “VLAN-Aware and VLAN-Unaware Modes”
Section7.1.1.8, “GARP VLAN Registration Protocol (GVRP)”
Section7.1.1.9, “PVLAN Edge”
Section7.1.1.10, “QinQ”
Section7.1.1.11, “VLAN Advantages”
Section7.1.1.1
Tagged vs. Untagged Frames
VLAN tags identify frames as part of a VLAN network. When a switch receives a frame with a VLAN (or 802.1Q)
tag, the VLAN identifier (VID) is extracted and the frame is forwarded to other ports on the same VLAN.
When a frame does not contain a VLAN tag, or contains an 802.1p (prioritization) tag that only has prioritization
information and a VID of 0, it is considered an untagged frame.
Section7.1.1.2
Native VLAN
Each port is assigned a native VLAN number, the Port VLAN ID (PVID). When an untagged frame ingresses a port, it
is associated with the port's native VLAN.
By default, when a switch transmits a frame on the native VLAN, it sends the frame untagged. The switch can be
configured to transmit tagged frames on the native VLAN.
Section7.1.1.3
The Management VLAN
Management traffic, like all traffic on the network, must belong to a specific VLAN. The management VLAN is
configurable and always defaults to VLAN 1. This VLAN is also the default native VLAN for all ports, thus allowing
all ports the possibility of managing the product. Changing the management VLAN can be used to restrict
management access to a specific set of users.
Section7.1.1.4
Edge and Trunk Port Types
Each port can be configured as an edge or trunk port.
An edge port attaches to a single end device, such as a PC or Intelligent Electronic Device (IED). An edge port
carries traffic on the native VLAN.
Trunk ports are part of the network and carry traffic for all VLANs between switches. Trunk ports are automatically
members of all VLANs configured in the switch.
The switch can 'pass through' traffic, forwarding frames received on one trunk port out of another trunk port. The
trunk ports must be members of all VLANs that the 'pass through' traffic is part of, even if none of those VLANs are
used on edge ports.
Frames transmitted out of the port on all VLANs other than the port's native VLAN are always sent tagged.
NOTE
It may be desirable to manually restrict the traffic on the trunk to a specific group of VLANs. For
example, when the trunk connects to a device, such as a Layer 3 router, that supports a subset of the
available LANs. To prevent the trunk port from being a member of the VLAN, include it in the VLAN's
Forbidden Ports list.
For more information about the Forbidden Ports list, refer to Section 7.1.1.6, “Forbidden Ports List”.
Port Type | VLANs Supported | PVID | Format | Usage
Edge | 1 (Native) | Configured | Untagged | VLAN Unaware Networks: All frames are sent and received without the need for VLAN tags.
Edge | 1 (Native) | Configured | Tagged | VLAN Aware Networks: VLAN traffic domains are enforced on a single VLAN.
Trunk | All | Configured | Tagged or Untagged | Switch-to-Switch Connections: VLANs must be manually created and administered, or can be dynamically learned through GVRP. Multiple-VLAN End Devices: Implement connections to end devices that support multiple VLANs at the same time.
Section7.1.1.5
Ingress and Egress Rules
Ingress and egress rules determine how traffic is received and transmitted by the switch.
Ingress rules are applied as follows to all frame when they are received by the switch:
If an incoming frame is untagged or has a VID of 0 (priority tagged), the frame is associated with the ingress
port's PVID
If an incoming frame is tagged, the frame is allowed to pass, while keeping its VID
Incoming frames are only dropped if ingress filtering is enabled and the frame is tagged with a VID that does not
match any VLAN to which the ingress port is a member
Egress rules are applied as follows to all frames when they are transmitted by the switch.
If PVID tagging is enabled, outgoing frames are tagged if they are associated with the egress port's native VLAN,
regardless of the egress port's membership type (edge or trunk)
Frames egressing on an edge interface are dropped if they are associated with a VLAN other than the egress
port's native VLAN
Frames egressing on a trunk interface are tagged if they are associated with a VLAN to which the egress port is a
member
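The ingress and egress rules above, as an added example in Python (not RUGGEDCOM ROS code): a small model of a port with the settings the guide names (PVID, edge or trunk, ingress filtering, PVID tagging) and the two rule sets applied to a frame. One assumption beyond the text: a frame associated with a VLAN of which the egress trunk port is not a member is dropped.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

PRIORITY_TAGGED = 0     # an 802.1p tag with VID 0 is treated as untagged


@dataclass
class Port:
    name: str
    pvid: int                                   # native VLAN (Port VLAN ID)
    trunk: bool = False                         # False = edge port
    members: Set[int] = field(default_factory=set)   # VLANs the port belongs to
    ingress_filtering: bool = False
    pvid_tagging: bool = False                  # send native-VLAN frames tagged

    def __post_init__(self):
        if not 1 <= self.pvid <= 4094:
            raise ValueError("PVID must be a valid VID (1..4094)")
        self.members.add(self.pvid)             # a port always carries its native VLAN


@dataclass
class Frame:
    vid: Optional[int]      # None = untagged, 0 = priority-tagged, else the 802.1Q VID


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Ingress rules: return the VLAN the frame is associated with, or None if dropped."""
    if frame.vid is None or frame.vid == PRIORITY_TAGGED:
        return port.pvid                        # untagged / priority-tagged -> PVID
    if port.ingress_filtering and frame.vid not in port.members:
        return None                             # ingress filtering drops unknown VLANs
    return frame.vid                            # tagged frames keep their VID


def egress(port: Port, vid: int) -> Optional[str]:
    """Egress rules: return 'tagged', 'untagged', or None if the frame is dropped."""
    if vid == port.pvid:
        return "tagged" if port.pvid_tagging else "untagged"
    if not port.trunk:
        return None                             # an edge port carries only its native VLAN
    if vid in port.members:
        return "tagged"                         # trunk: other member VLANs always tagged
    return None                                 # assumption: not a member -> dropped


def forward(frame: Frame, in_port: Port, out_port: Port) -> Optional[str]:
    """Ingress on in_port, then egress on out_port; None means the frame was dropped."""
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, vid)
```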
Section7.1.1.6
Forbidden Ports List
Each VLAN can be configured to exclude ports from membership in the VLAN using the forbidden ports list. For
more information, refer to Section7.1.5.2, “Adding a Static VLAN”.
Section7.1.1.7
VLAN-Aware and VLAN-Unaware Modes
The native operation mode for an IEEE 802.1Q compliant switch is VLAN-aware. Even if a specific network
architecture does not use VLANs, RUGGEDCOM ROS's default VLAN settings allow the switch to still operate in a
VLAN-aware mode, while providing functionality required for almost any network application. However, the IEEE
802.1Q standard defines a set of rules that must be followed by all VLAN-aware switches:
Valid VIDs are within the range of 1 to 4094. VIDs equal to 0 or 4095 are invalid.
Each frame ingressing a VLAN-aware switch is associated with a valid VID.
Each frame egressing a VLAN-aware switch is either untagged or tagged with a valid VID. Priority-tagged frames
with an invalid VID will never be sent out by a VLAN-aware switch.
NOTE
Some applications have requirements conflicting with the IEEE 802.1Q native mode of operation. For
example, some applications explicitly require priority-tagged frames to be received by end devices.
To avoid conflicts and provide full compatibility with legacy (VLAN-unaware) devices, RUGGEDCOM
ROS can be configured to work in VLAN-unaware mode.
In that mode:
Frames ingressing a VLAN-unaware device are not associated with any VLAN
Frames egressing a VLAN-unaware device are sent out unmodified (i.e. in the same untagged,
802.1Q-tagged or priority-tagged format as they were received)
Section7.1.1.8
GARP VLAN Registration Protocol (GVRP)
GARP VLAN Registration Protocol (GVRP) is a standard protocol built on GARP (Generic Attribute Registration
Protocol) to automatically distribute VLAN configuration information in a network. Each switch in a network needs
only to be configured with VLANs it requires locally. VLANs configured elsewhere in the network are learned
through GVRP. A GVRP-aware end station (i.e. PC or Intelligent Electronic Device) configured for a particular VID
can be connected to a trunk on a GVRP-aware switch and automatically become part of the desired VLAN.
When a switch sends GVRP bridge protocol data units (BPDUs) out of all GVRP-enabled ports, GVRP BPDUs advertise
all the VLANs known to that switch (configured manually or learned dynamically through GVRP) to the rest of the
network.
When a GVRP-enabled switch receives a GVRP BPDU advertising a set of VLANs, the receiving port becomes a
member of those advertised VLANs and the switch begins advertising those VLANs through all the GVRP-enabled
ports (other than the port on which the VLANs were learned).
To improve network security using VLANs, GVRP-enabled ports may be configured to prohibit the learning of any
new dynamic VLANs but at the same time be allowed to advertise the VLANs configured on the switch.
The following is an example of how to use GVRP:
Figure 85: Using GVRP
1. Switch 2. End Node
Switch B is the core switch, all others are edge switches
Ports A1, B1 to B4, C1, D1, D2 and E1 are GVRP aware
Ports B1 to B4, D1 and D2 are set to advertise and learn
Ports A1, C1 and E1 are set to advertise only
Ports A2, C2 and E2 are edge ports
End node D is GVRP aware
End nodes A, E and C are GVRP unaware
Ports A2 and C2 are configured with PVID 7
Port E2 is configured with PVID 20
End node D is interested in VLAN 20, hence VLAN 20 is advertised by it towards switch D
D2 becomes a member of VLAN 20
Ports A1 and C1 advertise VID 7
Ports B1 and B2 become members of VLAN 7
Ports B1, B2 and D1 advertise VID 20
Ports B3, B4 and D1 become members of VLAN 20
For more information about how to configure GVRP, refer to Section 7.1.4, “Configuring VLANs for Specific
Ethernet Ports”.
Section 7.1.1.9
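To make the advertise/learn rules above concrete, here is an added example (not code from the RUGGEDCOM ROS guide) that replays the Figure 85 walk-through as a small simulation: every GVRP port advertises all VLANs its switch knows except those learned on that port, and only advertise-and-learn ports register what they receive. The inter-switch links (A1-B1, C1-B2, D1-B3, E1-B4) are assumptions made here; the rule also lets D1 learn VLAN 7 from B3, which the figure text does not trace.

```python
ADVERTISE_LEARN, ADVERTISE_ONLY = "advertise_learn", "advertise_only"

# GVRP-aware ports, (switch, port) -> mode, as stated for Figure 85.
PORTS = {
    ("A", "A1"): ADVERTISE_ONLY, ("C", "C1"): ADVERTISE_ONLY, ("E", "E1"): ADVERTISE_ONLY,
    ("B", "B1"): ADVERTISE_LEARN, ("B", "B2"): ADVERTISE_LEARN,
    ("B", "B3"): ADVERTISE_LEARN, ("B", "B4"): ADVERTISE_LEARN,
    ("D", "D1"): ADVERTISE_LEARN, ("D", "D2"): ADVERTISE_LEARN,
}
# Assumed cabling between the GVRP ports (the figure does not label the links).
LINKS = [(("A", "A1"), ("B", "B1")), (("C", "C1"), ("B", "B2")),
         (("B", "B3"), ("D", "D1")), (("B", "B4"), ("E", "E1"))]
PEER = {a: b for a, b in LINKS} | {b: a for a, b in LINKS}
# VLANs each switch knows locally: the PVIDs of its edge ports (A2, C2 = 7; E2 = 20).
LOCAL = {"A": {7}, "B": set(), "C": {7}, "D": set(), "E": {20}}
# End node D is GVRP-aware and registers VLAN 20 on D2.
END_NODE_REGISTRATIONS = {("D", "D2"): {20}}


def advertised(learned, port):
    """VLANs a port advertises: everything its switch knows (local plus
    dynamically learned) except VLANs learned on this very port."""
    switch = port[0]
    known = set(LOCAL[switch])
    for other, vids in learned.items():
        if other[0] == switch and other != port:
            known |= vids
    return known


def run_gvrp():
    """Propagate advertisements until no port learns anything new.
    Returns the dynamic VLAN membership of every GVRP port."""
    learned = {p: set() for p in PORTS}
    for port, vids in END_NODE_REGISTRATIONS.items():
        if PORTS[port] == ADVERTISE_LEARN:
            learned[port] |= vids
    changed = True
    while changed:
        changed = False
        for port in PORTS:
            rx = PEER.get(port)
            # Advertise-only peers send GVRP but never register new VLANs.
            if rx is None or PORTS[rx] != ADVERTISE_LEARN:
                continue
            new = advertised(learned, port) - learned[rx]
            if new:
                learned[rx] |= new
                changed = True
    return learned
```

Running it reproduces the walk-through: D2, B3, B4 and D1 end up in VLAN 20, B1 and B2 in VLAN 7, and the advertise-only ports A1, C1 and E1 register nothing.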
PVLAN Edge
Private VLAN (PVLAN) Edge isolates multiple VLAN Edge ports from each other on a single device. When VLAN
Edge ports are configured as protected, they are prohibited from sending frames to one another, but are still
permitted to send frames to other, non-protected ports within the same VLAN. This protection extends to all traffic
on the VLAN, including unicast, multicast and broadcast traffic.
For more information about how to configure a port as protected, refer to Section 7.1.4, “Configuring VLANs for
Specific Ethernet Ports”.
NOTE
This feature is strictly local to the switch. PVLAN Edge ports are not prevented from communicating
with ports outside of the switch, whether protected (remotely) or not.
Section7.1.1.10
QinQ
QinQ, also referred to as Stacked VLANs, port bridging, double VLAN-tagging and Nested VLANs, is used to overlay
a private Layer 2 network over a public Layer 2 network.
A large network service provider, for example, might have several clients whose networks each use multiple
VLANs. It is likely the VLAN IDs used by these different client networks would conflict with one another, were
they mixed together in the provider's network. Using QinQ double-tagging, each client network can be further tagged
with a client-specific VID at the edges where the clients' networks are connected to the network service provider's
infrastructure.
Any tagged frames ingressing an edge port of the service provider's switch are tagged with VIDs of the customer’s
private network. When those frames egress the switch's QinQ-enabled port into the service provider network, the
switch always adds an extra tag (called an outer tag) on top of the frame's original VLAN tag (called an inner tag).
The outer tag VID is the PVID of the frame's ingress edge port. This means that traffic from an individual customer
is tagged with their unique VID and is thus segregated from other customers' traffic. For untagged ingress frames,
the switch will only add the outer VLAN tag.
Within the service provider network, switching is based on the VID in the outer tag.
The service provider strips the outer VID from the frame on egress, leaving the frame with its original VLAN ID tag.
Those frames are then forwarded on the appropriate VLANs.
The following figure shows an example of traffic flow using QinQ.
For tagged frames:
Frames received from customer 1 with VID 100 would carry an inner tag of 100 and an outer tag of VID X (i.e.
VLAN 110) which is configured on the edge port connected to customer 1.
Next, the frames from customer 1 are forwarded through the QinQ port carrying an inner and an outer tag.
Finally, upon arrival of the frames in the peer switch, the outer VLAN tag is removed and the frames are
forwarded with the inner VLAN tag towards customer 1.
For untagged frames:
Frames received from customer 2 would carry an outer tag of VID Y (i.e. VLAN 220) which is configured on the
edge port connected to customer 2.
Next, the frames from customer 2 are forwarded through the QinQ port carrying the outer tag.
Finally, upon arrival of the frames in the peer switch, the outer VLAN tag is removed before the frames are
forwarded to customer 2.
Figure 86: Using QinQ
1. Customer 1 (PVID is X) 2. Customer 2 (PVID is Y) 3. Network Service Provider Infrastructure 4. Switch 5. QinQ
NOTE
Depending on the hardware installed, some switch models allow only one switch port to be configured in
QinQ mode at a time.
NOTE
When QinQ is enabled, all non-QinQ ports will be untagged and cannot be changed, and all QinQ ports
will be tagged, and cannot be changed.
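The tagged and untagged traffic flows described for Figure 86, as an added example that is not part of the guide: it builds constructed Ethernet frames, pushes the edge port's PVID as an outer tag on ingress, switches on the outer VID only, and strips the outer tag at the peer switch. It assumes the outer tag uses the same 802.1Q TPID (0x8100) as the inner one; the guide does not state which TPID ROS uses.

```python
import struct

TPID = 0x8100        # assumption: same TPID for inner and outer tag
ETH_IP = 0x0800      # payload EtherType of the constructed frames


def build_frame(dst, src, payload, vid=None):
    """Constructed Ethernet frame with at most one 802.1Q tag (priority 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_IP) + payload


def tags(frame):
    """List the VIDs carried by a frame, outermost first ([] if untagged)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def edge_ingress(frame, pvid):
    """Provider edge port: always push an outer tag with the port PVID.
    A tagged customer frame keeps its tag as the inner tag; an untagged
    frame ends up with only the outer tag."""
    return frame[:12] + struct.pack("!HH", TPID, pvid) + frame[12:]


def provider_switch_vid(frame):
    """Inside the provider network only the outer VID is consulted."""
    return tags(frame)[0]


def peer_egress(frame):
    """Peer switch: strip the outer tag, leaving the customer's own tag (if any)."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID:
        raise ValueError("frame has no outer tag to strip")
    return frame[:12] + frame[16:]


def demo():
    dst, src = bytes(6), b"\x02\x00\x00\x00\x00\x01"   # constructed addresses
    c1 = build_frame(dst, src, b"c1", vid=100)         # customer 1, tagged VID 100
    c2 = build_frame(dst, src, b"c2")                  # customer 2, untagged
    in1, in2 = edge_ingress(c1, 110), edge_ingress(c2, 220)   # PVID X=110, Y=220
    return {
        "c1_in_provider": tags(in1), "c2_in_provider": tags(in2),
        "c1_switch_vid": provider_switch_vid(in1), "c2_switch_vid": provider_switch_vid(in2),
        "c1_to_customer": tags(peer_egress(in1)), "c2_to_customer": tags(peer_egress(in2)),
    }
```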
Section7.1.1.11
VLAN Advantages
The following are a few of the advantages offered by VLANs.
Traffic Domain Isolation
VLANs are most often used for their ability to restrict traffic flows between groups of devices.
Unnecessary broadcast traffic can be restricted to the VLAN that requires it. Broadcast storms in one VLAN need
not affect users in other VLANs.
Hosts on one VLAN can be prevented from accidentally or deliberately assuming the IP address of a host on
another VLAN.
The use of creative bridge filtering and multiple VLANs can carve seemingly unified IP subnets into multiple
regions policed by different security/access policies.
Multi-VLAN hosts can assign different traffic types to different VLANs.
Figure 87: Multiple Overlapping VLANs
1. VLAN 2. Switch
Administrative Convenience
VLANs enable equipment moves to be handled by software reconfiguration instead of by physical cable
management. When a host's physical location is changed, its connection point is often changed as well. With
VLANs, the host's VLAN membership and priority are simply copied to the new port.
Reduced Hardware
Without VLANs, traffic domain isolation requires the use of separate bridges for separate networks. VLANs
eliminate the need for separate bridges.
The number of network hosts may often be reduced. Often, a server is assigned to provide services for
independent networks. These hosts may be replaced by a single, multi-horned host supporting each network on
its own VLAN. This host can perform routing between VLANs.
Multi-VLAN hosts can assign different traffic types to different VLANs.
Figure 88: Inter-VLAN Communications (subnets shown: 199.85.245.1/25, 199.85.245.128/26, 199.85.245.192/26)
1. Server, Router or Layer 3 Switch 2. Switch 3. VLAN 2 4. VLAN 3 5. VLAN 4
Section7.1.2
Viewing a List of VLANs
To view a list of all VLANs, whether they were created statically, implicitly or dynamically, navigate to Virtual
LANs » View VLAN Summary. The VLAN Summary table appears.
Figure 89: VLAN Summary Table
If VLANs are not listed, add static VLANs as needed. For more information, refer to Section 7.1.5.2, “Adding a
Static VLAN”.
Section7.1.3
Configuring VLANs Globally
To configure global settings for all VLANs, do the following:
1. Navigate to Virtual LANs » Configure Global VLAN Parameters. The Global VLAN Parameters form
appears.