EAGLE Management Manual

Industrial ETHERNET Firewall/VPN-System

The naming of copyrighted trademarks in this manual, even when not specially indicated, should
not be taken to mean that these names may be considered as free in the sense of the trademark
and tradename protection law and hence that they may be freely used by anyone.

2004 Hirschmann Electronics GmbH & Co. KG


Manuals and software are protected by copyright. All rights reserved. The copying, reproduction,
translation, conversion into any electronic medium or machine scannable form is not permitted,
either in whole or in part. An exception is the preparation of a backup copy of the software for
your own use.
The performance features described here are binding only if they have been expressly guaranteed in the contract. This publication has been created by Hirschmann Electronics GmbH & Co.
KG according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the
correctness or accuracy of the details in this publication.
Hirschmann can accept no responsibility for damages, resulting from the use of the network
components or the associated operating software. In addition, we refer to the conditions of use
specified in the license contract.
Printed in Germany
Hirschmann Electronics GmbH & Co. KG
Automation and Network Solutions
Stuttgarter Straße 45-51
72654 Neckartenzlingen
Tel. +49 1805 141538

039 500-001-02-1004

Hirschmann worldwide:
U Germany
Hirschmann Electronics GmbH & Co. KG
Automation and Network Solutions
Stuttgarter Straße 45-51
D-72654 Neckartenzlingen
Tel. ++49-7127-14-1480
Fax ++49-7127-14-1502
email: [email protected]
Internet: www.hirschmann.de

U Switzerland
Hirschmann Electronics GmbH & Co. KG, Neckartenzlingen
Niederlassung Uster
Seestr. 16
CH-8610 Uster
Tel. ++41-44905-8282
Fax ++41-44905-8289
email: [email protected]

U France
Hirschmann Electronics S.A.S.
2, rue des Charpentiers
F-95330 Domont
Tel. ++33-1-39350100
Fax ++33-1-39350102
email: [email protected]

EAGLE
Release 1.02 10/04

U Great Britain
Hirschmann Electronics Ltd.
4303 Waterside Centre
Solihull Parkway
Birmingham Business Park
Birmingham
West Midlands B37 7YN
Tel. ++44-121 329 5000
Fax ++44-121 329 5001
email: [email protected]

U Netherlands
Hirschmann Electronics B.V.
Pampuslaan 170
NL-1382 JS Weesp
Tel. ++31-294-462591
Fax ++31-294-462554
email: [email protected]

U Spain
Hirschmann Electronics S.A.
Calle Traspaderne, 29
Barrio del Aeropuerto
Edificio Barajas I, 2a Planta
E-28042 Madrid
Tel. ++34-1-7461730
Fax ++34-1-7461735
email: [email protected]

U Hungary
Hirschmann Electronics Kft.
Rokolya u. 1-13
H-1131 Budapest
Tel. ++36-1-3494199
Fax ++36-1-3298453
email: [email protected]

U USA
Hirschmann Electronics Inc.
20440 Century Boulevard, Suite 150
Germantown, MD 20874
Tel. ++1-240-686 2300
Fax ++1-240-686 3589
email: [email protected]

U Singapore
Hirschmann Electronics Pte. Ltd.
2 International Business Park #11-02/03 Tower One
The Strategy Singapore 609930
Tel: ++65 6316 7797
Fax:++65 6316 7977
email: [email protected]

U China
Hirschmann Electronics Pte Ltd Shanghai Office
Room 828, Summit Centre,
1088 West Yan An Road
Shanghai 200052
P.R. China
Tel: ++86-21 6207 6637
Fax: ++86-21 6207 6837
Mobile: ++86-1370 185 7382
E-Mail: [email protected]

For all other countries please dial Tel. +49-7127-14-16 20


Contact address see Hirschmann Germany.

Hirschmann Competence
In the long term, product excellence alone is not an absolute guarantee of a
successful project implementation. Comprehensive service makes a difference
worldwide. In the current scenario of global competition, the Hirschmann
Competence Center stands head and shoulders above the competition with its
comprehensive spectrum of innovative services:
D Consulting incorporates comprehensive technical advice, from system
evaluation through network planning to project planning.
D Training offers you an introduction to the technological fundamentals,
product briefing and user training with certification.
D Support ranges from commissioning through the standby service to
maintenance concepts.
With the Competence Center, you firmly rule out any compromise: the
client-specific package leaves you free to choose the service components
that you will use.
Internet:
http://www.hicomcenter.com

Safety instructions
U Supply voltage
The devices are designed for operation with a safety extra-low voltage.
They may only be connected to the supply voltage connections and to
the signal contact with PELV circuits or alternatively SELV circuits with
the voltage restrictions in accordance with IEC/EN 60950.
The supply voltage is electrically isolated from the housing.
V Never start operation with damaged components!
V Relevant for North America:
The subject unit is to be supplied by a Class 2 power source
complying with the requirements of the National Electrical Code, table
11(b). If power is supplied redundantly (two individual power sources),
the power sources together should comply with the requirements of
the National Electrical Code, table 11(b).
V Relevant for North America:
Use 60/75°C or 75°C copper (CU) wire only.
V Relevant for North America:
Power, input and output (I/O) wiring must be in accordance with
Class I, Division 2 wiring methods [Article 501-4(b) of the National
Electrical Code, NFPA 70] and in accordance with the authority having
jurisdiction.

U Shielding ground
The shielding ground of the connectable twisted pair lines is connected
to the front panel as a conductor.
V Beware of possible short circuits when connecting a cable section with
conductive shielding braiding.

U Housing
Only technicians authorized by Hirschmann are permitted to open the
housing.
The device is grounded via the separated ground screw. It is located on
the bottom of the front panel.
V Make sure that the electrical installation meets local or nationally
applicable safety regulations.
V The ventilation slits must not be covered to ensure free air circulation.
V The distance to the ventilation slots of the housing has to be a
minimum of 10 cm.
V Never insert pointed objects (thin screwdrivers, wires, etc.) into the
inside of the subrack! Failure to observe this point may result in injuries
caused by electric shocks.
V The housing has to be mounted in upright position.
V If installed in a living area or office environment, the device must be
operated exclusively in switch cabinets with fire protection
characteristics according to EN 60950.

U Environment
The device may only be operated in the listed maximum surrounding air
temperature range at the listed relative air humidity range (noncondensing).
V The installation location is to be selected so as to ensure compliance
with the climatic limits listed in the Technical Data.
V To be used in a Pollution Degree 2 environment only.

U Qualification requirements for personnel


Qualified personnel, as understood in this manual and the warning signs,
are persons who are familiar with the setup, assembly, startup, and
operation of this product and are appropriately qualified for their job. This
includes, for example, those persons who have been:
D trained or directed or authorized to switch on and off, to ground and to
label power circuits and devices or systems in accordance with current
safety engineering standards;
D trained or directed in the care and use of appropriate safety equipment
in accordance with the current standards of safety engineering;
D trained in providing first aid.

U General Safety Instructions


This device is electrically operated. Adhere strictly to the safety
requirements relating to voltages applied to the device as described in
the operating instructions!
Failure to observe the information given in the warnings could result in
serious injury and/or major damage.
V Only personnel that have received appropriate training should operate
this device or work in its immediate vicinity. The personnel must be
fully familiar with all of the warnings and maintenance measures in
these operating instructions.
V Correct transport, storage, and assembly as well as careful operation
and maintenance are essential in ensuring safe and reliable operation
of this device.
V These products are only to be used in the manner indicated in this
version of the manual.
V Any work that may have to be performed on the electrical installation
should be performed by fully qualified technicians only.
Warning!
LED or laser components according to IEC 60825-1 (2001):
CLASS 1 LASER PRODUCT.
LIGHT EMITTING DIODE - CLASS 1 LED PRODUCT.

U National and international safety regulations


V Make sure that the electrical installation meets local or nationally
applicable safety regulations.

U Note on the CE marking


The devices comply with the regulations contained in the following
European directives:
89/336/EEC
Directive of the council for standardizing the regulations of member
states on electromagnetic compatibility (changed by RL 91/263/EEC, 92/
31/EEC and 93/68/EEC).
In accordance with the above-named EU directives, the EU conformity
declaration will be at the disposal of the relevant authorities at the
following address:
Hirschmann Electronics GmbH & Co. KG
Automation and Network Solutions
Stuttgarter Straße 45-51
D-72654 Neckartenzlingen
Germany
Phone ++49 7127 14 1480
The product can be used in living areas (living area, place of business,
small business) and in industrial areas.
D Interference immunity: EN 61000-6-2:2001
D Emitted interference: EN 55022:1998 + A1 2000 Class A
Warning!
This is a class A device. This device can cause interference in living
areas, and in this case the operator may be required to take appropriate
measures.
The assembly guidelines provided in these instructions must be strictly
adhered to in order to observe the EMC value limits.

U FCC note:
Appropriate testing has established that this device fulfills the
requirements of a class A digital device in line with part 15 of the FCC
regulations.
These requirements are designed to provide sufficient protection against
interference where the device is being used in a business environment.
The device creates and uses high frequencies and can radiate them; if it
is not installed and used in accordance with this operating manual, it can
cause radio transmission interference. The use of this device in a living
area can also cause interference, and in this case the user is obliged to
cover the costs of removing the interference.

U Recycling note:
After usage, this product must be disposed of properly as electronic
waste in accordance with the current disposal regulations of your county
/ state / country.

Content

Hirschmann worldwide:
Hirschmann Competence
Safety instructions 11
1 Introduction 25
1.1 Requirement and solution 27
1.2 Product features 29
1.3 Device models 31
2 Typical application scenarios 33
3 Hardware 39
3.1 Display 41
3.1.1 Device status 41
3.1.2 Port status 43
3.1.3 Function state 43
3.2 Recovery button 45
4 Installation and startup procedure 47
4.1 Device installation 49
4.1.1 6-pin terminal block 49
4.1.2 Assembly 50
4.1.3 Interfaces 52
4.1.4 Disassembly 54
4.2 Startup operation 57
4.3 Basic settings 59
4.3.1 System configuration via HiDiscovery 59
4.3.2 System configuration via Web-based management 62
4.3.3 System configuration via V.24 64
5 Configuration 65
5.1 Setting up a local configuration connection 67
5.1.1 Web-based administrator interface 67
5.1.2 After a successful connection setup 69
5.2 Remote configuration 71
5.2.1 Remote configuration via LAN 71
5.2.2 Remote configuration via modem 72
6 Web-based management 77
6.1 Overview 79
6.2 System menu 81
6.2.1 System:Configurations-Profiles 81
6.2.2 System:Reboot 84
6.2.3 System:Logs - Display 85
6.2.4 System:HiDiscovery 86
6.2.5 System:Signal contact 88
6.3 Ports menu 91
6.3.1 Ports:Configuration Table 91
6.4 Redundancy 93
6.4.1 Redundancy:Layer 2 Redundancy 93
6.5 Network menu 95
6.5.1 Network:Base 95
6.5.2 Network:Transparent mode 100
6.5.3 Network:Router 102
6.5.4 Network:PPPoE 104
6.5.5 Network:PPTP 105
6.5.6 Network:Status 107
6.6 Configuring the firewall 109
6.6.1 Firewall:Incoming 110
6.6.2 Firewall:Outgoing 112
6.6.3 Firewall:Port Forwarding 114
6.6.4 Firewall:NAT 116
6.6.5 Firewall:Extended Settings 119
6.6.6 Firewall:Logs - Display 120
6.7 Setting up a VPN connection 121
6.7.1 VPN:Connections 122
6.7.2 VPN:Machine Certificate 135
6.7.3 VPN:L2TP 138
6.7.4 VPN Configuration, IPsec Status - Display 139
6.7.5 VPN:L2TP Status - Display 140
6.7.6 VPN:VPN Logs - Display 140
6.8 Services menu 141
6.8.1 Services:DNS 141
6.8.2 Services:DynDNS Monitoring 144
6.8.3 Services:DynDNS registration 145
6.8.4 Services:DHCP 147
6.8.5 Services:NTP 149
6.8.6 Services:Remote Logging 152
6.8.7 Services:SNMP Traps 154
6.9 Access menu 157
6.9.1 Access:passwords 157
6.9.2 Access:Language 159
6.9.3 Access:HTTPS 160
6.9.4 Access:SSH 163
6.9.5 Access:SNMP 166
6.9.6 Access:Serial line 169
6.10 Features menu 173
6.10.1 Features:Install Update 173
6.10.2 Features:Update Server 175
6.10.3 Features:Software information - Display 176
6.10.4 Features:Hardware information 177
6.11 Support menu 179
6.11.1 Support:Snapshot 179
6.11.2 Support:Status - Display 180
6.12 CIDR (Classless InterDomain Routing) 183
6.13 Example of a network 185
7 The Recovery button 187
7.1 Performing a restart 189
7.2 Executing the recovery procedure 191
7.2.1 Aim 191
7.2.2 Action 191
7.3 Flashing the firmware 193
7.3.1 Requirements for flashing the firmware 195
7.3.2 Installing the DHCP and tftp server under Windows 196
7.3.3 Installing DHCP and TFTP servers under Linux 198
8 HiConfig 199
A Appendix 207
FAQ 209
Based specifications and standards 211
SNMP traps 213
Certifications 215
Technical data 217
Literature references 221
Reader's comments 223
Copyright of integrated software 225
B Glossary 227
C Index 235

1 Introduction
Today, Ethernet is the most widely used type of communications technology.
It has become the de facto standard in an office environment. Ethernet
technology is also gaining significance in the field of industrial automation.
In addition to the advantages of using a standardized form of communication,
Ethernet allows for a seamless infrastructure that extends from the office all
the way to the machine or sensor. Consequently, not only are process and
production data available on the field level, but they also integrate
seamlessly with interdepartmental data acquisition systems.
Despite these advantages, there are new issues that must be solved to be
able to operate the installations securely and reliably. A top-priority issue is
that of security, which is determined by the factors authentication,
authorization, confidentiality, availability and data integrity.

1.1 Requirement and solution

Increasing standardization and networking in the field of automation will lead
to increased vulnerability of these networks. The threat emanates from
dangers which office users have been exposed to for quite some time and
which they have been attempting to ward off with popular security solutions
-- with mixed success.
The greatest danger is not only from hackers and is often not intentional.
Fusing the office and production network makes for easy prey when it comes
to the risks posed by worms. Furthermore, machine and production cells are
often unprotected against intrusions (for example, faulty addressing or faulty
program code) from the production network.
Today this no longer has to be the case:
The industrial firewall and virtual private network (VPN) system EAGLE
monitors with an "eagle's eye" the security of networks across company
borders.
Migration is performed in existing networks for secure and insecure ports via
twisted pair and F/O connections. Furthermore, a V.24 port is available for
configuration and for connecting a modem.
The scalable security function, featuring either a
D pure firewall or a
D firewall and VPN function,
provides customized protection.
In router mode, subnetworks can be separated from the main network.
A particularly user-friendly feature is the implementation of security
mechanisms in industrial networks through transparent modes in
combination with filter rules of the stateful inspection firewall that manage
data communication in a controlled manner. Yet another advantage of the
transparent modes in which the system functions as a bridge is that no further
IP configuration or changes to IP parameters are required to integrate the
EAGLE into the network.
The integrated DHCP server makes it easy and safe to set up service ports
for employees in the field.
By providing a logging function (internal and external), it is possible to
analyze and thus optimize the data traffic.
Using redundant ring coupling and Dual Homing, the system supports the
Hirschmann redundancy procedure.

Fig. 1: A typical application scenario (for further application scenarios,
see Page 33). Figure labels: RS2 and MICE switches, EAGLE.

1.2 Product features

The state-of-the-art security system secures the authentication, protection,
and confidentiality of the communication in production networks:
In combination with the EAGLE, firewalls, VPNs and scalable security
functions provide the highest possible level of protection for industrial
networks and prevent inadvertent and uncontrolled data manipulation.
The EAGLE can be integrated into existing networks thanks to its single-client
or multi-client transparent mode without having to reconfigure
IP addresses. It also allows you to separate subnetworks from the main
network in router mode.
D Scalability of the security function:
- pure firewall
- firewall with VPN function
D Support for Hirschmann redundancy scenarios:
- redundant ring coupling
- Dual Homing
D Creation of subnetworks:
- router mode
D Easy integration into existing networks without changing IP addresses:
- single-client transparent mode
- multi-client transparent mode
D Easy starting operation:
- HiDiscovery support
- support for the AutoConfiguration adapter
D Remote access to the network:
- dial-in access via V.24
D Extensive diagnostics:
- Web-based management
- status LEDs
- signal contact
- logging to the SysLog server
- integration with HiVision
D Migration to existing networks:
Twisted pair and F/O links for
- secure port
- insecure port
D Design suitable for industrial use:
- redundant 24 V power supply
- can be mounted to a top-hat rail
- IP 20 without fan

1.3 Device models

The EAGLE is available in 16 different models:
D 8 models with a firewall function and VPN function,
D 8 models with a firewall function only; these devices have (FW) in their
type description.

Fig. 2: Device identifier. A type description such as "EAGLE (FW) Medium/Medium"
consists of the device name EAGLE, the marker (FW) for a pure firewall
(a type description without (FW) denotes a firewall with VPN function),
and the media of the insecure port and the secure port.

Device type                TP ports   F/O port     F/O port      F/O port
                           10/100     multimode    singlemode    singlemode
                                      100 MBit/s   1300 nm,      1550 nm,
                                                   100 MBit/s    100 MBit/s
EAGLE TX/TX                2          -            -             -
EAGLE TX/MM SC             1          1            -             -
EAGLE TX/SM SC             1          -            1             -
EAGLE TX/LH SC             1          -            -             1
EAGLE MM SC/TX             1          1            -             -
EAGLE MM SC/MM SC          -          2            -             -
EAGLE MM SC/SM SC          -          1            1             -
EAGLE MM SC/LH SC          -          1            -             1
EAGLE (FW) TX/TX           2          -            -             -
EAGLE (FW) TX/MM SC        1          1            -             -
EAGLE (FW) TX/SM SC        1          -            1             -
EAGLE (FW) TX/LH SC        1          -            -             1
EAGLE (FW) MM SC/TX        1          1            -             -
EAGLE (FW) MM SC/MM SC     -          2            -             -
EAGLE (FW) MM SC/SM SC     -          1            1             -
EAGLE (FW) MM SC/LH SC     -          1            -             1

Table 1: Device models

2 Typical application scenarios


The most common applications used in industry require the operation of the
EAGLE in one of the following modes:
D Single-client transparent mode,
D Multi-client transparent mode and
D Router mode.

U Remote access via a VPN tunnel


A dedicated VPN client software program must be running on the single
computer. Windows 2000/XP contains the VPN client software.
Network mode of the EAGLE: Single-client transparent or router
D In the single-client transparent mode, no changes to the existing TCP/
IP configuration are required on the locally connected computer.
D In router mode, the EAGLE must be defined as the standard gateway
on the locally connected client computer.

Fig. 3: Example of remote access via a VPN tunnel. Figure labels: MACH 3002,
Industrial Backbone, EAGLE, unsecure network, VPN.


U Secure cell separation


Network mode of the EAGLE: Multi-client transparent mode.
D Use in existing networks without changing existing IP configurations.
D Create firewall rules for
controlled access between backbone and cells or also
between the cells.
Network mode of the EAGLE: Router mode
D In router mode, the EAGLE must be defined as the standard gateway
on the client computer connected to the secure port.

Fig. 4: Example of secure cell separation. Figure labels: Industrial Backbone /
Subnet 1 (MACH 3002, RS2 switches), Cell/Subnet 2 and Cell/Subnet 3
(RS2 and MICE switches), one EAGLE in front of each cell.

U Secure service port


Network mode of the EAGLE: SCT, MCT or router mode.
D In router mode, the EAGLE must be defined as the standard gateway
on the client computer connected to the secure port.
D Configuration of the EAGLE as the DHCP server: on the insecure port,
enter the MAC-IP allocation (see Fig. 63).
D Definition of firewall rules for the IP address entered in the DHCP
server.
Fig. 5: Example of a secure service port. Figure labels: RS2 and MICE
switches, EAGLE.

U Secure connection of networks


Network mode of the EAGLE: Router
D In router mode, the EAGLE must be defined as the standard gateway
on the client computer connected to the secure port.
D If you use a DSL modem, make the PPPoE settings
(see Network:PPPoE on page 104).

Fig. 6: Example of a secure connection of networks. Figure labels: two
Industrial Backbones (MACH 3002), each behind an EAGLE, connected across
the unsecure network.

3 Hardware

Fig. 7: Front view. Figure labels: MAC address field; IP address field;
V.24 interface (external management and modem); Port 1 (trusted);
Port 2 (untrusted); Port 1 and 2: TX (RJ45 connector, autonegotiation
+ autopolarity + autocrossing) or FX (SC connector; multimode, singlemode,
longhaul); Recovery button; LED display elements (FAULT, STATUS, LS/DA 1,
LS/DA 2, V.24); 6-pin terminal block (screw locking mechanism). The figure
also lists, for each device model, which port medium (TX, MM, SM, LH) is
fitted, as in Table 1.

3.1 Display

Fig. 8: Display (LEDs FAULT, STATUS, LS/DA 1, LS/DA 2, V.24)

3.1.1 Device status


These LEDs provide information about statuses which affect the function of
the entire EAGLE.

U P1 - Power 1 (Green LED)

Display    Meaning
lit        Supply voltage 1 is present.
not lit    Supply voltage 1 is less than 9.6 V.

U P2 - Power 2 (Green LED)

Display    Meaning
lit        Supply voltage 2 is present.
not lit    Supply voltage 2 is less than 9.6 V.

U FAULT - Failure (Red LED)

Display    Meaning
lit        The indicator contact is open, i.e. it indicates an error.
not lit    The indicator contact is closed, i.e. it does not indicate an error.

If the Operational supervision (see page 88) is active for the signal
contact, then the error display is independent of the signal contact
position.

U STATUS - Device status (Yellow/green LED)

Display         Meaning
flashes green   Initialization of the device.
lit green       Device is operational.

U AutoConfiguration Adapter ACA

The STATUS and V.24 LEDs display memory operations of the ACA 11.

Display                                      Meaning
flashing alternately                         Error in memory operation.
LEDs flash simultaneously; twice a second    Loading the configuration from the ACA.
LEDs flash simultaneously; once a second     Saving the configuration to the ACA.

3.1.2 Port status


These LEDs display port-related information.

U LS/DA 1, 2 and V.24 - Data, Link status (green/yellow LED)

Display          Meaning
not lit          No valid link.
lit green        Valid link.
flashes yellow   Receiving data.
running light    Initialization phase after a reset.

3.1.3 Function state


These displays go together with the Recovery button (refer to The Recovery
button on page 187).

3.2 Recovery button


The Recovery button is used to set the device into the following states:
D Restart (refer to Performing a restart on page 189),
D Recovery procedure (refer to Executing the recovery procedure on page
191),
D Flashing the firmware (refer to Flashing the firmware on page 193)

4 Installation and startup procedure
The EAGLE industrial firewall/VPN system has been developed for practical
applications in a harsh industrial environment. Accordingly, the installation
process has been kept simple. The few configuration settings required for
operation are described in this chapter.
Note: For security reasons, change the root and the administrator passwords
when you initially change the configuration.

Fig. 9: Connecting the EAGLE. Before: RS2 and MICE switches connected
directly. After: the EAGLE inserted between them.

4.1 Device installation


4.1.1 6-pin terminal block
The supply voltage and the signal contact are connected via a 6-pin terminal
block with snap lock.
Warning!
The devices are designed for operation with safety extra-low voltage.
Thus, they may only be connected to the supply voltage connections and to
the signal contact with PELV circuits or alternatively SELV circuits with the
voltage restrictions in accordance with IEC/EN 60950.

U Supply voltage
The supply voltage can be connected redundantly. Both inputs are
uncoupled. There is no distributed load. With redundant supply, the
transformer supplies the device alone with the higher output voltage.
The supply voltage is electrically isolated from the housing.

U Signal contact
The signal contact monitors proper functioning of the device,
thus enabling remote diagnostics.
A break in contact is reported via the potential-free signal contact
(relay contact, closed circuit):
D The failure of at least one of the two supply voltages (supply voltage 1
or 2 < 9.6 V).
D A continuous malfunction in the device (internal 3.3 VDC voltage).
D The defective link status of at least one port. With the device the
indication of link status can be masked by the management for each
port. Link status is not monitored in the delivery condition.
D Error during self-test.
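The conditions above define when the relay opens and, through the FAULT LED table in section 3.1.1, what an operator sees. The following is an added example, not code from Hirschmann or from the device firmware: it models those conditions as a small state machine so that a monitoring check (for instance one that polls supply voltages and link states and expects the same verdict the contact gives) can be tested offline. The type names PortState and DeviceState, the field names, the fault-reason strings and the sample voltages are assumptions made for this example; the thresholds and rules come from the manual (supply below 9.6 V counts as failed, link status is not monitored in the delivery condition, the higher supply voltage feeds the device alone).

```python
"""Model of the EAGLE signal contact and P1/P2/FAULT LEDs (added example,
not the device firmware). Type and field names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SUPPLY_MIN_VOLTS = 9.6  # manual: a supply voltage below 9.6 V is reported as failed


@dataclass
class PortState:
    link_up: bool
    # Delivery condition: link status is NOT monitored. Management can enable
    # monitoring per port, which unmasks a link loss for the signal contact.
    monitored: bool = False


@dataclass
class DeviceState:
    supply1_volts: float
    supply2_volts: float
    internal_3v3_ok: bool = True   # internal 3.3 VDC voltage healthy
    self_test_ok: bool = True
    ports: Dict[str, PortState] = field(default_factory=dict)


def supply_present(volts: float) -> bool:
    """P1/P2 LED rule: lit when the supply is present, not lit below 9.6 V."""
    return volts >= SUPPLY_MIN_VOLTS


def active_supply(state: DeviceState) -> Optional[str]:
    """Redundant supply: the source with the higher voltage feeds the device alone."""
    candidates = {"P1": state.supply1_volts, "P2": state.supply2_volts}
    present = {name: v for name, v in candidates.items() if supply_present(v)}
    if not present:
        return None
    return max(present, key=present.get)


def fault_reasons(state: DeviceState) -> List[str]:
    """Every condition that opens the potential-free signal contact."""
    reasons: List[str] = []
    if not supply_present(state.supply1_volts):
        reasons.append("supply voltage 1 below 9.6 V")
    if not supply_present(state.supply2_volts):
        reasons.append("supply voltage 2 below 9.6 V")
    if not state.internal_3v3_ok:
        reasons.append("internal 3.3 VDC malfunction")
    for name, port in sorted(state.ports.items()):
        # A defective link only counts when monitoring is enabled for that port.
        if port.monitored and not port.link_up:
            reasons.append(f"link down on monitored port {name}")
    if not state.self_test_ok:
        reasons.append("self-test error")
    return reasons


def signal_contact_closed(state: DeviceState) -> bool:
    """Closed circuit means no error; any fault reason opens the contact."""
    return not fault_reasons(state)


def led_display(state: DeviceState) -> Dict[str, str]:
    """P1, P2 (green) and FAULT (red) LED states as the manual's tables define them."""
    return {
        "P1": "lit" if supply_present(state.supply1_volts) else "not lit",
        "P2": "lit" if supply_present(state.supply2_volts) else "not lit",
        # FAULT is lit exactly when the indicator contact is open.
        "FAULT": "not lit" if signal_contact_closed(state) else "lit",
    }


if __name__ == "__main__":
    # Constructed sample: healthy redundant supply, port 2 link down but
    # unmonitored (delivery condition), so nothing is signalled.
    dev = DeviceState(24.0, 23.5, ports={"1": PortState(True), "2": PortState(False)})
    print(fault_reasons(dev), led_display(dev), active_supply(dev))
    # Enabling link monitoring on port 2 turns the same link loss into a fault.
    dev.ports["2"].monitored = True
    print(fault_reasons(dev), led_display(dev))
```

The point a defender should take from the model is the masking default: a port whose link drops is silent until link monitoring is switched on for it, so a service port that is expected to stay connected needs that per-port setting before the signal contact can be relied on for it.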

Fig. 10: Pin assignment of the 6-pin terminal block (terminal labels:
+24 V (P1), 0V, 0V, +24 V (P2), Fault)

V Pull the terminal block off the device and connect the power supply and
signal lines.

4.1.2 Assembly
On delivery, the device is ready for operation.
V Attach the upper snap-in guide of the device into the top-hat rail and press
it down against the top-hat rail until it snaps into place.

Fig. 11: Assembly

Note: The front panel of the housing is grounded via a ground connection.
Note: The housing must not be opened.
Note: The shield ground of the connected industrial twisted-pair cables is conductively connected to the front panel.


4.1.3 Interfaces
U 10/100 Mbit/s connection
10/100 Mbit/s ports (8-pin RJ45 socket) enable the connection of terminal devices or independent network segments in compliance with the IEEE 802.3 100BASE-TX / 10BASE-T standards. These ports support:
D auto-negotiation
D autocrossing (when autonegotiation is switched off)
D autopolarity
D 100 Mbit/s half duplex mode
D 100 Mbit/s full duplex mode
D 10 Mbit/s half duplex mode
D 10 Mbit/s full duplex mode
State on delivery: autonegotiation activated. As an alternative to the Web-based interface (see Ports:Configuration Table on page 91), the HiConfig interface (see HiConfig on page 199) allows you to change this setting. The Web-based interface of the EAGLE is reachable via the secure port and, if remote configuration has been enabled, via the insecure port; the HiConfig interface is additionally reachable via the V.24 port.
The socket housings are electrically connected to the front panel.

Pin  Signal
1    RD+
2    RD-
3    TD+
4    n.c.
5    n.c.
6    TD-
7    n.c.
8    n.c.

Fig. 12: Pin assignment of a TP/TX interface in MDI-X mode, RJ45 socket

U 100 Mbit/s F/O connection
100 Mbit/s F/O ports (DSC sockets) enable the connection of terminal devices or independent network segments in compliance with the IEEE 802.3 100BASE-FX standard. These ports support:
D full and half duplex mode.
State on delivery: full duplex. This configuration is required to form redundant structures.

Note: Connect LH ports only to LH ports, SM ports only to SM ports and MM ports only to MM ports.

U V.24 interface (external management)
A serial interface is provided on the RJ11 socket (V.24 interface) for the local connection of
D an external management station (VT100 terminal or PC with appropriate terminal emulation),
D a modem (via PPP),
D an ACA 11 AutoConfiguration Adapter.
VT100 terminal settings in the state on delivery:
- Speed: 9,600 baud
- Data: 8 bit
- Stop bit: 1 bit
- Handshake: off
- Parity: none
The socket housing is electrically connected to the lower cover of the device.
The signal lines are electrically isolated from the supply voltage (60 V insulation voltage) and from the front panel.

Fig. 13: Pin assignment of the terminal cable (RJ11 side: pin 1 CTS, pin 2 n.c., pin 3 TX, pin 4 GND, pin 5 RX, pin 6 RTS; DB9 side: pins 2, 3 and 5)

Fig. 14: Pin assignment of the modem cable (RJ11 side: pin 1 CTS, pin 2 n.c., pin 3 TX, pin 4 GND, pin 5 RX, pin 6 RTS; DB9 side: pins 1 to 9)

V Install the signal lines and, if necessary, the terminal/modem cable.


V Attach the ground cable to the ground screw.

4.1.4 Disassembly
V To remove the device from the top-hat rail, slide a screwdriver horizontally under the chassis into the locking slide, pull the slide down without tilting the screwdriver, and fold the device up.

Fig. 15: Disassembly

4.2 Startup operation

When the supply voltage is connected via the terminal, start up the device.

4.3 Basic settings


On delivery the device is set to multi-client transparent mode (MCT mode) and can be reached over the default IP address 1.1.1.1 from the secure network.
In MCT mode, no network settings (for example for subnetworks) are required for operation.
The firewall has been preconfigured so that all IP traffic from the secure network is possible, whereas traffic from the insecure network to the secure one is not possible.
Thus, already in the delivery state, the secure network cannot be reached from the insecure side.
The EAGLE provides three options for configuring the management IP address in transparent mode:
D entry via the HiDiscovery protocol,
D entry via the Web-based management,
D entry via the V.24 port.
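The delivery-state firewall policy described above, modelled as an added example in Python. This is illustrative code written for this page, not Hirschmann firmware: it assumes the EAGLE tracks connections statefully, so that replies to a connection opened from the secure side are let back in while unsolicited packets arriving on the insecure port are dropped (the manual states only the two directional rules). The addresses and the packet sample are constructed.

```python
"""Added example: a model of the EAGLE delivery-state firewall policy.

Illustrative code written for this page, not Hirschmann firmware. Assumption:
the device tracks connections statefully, so replies to traffic that was
initiated from the secure side are let back in. The manual states only the
two directional rules; addresses and the packet sample are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

SECURE, INSECURE = "secure", "insecure"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp" (use port 0 for icmp)
    src_port: int
    dst_port: int
    ingress: str     # port the packet arrived on: SECURE or INSECURE


class DeliveryStateFirewall:
    """Secure -> insecure: always allowed and remembered.
    Insecure -> secure: only if it answers a remembered flow."""

    def __init__(self) -> None:
        self._flows = set()   # 5-tuples of flows opened from the secure side

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple[str, str, int, str, int]:
        # A reply swaps source and destination address/port.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        if p.ingress == SECURE:
            self._flows.add(self._key(p))
            return "ACCEPT"
        if self._reverse_key(p) in self._flows:
            return "ACCEPT"        # reply to a connection opened from inside
        return "DROP"              # unsolicited traffic from the insecure port


def demo() -> List[str]:
    """Run a constructed packet sample through the policy; one decision per packet."""
    fw = DeliveryStateFirewall()
    sample = [
        Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, SECURE),    # client opens HTTPS
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000, INSECURE),  # server reply: matches flow
        Packet("203.0.113.77", "10.0.0.5", "tcp", 5555, 22, INSECURE),   # unsolicited SSH attempt
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40001, INSECURE),  # same server, no matching flow
    ]
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth packet shows why state matters: it comes from the same server and port as the legitimate reply, but no flow from the secure side matches it, so it is dropped like any other unsolicited packet.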

4.3.1 System configuration via HiDiscovery


The HiDiscovery protocol enables you to assign IP parameters to the device
via the secure network.
You can easily configure additional parameters with the Web-based
management on page 77.
Install the HiDiscovery software on your PC. The software is on the CD
supplied with the device.
V To install it, you start the installation program on the CD.


Note: The installation of HiDiscovery involves installing the WinPcap Version 3.0 software package.
If an earlier version of WinPcap is already installed on the PC, then you must
first uninstall it. A newer version remains intact when you install HiDiscovery.
However, this can not be guaranteed for all future versions of WinPcap.
In the event that the installation of HiDiscovery has overwritten a newer
version of WinPcap, then you uninstall WinPcap 3.0 and then re-install the
new version.
V Start the HiDiscovery program.

Fig. 16:

HiDiscovery

When HiDiscovery is started, it automatically searches the network for those devices which support the HiDiscovery protocol.
HiDiscovery uses the first PC network card found. If your computer has
several network cards, you can select these in HiDiscovery on the toolbar.
HiDiscovery enables you to identify the devices displayed.
V Select a device line.
V Click on the symbol with the two green dots in the tool bar to set the LEDs
for the selected device flashing. To switch off the flashing, click on the
symbol again.


By double-clicking a line, you open a window in which you can enter the
device name and the IP parameter.

Fig. 17:

HiDiscovery - assigning IP parameters

Note: For security reasons, switch off the HiDiscovery function for the device
in the Web-based management, after you have assigned the IP parameters
to the device.


4.3.2 System configuration via Web-based management
U With a configured network interface of the management station
In order for the EAGLE in transparent mode (SCT/MCT) to be accessed via the address https://1.1.1.1/, it must of course first be connected to a configured network interface. This is the case if you insert it into an existing network connection (see Fig. 9).
In this case the Web browser can access the EAGLE configuration interface at the address https://1.1.1.1/ - see Setting up a local configuration connection on page 67. Continue from this point onwards in this case.

U Without a configured network interface of the management station
If the system which will be used to configure the device was not previously connected to a network, e.g. because the computer is new, its network interface will generally not be configured yet. This means that the system has not yet "been informed" that network traffic should be handled by this interface.
In this case, you must initialize the standard gateway by assigning it a dummy value. To accomplish this, proceed as follows:
Initializing the standard gateway
V Determine the currently valid standard gateway address.
If you are using Windows XP, click on
Start:Control Panel:Network Connections.
Right click on the icon of the LAN adapter and then click on
Properties in the pop-up menu. In the dialog Internet
Protocol Properties on the General tab, select Internet
Protocol (TCP/IP) under "This connection uses the following
items" and then click on the Properties button to open the following
dialog:


Fig. 18: Standard gateway IP address (check the IP address of the standard gateway in this dialog, or set it)

If no IP address has been entered for the standard gateway in this dialog box, e.g. because Obtain an IP address automatically has been activated, enter the IP addresses manually. To do so, first activate Use the following IP address and then enter, as an example, the following addresses:
IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Standard gateway: 192.168.1.1
Note: Do not - under any circumstances - set the configuration computer to an address like 1.1.1.2!
V At the command prompt (Start:Programs:Accessories:Command Prompt), enter:
arp -s <IP of the standard gateway> aa-aa-aa-aa-aa-aa
This static ARP entry lets the frames for 1.1.1.1 leave the interface even though no real gateway exists at that address.
Example:
You have determined that the address of the standard gateway is 192.168.1.1. Then the command should be:
arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa

V To proceed with the configuration, first establish the necessary connection (see Setting up a local configuration connection on page 67).
After setting the configuration, restore the original setting for the standard gateway address. To do so, either restart the configuration computer or enter the following command at the command prompt:
arp -d

4.3.3 System configuration via V.24
Connect your PC with the EAGLE as described in Making a connection to HiConfig over a V.24 port on page 201.
For entering IP parameters see IP parameter configuration in transparent mode on page 205.

5 Configuration
Requirements
D When you make the initial configuration, there must be a valid connection at both network ports (secure and insecure). If this is not possible, enter a standard gateway on the configuration computer (see the example on page 63).
D For local configuration:
The computer with which you make the configuration must be either
directly connected to the device,
or it must be connected to it via the local network.
D For remote configuration on the insecure port:
The EAGLE must be configured in such a way that it allows remote
configuration.
D The EAGLE must be switched on, i.e. must be connected to a power
supply unit so that it is supplied with current.
D The EAGLE must be connected, i.e. the required connections must
function properly.

5.1 Setting up a local configuration connection
5.1.1 Web-based administrator interface
The EAGLE is configured with the Web browser that runs on the configuration computer (for example MS Internet Explorer starting with version 5.0 or Netscape Communicator starting with version 4.0).
Note: The Web browser must support SSL (i.e. https).
Depending on the network mode (operating mode) the EAGLE is in, it can be reached at one of the following addresses according to the factory setting:

Mode               Address
Transparent        https://1.1.1.1/
Router or PPPoE    https://192.168.1.1/

Table 2: Address line of the browser

Proceed as follows:
V Start a Web browser.
(For example, MS Internet Explorer Version 5.0 or later or Netscape
Communicator Version 4.0 or later; the Web browser must support SSL
(i.e. https).)


V Make certain that the browser does not automatically setup a connection
when it starts, because otherwise the connection startup to the EAGLE
could be impaired.
In MS Internet Explorer, you can prevent this with the following setting:
In the Extras menu, select Internet Options... and click on
the Connections tab. Make certain that "Never dial a connection" is
selected under Dial-up and Virtual Private Network settings.
V Enter the complete address of the EAGLE into the browser's address
field.
Afterwards:
The EAGLE's Administrator Web page will be displayed. The security
notice shown on the next page will displayed.
Note: If the Administrator Web page is not displayed...
If - even after repeated attempts - the browser still reports that the page
cannot be displayed, try the following:
D Check if both ports have a network connection.
D Check whether the standard gateway has been initialized on the connected configuration system. See System configuration via Web-based management on page 62.
D Try disabling any personal firewall on the configuration computer for the duration of the configuration.
D Make certain that the browser does not use a proxy server.
In MS Internet Explorer (Version 6.0), you can prevent this with the
following setting: In the Extras menu, select Internet Options...
and click on the Connections tab. Under LAN Settings click on the
Properties... button and, in the Local Area Network (LAN)
Settings dialog, check to make certain that Use a proxy server for
your LAN (under Proxy server) is not activated.
D If any other LAN connection is active on the system, deactivate it until the
configuration has been completed.
Under the Windows Start menu:Settings:Control
Panel:Network Connections or Network and Dial-up
Connections, right click on the associated icon and select Disable in
the pop-up menu.


5.1.2 After a successful connection setup
After the connection has been successfully set up, the following security notice will be displayed (MS Internet Explorer): since administrative tasks can only be performed over a secure (encrypted) connection to the device, the device presents a certificate that it has signed itself, which the browser does not recognize as issued by a trusted certification authority.

Fig. 19: Security notice dialog

V Acknowledge the security notice by clicking on Yes.
Afterwards:
Once you have entered the correct user name (Login) and password, the Administrator Web page of the EAGLE will be displayed.

Name       Entry
Login      admin
Password   private

Table 3: Factory settings for login name and password

Note: These entries are case-sensitive! Change the default password during the first configuration (see Access:passwords on page 157).

Fig. 20: Administrator website start screen

To configure the device, proceed as follows:


V Call up the desired dialog - see Web-based management on page 77.
V Make the desired settings on the associated page
V Once you have confirmed the changes by clicking on OK, the new settings
will be activated on the device.
You may receive a message from the system (confirmation).
If the changes are not shown when you open the page again, because the
browser has loaded the page from a cache, reload the page to refresh the
display. To do so, click on the appropriate icon in the browser toolbar.
Note: Depending on how you configure the EAGLE, you may also need to
modify the network interface settings of the locally connected system or
network accordingly.

5.2 Remote configuration

Prerequisites:
Remote configuration takes place via the insecure port. For reasons of security, it is disabled by default.
For information on how to enable remote configuration, see Access:HTTPS on page 160.

5.2.1 Remote configuration via LAN
To configure the EAGLE from a remote computer, first establish a connection between it and the EAGLE.
Proceed as follows:
V Start a Web browser on the remote system (e.g. MS Internet Explorer Version 5.0 or later or Netscape Communicator Version 4.0 or later; the Web browser must support SSL, i.e. https).
V As the URL, enter https:// followed by the IP address under which the remote site can be reached via the Internet or WAN, plus the port number if it differs from 443.
Example:
If this EAGLE can be reached in the Internet at the address 192.144.112.5 and the Port Number 443 has been set as the port for remote access, you enter the following address in the Web browser's address field on the remote system: https://192.144.112.5
(If a different Port Number is used, it must be appended to the IP address, e.g. https://192.144.112.5:442)
Note: For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration - see Access:passwords on page 157.


5.2.2 Remote configuration via modem
The V.24 port allows you to perform, via a modem (e.g. INSYS modem 56K small),
D remote maintenance on the EAGLE in transparent mode,
D remote maintenance on the EAGLE in router mode and on the secure network behind it.
Access to the secure network is subject to the firewall rules configured on the EAGLE.

U Local installation:
V Connect your modem on the one end to the telephone network and on the other end to the V.24 port of the EAGLE via the modem cable (see Accessories on page 220).

U Remote installation:
V Connect your PC to the telephone network via the built-in or external
modem.

Fig. 21: Example of a modem connection (INSYS modem on the V.24 port of the EAGLE, connected to the telephone line; RS2-/MICE switches on the secure side and on the unsecure network)

Example of establishing a modem connection under Windows 2000:
V Choose Start:Settings:Network and Dial-Up Connections:Make New Connection and continue with the Network Connection Wizard (see the following two figures). Enter the phone number at which you can reach the modem.

Fig. 22: Network connection type, phone number

Select "Properties" to check the settings for the connection (see the following two figures).

Fig. 23: Establishing a connection

Fig. 24: General connection properties

Fig. 25: Connection properties: Options, security and network

After a connection has been set up, the connection symbol will appear in the task bar tray at the bottom right.
V Left-click the connection symbol and select Status.
V In the status window click the tab "Details". This tab contains the IP address of the EAGLE (= server IP address).
V Enter https:// followed by this IP address in the address bar of your browser to establish the connection to the EAGLE's Web-based administrator user interface.
Requirement: Configuration of the serial interface (see the following figure).

Fig. 26: Configuring the serial interface

6 Web-based management
The EAGLE supports both SNMP management and Web-based management and can thus offer
D extensive diagnostic and configuration functions for fast startup and
D extensive network and device information.
The EAGLE supports the TCP/IP protocol family.
The user-friendly Web-based interface gives you the option of managing the EAGLE from any location in the network via a standard browser such as Netscape Navigator/Communicator or Microsoft Internet Explorer.
The Web-based interface allows you to graphically configure the EAGLE.

6.1 Overview
The Overview dialog shows you a graphic display of the EAGLE and the system data:
D Name: any name you wish to assign to the EAGLE for easier identification.
D Location: location of this EAGLE.
D Power supply 1/2: status of the power supply units.
D Uptime: time that has elapsed since the EAGLE was last restarted.
D Temperature: the temperature inside the EAGLE. Enter the lower and upper temperatures as alarm thresholds.

Fig. 27: System data

6.2 System menu

6.2.1 System:Configurations-Profiles
You can save the configuration settings as a configuration profile under any
name in the EAGLE. You can create and save multiple configuration profiles.
You can then select and activate the configuration profile appropriate at the
time, if you use the EAGLE in different operating environments.
Furthermore, you can also save configuration profiles as files on the
configuration system. Naturally, these configuration files can then be read
back into the EAGLE and activated.
Furthermore, you can restore the EAGLE to the factory settings at any time.
Note: Passwords and user names are not saved in the configuration profiles.
Note: With Save Current Configuration to ACA 11 you save the
current configuration on the ACA 11, if it is connected. Enter the valid root
password.

Fig. 28: Configuration profiles

U Saving the current configuration in the EAGLE as a profile
V In the Name for the new profile: field, enter the desired name.
V Click on the Save Current Configuration to Profile button.

Fig. 29: Example of a stored configuration profile

U Display / Activate / Delete a configuration profile stored in the EAGLE
Requirement: At least one configuration profile has been created and is stored in the EAGLE (see above).
D Display the configuration profile: click the name of the configuration profile.
D Activate the configuration profile: click the Restore button to the right of the respective configuration profile.
D Delete the configuration profile: click the Delete button to the right of the respective configuration profile.


U Factory default settings - displaying / activating
The default setting is stored in the EAGLE as a configuration profile under the name Factory Default.
D Display: click the name Factory Default.
D Activate: click the Restore button next to the name Factory Default.
It is not possible to delete the configuration profile Factory Default.

U Saving a configuration profile as a file on a hard disk
V Click on the Download button to the right of the name of the configuration profile.
V Enter the filename and folder (where the configuration profile should be saved) in the displayed dialog. You can give the file any name desired.

U Uploading a configuration profile from a hard disk to the EAGLE
Prerequisite: You must have stored (as described above) at least one configuration profile as a file on the hard disk of the configuration system.
V In the Name for the new profile field, enter the name that should be assigned to the configuration profile uploaded from the disk.
V Click on Choose and then select the file.
V Click on the Upload Configuration to Profile button.
Afterwards: The uploaded configuration will now be displayed in the list of configuration profiles.
V If you want to activate the uploaded configuration profile, click on the Restore button next to the name.
Note: If the restore procedure involves changing from the transparent mode to another network mode, the EAGLE will be restarted. If the ACA 11 is connected, the EAGLE will obtain the configuration data from the ACA 11.


6.2.2 System:Reboot
At the end of the restart, the text Restarted appears.
A reboot can also be initiated by switching the device off and on again or by pressing the Recovery button (see Performing a restart on page 189).

Fig. 30: Reboot

6.2.3 System:Logs - Display
Displays all recorded log entries (overall system log). For a selection of specific log entries, see the respective dialogs (see for example VPN:VPN Logs - Display on page 140).
The format of the log corresponds to that common under Linux. Special analysis programs are available which can be used to present the information from the log in a more readable format.
You can send the logged entries to an external server (see Services:Remote Logging on page 152).
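As an added example of how the log entries can be processed by an analysis program or on the remote-logging server, the following Python parses syslog-style lines and summarises them. It is written for this page and is not a Hirschmann tool. It assumes the classic BSD syslog line layout, "<PRI>Mon dd hh:mm:ss host tag[pid]: message" (RFC 3164), which the manual only describes as the format common under Linux; the sample lines are constructed for the example and are not real EAGLE output.

```python
"""Added example: parse and summarise syslog-style log lines.

Written for this page, not Hirschmann code. Assumption: the log uses the
classic BSD syslog layout "<PRI>Mon dd hh:mm:ss host tag[pid]: message".
SAMPLE_LOG is constructed for the example and is not real EAGLE output.
"""
import re
from collections import Counter
from typing import Optional

SAMPLE_LOG = """\
<30>Oct 12 08:15:01 eagle login[412]: user admin logged in from 10.0.0.5
<28>Oct 12 08:15:40 eagle login[412]: authentication failure for admin from 203.0.113.77
<28>Oct 12 08:15:44 eagle login[412]: authentication failure for admin from 203.0.113.77
<4>Oct 12 08:16:02 eagle kernel: DROP IN=eth1 SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=22
this line is not syslog and must be reported as unparsed
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                 # priority = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "       # "Oct 12 08:15:01"
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "             # "login[412]:" or "kernel:"
    r"(?P<msg>.*)$"
)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,
        "severity": SEVERITY[pri & 7],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def summarise(text: str) -> dict:
    """Count severities, failed logins per source and firewall drops; keep unparsed lines."""
    severities = Counter()
    failed_logins = Counter()
    drops = 0
    unparsed = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)      # never silently discard what the parser cannot read
            continue
        severities[rec["severity"]] += 1
        if "authentication failure" in rec["msg"]:
            src = re.search(r"from (\S+)", rec["msg"])
            failed_logins[src.group(1) if src else "?"] += 1
        if rec["tag"] == "kernel" and rec["msg"].startswith("DROP"):
            drops += 1
    return {"severity": dict(severities), "failed_logins": dict(failed_logins),
            "drops": drops, "unparsed": unparsed}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Lines the parser cannot read are returned rather than dropped, so a change in the device's log format shows up in the summary instead of silently emptying it.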

Fig. 31: Logs

6.2.4 System:HiDiscovery
The HiDiscovery protocol allows you to assign the EAGLE an IP address based on its MAC address. Activate the HiDiscovery protocol if you want to assign an IP address to the EAGLE from your PC with the enclosed HiDiscovery software (setting on delivery: active).
Note: For security reasons, the EAGLE HiDiscovery function supports only the secure port.

Fig. 32: HiDiscovery

U Local HiDiscovery Support (SCT/MCT, internal/trusted port only)
D Enabled: local IP address assignment via HiDiscovery possible.
D Read-Only: HiDiscovery can read local parameters.
D Disabled: no HiDiscovery access to local parameters possible.


U HiDiscovery Frame Forwarding (SCT/MCT, bidirectional)
D No: the EAGLE blocks HiDiscovery data packets.
D Yes: the EAGLE forwards HiDiscovery data packets from Hirschmann devices.

Fig. 33: Example of HiDiscovery frame forwarding (network management station on the MACH 3002 industrial backbone; the EAGLE forwards HiDiscovery frames to the RS2-/MICE devices in Subnet 1)

6.2.5 System:Signal contact
The signal contact is for
D manually setting the signal contact,
D monitoring proper functioning of the EAGLE, which enables remote diagnostics.

U Signal contact
Setting the function of the signal contact:
D Operational supervision
D Manual setting

U Operational supervision
The zero-potential signal contact (relay contact, closed-circuit principle) opens to report:
D the failure of at least one of the two supply voltages (power supply voltage 1 or 2 < 9.6 V).
Note: With a non-redundant supply voltage, the EAGLE will report a supply power failure. You can prevent this by feeding the supply voltage over both inputs or by selecting Ignore redundant power supply.
D the defective link status of at least one port. The link status message can be masked with
- Ignore: no link monitoring
- Supervise only internal port (trusted)
- Supervise only external port (untrusted)
- Supervise both ports
Link status is not monitored in the delivery condition.

U Manual setting
This mode gives you the option of remotely switching the signal contact.
V Select Open (Alarm) to open the contact.
V Select Closed to close the contact.


Application options:
D Simulation of an error during PLC (SPS) error monitoring.
D Remote control of a device via SNMP, such as switching on a camera.
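The alarm conditions listed in 4.1.1 and the masking options of this dialog, combined into one evaluation function as an added example. This is Python written for this page, not Hirschmann code: it models when the contact opens under Operational supervision or Manual setting, the option names follow the dialog, and the device states fed in are constructed values.

```python
"""Added example: the alarm logic behind the EAGLE signal contact, as a model.

Illustrative code written for this page, not Hirschmann code. The conditions
and option names come from sections 4.1.1 and 6.2.5 of this manual; the
device states fed in are constructed values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List

SUPPLY_MIN_V = 9.6   # a supply input below this voltage counts as failed


class LinkSupervision(Enum):
    IGNORE = "Ignore"
    INTERNAL_ONLY = "Supervise only internal port (trusted)"
    EXTERNAL_ONLY = "Supervise only external port (untrusted)"
    BOTH = "Supervise both ports"


@dataclass
class DeviceState:
    supply_p1_v: float
    supply_p2_v: float
    internal_3v3_ok: bool = True
    self_test_ok: bool = True
    internal_link_up: bool = True
    external_link_up: bool = True


@dataclass
class ContactConfig:
    mode: str = "Operational supervision"       # or "Manual setting"
    manual_open: bool = False                   # Open (Alarm) / Closed in manual mode
    ignore_redundant_supply: bool = False
    link_supervision: LinkSupervision = LinkSupervision.IGNORE   # delivery state


def alarm_reasons(state: DeviceState, cfg: ContactConfig) -> List[str]:
    """Return why the contact is open; an empty list means the contact is closed."""
    if cfg.mode == "Manual setting":
        return ["manual"] if cfg.manual_open else []

    reasons = []
    low = [name for name, volts in (("P1", state.supply_p1_v), ("P2", state.supply_p2_v))
           if volts < SUPPLY_MIN_V]
    # With a single supply one input always reads 0 V; 'Ignore redundant power
    # supply' suppresses that alarm as long as the other input is good.
    if low and not (cfg.ignore_redundant_supply and len(low) == 1):
        reasons.append(f"supply {'/'.join(low)} below {SUPPLY_MIN_V} V")
    if not state.internal_3v3_ok:
        reasons.append("internal 3.3 V fault")
    if not state.self_test_ok:
        reasons.append("self-test error")
    sup = cfg.link_supervision
    if sup in (LinkSupervision.INTERNAL_ONLY, LinkSupervision.BOTH) and not state.internal_link_up:
        reasons.append("internal port link down")
    if sup in (LinkSupervision.EXTERNAL_ONLY, LinkSupervision.BOTH) and not state.external_link_up:
        reasons.append("external port link down")
    return reasons


def contact_closed(state: DeviceState, cfg: ContactConfig) -> bool:
    """Closed-circuit principle: the relay is closed only while nothing is wrong."""
    return not alarm_reasons(state, cfg)


if __name__ == "__main__":
    single_supply = DeviceState(supply_p1_v=24.0, supply_p2_v=0.0)
    print(alarm_reasons(single_supply, ContactConfig()))
    print(alarm_reasons(single_supply, ContactConfig(ignore_redundant_supply=True)))
```

Note that in Manual setting every supervision result is ignored: a contact forced to Closed will not report a supply failure, which is the reason to return to Operational supervision once a test of the monitoring chain is finished.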

Fig. 34: Signal contact

6.3 Ports menu

6.3.1 Ports:Configuration Table
This table allows you to configure every port of the EAGLE.

Fig. 35: Port configuration

U Automatic Configuration
In the Automatic Configuration (Autonegotiation) column, you can activate the automatic selection of a port's operating mode by marking the appropriate field. After the autonegotiation has been switched on, it takes a few seconds for the operating mode to be set.


U Manual Configuration
In the Manual Configuration column, you set the operating mode for
this port. The choice of operating modes depends on the media module.
The possible operating modes are:
D 10 Mbit/s half duplex (HDX),
D 10 Mbit/s full duplex (FDX),
D 100 Mbit/s HDX and
D 100 Mbit/s FDX.
Note: The active automatic configuration has priority over the manual
configuration.

6.4 Redundancy
6.4.1 Redundancy:Layer 2 Redundancy
This dialog offers you the option of including the EAGLE in the path of the
Redundant Ring /Network Coupling or Dual Homing (requirement for Dual
Homing: redundancy check is deactivated in the MACH 3000).
V For this application select the operating mode
Multi-client transparent mode.

Fig. 36: Layer 2 Redundancy

U Activate Ring/Network Coupling/Dual Homing
If you include the EAGLE in the path of the redundant Ring/Network Coupling or Dual Homing, select Yes.
Default setting: No.


U Redundancy port
Select the port that leads directly to the coupling switch (see Fig. 37).

Fig. 37: Example of Layer 2 redundancy in multi-client transparent mode (two EAGLEs between Cell 1, with its MICE/RS2- switches, and the MACH 3002 industrial backbone; the redundancy port of each EAGLE leads to the coupling switch or the stand-by switch)

6.5 Network menu

6.5.1 Network:Base
The EAGLE must naturally be set to the Network Mode (= operating mode)
that matches its connection to the local computer or network (see Typical
application scenarios on page 33).

Fig. 38: Network:Base

Variable               IP address
in transparent mode    1.1.1.1
in router mode         192.168.1.1
in PPPoE mode          192.168.1.1
Local netmask          255.255.255.0

Table 4: The EAGLE's preset local IP address


Note: When the Network Mode has been changed, the device will reboot automatically.
Note: If you change the address of the EAGLE (e.g. by changing the Network Mode from Transparent (Stealth) to Router), the device will, immediately after the restart, only be accessible at the new address. See System configuration via Web-based management on page 62.
Note: If you set the Network Mode to Router, PPPoE or PPTP and then change the internal IP address and/or the local netmask, make very certain that you enter the correct values. Otherwise, the EAGLE will no longer be accessible.

U Network mode
D Transparent mode
The Transparent mode is used to connect an individual device (single client, SCT) or several devices (multi-client, MCT) to the secure port (state on delivery: Multi-client transparent mode).
Integrate the EAGLE into the existing network. The IP parameters of the existing network do not need to be reconfigured (see Fig. 9).
The EAGLE analyzes the network traffic flowing through it, configures its network connection automatically and operates transparently, i.e. without the client having to be reconfigured.
Here you can enter the local IP parameters of the EAGLE. These
parameters allow you access to the management of the EAGLE.
The firewall security function is available in the SCT and MCT mode.
The VPN security function is available in SCT.
Note: If transparent is selected as the network mode, no entries need
to be made under Internal IPs and additional internal routers. Existing
entries under these points are ignored.


D Router mode
If the EAGLE is not in transparent mode, it functions as a normal router and consequently has an external and an internal IP address. The security functions firewall and VPN are available.
Note: If the EAGLE is operated in router mode, it must be defined as the standard gateway on the locally connected client computers, i.e. the address of the standard gateway must be set to the internal IP address of the EAGLE (see IP configuration for the Windows clients on page 149).
Note: If the EAGLE is operated in Router mode and is used to establish the connection to the Internet, you should activate NAT to allow access to the Internet from the local network (see Firewall:NAT on page 116). If NAT is not activated, the device will only allow VPN connections.
D PPPoE mode
The PPPoE mode corresponds to router mode with DHCP, with one difference: to connect to an external network (Internet, WAN) the PPPoE protocol is used, as is the case in Germany, for example, with many DSL modems (for DSL Internet access). The external IP address, at which the EAGLE can be reached from a remote terminal, is assigned dynamically by the provider.
Address of the device (for configuration purposes):
IP address: 192.168.1.1
Local network mask: 255.255.255.0
Note: If the EAGLE is operated in PPPoE mode, it must be defined as the standard gateway on the locally connected client computers, i.e. the address of the standard gateway must be set to the internal IP address of the EAGLE (see IP configuration for the Windows clients on page 149).
Note: If the EAGLE is in PPPoE mode, NAT must be activated to enable access to the Internet (see Firewall:NAT on page 116). If NAT is not activated, the device will only allow VPN connections.
D PPTP Mode
This mode is similar to PPPoE mode. In Austria, for example, PPTP is used instead of the PPPoE protocol for DSL connections. PPTP is the protocol that was originally used by Microsoft for VPN connections.

Note: If the EAGLE is operated in PPTP mode, you must set it as the
standard gateway in the locally connected client computers. In other
words, the address entered for the standard gateway must be the internal
IP address of the EAGLE (see IP configuration for the Windows clients
on page 149).
Note: If the EAGLE is in PPTP mode, NAT must be activated to enable
access to the Internet (see Firewall:NAT on page 116). If NAT is not
activated, the device will only allow VPN connections.

U Internal IPs
Router / PPPoE / PPTP mode
Internal IPs are the IP addresses under which the EAGLE can be accessed from the locally connected LAN.
Default setting:
IP address: 192.168.1.1
Local netmask: 255.255.255.0
You can also specify other addresses under which the EAGLE can be accessed by devices on the locally connected network. This can be useful, for example, if the locally connected network is divided into subnetworks. In this case, units on different subnetworks can access the EAGLE under different addresses.
V If you wish to define another internal IP, click on New.
V If you wish to delete an internal IP, click on Delete.
The first IP address in the list cannot be deleted.

U Additional Internal Routes
Router / PPPoE / PPTP mode
If the locally connected network includes subnetworks, you can define additional routes. See also Example of a network on page 185.
V If you wish to define another route to a subnetwork, click on New. Enter:
the IP address of the subnetwork (network), plus
the IP address of the gateway through which the subnetwork is connected.
You can define any number of internal routes.
V If you wish to delete an internal route, click on Delete.
Note: Additional internal routes have no effect in transparent mode.

6.5.2 Network:Transparent mode


Requirement: The EAGLE has been set to the network mode transparent.

Fig. 39:

Network:Transparent mode

U Single client automatic
A single device to be protected is connected to the EAGLE.
To be able to support VPN, the EAGLE analyzes the network traffic that passes through it, configures its network connection automatically, and operates transparently. Enter the IP parameters for local management under Local IP configuration.

U Single client static:
A device to be protected is connected to the EAGLE.
V Enter the IP parameters for local management (see above).
If the EAGLE is unable to analyze the network traffic that passes through it, for example because the locally connected computer only receives data, the transparent configuration must be set to single-client transparent mode, static, to support VPN.
In this case, make the following settings:
D IP address of the connected client
D Client's MAC address. This is the physical address of the network adapter of the local computer to which the EAGLE is connected.
The MAC address can be determined as follows: at the command prompt (Start:Programs:Accessories:Command Prompt), enter the following command:
ipconfig /all

U Multiple-Client:
Several devices to be protected are connected to the EAGLE
(default settings). The EAGLE does not support VPN in MCT mode.
Enter the IP parameters under IP local configuration.

6.5.3 Network:Router
Requirement: The EAGLE has been set to the network mode Router.

Fig. 40:

Network:Router

U External interface
Obtain external configuration via DHCP: Yes / No.
V If the EAGLE obtains its configuration data via DHCP (Dynamic Host Configuration Protocol) from the DHCP server, set Yes. No other information is necessary.
V If the EAGLE does not obtain its data via DHCP from the DHCP server, set No. The EAGLE must then operate in the network mode Router (see Router mode on page 97), and you must provide the following further information:

U External networks (connected to the insecure port)
External IPs (untrusted port)
At these external IP addresses, the EAGLE can be reached by devices of the external network (connected to the Ethernet socket of the EAGLE). They form the interface to other parts of the LAN or to the Internet. If the gateway to the Internet is located here, the IP addresses are determined by the Internet service provider (ISP).
V If you wish to provide an additional external IP, click New.
V If you wish to delete one of the external IPs, click Delete.
Additional External Routes
In addition to the default route (see below) you can define other external routes.
V If you wish to provide an additional external route, click New.
V If you wish to delete one of the additional external routes, click Delete.
See also Example of a network on page 185.

U Default Route
Default Route via IP
This route is determined by the Internet service provider (ISP) when the EAGLE forms the gateway to the Internet. If the EAGLE is used within the LAN, the route is specified by the network administrator.
Note: If the local network is not known to the external router, e.g. in the case of configuration by DHCP, enter the address of your local network under Firewall:NAT, in other words 0.0.0.0/0 (see Firewall:NAT on page 116).

6.5.4 Network:PPPoE
Requirement: The EAGLE has been set to the network mode PPPoE (see PPPoE mode on page 97).
User name (login) and password are requested by the Internet Service Provider (ISP) when you wish to establish a connection with the Internet.

Fig. 41:

Network:PPPoE

U PPPoE Login
In this field, enter the user name (login) that your Internet Service Provider expects when you set up a connection to the Internet.

U PPPoE Password
In this field, enter the password that your Internet Service Provider expects when you set up a connection to the Internet.

6.5.5 Network:PPTP
Requirement: The EAGLE has been set to the network mode PPTP (see PPTP Mode on page 97).
User name (login) and password are requested by the Internet service provider (ISP) when you wish to establish a connection with the Internet.

Fig. 42:

Network:PPTP

U PPPoE Login
In this field, enter the user name (login) that your Internet Service Provider expects when you set up a connection to the Internet.

U PPPoE Password
In this field, enter the password that your Internet Service Provider expects when you set up a connection to the Internet.

U Set local IP
Via DHCP
If the address data for access to the PPTP server is supplied by the Internet service provider via DHCP, select via DHCP. You do not have to make an entry under Local IP.
Modem IP: the address of the PPTP server of the Internet service provider.
Static (following fields)
If the address data for accessing the PPTP server is not supplied by the Internet service provider via DHCP, the IP address must be specified as the local IP address for the PPTP server.
Local IP: the IP address at which the EAGLE can be reached from the PPTP server.
Modem IP: the address of the PPTP server of the Internet service provider.

6.5.6 Network:Status
U Network mode
Displays the current operating mode of the EAGLE: Transparent (SCT/MCT), Router, PPPoE or PPTP (see Network:Base on page 95).

U External IP
The IP address of the EAGLE at its connection to the insecure network (WAN or Internet).
If the EAGLE is assigned an IP address dynamically, you can look up the currently valid IP address here.
In transparent mode, the EAGLE takes on the local IP address (see Network:Transparent mode on page 100).

U Default gateway
The default gateway address entered in the EAGLE is shown here.

Fig. 43:

Network:Status


6.6 Configuring the firewall


The EAGLE contains a stateful packet inspection firewall. The connection data of every active connection are recorded in a database (referred to as connection tracking). Rules therefore only need to be defined for one direction; data in the opposite direction of a tracked connection, and only this data, is passed through automatically. A side effect is that existing connections are not interrupted during reconfiguration, even if a new connection of the same kind can no longer be set up.
Factory settings for the firewall:
D All incoming connections will be rejected (except VPN).
D The data packets of all outgoing connections will be passed through.
Note: VPN connections are not subject to the firewall rules defined under this menu item. You can define firewall rules for each individual VPN connection in the menu VPN:Connections on page 122.
Note: If multiple firewall rules are set, they are searched in the order in which they are listed (from top to bottom) until a suitable rule is found. This rule is then applied. If there are other rules further down the list that would also fit, they are ignored.

6.6.1 Firewall:Incoming
Lists the firewall rules that have been set. They apply to incoming data
packets that are initiated externally.
Note: If no rule has been set, all incoming connections (except for VPN)
are rejected (= factory setting).

Fig. 44:

Firewall:Incoming

U Deleting a rule
V Click on the Delete button next to the entry. Then click on OK.

U Setting a new rule
V If you wish to set a new rule, click on New.
V Define the desired rule (see below) and then click on OK.
The system will display a confirming message.
The following options are available:
D Protocol: All means: TCP, UDP, ICMP and other IP protocols.
Note: If you select All, the EAGLE ignores the port settings (from port, to port).
D IP address: 0.0.0.0/0 means all addresses. To indicate a range, use the CIDR notation - see CIDR (Classless InterDomain Routing) on page 183.
D Port: (only evaluated for the protocols TCP and UDP)
any refers to any port.
startport:endport (e.g. 110:120) refers to a port range.
Individual ports can be specified either with the port number or with the respective service name (e.g. 110 for pop3 or pop3 for 110). A list of the most commonly used port numbers can be found at http://www.iana.org/assignments/port-numbers.
D Action:
Accept means the data packets are permitted to pass through.
Reject means that the data packets are not accepted, and the sender is notified that the data was rejected. In transparent mode, Reject has the same effect as Discard.
Discard means the data packets are not permitted to pass through. They are discarded, and the sender is not notified about what happened to the data.
Note: In transparent mode Reject is supported if the local IP address is entered correctly.
D Log
For each individual firewall rule you can decide whether the event should be logged when the rule is applied (set Log to Yes) or not (set Log to No, the factory default setting).
D Log entries for unknown connection attempts
This logs all connection attempts that are not covered by the preceding rules.
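The rule semantics described in the introduction to this chapter and in the option list above (first matching rule wins, Protocol All ignores the port settings, CIDR addresses, port ranges and service names, reply traffic passed by connection tracking, Log per rule, Reject as factory default) can be modelled in a few lines. This is an added example, not Hirschmann code; the class names, the service-name excerpt and the addresses in it are assumptions.

```python
"""Added example, not Hirschmann code: a small model of the EAGLE's
incoming-rule semantics (first match wins, Protocol All ignores ports,
CIDR addresses, 'any' / 'start:end' / service-name ports, connection
tracking that passes the reply direction automatically, Log per rule).
Rule, Packet and StatefulFirewall are this example's own names."""
import ipaddress
from dataclasses import dataclass

ACCEPT, REJECT, DISCARD = "Accept", "Reject", "Discard"
# Constructed excerpt of service names; the device resolves them itself.
SERVICES = {"pop3": 110, "smtp": 25, "http": 80, "https": 443, "ssh": 22}


def parse_port_spec(spec):
    """'any' -> (0, 65535); '110:120' -> (110, 120); 'pop3' or '110' -> (110, 110)."""
    spec = str(spec).strip().lower()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (_port_number(lo), _port_number(hi))
    port = _port_number(spec)
    return (port, port)


def _port_number(token):
    return int(token) if token.isdigit() else SERVICES[token]


@dataclass(frozen=True)
class Rule:
    protocol: str                 # "All", "TCP", "UDP" or "ICMP"
    from_ip: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 means all addresses
    from_port: str = "any"
    to_ip: str = "0.0.0.0/0"
    to_port: str = "any"
    action: str = ACCEPT
    log: bool = False             # factory default: Log = No


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self):
        return (self.protocol, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        return (self.protocol, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def rule_matches(rule, pkt):
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.from_ip):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.to_ip):
        return False
    if rule.protocol == "All" or pkt.protocol not in ("TCP", "UDP"):
        return True               # port settings are only evaluated for TCP and UDP
    lo, hi = parse_port_spec(rule.from_port)
    if not lo <= pkt.src_port <= hi:
        return False
    lo, hi = parse_port_spec(rule.to_port)
    return lo <= pkt.dst_port <= hi


class StatefulFirewall:
    """Incoming rules in list order; outgoing traffic follows the factory
    default (everything passes) and is entered into the connection table."""

    def __init__(self, incoming_rules, log_unknown=False):
        self.incoming = list(incoming_rules)
        self.log_unknown = log_unknown
        self.conntrack = set()    # flows of accepted connections
        self.log = []             # (verdict, flow) entries

    def outgoing(self, pkt):
        self.conntrack.add(pkt.flow())
        return ACCEPT

    def incoming_verdict(self, pkt):
        # Reply direction of a tracked connection: passed without any rule.
        if pkt.reverse_flow() in self.conntrack:
            return ACCEPT
        for rule in self.incoming:    # first suitable rule wins, the rest is ignored
            if rule_matches(rule, pkt):
                if rule.log:
                    self.log.append((rule.action, pkt.flow()))
                if rule.action == ACCEPT:
                    self.conntrack.add(pkt.flow())
                return rule.action
        if self.log_unknown:          # "Log entries for unknown connection attempts"
            self.log.append(("unknown", pkt.flow()))
        return REJECT                 # factory default: incoming connections rejected
```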

6.6.2 Firewall:Outgoing
Lists the firewall rules that have been established. They apply to outgoing data connections that are initiated internally. With the default rule, all outgoing connections are permitted to pass through.

Fig. 45:

Firewall:Outgoing

U Deleting a rule
V Click on the Delete button next to the entry. Then click on OK.

U Setting a new rule


V If you wish to set a new rule, click on New.
V Define the desired rule (see below) and then click on OK.
The system will display a confirming message.

The following options are available:
D Protocol: All means: TCP, UDP, ICMP, and other IP protocols.
Note: If you select All, the EAGLE ignores the port settings (from port, to port).
D IP address: 0.0.0.0/0 means all addresses. To indicate a range, use the CIDR notation - see CIDR (Classless InterDomain Routing) on page 183.
D Port:
any refers to any port.
startport:endport (e.g. 110:120) refers to a port range.
Individual ports can be specified either with the port number or with the respective service name (e.g. 110 for pop3 or pop3 for 110).
D Action:
Accept means the data packets are permitted to pass through.
Reject means that the data packets are not accepted, and the sender is notified that the data was rejected. In transparent mode, Reject has the same effect as Discard.
Discard means the data packets are not permitted to pass through. They are discarded, and the sender is not notified about what happened to the data.
Note: In transparent mode Reject is supported if the local IP address is entered correctly.
D Log
For each individual firewall rule you can decide whether the event should be logged when the rule is applied (set Log to Yes) or not (set Log to No, the factory default setting).
D Log entries for unknown connection attempts
This logs all connection attempts that are not covered by the preceding rules.

6.6.3 Firewall:Port Forwarding
Lists the rules that have been defined for port forwarding.
During port forwarding the following takes place: the headers of incoming data packets from the external network that are addressed to the external IP address (or to one of the external IP addresses) of the EAGLE and to a specific port of the EAGLE are translated in such a way that the packets are forwarded to a particular computer and a particular port in the internal network. This means that the destination IP address and port number in the header of the incoming data packets are changed.
This procedure is also referred to as Destination NAT.
Note: These rules do not apply in transparent mode.
Note: The rules established here have priority over the settings under Firewall:Incoming on page 110.

Fig. 46:

Firewall:Port Forwarding

U Deleting a rule
V Click on the Delete button next to the entry. Then click on OK.
U Setting a new rule
V If you wish to set a new rule, click on New.
V Define the desired rule (see below) and then click on OK.
D Protocol
Enter the protocol to which the rule is to refer.
D Incoming for IP:
Enter the external IP address (or one of the external IP addresses) of the EAGLE.
OR
If the external IP address of the EAGLE changes dynamically, so that no fixed address can be entered, use the following variable instead: %external.
D Incoming for port:
Original destination port that is specified in the incoming data packets.
D Forward to IP:
IP address to which the data packets are to be forwarded and into which the original destination address is to be translated.
D Forward to port:
Port to which the data packets are to be forwarded and into which the original port information is to be translated.
Ports can be specified either with the port number or with the respective service name (e.g. 110 for pop3 or pop3 for 110).
D Log
For each individual port forwarding rule you can decide whether the event should be logged when the rule is applied (set Log to Yes) or not (set Log to No, the factory default setting).
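The Destination NAT behaviour described at the start of this section and the rule fields above (Incoming for IP including the %external variable, Incoming for port, Forward to IP/port, Log, priority over Firewall:Incoming, no effect in transparent mode) as an added example, not Hirschmann code. The class names, the sample rule and the addresses are this example's assumptions.

```python
"""Added example, not Hirschmann code: Destination NAT as described for
Firewall:Port Forwarding. A rule maps packets arriving at the EAGLE's
external address (or at whatever %external currently stands for) and a
port to an internal host and port; replies are translated back. The
rules in the test and the class names are this example's assumptions."""
from dataclasses import dataclass, replace

SERVICES = {"http": 80, "https": 443, "pop3": 110, "ssh": 22}   # constructed excerpt


def port_number(spec):
    spec = str(spec).strip().lower()
    return int(spec) if spec.isdigit() else SERVICES[spec]


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    protocol: str          # "TCP" or "UDP"
    incoming_ip: str       # an external IP of the EAGLE or the variable "%external"
    incoming_port: str     # original destination port (number or service name)
    forward_ip: str        # internal host the packet is rewritten to
    forward_port: str
    log: bool = False


class PortForwarder:
    def __init__(self, rules, external_ips, transparent_mode=False):
        self.rules = list(rules)
        self.external_ips = set(external_ips)
        self.transparent = transparent_mode
        # (proto, client ip, client port, internal ip, internal port) -> (ext ip, ext port)
        self.sessions = {}
        self.log = []

    def set_external_ips(self, ips):
        """A dynamically assigned external address changes what %external means."""
        self.external_ips = set(ips)

    def _incoming_ips(self, rule):
        return self.external_ips if rule.incoming_ip == "%external" else {rule.incoming_ip}

    def apply(self, pkt):
        """Returns (translated packet, matching rule) or (pkt, None). A match
        has priority over the Firewall:Incoming rules, which are not consulted."""
        if self.transparent:
            return pkt, None   # port forwarding has no effect in transparent mode
        for rule in self.rules:
            if rule.protocol != pkt.protocol:
                continue
            if pkt.dst_ip not in self._incoming_ips(rule):
                continue
            if pkt.dst_port != port_number(rule.incoming_port):
                continue
            new = replace(pkt, dst_ip=rule.forward_ip,
                          dst_port=port_number(rule.forward_port))
            key = (pkt.protocol, pkt.src_ip, pkt.src_port, new.dst_ip, new.dst_port)
            self.sessions[key] = (pkt.dst_ip, pkt.dst_port)
            if rule.log:
                self.log.append((pkt, new))
            return new, rule
        return pkt, None

    def apply_reply(self, pkt):
        """Reverse translation: the internal host's answer leaves with the
        external address and port the client originally addressed."""
        key = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            return pkt
        ext_ip, ext_port = self.sessions[key]
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)


def incoming_decision(forwarder, pkt, incoming_rules_allow):
    """Port forwarding rules have priority over Firewall:Incoming: only a
    packet no forwarding rule covers is judged by the incoming rules (a callable)."""
    new, rule = forwarder.apply(pkt)
    if rule is not None:
        return "Forward", new
    return ("Accept" if incoming_rules_allow(pkt) else "Reject"), pkt
```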

6.6.4 Firewall:NAT
For outgoing data packets the EAGLE can translate the specified sender IP addresses from its internal network (in the example below: 192.168.x.x) into its own external address (in the example below: 148.218.112.7 or 149.218.112.8). The EAGLE uses the logical port numbers to assign the incoming reply packets to the original senders.
This method is used if the internal addresses cannot or should not be routed externally, for example because a private address range such as 192.168.x.x is being used or the internal network structure is to be concealed.
This procedure is also referred to as IP masquerading.
The dialog lists the defined rules for NAT (Network Address Translation).

U Principle of IP masquerading
For addressing purposes, TCP/IP uses so-called port numbers (UDP, TCP) for the source and destination in addition to the IP addresses. Masquerading makes use of this feature.
If the EAGLE receives a data packet in router mode at the secure port, it enters the IP address of the sender (source) and the port in an internal table. The EAGLE assigns this table entry its own IP address and a random port number as new source information and then forwards the data packet with this new information at the insecure port.
The receiver therefore sends its reply to this data packet to the EAGLE. The EAGLE in turn looks up the original sender in its table and forwards the reply to that internal address.
This method permits a communication request from the secure to the insecure network, for example from a computer located in cell 3 to a computer in the industrial backbone (see the figure below).

Fig. 47: Example of a masquerading application: two identically structured production cells
(Figure labels: Cell 2 and Cell 3, each with MICE and RS2- switches on addresses 192.168.0.1 to 192.168.0.4 behind an EAGLE; the addresses 148.218.112.6 to 148.218.112.9 appear on the Industrial Backbone side.)

Note: If the EAGLE is operating in PPPoE/PPTP mode, NAT must be activated to obtain access to the Internet. If NAT is not activated, only VPN connections can be used.
Factory setting: There is no NAT.

Fig. 48:

Firewall:NAT

U Deleting a rule
V Click on the Delete button next to the entry. Then click on OK.

U Setting a new rule
V If you wish to set a new rule, click on New.
V Define the desired rule (see below) and then click on OK.
The following entry options are available:
D From IP:
0.0.0.0/0 means all addresses. In other words, all internal IP addresses are subject to the NAT procedure. To indicate a range, use the CIDR notation - see CIDR (Classless InterDomain Routing) on page 183.
Example:
For the IP address range 192.168.0.33 to 192.168.0.64 enter: 192.168.0.33/27.
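The masquerading principle explained above and the From IP entry of a NAT rule, as an added example that is not Hirschmann code: outgoing packets from the From IP range get the EAGLE's external address and a random port as new source, the table maps replies back, and a small helper shows which addresses a CIDR entry actually covers so that an entry can be checked before it is saved. Class and function names and the sample addresses are assumptions.

```python
"""Added example, not Hirschmann code: the IP masquerading principle
described above. Packets from the configured "From IP" range leave the
insecure port with the EAGLE's external address and a freshly chosen
port as source; a table maps that port back so the reply reaches the
original internal host. Also included is a helper that shows which hosts
a CIDR entry actually covers, as a check before saving a NAT rule.
Class and function names, and the sample addresses, are assumptions."""
import ipaddress
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def cidr_host_range(entry):
    """First and last address covered by a CIDR entry, e.g. '192.168.0.33/27'.
    strict=False applies the mask as a router would, so host bits in the
    written address do not shift the range."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)


class Masquerader:
    def __init__(self, external_ip, from_ips=("0.0.0.0/0",), rng=None):
        self.external_ip = external_ip
        self.from_nets = [ipaddress.ip_network(n, strict=False) for n in from_ips]
        self.rng = rng or random.SystemRandom()
        self.table = {}     # (proto, external port) -> original flow
        self.by_flow = {}   # original flow -> external port (reused for one connection)

    def subject_to_nat(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.from_nets)

    def _new_port(self, proto):
        while True:
            port = self.rng.randint(1024, 65535)   # random, not yet used port number
            if (proto, port) not in self.table:
                return port

    def outgoing(self, pkt):
        """Secure -> insecure port: replace the source with the EAGLE's own
        external address and a new port, and remember the original sender."""
        if not self.subject_to_nat(pkt.src_ip):
            return pkt                            # outside From IP: routed unchanged
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._new_port(pkt.protocol)
            self.by_flow[flow] = port
            self.table[(pkt.protocol, port)] = flow
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def incoming(self, pkt):
        """Insecure -> secure port: translate a reply back to the internal host.
        Packets with no table entry have no internal owner and return None."""
        if pkt.dst_ip != self.external_ip:
            return None
        flow = self.table.get((pkt.protocol, pkt.dst_port))
        if flow is None:
            return None
        proto, src_ip, src_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None        # only the host the request went to may answer
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)
```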

6.6.5 Firewall:Extended Settings
These settings determine the basic behaviour of the firewall.

Fig. 49:

Firewall:Extended Settings

D Maximum number of ...
These 5 settings define upper limits. They are chosen so that they are never reached in normal operation. Since they can easily be reached in the event of an attack, however, the limits provide additional security. If your operational environment has special requirements, you can increase these values.
D Enable Active FTP NAT/Connection Tracking support
If an outgoing FTP connection is set up to download data, the called server calls the calling system back to establish a connection for the data transfer. In other words, for the calling client this is simply an additional incoming connection, which is set up with active FTP. In this case, Enable Active FTP NAT/Connection Tracking support must be set to Yes so that the firewall passes the data through (factory setting). Without this function, the unit only permits passive FTP.

D Enable IRC NAT/Connection Tracking support
This is similar to active FTP: when the IRC protocol is used for chatting on the Internet, incoming connections must also be permitted after the connection has been established actively. In this case, Enable IRC NAT/Connection Tracking support must be set to Yes so that the firewall permits these connections (factory setting).
D Enable PPTP NAT/Connection Tracking support
This need only be set to Yes under the following condition: a local system should establish a VPN connection via PPTP to an external system without help from the EAGLE. The factory setting is No.
D Transparent Mode only
These 2 settings define maximum values. They are chosen so that they are never reached in normal operation. Since they can easily be reached in the event of an attack, however, the limits provide additional security. If your operational environment has special requirements, you can increase these values.

6.6.6 Firewall:Logs - Display
If the logging of events was activated (Log = Yes) on the firewall rules page, you can view the log with all of the recorded events here.
The format of the log corresponds to the format common under Linux. Special analysis programs are available which can present the information from the log in a more readable format.


6.7 Setting up a VPN connection


Note: VPN is not supported in MCT mode and not by the device models
EAGLE (FW).
Prerequisites for a VPN connection:
The main prerequisite for a VPN connection is that the IP address of the
VPN partner is known and accessible. See Services:DynDNS Monitoring
on page 144.
D To successfully set up an IPsec connection, the VPN remote terminal
must support IPsec with the following configuration:
D Authentication via Pre-Shared Key (PSK) or X.509 certificate
Note: The Hirschmann Competence Center creates and manages
safety certificates.
D ESP
D Diffie-Hellman Groups 2 and 5
D DES, 3DES or AES encryption
D MD5 or SHA-1 hash algorithms
D Tunnel or Transport mode
D Quick Mode
D Main Mode
D SA Lifetime (1 second to 24 hours; standard: 8 hours)
If the system at the remote site is running Windows 2000, the Microsoft
Windows 2000 High Encryption Pack or Service Pack 2 must also be
installed.
D If the remote site is behind a NAT router, it must support NAT-T or the
NAT router must support the IPsec protocol (IPsec/VPN Passthrough).
In either case, for technical reasons, only IPsec Tunnel connections are
supported.

6.7.1 VPN:Connections
Lists the VPN connections that have been setup.
All of the listed connections may be active at the same time.

Fig. 50:

VPN:Connections

U Setting up a new VPN connection
V Click New.
V Assign a name to the connection and click Edit.
V Make the desired or required settings (see below).
V Afterwards, click OK.

U Editing a VPN connection
V Click the Edit button next to the respective connection.
V Make the desired or required settings (see below).
V Afterwards, click OK.

Fig. 51:

VPN:Connections:Connection

U Deleting a connection
V Click Delete next to the respective entry. Then click OK.

U Any name for the VPN connection
You can give the connection any name you wish.

U Active
Determine whether the connection is to be active (= Yes) or not (= No).

U Address of the remote site's VPN gateway
D What is meant is the address of the access point (gateway) to the private network in which the remote communication partner can be found (see Fig. 52).
D If you wish to have the EAGLE actively initiate and set up the connection to the remote site, or if the device is in Stealth mode, enter the IP address of the remote site here. The remote site must have a fixed and known IP address. Instead of an IP address, you can enter a hostname (i.e. a domain name in URL syntax, such as www.xyz.de). If the remote site's VPN gateway does not have a fixed and known IP address, you can use the DynDNS service to simulate a fixed and known address. See Services:DynDNS Monitoring on page 144.
D If the EAGLE is to wait for a connection that a remote terminal with an arbitrary IP address actively initiates and establishes to the local EAGLE, enter: %any
In this case, the local EAGLE can be called by a remote site which has been dynamically assigned its IP address (by the Internet Service Provider), i.e. which has a changing IP address. In this scenario, you may only enter an IP address when it is the fixed and known IP address of the remote calling site.

Fig. 52: Devices and addresses of the remote site
(Figure labels: MACH 3002, EAGLE, Industrial Backbone, unsecure network, VPN; addresses 192.168.208.2, 192.168.208.1, 192.168.208.11 and 192.168.206.10.)

Dialog            Setting                                   Value
Network:Base      Internal IP                               192.168.208.11
                  Netmask                                   255.255.255.0
                  Network Mode                              Router
Network:Router    DHCP                                      No
                  External IP                               192.168.206.11
                  Netmask                                   255.255.255.0
VPN:L2TP          Start L2TP Server for L2TP                Yes
                  Local IP for L2TP connections             10.106.106.2
                  Assignment of IPs for L2TP remote site    10.106.106.2 to 10.106.106.254
VPN:Connections   Active                                    Yes
VPN:IPsec State   Gateway                                   192.168.206.11

Table 5: Example of devices and addresses of the remote site

U Connection type

Connection type: Tunnel (Network <> Network)
Annotation: This type of connection is suitable in every case and is also the most secure. In this mode, the IP datagrams are completely encrypted before they are sent with a new header to the remote site's VPN gateway, the tunnel end. There the transferred datagrams are decrypted to restore the original datagrams. These are then passed on to the destination system.

Connection type: Transport (Host <> Host)
Annotation: In this type of connection, the device only encrypts the data of the IP packets. The IP header information remains in the clear (unencrypted).

Connection type: Transport (L2TP Microsoft Windows)
Annotation: If this type of connection is activated on the remote system, the EAGLE will also take this setting - Transport (L2TP Microsoft Windows) - and will function accordingly. In other words, the L2TP/PPP protocol will create a tunnel within the IPsec transport connection. The locally connected L2TP system will be assigned its IP address dynamically.
If you select the connection type Transport (L2TP Microsoft Windows), set Perfect Forward Secrecy (PFS) to No (see below). As soon as the IPsec/L2TP connection is started under Windows, a dialog will appear to prompt you to enter your user name and password. You can make any entry that you want in this dialog: since the X.509 certificate has already provided your authentication, the EAGLE will ignore these entries.

Connection type: Transport (L2TP SSH Sentinel)
Annotation: If this type of connection is activated on the locally connected system, the EAGLE will also take this setting - Transport (L2TP SSH Sentinel) - and will function accordingly. In other words, the L2TP/PPP protocol will create a tunnel within the IPsec transport connection. The locally connected L2TP system will be assigned its IP address dynamically.

Table 6: Connection types

U Initiating a connection
There are 2 options:
Start a connection to the remote side
Wait for the remote side [to set up a connection]
D Start a connection to the remote side
In this case, the local EAGLE sets up the connection to the remote side. The fixed IP address or domain name of the remote side must be entered in the Address of the remote site's VPN gateway field (see above).
D Wait for the remote side [to set up a connection]
In this case, the local EAGLE is ready to accept a connection which a remote site actively initiates and sets up to the local EAGLE. The entry in the Address of the remote site's VPN gateway field (see above) may be: %any.
If the EAGLE should only accept a connection initiated by a specific remote site (which has a fixed IP address), enter its IP address or hostname to be on the safe side.
Note: If the EAGLE operates in single-client transparent mode, this setting has no effect, i.e. it is ignored and the connection is initiated automatically as soon as the EAGLE notices that the connection is to be used. In multi-client transparent mode, no VPN is possible.

U Authentication method
There are 2 options:
X.509 Certificate and
Pre-Shared Key
D X.509 Certificate
This method is supported by most of the newer IPsec implementations and is currently considered the most secure. In this case, the EAGLE uses the public key of the remote site (filename *.cer or *.pem) to encrypt the authentication datagram before it sends it to the remote site, the tunnel end. (You must have received this *.cer or *.pem file from the operator at the remote site, perhaps on a diskette or attached to an e-mail.)
To make this public key available to the EAGLE, proceed as follows:
Requirement: You have saved the *.cer or *.pem file on the computer.
V Click Configure.
Result: The screen VPN:connections:connection xyz:X.509 certificate appears. (xyz represents the name of the connection.)
V Click Search... and select the file.
V Click Import.
After the import, the contents of the new certificate are displayed, see the following figure. For an explanation of the information displayed, see the chapter VPN:Machine Certificate on page 135.

Fig. 53: Public key

D Pre-Shared Key (PSK)
This procedure is supported in particular by older IPsec implementations.
Here, both ends of the tunnel are configured with the same secret string,
the pre-shared key, which has been arranged beforehand. During the key
exchange each side proves to the other that it knows this string; no
certificates are involved. Anyone who learns the string can impersonate
either end, so it must be exchanged over a secure path and not, for
example, in plain e-mail.
To make the arranged key available to the EAGLE, proceed as
follows:
V Click Configure.
Result: The main screen appears.

Fig. 54: Pre-Shared Secret Key

V Enter the arranged string in the entry field Pre-Shared Key
(PSK). To achieve a security level that is equivalent to 3DES,
the string should be approx. 30 characters made up of
upper and lower case letters and digits, generated randomly
rather than chosen by hand.
V Click Back.
Note: The Pre-Shared Key cannot be used with dynamic (%any)
IP addresses; fixed IP addresses are required at both ends of the tunnel.
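The following Python script is an added illustration and not part of the EAGLE firmware or of this manual. It shows where the recommendation of about 30 letters and digits comes from: a key drawn uniformly from the 62 letters and digits carries log2(62), about 5.95 bits, per character, so 19 characters already reach the roughly 112-bit effective strength of 3DES-168 and 30 characters leave a comfortable margin. The 112-bit figure for "equivalent to 3DES" and the use of Python's secrets module are the example's own assumptions.

```python
import math
import secrets
import string

# Alphabet the manual recommends: upper- and lower-case letters and digits.
PSK_ALPHABET = string.ascii_letters + string.digits

# Effective strength of 3DES-168 against a meet-in-the-middle attack is about
# 112 bits; this example assumes that figure is what "equivalent to 3DES" means.
TARGET_BITS = 112


def psk_entropy_bits(psk, alphabet=PSK_ALPHABET):
    """Bits of entropy of a key drawn uniformly at random from `alphabet`.

    This measures the generator's search space, not the string itself: a
    30-character product name or date typed by hand has far less entropy than
    this number, which is why the key must come from a CSPRNG.
    """
    if not psk or any(c not in alphabet for c in psk):
        raise ValueError("PSK is empty or uses characters outside the agreed alphabet")
    return len(psk) * math.log2(len(alphabet))


def min_psk_length(target_bits=TARGET_BITS, alphabet=PSK_ALPHABET):
    """Smallest key length whose search space reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_psk(length=30, alphabet=PSK_ALPHABET):
    """Generate a PSK from the operating system's CSPRNG (never random.random)."""
    if length < min_psk_length(alphabet=alphabet):
        raise ValueError(f"length {length} gives less than {TARGET_BITS} bits")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk, target_bits=TARGET_BITS):
    """Accept only keys from the agreed alphabet with enough entropy and
    without the obvious structure of a hand-made key (few distinct characters)."""
    try:
        bits = psk_entropy_bits(psk)
    except ValueError as exc:
        return False, str(exc)
    if bits < target_bits:
        return False, (f"only {bits:.0f} bits, need {target_bits} "
                       f"(at least {min_psk_length(target_bits)} characters)")
    if len(set(psk)) < len(psk) // 2:
        return False, "too few distinct characters; the key was not generated randomly"
    return True, f"{bits:.0f} bits"


if __name__ == "__main__":
    key = generate_psk(30)
    print(key, check_psk(key))
```

Both ends must receive the generated string unchanged; a key that fails check_psk at one end because of a transcription error will simply make the key exchange fail.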


U ISAKMP SA (key exchange)
D Encryption algorithm
Make arrangements with the administrator at the remote terminal as
to which encryption procedure is to be used; both ends must select
the same algorithm, otherwise the key exchange fails.
3DES-168 is the most frequently used procedure and for this reason
is the default setting.
The following principles apply: The more bits an encryption algorithm
has, indicated by the number at the end, the higher the level of security
it offers. The relatively new procedure AES-256 is regarded as the most
secure, but has not yet been widely implemented.
The longer the key, the longer the encryption procedure takes.
This aspect is irrelevant for the EAGLE, since it operates with
hardware-based encryption. It could, however, play a role for
the remote terminal.
The algorithm named Null offers no encryption whatsoever: the tunnel
then only authenticates and integrity-protects the data, but anyone on
the path can read it. Select it only for test purposes.
D Checksum algorithm/Hash
Keep the setting on All algorithms. Then it makes no difference
whether the remote terminal operates with MD5 or SHA-1. Note that
All algorithms leaves the choice to the remote terminal; if both ends
support SHA-1, selecting it explicitly is preferable to MD5.

U IPsec SA (data exchange)
In contrast to ISAKMP SA (key exchange) (see above), the algorithms
for the actual data exchange are defined here. They can differ from those
of the key exchange, but this is not mandatory. As with the key exchange,
both ends must agree on the same settings.
D Encryption algorithm
See above.
D Checksum algorithm/Hash
See above.


U Perfect Forward Secrecy (PFS)
Procedure for increasing the security of data transmissions. With IPsec
the keys for exchanging data are renewed at specific intervals. With PFS
each renewal performs a fresh Diffie-Hellman exchange with the remote
station, so that the new keys cannot be derived from the keys or random
numbers of the previous exchange. An attacker who later obtains one key
therefore cannot decrypt data protected with earlier or later keys.
Select Yes only if the remote terminal supports this procedure; otherwise
the data exchange cannot be negotiated.
When you select the connection type Transport (L2TP Microsoft
Windows), set Perfect Forward Secrecy (PFS) to No.

U Tunnel settings
D The address of the local network
D The related network mask
These entries specify the address of the client (network or computer)
that is directly connected to the secure port of the EAGLE and that the
EAGLE is protecting. The address designates the local endpoint of
the connection; only traffic from this network (or computer) is sent
through the tunnel.

Fig. 55: Local devices and addresses (Tunnel: the address of the local
network, which can also be an individual computer; the unsecure network
leads to the remote terminal)


Example:
If the computer connected to the EAGLE is the one you are using to
configure the device, the entries could then be:
Address of the local network: 192.168.1.1
The related network mask: 255.255.255.0
(With this mask the entry describes the network 192.168.1.0/24.)
See also Example of a network on page 185.
D The virtual IP which will be used by the client SCT mode
A VPN tunnel can only connect two local networks over a public
network. If the EAGLE is operating in single-client transparent
mode, there is only one single computer connected to it - see
Network:Transparent mode on page 100. Hence, to set up
a VPN tunnel, a connected local network must be simulated.
The computer connected to the EAGLE is assigned a virtual
IP address in this network.
For the remote terminal, this virtual IP address is the address of the
(simulated) local network at which the computer that is physically
connected to the EAGLE can be reached in the VPN. For the remote
terminal this means that this simulated IP address is to be
specified as the address of the network on the other end when the
VPN connection is configured.
The system locally connected to the EAGLE knows nothing of this
virtual IP under which it is accessed by the remote site. In other
words, it need not be specially configured.
What this means is that:
You can enter any IP address desired in the syntax 192.xxx.xxx.xxx
(x = any digit) as long as it is not already assigned at the remote site
and does not lie in a network used there. Take the address from a private
range (for example 192.168.x.x, see RFC 1918), so that it cannot collide
with public addresses reachable from the remote site.
To avoid conflicts with IP addresses at the remote site, speak with the
responsible administrator.
This virtual IP address must be entered at the remote site in the
configuration of this VPN connection as the Remote network address.
D Tunnel: Remote network address
D Tunnel: The appropriate remote netmask
With these two entries, you specify the address of the network in
which the remote communication partner can be found. This address
can also be that of a computer, which is connected directly to the
VPN gateway.
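The following Python example is added here and is not part of the manual or of the EAGLE firmware. It turns the four tunnel entries into the networks they denote, checks the two conditions the text sets (the local and remote networks must not overlap, and a virtual IP for single-client transparent mode must lie outside the remote network and in a private range), and prints the mirrored entries the remote administrator has to make. The field names in the returned dictionary are the manual's; the /32 mask for a single computer is the example's assumption.

```python
import ipaddress

# Mask for a single computer, also used for the virtual IP in single-client
# transparent mode (assumption of this example: a /32 network).
HOST_MASK = "255.255.255.255"


def tunnel_network(address, netmask):
    """The network meant by 'address of the local network' plus netmask.

    strict=False accepts a host address such as 192.168.1.1 with mask
    255.255.255.0 (the manual's example) and reduces it to 192.168.1.0/24,
    which is the selector the tunnel actually carries."""
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def check_tunnel(local_addr, local_mask, remote_addr, remote_mask, virtual_ip=None):
    """Return a list of problems with the tunnel settings (empty list = OK)."""
    local = tunnel_network(local_addr, local_mask)
    remote = tunnel_network(remote_addr, remote_mask)
    problems = []
    if local.overlaps(remote):
        problems.append(f"local {local} overlaps remote {remote}; routing would be ambiguous")
    if virtual_ip is not None:
        vip = ipaddress.IPv4Address(virtual_ip)
        if vip in remote:
            problems.append(f"virtual IP {vip} lies inside the remote network {remote}")
        if not vip.is_private:
            problems.append(f"virtual IP {vip} is not in a private (RFC 1918) range")
    return problems


def remote_side_entries(local_addr, local_mask, remote_addr, remote_mask):
    """The Tunnel settings the remote administrator must enter: our local
    network becomes their remote network and vice versa."""
    local = tunnel_network(local_addr, local_mask)
    remote = tunnel_network(remote_addr, remote_mask)
    return {
        "The address of the local network": str(remote.network_address),
        "The related network mask": str(remote.netmask),
        "Remote network address": str(local.network_address),
        "The appropriate remote netmask": str(local.netmask),
    }


def sct_mode_entries(virtual_ip, remote_addr, remote_mask):
    """Single-client transparent mode: the virtual IP is the whole local
    network (/32), and the remote site enters it as its remote network."""
    return remote_side_entries(virtual_ip, HOST_MASK, remote_addr, remote_mask)


if __name__ == "__main__":
    # Constructed example values: the manual's 192.168.1.1/24 as the local
    # network and 10.0.0.0/24 behind the remote gateway.
    print(check_tunnel("192.168.1.1", "255.255.255.0", "10.0.0.0", "255.255.255.0"))
    for field, value in remote_side_entries("192.168.1.1", "255.255.255.0",
                                            "10.0.0.0", "255.255.255.0").items():
        print(f"{field}: {value}")
```

Running check_tunnel before the remote administrator enters the mirrored values catches the two mistakes that otherwise show up only as "IPsec State: WAITING" later on.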


Fig. 56: Devices and address of the remote terminal (the address of the
VPN gateway of the remote terminal; Tunnel: the address of the network
on the opposite end, which can also be a single computer)

U Firewall incoming, Firewall outgoing
While the settings made in the Firewall menu only affect non-VPN
connections (see Firewall:Incoming on page 110), these settings affect
just the VPN connection defined here. What this means is that: If you
have defined multiple VPN connections, you can restrict the outgoing
or incoming access individually for each connection. You can have any
attempts made to bypass these restrictions logged.
Note: According to the factory setting, the VPN firewall is set up in such
a way that everything is permitted for the VPN connection. A VPN tunnel
only protects the data in transit; it does not vouch for the hosts at the
other end. Restrict the traffic to the protocols and addresses the remote
site actually needs.
The extended firewall settings, which are defined and explained earlier
(see Firewall:Extended Settings on page 119), nonetheless apply to
each individual VPN connection, independently of each other.
Note: If multiple firewall rules are set, they are searched in the order
in which they are listed (from top to bottom) until a suitable rule is found.
This rule is then applied. If further down in the list there are other
rules which would also fit, they are ignored. Place specific rules above
general ones, otherwise a general rule hides the specific one.
V To set or delete a firewall rule, proceed as described in the earlier
sections (see Firewall:Incoming on page 110 and
Firewall:Outgoing on page 112).

As there, you have the following entry options:
D Protocol: All means: TCP, UDP, ICMP and other IP protocols.
D IP address: 0.0.0.0/0 means all addresses. To enter an address
range, use the CIDR notation (see CIDR (Classless InterDomain
Routing) on page 183).
D Port: (is only evaluated for the protocols TCP and UDP)
any designates any port.
startport:endport (e. g. 110:120) designates a port range.
Individual ports can be specified either with the port number or with
the respective service name (e. g. 110 or pop3 for the POP3 port).
D Action:
Accept means the data packets are permitted to pass through.
Reject means that the data packets are not accepted, and the sender
is notified that the data was rejected. (In transparent mode, Reject has
the same effect as Discard unless the local IP address is entered
correctly; see the note below.)
Discard means the data packets are not permitted to pass through.
They are swallowed, and the sender is not notified about what
happened to the data.
D Log
For each individual firewall rule you can decide whether, when the rule
is applied, the event should be logged (set Log to Yes) or not (set Log
to No, the factory default setting).
D Log entries for unknown connection attempts
If this is set to Yes, all attempts to establish a connection which are not
covered by the rules defined above are logged.
Note: In Transparent mode Reject is only supported if the local IP address
is entered correctly.
Note: If multiple firewall rules have been set, these are processed in
the order in which they were entered; the first matching rule wins.
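As an added illustration (not code from the EAGLE or from this manual), the following Python model evaluates a rule list exactly as described above: protocol, CIDR address range, port (number, service name or startport:endport, evaluated for TCP and UDP only), first match from top to bottom, per-rule logging and a separate switch for logging unknown connection attempts. It also finds rules that can never be applied because a broader rule above them matches first, which is the ordering mistake the note warns about. The small service table and the default action for unmatched packets are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of /etc/services; the manual's own example maps pop3 to 110.
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "pop3": 110, "https": 443, "syslog": 514}


@dataclass
class Rule:
    protocol: str   # "all", "tcp", "udp" or "icmp"
    ip: str         # CIDR; 0.0.0.0/0 means all addresses
    port: str       # "any", "110", "pop3" or "110:120"; evaluated for TCP/UDP only
    action: str     # "accept", "reject" or "discard"
    log: bool = False


def parse_port(spec):
    """'any' -> None, '110' or 'pop3' -> (110, 110), '110:120' -> (110, 120)."""
    def one(s):
        if s.isdigit():
            p = int(s)
        elif s.lower() in SERVICES:
            p = SERVICES[s.lower()]
        else:
            raise ValueError(f"unknown port or service name {s!r}")
        if not 0 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
        return p
    if spec == "any":
        return None
    if ":" in spec:
        lo, hi = (one(x) for x in spec.split(":", 1))
        if lo > hi:
            raise ValueError("startport greater than endport")
        return lo, hi
    p = one(spec)
    return p, p


def rule_matches(rule, protocol, address, port=None):
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if ipaddress.ip_address(address) not in ipaddress.ip_network(rule.ip, strict=False):
        return False
    if protocol in ("tcp", "udp"):
        rng = parse_port(rule.port)
        if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
            return False
    return True


def evaluate(rules, protocol, address, port=None, log_unknown=False, default="discard"):
    """First match from top to bottom wins; later matching rules are ignored.

    Returns (action, logged). A packet no rule covers is an 'unknown
    connection attempt': it gets the assumed default action and is logged
    only if 'Log entries for unknown connection attempts' is Yes."""
    for rule in rules:
        if rule_matches(rule, protocol, address, port):
            return rule.action, rule.log
    return default, log_unknown


def shadowed(rules):
    """Indices of rules that a broader rule above them already covers
    completely, so they can never be applied."""
    hidden = []
    for i, r in enumerate(rules):
        for above in rules[:i]:
            proto_ok = above.protocol in ("all", r.protocol)
            net_ok = ipaddress.ip_network(r.ip, strict=False).subnet_of(
                ipaddress.ip_network(above.ip, strict=False))
            pa, pr = parse_port(above.port), parse_port(r.port)
            port_ok = pa is None or (pr is not None and pa[0] <= pr[0] and pr[1] <= pa[1])
            if proto_ok and net_ok and port_ok:
                hidden.append(i)
                break
    return hidden


if __name__ == "__main__":
    # Constructed rule set: the specific discard rule is hidden by the general accept above it.
    rules = [Rule("tcp", "0.0.0.0/0", "any", "accept"),
             Rule("tcp", "10.0.0.0/8", "ssh", "discard", log=True)]
    print(evaluate(rules, "tcp", "10.1.2.3", 22), "shadowed:", shadowed(rules))
```

With the two rules swapped, SSH from 10.0.0.0/8 is discarded and logged while everything else over TCP is still accepted; with the order shown, the discard rule never fires and nothing is logged.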


6.7.2 VPN:Machine Certificate

Fig. 57: Machine Certificate

U Certificate
Displays the currently imported X.509 certificate with which the EAGLE
identifies itself to other VPN gateways. The following information is
displayed:

Info                   Meaning
subject                The owner to whom the certificate is issued.
issuer                 The certification authority that signed the
                       certificate (for a self-signed certificate this is
                       identical to the subject).
                       Both are given as a distinguished name with the
                       components:
                       C : Country
                       ST: State
                       L : City
                       O : Organization
                       OU: Department (organization unit)
                       CN: Hostname, common name
MD5, SHA1 Fingerprint  Fingerprint of the certificate so that it, for
                       example, can be compared with others on the
                       phone. Windows displays the fingerprint in the
                       SHA1 format.
notBefore, notAfter    Validity period of the certificate. It is ignored
                       by the EAGLE, since the device does not have a
                       built-in clock. An expired certificate is therefore
                       still accepted: replace a certificate that is no
                       longer trusted by importing a new one rather than
                       relying on its expiry.

Table 7: Certificate information
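The fingerprint row of Table 7 is what you compare over a second channel when the certificate file itself travelled over an untrusted path. The Python example below is added here and is not part of the manual or of the EAGLE firmware: it computes the MD5 and SHA-1 fingerprints the same way the device and OpenSSL do (a hash over the DER encoding of the certificate), extracts the DER from a PEM file, and compares a fingerprint read out by the remote operator with the displayed one regardless of case and separators (the Windows certificate viewer shows spaces, the EAGLE colons). The certificate bytes in the example are constructed and are not a real X.509 structure.

```python
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """DER body of a PEM-armoured certificate (*.pem). A *.cer file is often
    already DER; pass its bytes straight to fingerprint()."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algorithm="sha1"):
    """Fingerprint as the EAGLE and OpenSSL display it: the hash of the DER
    encoding written as colon-separated upper-case hex bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators and case so 'AB:CD', 'ab cd' (Windows) and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(shown, spoken):
    """Compare the fingerprint shown by the device with the one read out by the
    remote operator. Only a complete MD5 (32 hex digits) or SHA-1 (40) value
    counts; comparing the first few bytes is not enough."""
    a, b = normalize(shown), normalize(spoken)
    return len(a) in (32, 40) and hmac.compare_digest(a, b)


# Constructed stand-in for a certificate: NOT a real X.509 structure, it only
# exercises the PEM decoding and the hashing.
FAKE_DER = bytes(range(64))
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    der = pem_to_der(FAKE_PEM)
    print("MD5 ", fingerprint(der, "md5"))
    print("SHA1", fingerprint(der, "sha1"))
```

Read the full SHA-1 value over the phone; an attacker who substituted the file on the way would have to produce a certificate with the same fingerprint, which the hash makes infeasible.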

In addition to the information provided above, the imported certificate file
(filename extension *.p12 or *.pfx) contains both keys: the public key
and the private key. The public key can be given to any number of
connection partners, allowing them to verify the identity of this EAGLE
and to send it encrypted data; the private key must never leave the
device except in a protected backup of the PKCS#12 file.
Depending on the remote terminal, the certificate must be made
available to the operator of the remote terminal as a .cer or .pem file - for
example, by giving it to the operator personally or sending it as an e-mail.
If you do not have access to a secure transmission path, have the operator
compare the fingerprint displayed by the EAGLE with the fingerprint of the
file received, over a separate path (for example by telephone). A matching
fingerprint shows that the file was not exchanged in transit.
Only one certificate file (PKCS#12 file) can be imported into the device.
To import a (new) certificate, proceed as follows:


U New certificate
Requirement:
The certificate file (filename = *.p12 or *.pfx) is generated and stored on
the connected computer.
V Click Search... to select the file.
V Enter the password with which the private key of the PKCS#12 file is
protected into the field.
V Click Import.
V Afterwards, click OK.
V After the import a system message will appear:

Fig. 58: System message

6.7.3 VPN:L2TP

Fig. 59: VPN:L2TP

U Start L2TP Server for IPsec/L2TP? Yes / No
If you wish to permit an L2TP connection, set this switch to Yes.
Within the IPsec transport connection, the L2TP connection in turn
contains a PPP connection. This results in a type of tunnel between two
networks. In doing so, the EAGLE informs the remote terminal about
the addresses that are used: for itself and for the remote terminal.

U Local IP for L2TP connections
With the setting shown in the screenshot above, the EAGLE informs
the remote site that its own address is 10.106.106.1.

U Assignment of IPs for the L2TP remote site
With the settings shown in the screenshot above, the EAGLE assigns
the remote site an address starting from 10.106.206.2 (in the case of a
single system) up to 10.106.206.254 (in the case of multiple systems).


6.7.4 VPN Configuration, IPsec Status - Display


Provides information about the status of the IPsec connections.
The names of the VPN connections are listed on the left. Their current
statuses are displayed to their right.
D GATEWAY designates the communicating VPN gateways.
D TRAFFIC designates the computers or networks that communicate via
the VPN gateways.
D ID designates the distinguished name (DN) of an X.509 certificate.
D ISAKMP status (Internet Security Association and Key Management
Protocol) has the value established if both participating VPN gateways
have set up a channel for exchanging keys. In this case, they can contact
each other and thus all entries, including ISAKMP SA, on the
configuration end of the connection were correct.
D IPsec status has the value established if the IPsec encryption is
activated for communication. In this case, the values under IPsec SA
and Tunnel settings were also correct.
Should you encounter problems, we recommend that you take a look at the
VPN logs of the computer to which the connection was set up. For security
reasons, the initiating computer is not sent any detailed error messages.
If the display shows:
ISAKMP SA established, IPsec State: WAITING
This means that:
The authentication was successful, but the other parameters are not correct.
Do the connection types (Tunnel, Transport) match?
If Tunnel has been selected, do the network address ranges match at both
ends of the connection (local and remote network swapped)?
Do the IPsec SA settings and Perfect Forward Secrecy match?
If the display shows:
IPsec State: IPsec SA established
This means that:
The VPN connection has been successfully set up and can be used. If this is
not the case, there must be a problem with the remote VPN gateway. In this
case, click on the connection name and then on OK to set up the connection
again.
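The following Python model is an added example, not code from the EAGLE or from this manual. It ties the two status lines above back to the settings of section 6.7: it negotiates the ISAKMP SA and IPsec SA algorithms the way the text describes ("All algorithms" leaves the hash choice to the peer, the encryption algorithm must be identical), checks PFS, the connection type and the mirrored tunnel networks, and returns the status text the display would show together with the reasons for a WAITING state. The strength table and the names other than 3DES-168, AES-256 and Null are the example's assumptions; authentication itself is not modelled (an established ISAKMP SA is taken to mean it succeeded).

```python
from dataclasses import dataclass
from typing import Optional

# Effective strength in bits, used only by audit(). 3DES-168, AES-256 and Null
# are the menu entries the manual names; the other names are assumed.
ENCRYPTION_BITS = {"null": 0, "des-56": 56, "3des-168": 112, "aes-128": 128,
                   "aes-192": 192, "aes-256": 256}
HASH_PREFERENCE = ("sha1", "md5")      # prefer SHA-1 when both ends allow both


@dataclass
class SaSettings:
    encryption: str        # exactly one algorithm, as selected in the menu
    hash: str = "all"      # "all", "md5" or "sha1"


@dataclass
class VpnConnection:
    isakmp: SaSettings     # ISAKMP SA (key exchange)
    ipsec: SaSettings      # IPsec SA (data exchange)
    pfs: bool              # Perfect Forward Secrecy
    conn_type: str         # "tunnel" or "transport"
    local_net: str         # this side's "address of the local network" (CIDR)
    remote_net: str        # this side's "remote network address" (CIDR)


def negotiate(a, b) -> Optional[tuple]:
    """(encryption, hash) both sides accept, or None. The encryption algorithm
    must be identical; 'All algorithms' for the hash leaves the choice to the peer."""
    enc = a.encryption.lower()
    if enc != b.encryption.lower():
        return None
    ha, hb = a.hash.lower(), b.hash.lower()
    if ha == "all" and hb == "all":
        return enc, HASH_PREFERENCE[0]
    if ha == "all":
        return enc, hb
    if hb == "all":
        return enc, ha
    return (enc, ha) if ha == hb else None


def status(local, remote):
    """Status text as the IPsec Status display shows it, plus the reasons."""
    if negotiate(local.isakmp, remote.isakmp) is None:
        return "ISAKMP SA not established", ["ISAKMP SA (key exchange) settings differ"]
    problems = []
    if negotiate(local.ipsec, remote.ipsec) is None:
        problems.append("IPsec SA (data exchange) settings differ")
    if local.pfs != remote.pfs:
        problems.append("Perfect Forward Secrecy is set on one side only")
    if local.conn_type != remote.conn_type:
        problems.append("connection types differ (Tunnel vs. Transport)")
    elif local.conn_type == "tunnel" and (local.local_net != remote.remote_net
                                          or local.remote_net != remote.local_net):
        problems.append("tunnel networks are not mirrored at both ends")
    if problems:
        return "ISAKMP SA established, IPsec State: WAITING", problems
    return "ISAKMP SA established, IPsec State: IPsec SA established", []


def audit(conn):
    """Settings a practitioner would not leave in place for production traffic."""
    warnings = []
    for phase, sa in (("ISAKMP SA", conn.isakmp), ("IPsec SA", conn.ipsec)):
        bits = ENCRYPTION_BITS.get(sa.encryption.lower())
        if bits == 0:
            warnings.append(f"{phase}: Null gives no confidentiality at all")
        elif bits is not None and bits < 112:
            warnings.append(f"{phase}: {sa.encryption} is weaker than 3DES-168")
        if sa.hash.lower() == "md5":
            warnings.append(f"{phase}: MD5 selected; prefer SHA-1")
    if not conn.pfs and conn.conn_type == "tunnel":
        warnings.append("PFS off: a compromised key exchange exposes all later data keys")
    return warnings


if __name__ == "__main__":
    # Constructed pair: the remote side got the remote network wrong.
    here = VpnConnection(SaSettings("3DES-168"), SaSettings("3DES-168"), True,
                         "tunnel", "192.168.1.0/24", "10.0.0.0/24")
    there = VpnConnection(SaSettings("3DES-168", "sha1"), SaSettings("3DES-168"), True,
                          "tunnel", "10.0.1.0/24", "192.168.1.0/24")
    print(status(here, there))
```

Because the initiating side receives no detailed error, comparing both configurations this way (or reading the responder's VPN log) is the quickest route from "WAITING" to the setting that differs.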


6.7.5 VPN:L2TP Status - Display


Shows information about the L2TP status when this type of connection has
been selected (see VPN:L2TP on page 138).

6.7.6 VPN:VPN Logs - Display


Lists all VPN events.
The format of the log corresponds to that common under Linux.
Special analysis programs are available which can be used to present the
information from the log in a more readable format.

6.8 Services menu

6.8.1 Services:DNS
If the EAGLE is to set up a connection to a remote terminal (for example
VPN gateway or NTP server), it must know the IP address of the remote
terminal. If the address is provided as a domain address (i. e. in the
format www.abc.xyz.de), the device must first look up which IP address
this resolves to on the domain nameserver.
If the EAGLE is not in transparent mode, you can configure the locally
connected clients, so that they can use the EAGLE to resolve the
hostnames into IP addresses (see IP configuration for the Windows clients
on page 149).

Fig. 60: Services:DNS

U Hostname mode
With Hostname mode and Hostname you can assign the EAGLE
a name. It is displayed when someone logs in with SSH. A consistent
naming scheme simplifies the administration of several EAGLEs.
D User defined (see below)
(Standard) The name entered in the field hostname is set as the
name for the EAGLE.
Note: If the EAGLE is operating in transparent mode, the option User
defined must be selected as the hostname mode.
D Provider defined (e. g. via DHCP)
If the network mode permits the hostname to be set externally,
such as with DHCP, the name transmitted by the provider will then
be set for the EAGLE.

U Hostname
If the option User defined is selected under hostname mode, then enter
the name here that is to be given to the EAGLE.
If the option Provider (e. g. via DHCP) is selected under Hostname
mode, an entry in this field will be ignored.

U Domain search path


This entry makes it easier for the user to specify a domain name: If the
user enters a domain name in an abbreviated form, the EAGLE extends
the entry by appending the domain suffix defined here in the Domain
search path.

U Used nameserver
Options:
Root Nameserver
Provider defined
User defined


D Root Nameserver
Requests are sent to the root nameservers in the Internet whose
IP addresses are stored in the EAGLE. These addresses seldom
change. This setting should only be selected if the alternative settings
do not function.
D Provider defined
With this setting, the device uses the domain nameserver of
the Internet Service Provider which is used to access the Internet.
You can select this setting when the EAGLE is operated in
PPPoE or Router mode with DHCP active (see Services:DHCP on
page 147).
D User defined
If this setting is selected, the EAGLE sets up a connection with the
domain nameservers that are listed in User-defined nameserver.
In transparent mode only the first two entries in this list are evaluated.

U User defined nameservers


You can record the IP addresses of domain nameservers in this list.
If one of these should be used by the EAGLE, specify this under
Servers to query.
Note: If you have selected User defined, you must configure the locally
connected clients to use the address of the EAGLE to retrieve the
IP address associated with a hostname (see IP configuration for the
Windows clients on page 149).


6.8.2 Services:DynDNS Monitoring


When setting up a VPN connection between two locations, it is assumed
that the IP address of at least one location is known and thus can be defined.
Many Internet service providers (ISP) assign IP addresses dynamically.
This means that the IP addresses of the computers or networks that access
the Internet change regularly.
To solve the problem of dynamically assigned IP addresses, so-called
DynDNS services can be used. Such a service makes it possible for the
EAGLE to be reached under a fixed domain name regardless of the IP
address it is currently using. Each time the IP address changes, the EAGLE
reports the new IP address to the DynDNS server, so that the current IP
address is always correctly assigned to the domain name on the DNS server
(see Glossary on page 227).
For further information, contact Hirschmann support.

Fig. 61: DynDNS monitoring

U Monitoring hostnames from VPN remote terminals


If the address of the VPN remote terminal is specified to the EAGLE as
a hostname (see VPN:Connections on page 122), and if this domain
name is assigned by a DynDNS service, then the EAGLE can poll the
respective DynDNS service for changes of the IP address.


U Polling interval
Standard: 300 (seconds)
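The polling logic described above, as an added Python example (not code from the EAGLE or from this manual): the monitor resolves the remote terminal's hostname at most once per polling interval, reports when the address differs from the last known one, and treats a failed lookup as "no change" rather than as a new address, so that a transient DNS outage does not tear down a working tunnel. The resolver is injected and the clock is passed in, which is how the example runs without a network; the hostname and addresses are constructed.

```python
from typing import Callable, Optional


class DynDnsMonitor:
    """Polls the DynDNS hostname of a VPN remote terminal at a fixed interval
    and reports when its IP address has changed.

    `resolver(hostname)` returns the address as a string, or None when the
    lookup failed; `now` is passed to poll() in seconds so the logic can be
    exercised without a clock or network."""

    def __init__(self, hostname: str, resolver: Callable[[str], Optional[str]],
                 poll_interval: float = 300.0):
        self.hostname = hostname
        self.resolver = resolver
        self.poll_interval = poll_interval       # manual's default: 300 seconds
        self.current_ip: Optional[str] = None
        self.next_poll = 0.0
        self.failures = 0

    def poll(self, now: float) -> Optional[str]:
        """Return the new address if it changed at this poll, otherwise None."""
        if now < self.next_poll:
            return None                          # not due yet
        self.next_poll = now + self.poll_interval
        ip = self.resolver(self.hostname)
        if ip is None:
            # A failed lookup is not a change: keep the tunnel on the last
            # known address instead of tearing it down on DNS noise.
            self.failures += 1
            return None
        self.failures = 0
        if ip != self.current_ip:
            self.current_ip = ip
            return ip
        return None


class FakeResolver:
    """Constructed stand-in for the DynDNS service: returns whatever `ip`
    is set to, or None to simulate a failed lookup."""

    def __init__(self, ip: Optional[str]):
        self.ip = ip

    def __call__(self, hostname: str) -> Optional[str]:
        return self.ip


if __name__ == "__main__":
    dns = FakeResolver("198.51.100.7")           # constructed address
    monitor = DynDnsMonitor("plant-b.example.net", dns)
    print(monitor.poll(0))                       # first poll: address learned
    dns.ip = "198.51.100.9"                      # the remote site's ISP reassigned it
    print(monitor.poll(300))                     # change reported at the next interval
```

A change reported by poll() is the moment to set up the VPN connection again with the new address of the remote gateway; the polling interval bounds how long the tunnel stays down after a change at the remote site.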

6.8.3 Services:DynDNS registration


To set up VPN connections at least the IP address of one of the partners
must be known, so that the partners can communicate with each other.
This is not the case if both participants are assigned IP addresses dynamically
by their Internet service providers. In such a case, a DynDNS service,
such as the one from the Hirschmann Competence Center or DNS4BIZ.com,
can help. With the DynDNS service, the currently valid IP address is
registered under a fixed name (see Services:DynDNS registration on
page 145).
Provided that you are registered for one of the DynDNS services supported
by the EAGLE, you can make the proper entries in the dialog box.

Fig. 62: DynDNS registration

U Register this EAGLE at a DynDNS Service?


Select Yes, if you have registered with a DynDNS Service provider and
the EAGLE should utilize this service. In this case, the EAGLE will report
its current IP address - the one assigned for its own Internet access by its
Internet Service Provider - to the DynDNS Service.

U Refresh Interval
Standard: 420 (seconds)
Whenever the IP address of its own Internet access is changed, the EAGLE
will inform the DynDNS Service of its new IP address. For additional
reliability, the device will also report its IP address at the interval set here.

U DynDNS provider
The providers made available for selection support the same protocol
that the EAGLE supports.
Enter the name of the provider where you are registered, for example
DynDNS.org.

U DynDNS server
Name of the server of the DynDNS providers selected above,
for example: dyndns.org.

U DynDNS Login
Enter the user name that you have been assigned here.

U DynDNS Password
Enter the password that you have been assigned here.

U DynDNS Hostname
The hostname selected at DynDNS service for this EAGLE- provided that
you use a DynDNS service and have made the proper settings above.


6.8.4 Services:DHCP
The DHCP server (Dynamic Host Configuration Protocol) of the EAGLE
automatically assigns the clients connected to the EAGLE
D the IP addresses defined in the DHCP range and the subnet mask, or
D the statically entered IP addresses.
Note: It is possible to configure the EAGLE as a DHCP client in router mode
(see External interface on page 102).

Fig. 63: Services:DHCP (server on the secure and insecure port;
statically entered MAC/IP address pairs)

U Start DHCP server


V Set this switch to Yes if you wish to activate this function.
Option:
If the DHCP server is activated, you can enter the network parameters to
be used by the clients:

Parameter                Meaning
DHCP start of range:     Beginning and end of the address range from which
DHCP end of range:       the DHCP server of the EAGLE is to assign IP
                         addresses to the locally connected clients.
Local network mask:      The default setting is: 255.255.255.0
Default gateway:         Determines which IP address the client is to use as
                         the standard gateway.
DNS Server:              Determines from where the clients are to obtain the
                         IP addresses resolved from hostnames. If the DNS
                         service of the EAGLE is activated, this can be the
                         local IP address of the EAGLE.

Table 8: Client network parameters

Note: Only one DHCP server per subnet may be used.
Note: When you start the DHCP server of the EAGLE, you must configure
the locally connected clients in such a way that they automatically obtain their
IP addresses.

U Internal server (trusted port)
Dynamic IP address pool = the addresses from start of range to end of range
MAC addresses of the clients
Which MAC addresses are permitted to access the secure port and then
receive an IP address.
Note: A MAC address can be set freely by the sender, so this list keeps
unconfigured devices out of the address pool but is not an access control;
the firewall rules remain necessary.

U External server (untrusted port)
See Internal server.
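As an added example (not code from the EAGLE or from this manual), the following Python class models the behaviour described above for one port: statically entered MAC/IP pairs always receive their fixed address, the dynamic pool consists of the addresses from start of range to end of range (here counted inclusively) minus the statically reserved ones, a client that asks again gets the same address, and when a list of permitted MAC addresses is given, an unknown MAC gets nothing. The MAC and IP values are constructed.

```python
import ipaddress


class DhcpServer:
    """Model of the EAGLE's DHCP server on one port: statically entered
    MAC/IP pairs, a dynamic pool between start and end of range, and an
    optional list of MAC addresses permitted to receive an address."""

    def __init__(self, start, end, static=None, allowed_macs=None):
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("DHCP end of range lies before start of range")
        self.static = {self._mac(m): ipaddress.IPv4Address(ip)
                       for m, ip in (static or {}).items()}
        # Dynamic pool: every address from start to end inclusive, minus the
        # addresses reserved for static pairs (never hand one out twice).
        reserved = set(self.static.values())
        self.pool = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)
                     if ipaddress.IPv4Address(n) not in reserved]
        self.allowed = None if allowed_macs is None else {self._mac(m) for m in allowed_macs}
        self.leases = {}

    @staticmethod
    def _mac(mac):
        """Canonical form: lower case, colon separated."""
        mac = mac.lower().replace("-", ":")
        if len(mac.split(":")) != 6:
            raise ValueError(f"malformed MAC address {mac!r}")
        return mac

    def pool_size(self):
        return len(self.pool)

    def request(self, mac):
        """Address offered to `mac`, or None if it is not permitted or the pool is empty."""
        mac = self._mac(mac)
        if mac in self.static:                       # static pair wins over everything
            return str(self.static[mac])
        if self.allowed is not None and mac not in self.allowed:
            return None                              # not in the permitted MAC list
        if mac in self.leases:                       # same client, same address
            return str(self.leases[mac])
        in_use = set(self.leases.values())
        for ip in self.pool:
            if ip not in in_use:
                self.leases[mac] = ip
                return str(ip)
        return None                                  # pool exhausted


if __name__ == "__main__":
    # Constructed values: a three-address range with one static pair inside it.
    srv = DhcpServer("192.168.1.100", "192.168.1.102",
                     static={"00:80:63:aa:bb:cc": "192.168.1.101"})
    print(srv.pool_size(), srv.request("00-80-63-AA-BB-CC"), srv.request("00:11:22:33:44:55"))
```

Keep the static addresses inside the subnet but outside the dynamic range where you can; the exclusion in the constructor shows why a static pair inside the range silently shrinks the pool.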


U IP configuration for the Windows clients


In Windows XP, click
Start:Control Panel:Network Connections.
Right-click the LAN adapter icon and select Properties in the context
menu.
In the dialog box Properties of LAN connection Local Network,
on the tab General under Components checked are used by this
connection, select the entry Internet Protocol (TCP/IP)
and then click the button Properties.
In the dialog box Internet Protocol (TCP/IP) Properties,
select the option Obtain an IP address automatically.

6.8.5 Services:NTP
The Network Time Protocol (NTP) allows you to synchronize the system time
within your network. NTP has a hierarchical structure. The NTP server
makes the UTC (Universal Time Coordinated) available. The NTP client
obtains the UTC from the NTP server.

Fig. 64: Network time protocol

U Current system time (UTC)


Displays the current system time in Universal Time Coordinates (UTC).
If Enable NTP time synchronisation (see below) has not yet been
activated and Time stamp in filesystem is deactivated, the clock
starts at 1 January 2000 after each switch-on. Log entries then carry this
wrong time, which makes them hard to correlate with other systems.

U Current system time (local time)


If the possibly differing current local time should be displayed, you must
make the corresponding entry under Timezone in POSIX.1
notation... (see below).

U NTP State
Displays the current NTP state.


U Enable NTP time synchronization: Yes / No


Once NTP is enabled, the EAGLE takes the time from the specified time
servers and displays it as its current system time. The synchronisation can
take several seconds.
If this option is set to Yes and at least one time server is specified under
NTP servers to synchronize to (see below), the current system
time is made available.
Note: Plain NTP is not authenticated, so an attacker on the path can supply
a false time. Prefer time servers in the local network or reachable through
the VPN over servers on the Internet.

U NTP servers to synchronize to


Under this option, enter one or more time servers from which the
EAGLE should obtain the current time. If you enter multiple time servers,
the EAGLE will automatically connect with all of them to determine the
current time.
Note: If you enter a hostname, e.g. pool.ntp.org, instead of an IP address,
a DNS server must also be specified (see Services:DNS on page 141).
Note: If the EAGLE is operating in Transparent mode and multiple time
servers are entered, the EAGLE will only use the first two time servers in
the list.
Note: If the EAGLE is operating in Router, PPPoE or PPTP mode, it will
also make the NTP time available to the connected systems.


U Timezone in POSIX.1 Notation...


If the Current system time above should display your current
local time instead of UTC (Greenwich time), you must enter the number
of hours by which your local time differs from UTC.
Examples:
In Berlin, the time is one hour ahead of Greenwich (UTC+1). In POSIX.1
notation the number is the value that must be added to the local time
to obtain UTC, so its sign is the opposite of the usual "UTC+1".
Therefore, enter: CET-1.
In the entry, the characters preceding the -1, -2 or +1 etc. are not
considered. Only the numerical difference is important. The characters
preceding the numerical difference may be CET or any other acronym
that you find useful.
If you wish to display Central European Time (for example for Germany)
and have it automatically switch to/from daylight saving time, enter:
CET-1CEST,M3.5.0,M10.5.0/3
(CEST names the daylight saving time, which by default is one hour ahead
of the standard time; M3.5.0 means the last Sunday in March at 02:00,
M10.5.0/3 the last Sunday in October at 03:00.)
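To make the inverted sign and the Mm.w.d rules concrete, the following Python code is added here as an example; it is not part of the EAGLE and it implements only the subset of the POSIX.1 TZ grammar the manual uses (whole-hour offsets and Mm.w.d transition rules; a daylight-saving name given without rules is treated as never active, whereas POSIX would apply US defaults). It converts a UTC time to local time for a given TZ string and shows that CET-1 yields UTC+1, that the letters in front of the number do not matter, and where the daylight-saving switches fall in 2004.

```python
import calendar
import datetime as dt
import re

# Subset of the POSIX.1 TZ grammar: std offset [dst [offset] [,start[/time],end[/time]]]
# with transition rules in the Mm.w.d form used by the manual's example.
_TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]+)(?P<stdoff>[+-]?\d+)"
    r"(?:(?P<dst>[A-Za-z]+)(?P<dstoff>[+-]?\d+)?(?:,(?P<start>[^,]+),(?P<end>[^,]+))?)?$")
_RULE_RE = re.compile(r"^M(\d{1,2})\.([1-5])\.([0-6])(?:/(\d{1,2}))?$")


def _rule(spec):
    """Mm.w.d[/h]: day d (0 = Sunday) of week w (5 = last) of month m at hour h (default 2)."""
    m = _RULE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported transition rule {spec!r}")
    month, week, wday, hour = m.groups()
    return int(month), int(week), int(wday), int(hour) if hour else 2


def _transition(year, month, week, posix_wday, hour):
    """Local wall-clock time of the transition described by an Mm.w.d rule."""
    py_wday = (posix_wday - 1) % 7            # POSIX Sunday=0 -> Python Sunday=6
    if week == 5:                              # last such weekday of the month
        day = calendar.monthrange(year, month)[1]
        while dt.date(year, month, day).weekday() != py_wday:
            day -= 1
    else:
        day = 1
        while dt.date(year, month, day).weekday() != py_wday:
            day += 1
        day += 7 * (week - 1)
    return dt.datetime(year, month, day) + dt.timedelta(hours=hour)


def parse_tz(tz):
    m = _TZ_RE.match(tz)
    if not m:
        raise ValueError(f"not a POSIX TZ string: {tz!r}")
    std_off = int(m["stdoff"])                 # POSIX: hours to ADD to local time to get UTC
    dst_off = int(m["dstoff"]) if m["dstoff"] else std_off - 1   # DST defaults to one hour ahead
    return {"std": m["std"], "std_off": std_off, "dst": m["dst"], "dst_off": dst_off,
            "start": _rule(m["start"]) if m["start"] else None,
            "end": _rule(m["end"]) if m["end"] else None}


def local_time(tz, utc):
    """(abbreviation, offset from UTC in hours, local time as ISO string) for a UTC time."""
    if isinstance(utc, str):
        utc = dt.datetime.fromisoformat(utc)
    z = parse_tz(tz)
    abbr, off = z["std"], z["std_off"]
    if z["dst"] and z["start"] and z["end"]:
        # Rule times are local: standard time at the start, daylight time at the end.
        start_utc = _transition(utc.year, *z["start"]) + dt.timedelta(hours=z["std_off"])
        end_utc = _transition(utc.year, *z["end"]) + dt.timedelta(hours=z["dst_off"])
        if start_utc < end_utc:                # northern hemisphere
            in_dst = start_utc <= utc < end_utc
        else:                                  # southern hemisphere: DST spans the new year
            in_dst = not (end_utc <= utc < start_utc)
        if in_dst:
            abbr, off = z["dst"], z["dst_off"]
    local = utc - dt.timedelta(hours=off)
    return abbr, -off, local.isoformat(timespec="minutes")


if __name__ == "__main__":
    for tz in ("CET-1", "XYZ-1", "CET-1CEST,M3.5.0,M10.5.0/3", "EST5"):
        print(tz, local_time(tz, "2004-07-01T12:00"))
```

The manual's release date falls in 2004; in that year the rule string switches to CEST at 01:00 UTC on 28 March and back to CET at 01:00 UTC on 31 October, which the assertions below check.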

U Time stamp in filesystem (2h granularity): Yes / No


If this option is set to Yes, the EAGLE saves the current system time to
its memory every two hours.
Afterwards: If the EAGLE is switched off and back on, a time from this
two hour period is displayed when the EAGLE is switched on, and not
(the factory setting) a time on 1 January 2000. The restored time can thus
be up to two hours behind, plus the time the device was switched off.

6.8.6 Services:Remote Logging


All log entries are recorded in the EAGLEs memory. Once the memory
available for the log has been filled, the oldest log entry will be overwritten.
Furthermore, if the EAGLE is switched off all log entries are deleted.
If you wish to keep a copy of the log, the log entries can be sent to an
external system. This is particularly useful if you wish to have centralised
administration of the logs.

Fig. 65: Remote Logging

U Activate remote UDP Logging: Yes / No


If all log entries should be sent to an external log server (specified below),
set this option to Yes.

U Log Server IP address
Enter the IP address of the log server to which the log entries should be
sent via UDP.
Note: This entry must be an IP address - not a hostname! This function
does not support hostnames, since, if it did, it would not be possible to
log the loss of a DNS server.
Note: UDP delivers the log entries without acknowledgement and without
encryption or authentication. Send them over the local network or through
the VPN, and let the log server accept datagrams only from the address of
the EAGLE.

U Log Server port
Enter the port of the log server to which the log entries should be sent via
UDP. Standard: 514.
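UDP port 514 is the port of the syslog service; the manual does not name the message format, so the Python example below assumes the BSD syslog format that Linux-based devices commonly emit. It is added here and is not code from the EAGLE. It builds a datagram with the priority value (facility * 8 + severity), decodes one received on the log server back into facility, severity, host and text, and contains the sending function for completeness; the sample entries are constructed.

```python
import re
import socket

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>TIMESTAMP HOSTNAME MSG, timestamp as "Mmm dd hh:mm:ss" (day space-padded)
_MSG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def pri(facility, severity):
    """Priority value carried in the angle brackets at the start of a message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def encode(facility, severity, timestamp, hostname, tag, text):
    """One syslog datagram as the device would send it (assumed BSD format)."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}".encode()


def decode(datagram):
    """Split a received datagram into its fields; raises ValueError if malformed."""
    m = _MSG_RE.match(datagram.decode(errors="replace"))
    if not m:
        raise ValueError("not a BSD syslog message")
    p = int(m.group(1))
    if p > 191:
        raise ValueError("PRI out of range")
    fac, sev = divmod(p, 8)
    return {"facility": _FACILITY_NAMES.get(fac, str(fac)),
            "severity": _SEVERITY_NAMES[sev],
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}


def send(datagram, server_ip, port=514):
    """Fire-and-forget over UDP: no delivery guarantee and no authentication,
    which is why the collector should be reachable only on a protected network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server_ip, port))


if __name__ == "__main__":
    # Constructed entry of the kind a rejected shell login would produce.
    msg = encode("auth", "warning", "Oct 12 14:03:22", "eagle-1", "sshd",
                 "Failed password for root from 10.1.2.3")
    print(msg)
    print(decode(msg))
```

On the collector, filter by the source address of the EAGLE and alert on repeated auth entries of severity warning or higher; the decoded fields make that a one-line rule in most log tools.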


6.8.7 Services:SNMP Traps


This dialog allows you to determine which events trigger an alarm (trap) and
where these alarms should be sent.

Fig. 66: SNMP traps

U Enable Authentication traps


The EAGLE sends an authentication alarm if it rejects an unauthorized
access.

U Enable link Up/Down traps
The EAGLE sends a link status alarm if the connection to the connected
network has been interrupted or re-established.

U Enable coldstart traps
The EAGLE sends a cold reset alarm after it has been switched on.


U Enable SecurityGateway traps


The EAGLE sends a SecurityGateway alarm if one of the following
events has occurred:
HTTPS login: There was a login attempt via HTTPS.
Shell login: There was a login attempt via the shell.
DHCP NewClient: The DHCP server has received a request from an
unidentified client.

U Enable chassis traps
The EAGLE sends a chassis alarm if one of the following events has
occurred:
Power Supply: The status of a supply voltage has changed.
Signaling relay: The status of the signal contact has changed.

U Enable agent traps
The EAGLE sends an agent alarm if one of the following events has
occurred:
Temperature: The temperature has exceeded / fallen below the set
threshold values.
AutoConfigAdapter: The Auto Configuration adapter, ACA, has been
added or removed.

U SNMP trap destinations
Destination IP: Enter the IP address of the recipient here, to which
the traps are to be sent.
Destination name: Here you can enter a name of your choice for
each recipient.
Destination community: The community with which the EAGLE
sends a trap. Enter the community here that the trap recipient is
expecting. The community travels in clear text in every trap, so do not
reuse a community that also grants write access, and avoid well-known
values such as public.

6.9 Access menu

6.9.1 Access:passwords
The EAGLE supports 3 levels of user authorization. To login at a specific
level of authorization, the user must enter the corresponding password for
the level.

Fig. 67: Access:Password

U Authorization level root


Offers all rights for all parameters of the EAGLE.
Note: Only this authorization level allows you to connect to the device via
SSH. At this level a faulty configuration can render the entire system
unusable; the system can then only be returned to its delivery state
by flashing the firmware (see Flashing the firmware on page 193).
Default root password: root
Change this password before the device is put into operation.


To change the password, proceed as follows:


V Enter the currently valid root password in the field Old Password.
V Enter the new password twice in the fields New Password and New
Password (Repeat).

U Authorization level Administrator


If you login at this level (password), you are granted all the rights
required for the configuration options that are accessible via the Web-based
administrator interface.
Default user name: admin
Default password: private
The user name admin cannot be changed. Change the default password
before the device is put into operation.
To change the password, enter the desired new password once in each
of the corresponding entry fields.

U Authorization level User
If a user password has been defined and activated, the user must, after
every restart of the EAGLE, enter this password to enable a VPN
connection when he or she first attempts to access any HTTP URL.
If you wish to use this option, enter the desired user password once in
each of the two corresponding entry fields. Then set Enable User
Password to Yes. (State on delivery: No.)


6.9.2 Access:Language
If you select (Automatic) from the list of languages, the device will use the
language setting of the system's browser.

Fig. 68: Setting the language

6.9.3 Access:HTTPS
If HTTPS remote access is activated, the EAGLE can be configured via
its Web-based administrator interface from a computer connected to the
insecure port. This means that a browser is used on the remote computer
to configure the local EAGLE.
This option is disabled by default.

Fig. 69: Access:HTTPS

IMPORTANT: If you enable remote access, make sure that a secure root and
administrator password have been defined.
To enable HTTPS remote access, make the following settings:


U Enable HTTPS remote access


If you wish to enable HTTPS, set this switch to Yes.
Note: Ensure that in this case the firewall rules on this end have been set
so that it is possible to access the EAGLE from an external terminal.

U Port for incoming HTTPS connections


(remote administration only)
Standard: 443
You can set another port.
The remote terminal that performs the remote access must append the port
number defined here to the IP address when entering the address.
Example:
If this EAGLE can be reached at the address 192.144.112.5 over the
Internet, and if port number 443 has been set for remote access, this port
number does not have to be added to the end of the address in the Web
browser at the remote terminal.
When using a different port number, this number must be added to the
end of the IP address, e.g.: 192.144.112.5:442.

U Firewall rules to accept external HTTPS access


Lists the firewall rules that have been set up. They apply to the incoming
data packets of an HTTP remote access attempt.
D Delete rule
Click Delete next to the respective entry.
D Set new rule
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D From IP
Enter the address(es) of the computer(s) permitted remote access.
The following entry options are available:
IP address: 0.0.0.0/0 means all addresses. To indicate a range,
use the CIDR notation - see CIDR (Classless InterDomain Routing)
on page 183.


D Interface
external (fixed)
D Action
Options: Accept / Reject / Drop

Action   Meaning
Accept   the data packets are permitted to pass through.
Reject   the data packets are rejected, and the sender is notified that the data was rejected.
         In transparent mode, Reject has the same effect as Discard, see above.
Drop     the data packets are not permitted to pass through. They are swallowed,
         and the sender is not notified about what happened to the data.

Table 9: Actions for HTTPS access

Note: In Transparent mode Reject is supported if the local IP address
is entered correctly.
D Log
For each individual firewall rule you can decide whether, when the rule is
applied, the event should be logged (set Log to Yes) or not (set Log to No,
the factory default setting).


6.9.4 Access:SSH
If SSH remote access is activated, the EAGLE can be configured by the
computer connected to the insecure port by making an entry on the
command line.
This option is disabled by default.

Fig. 70: Access:SSH

IMPORTANT: If you enable remote access, make sure that a secure root and
administrator password have been defined.
To enable SSH remote access, make the following settings:

U Enable SSH remote access


If you wish to enable SSH remote access, set this switch to Yes.
Note: Ensure that in this case the firewall rules on this end have been set
so that it is possible to access the EAGLE from an external terminal.


U Port for incoming SSH connections


(remote administration only)
Standard: 22
You can set another port.
The remote terminal that performs the remote access must specify the port
number defined here together with the IP address when entering the
address.
Example:
If this EAGLE can be reached at the address 192.144.112.5 over the
Internet, and if port number 22 has been set for remote access, this port
number does not have to be specified in the SSH client.
This must be specified for another port number (e.g. 22222), for example:
ssh -p 22222 192.144.112.5

U Firewall rules to accept external SSH access


Lists the firewall rules that have been established. They apply to the
incoming data packets of an SSH remote access connection.
D Delete rule
Click Delete next to the respective entry.
D Set new rule
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D From IP
Enter the address(es) of the computer(s) permitted remote access.
The following entry options are available:
IP address: 0.0.0.0/0 means all addresses. To indicate a range,
use the CIDR notation - see CIDR (Classless InterDomain Routing)
on page 183.
D Interface
external (fixed)


D Action
Options: Accept / Reject / Drop

Action   Meaning
Accept   the data packets are permitted to pass through.
Reject   the data packets are rejected, and the sender is notified that the data was rejected.
         In transparent mode, Reject has the same effect as Discard, see above.
Drop     the data packets are not permitted to pass through. They are swallowed,
         and the sender is not notified about what happened to the data.

Table 10: Actions for HTTPS access

Note: In Transparent mode Reject is supported if the local IP address
is entered correctly.
D Log
For each individual firewall rule you can decide whether, when the rule is
applied, the event should be logged (set Log to Yes) or not (set Log to No,
the factory default setting).


6.9.5 Access:SNMP
SNMP (Simple Network Management Protocol) is mainly used in more
complex networks to monitor the status and operation of devices.
SNMP is available in several versions: SNMPv1/SNMPv2 and SNMPv3.
The older versions SNMPv1/SNMPv2 do not use encryption and are not
considered to be secure. We therefore recommend that you do not use
SNMPv1/SNMPv2.
As far as security is concerned, SNMPv3 is considerably better, but not all
management consoles support it.
Note: When you use SNMPv1, set up a VPN connection between the
management station and the EAGLE. The SNMPv1 passwords are then
transmitted encrypted inside the VPN tunnel.

Fig. 71: Access:SNMP

U Enable SNMPv3 access


If you wish to allow monitoring of the EAGLE via SNMPv3, set this switch
to Yes.
Unlike SNMPv1/v2, no login data is required, since the protocol itself
provides secure authentication.
The factory setting for access via SNMPv3 requires authentication
with a login and password. These entries are:
Login: admin
Password: private
MD5 is supported for the authentication; DES is supported for
encryption.

U Enable SNMPv1/2 access


If you wish to allow monitoring of the EAGLE via SNMPv1/v2, set this
switch to Yes.
In addition, you must enter the following login data:
SNMPv1 and SNMPv2 read-write Community String
SNMPv1 and SNMPv2 read-only Community String
Enter the required login data in these two fields.

U Port for incoming SNMP connections


(external interface only)
Standard: 161

U Firewall rules to accept external SNMP access


Lists the firewall rules that have been set. These apply for the incoming
data packets of an SNMP remote access.
D Delete rule
Click Delete next to the respective entry.
D Set new rule
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.


D From IP
Enter the address(es) of the computer(s) from which SNMP monitoring
is permitted.
The following options are available:
IP address: 0.0.0.0/0 means all addresses. To indicate a range,
use the CIDR notation - see CIDR (Classless InterDomain Routing)
on page 183.
D Interface
external (fixed)
D Action
Options: Accept / Reject / Drop

Action   Meaning
Accept   the data packets are permitted to pass through.
Reject   the data packets are rejected, and the sender is notified that the data was rejected.
         In transparent mode, Reject has the same effect as Discard, see above.
Drop     the data packets are not permitted to pass through. They are swallowed,
         and the sender is not notified about what happened to the data.

Table 11: Actions for HTTPS access

Note: For security reasons, the EAGLE responds exclusively to ICMP
echo requests (ping) from computers that are permitted access via
SNMP.
Note: In Transparent mode Reject is supported if the local IP address
is entered correctly.
D Log
For each individual firewall rule you can decide whether, when the rule is
applied, the event should be logged (set Log to Yes) or not (set Log to No,
the factory default setting).


6.9.6 Access:Serial line
This dialog allows you to configure the dial-in access via a modem.
In transparent mode (SCT/MCT) you can access the EAGLE directly via
a modem.
In router mode you can also access the secured network according to the
firewall rules in this dialog.
Note: Use the Hirschmann modem cable to connect the modem
(see Accessories on page 220).
The socket housing is electrically connected to the front panel of the device.
The signal lines are electrically isolated from the supply voltage (60 V insulation
voltage) and the front panel.
State on delivery:
- Speed:9600 Baud
- Data:8 bit
- Stopbit:1 bit
- Handshake:off
- Parity:none

Fig. 72: Serial line

U Serial connection, modem, PPP


D Baud rate
Select the same baud rate as the modem.
Note: A change in the baud rate has an effect on terminal operation.
D MODEM (PPP)
Enable access for the modem. An enabled modem prevents access
to the terminal.
D Hardware handshake RTS/CTS
Select the same baud rate as for the modem.

U PPP dial-in options


D Local IP
IP address of the EAGLE for the serial port.
D Remote IP
IP address of the device connected to the serial port.

D PPP Login name
D PPP Password

U Firewall Incoming (PPP interface)


Lists the firewall rules that have been established. They apply to the
incoming data packets of a remote access connection from a modem
in the direction of the secured network.
D Delete rule
Click Delete next to the respective entry.
D Set new rule
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D From IP
Enter the address(es) of the computer(s) from which modem access
is permitted.
The following options are available:
IP address: 0.0.0.0/0 means all addresses. To indicate a range,
use the CIDR notation - see CIDR (Classless InterDomain Routing)
on page 183.
D From port
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D To IP
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D To port
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D Action
Options: Accept / Reject / Drop

Action   Meaning
Accept   the data packets are permitted to pass through.
Reject   the data packets are rejected, and the sender is notified that the data was rejected.
         In transparent mode, Reject has the same effect as Discard, see above.
Drop     the data packets are not permitted to pass through. They are swallowed,
         and the sender is not notified about what happened to the data.

Table 12: Actions for modem access

Note: In Transparent mode Reject is supported if the local IP address
is entered correctly.
D Log
For each individual firewall rule you can decide whether, when the rule is
applied, the event should be logged (set Log to Yes) or not (set Log to No,
the factory default setting).

U Internal server (trusted port)


Lists the firewall rules that have been established. They apply to the
outgoing data packets of a remote access connection from a modem.

6.10 Features menu


6.10.1 Features:Install Update
Prerequisite: You must have a current software package either saved
locally on your configuration system OR available from a remote server.
Note: For information as to whether or not and, if so, in which manner you
can obtain a software update, please contact Hirschmann.

Fig. 73: Install Update

If you have saved a current software update on your configuration computer,
proceed as follows:
V Please read the README file!
V Click on Browse... and then select the file.

V Click installed packets to load them into the device.


This procedure can take several minutes depending on the size of the
update.
If a reboot is required after the system update, this will be displayed.
If a current software update is made available to you on a remote server,
its address must be entered (see Features:Update Server on page 175).
V Enter the file name in the entry field.
V Click on Install Package Set to transfer them to the device.
Depending on the size of the update, this may take several minutes.
If a reboot is necessary after a system update, a message to this effect
will be displayed.


6.10.2 Features:Update Server
If a software update (see Features:Install Update on page 173) for
the EAGLE is made available on a remote server, enter its address here.
The protocol used must, in any case, precede the server's address.
Examples: http://123.456.789.1 or http://www.xyz.com/update

Fig. 74: Update Servers


6.10.3 Features:Software information - Display
This page lists the software modules (packages) currently loaded in the
device. Each of these is called a package.
The purpose of this page is to provide the information required prior to
making an update: Compare the displayed package version numbers with
those of the corresponding current packages. For the relevant information,
please contact your distributor.
If new versions are available, you can update the software in the device
(see Features:Install Update on page 173).

Fig. 75: Software information


6.10.4 Features:Hardware information
Only for experienced system administrators or Support.

Fig. 76: Hardware information

6.11 Support menu


6.11.1 Support:Snapshot
This function creates a compressed file (in the tar format), which contains
all current configuration settings and log entries, that are relevant for error
diagnostics. This file does not contain any private information such as the
private machine certificate or passwords. However, any pre-shared keys
used for VPN connections are included in the snapshots. If requested,
please provide this file to Hirschmann-Support.

Fig. 77: Snapshot

To create a snapshot, proceed as follows:
V Click Download.
V Save the file under the name snapshot.tar.gz
V Please make the file available to Hirschmann Support, if so requested.


6.11.2 Support:Status - Display
Displays a summary of various status information for support purposes:

Fig. 78: Support:Status

U Network mode
The EAGLE's mode of operation
D Transparent (SCT/MCT)
D Router
D PPPoE
D PPTP

U External IP
The IP address of the EAGLE at its connection for the network
(WAN or Internet) connected to the insecure port.
In transparent mode, the EAGLE takes on the local IP address
(see Network:Transparent mode on page 100).


U Default gateway
The default gateway address is shown here that is entered in the
EAGLE.

U VPN
Supports:
D Total: Total number of VPN connections setup
D Used: Number of VPN connections used
D Up: Number of VPN connections currently active

U DynDNS registration
Supports:
D none: no DynDNS server specified
D DynDNS Server: Address of the DynDNS server, at which the EAGLE
should register.
D failure: The EAGLE has unsuccessfully attempted to setup a
connection to the DynDNS server.
D trying: The EAGLE is currently attempting to setup a connection to the
DynDNS server.

U HTTPS remote access
Possible settings
D no
D yes

U SSH remote access
Possible settings
D no
D yes


U NTP Status
Options:
D synchronized: The EAGLE receives the current time from a time
server (Greenwich time) via the Network Time Protocol.
D not synchronized: The EAGLE is not connected to a time server
and can thus not provide the current time.

U Software version
Shows the version of the software installed in the EAGLE

U System Uptime
This shows how much time has elapsed since the last time that the
EAGLE was started.

U Language
This field shows the currently selected language.

6.12 CIDR (Classless InterDomain Routing)
IP netmasks and CIDR are notations that define an address space
containing multiple IP addresses. An address space in which the
addresses follow one another sequentially is treated as a network.
CIDR reduces, for example, the routing tables stored in routers by
describing a network with a postfix appended to the IP address. With this
postfix, an aggregate of many networks can be identified. The method is
described in RFC 1518.
To define a range of IP addresses for the EAGLE, e.g. when configuring the
firewall, it may be necessary to use the CIDR notation to specify the address
space. The following table presents the IP netmask on the left and the
corresponding CIDR notation on the right.


IP               binary                               CIDR
255.255.255.255  11111111 11111111 11111111 11111111  32
255.255.255.254  11111111 11111111 11111111 11111110  31
255.255.255.252  11111111 11111111 11111111 11111100  30
255.255.255.248  11111111 11111111 11111111 11111000  29
255.255.255.240  11111111 11111111 11111111 11110000  28
255.255.255.224  11111111 11111111 11111111 11100000  27
255.255.255.192  11111111 11111111 11111111 11000000  26
255.255.255.128  11111111 11111111 11111111 10000000  25
255.255.255.0    11111111 11111111 11111111 00000000  24
255.255.254.0    11111111 11111111 11111110 00000000  23
255.255.252.0    11111111 11111111 11111100 00000000  22
255.255.248.0    11111111 11111111 11111000 00000000  21
255.255.240.0    11111111 11111111 11110000 00000000  20
255.255.224.0    11111111 11111111 11100000 00000000  19
255.255.192.0    11111111 11111111 11000000 00000000  18
255.255.128.0    11111111 11111111 10000000 00000000  17
255.255.0.0      11111111 11111111 00000000 00000000  16
255.254.0.0      11111111 11111110 00000000 00000000  15
255.252.0.0      11111111 11111100 00000000 00000000  14
255.248.0.0      11111111 11111000 00000000 00000000  13
255.240.0.0      11111111 11110000 00000000 00000000  12
255.224.0.0      11111111 11100000 00000000 00000000  11
255.192.0.0      11111111 11000000 00000000 00000000  10
255.128.0.0      11111111 10000000 00000000 00000000   9
255.0.0.0        11111111 00000000 00000000 00000000   8
254.0.0.0        11111110 00000000 00000000 00000000   7
252.0.0.0        11111100 00000000 00000000 00000000   6
248.0.0.0        11111000 00000000 00000000 00000000   5
240.0.0.0        11110000 00000000 00000000 00000000   4
224.0.0.0        11100000 00000000 00000000 00000000   3
192.0.0.0        11000000 00000000 00000000 00000000   2
128.0.0.0        10000000 00000000 00000000 00000000   1
0.0.0.0          00000000 00000000 00000000 00000000   0

Example: 192.168.1.0 / 255.255.255.0 corresponds to 192.168.1.0/24 in
CIDR notation.
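The netmask to CIDR conversion of the table above, and the matching of a source address against the From IP entry of the HTTPS, SSH and SNMP access rules (sections 6.9.3 to 6.9.5), as an added Python example that is not code from the manual or from Hirschmann. The rule evaluation order (top to bottom, first match wins) and the result for a packet matching no rule (Drop) are assumptions, since the manual lists the rules but does not state how they are evaluated.

```python
"""Added example, not part of the EAGLE manual or Hirschmann's code.

Netmask <-> CIDR conversion (section 6.12) and evaluation of a source
address against the "From IP" entries of access rules (sections 6.9.3
to 6.9.5). Evaluation order and the no-match result are assumptions.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return str(ipaddress.IPv4Address(bits))


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> CIDR prefix length, e.g. 255.255.248.0 -> 21.

    Only masks made of n one-bits followed by zero-bits (the rows of the
    manual's table) are accepted; a mask such as 255.0.255.0 is rejected.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def to_cidr(ip: str, mask: str) -> str:
    """192.168.1.0 / 255.255.255.0 -> 192.168.1.0/24 (host bits are cleared)."""
    net = ipaddress.IPv4Network((ip, mask_to_prefix(mask)), strict=False)
    return str(net)


@dataclass
class AccessRule:
    """One row of "Firewall rules to accept external ... access"."""
    from_ip: str       # single address or CIDR range; 0.0.0.0/0 = all addresses
    action: str        # Accept / Reject / Drop
    log: bool = False  # Log = Yes / No (factory default: No)


def covers(from_ip: str, src: str) -> bool:
    """True if the rule's From IP entry includes the source address."""
    # A bare address counts as /32; strict=False tolerates host bits in a range.
    return ipaddress.IPv4Address(src) in ipaddress.IPv4Network(from_ip, strict=False)


def evaluate(rules: list[AccessRule], src: str) -> tuple[str, list[str]]:
    """Return (action, log lines) for a packet from src.

    Assumptions: rules are evaluated top to bottom and the first match wins;
    a packet that matches no rule is dropped without a log entry.
    """
    for i, rule in enumerate(rules):
        if covers(rule.from_ip, src):
            # constructed log line format, not the EAGLE's own
            logs = [f"rule {i}: {src} -> {rule.action}"] if rule.log else []
            return rule.action, logs
    return "Drop", []


def wide_open(rules: list[AccessRule]) -> list[int]:
    """Indexes of Accept rules whose From IP is 0.0.0.0/0 (every address).

    These are the rules the manual's IMPORTANT notes on remote access are
    about: with such a rule, only the root/admin passwords guard the device.
    """
    return [i for i, r in enumerate(rules)
            if r.action == "Accept"
            and ipaddress.IPv4Network(r.from_ip, strict=False).prefixlen == 0]


if __name__ == "__main__":
    # constructed rule set: only network A of Fig. 79 may reach the SSH port
    rules = [AccessRule("192.168.11.0/24", "Accept", log=True),
             AccessRule("0.0.0.0/0", "Drop")]
    for mask in ("255.255.255.0", "255.255.248.0", "255.128.0.0"):
        print(mask, "-> /%d" % mask_to_prefix(mask))
    print(evaluate(rules, "192.168.11.5"))   # ('Accept', ['rule 0: ...'])
    print(evaluate(rules, "80.81.192.37"))   # ('Drop', [])
    print(wide_open(rules))                  # []
```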

6.13 Example of a network


The diagram below illustrates how in a local network with subnetworks the
IP address could be distributed, what the resulting network addresses would
be, and how an additional internal router would be specified.

Fig. 79: Network example
D Internet: external address e.g. 80.81.192.37 (assigned by the Internet service provider)
D EAGLE in the network mode router; internal address of the EAGLE: 192.168.11.1
D Network A: network address 192.168.11.0/24, network mask 255.255.255.0, computers A1 to A5
D Router: IP external 192.168.11.2, IP internal 192.168.15.254, network mask 255.255.255.0
D Network B: network address 192.168.15.0/24, network mask 255.255.255.0, computers B1 to B4
D Router: IP external 192.168.15.1, IP internal 192.168.27.254, network mask 255.255.255.0
D Network C: network address 192.168.27.0/24, network mask 255.255.255.0, computers C1 to C4
D Additional internal route: see Table 16


Computer      A1             A2             A3             A4             A5
IP address    192.168.11.3   192.168.11.4   192.168.11.5   192.168.11.6   192.168.11.7
Network mask  255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0

Table 13: Network A

Computer      B1             B2             B3             B4
IP address    192.168.15.2   192.168.15.3   192.168.15.4   192.168.15.5
Network mask  255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0

Table 14: Network B

Computer      C1             C2             C3             C4
IP address    192.168.27.1   192.168.27.2   192.168.27.3   192.168.27.4
Network mask  255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0

Table 15: Network C

Network          Gateway
192.168.15.0/24  192.168.11.2
192.168.27.0/24  192.168.11.2

Table 16: Additional internal routes for EAGLE (see Network:Base on page 95)

7 The Recovery button


The Recovery button enables you to,
D perform a restart,
D perform the Recovery procedure and
D to flash the firmware.

7.1 Performing a restart


The EAGLE offers several ways of performing a restart.
D Restart with Recovery button
V To perform a restart, press the Recovery button longer than
1.5 seconds and less than 7 seconds until the STATUS LED
goes out and the FAULT LED lights up red.
D The supply of current is temporarily interrupted.
D Management Web interface
See System:Reboot on page 84.
D Management SNMP
with the MIB object hmSecAction.

7.2 Executing the recovery procedure
7.2.1 Aim
The recovery procedure allows you to reset selected parameters to their
default values. These parameters are:
D local IP address (0.0.0.0),
D netmask (0.0.0.0),
D operating mode (MCT mode),
D modem access (off) and
D baud rate (9600).

Note: The configured settings for VPN connections and firewall remain
unchanged, as do the passwords.
Possible reasons for executing the recovery procedure:
D The EAGLE is in router or PPPoE mode,
D The device address of the EAGLE has been configured differently than
the default setting.
D You do not know the current IP address of the device,
D You have no way of making this setting from a V.24 terminal.

7.2.2 Action
V Perform a restart - see Performing a restart on page 189.
V Wait until the STATUS-LED is continuously green-lit. This lasts about
30 seconds.

V Press the Recovery button slowly 6 times.
Result:
The EAGLE responds after about 2 seconds:
The STATUS LED blinks 6 times yellow and then green.
V Press the Recovery button 6 times again within the next 60 seconds.
Result:
The device performs a restart, switches to transparent mode (MCT),
and deletes the local IP address. It can then be reached again at the
following address:
https://1.1.1.1/

7.3 Flashing the firmware


Aim
The entire EAGLE software is to be loaded into the device.
Note: All configured settings will be deleted. The EAGLE is reset to its default
values (state on delivery).
Possible reasons to flash the firmware:
D You have lost or forgotten the administrator password.
D The firewall rules have been set in such a way that the administrator no
longer has access.
Action
Prerequisites:
D You have copied the software of the EAGLE from the EAGLE CD or
obtained it from Hirschmann support and have saved it on the
configurations computer.
D The DHCP and tftp server are installed on the same computer
(see Requirements for flashing the firmware on page 195).
Proceed as follows:
V Keep the Recovery button pressed until the recovery status starts as
follows:
The EAGLE is restarted (after 1.5 seconds). After approx. 7 seconds
the EAGLE switches to recovery status.
Status display of the recovery status: All ports and STATUS LEDs are
green-lit.
V Release the Recovery switch no more than 1 second after the device has
entered its recovery state.
Note: If you do not release the Recovery button quickly enough, the EAGLE
will restart again.

Result:
The EAGLE starts the recovery system. It searches for the DHCP server
via the computer connected to the secure port or via the connected
network in order to obtain an IP address from it.
Status display: The STATUS LED blinks.
The file install.p7s is loaded from the tftp server. It contains the
electronically signed control procedure for the installation procedure.
Only files that have been signed by Hirschmann are loaded.
The control procedure then deletes the flash memory and prepares the
reinstallation of the software.
Status display: The 3 port LEDs form a sequential light.
The software jffs2.img.p7s is then downloaded from the tftp server
and stored in the flash memory. This file contains the actual EAGLE operating system and is electronically signed. Only files that have been
signed by Hirschmann are accepted.
Status display: The 3 port LEDs form a sequential light.
It takes about 3 to 5 minutes to delete and store the file.
The EAGLE is then restarted automatically.
The new software is then unpacked and configured.
This takes about 5 minutes.
Status display: The STATUS LED blinks.
Once the procedure has ended, all port LEDs blink green simultaneously.

V Restart the EAGLE.
To do this, press the Recovery button until the STATUS LED goes out,
or disconnect the device from the power supply and then reconnect it.
Result:
The EAGLE is in the delivery state. Reconfigure it (see Setting up a
local configuration connection on page 67).

7.3.1 Requirements for flashing the firmware
To flash the firmware, a DHCP and tftp server must be installed on the locally
connected computer or network computer.
(DHCP = Dynamic Host Configuration Protocol; tftp = Trivial File Transfer
Protocol)
V Install the DHCP and tftp server, if needed (see below).
Note: If you install a second DHCP server in a network, this can affect the
configuration of the entire network!

7.3.2 Installing the DHCP and tftp server under Windows
Install the software for the tftp server and DHCP server, that is located on
the CD. Proceed by following the steps below:
V If the Windows system is connected to network, disconnect it.
V Copy the software into any empty folder on the Windows system.
Start the program TFTPD32.EXE.
The image files are also found on the CD-ROM, which was included in
the package.

Fig. 80: Start screen of the TFTPD32 program

V The server IP must be set to: 192.168.10.1
This must also be the address of the network adapter.
Click on the Browse button to switch to the folder in which the EAGLE
image files have been saved: install.p7s, jffs2.img.p7s

V Click on the tftp Server or DHCP Server tab and then click on
the Settings button to open the dialog shown below. Then set the
parameters as shown:

Fig. 81: Settings

7.3.3 Installing DHCP and TFTP servers under Linux
All current Linux distributions include DHCP and TFTP servers. Install the
corresponding packages in accord with the instructions for the respective
distribution.
V Configure the DHCP server by making the following settings in the
/etc/dhcp file:
subnet 192.168.134.0 netmask 255.255.255.0 {
range 192.168.134.100 192.168.134.119;
option routers 192.168.134.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.134.255;}

This sample configuration makes 20 IP addresses (.100 to .119)
available. It is assumed that the DHCP server has the address
192.168.134.1 (settings for ISC DHCP 2.0).
The required TFTP server is configured in the following file:
/etc/inetd.conf
V In this file, insert the appropriate lines or set the necessary parameter for
the TFTP service (the directory for data is: /tftpboot)
tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot/

V Then restart the inetd process to activate the modified configuration.
If you use a different mechanism, e.g. xinetd, please read the
corresponding documentation.

8 HiConfig
HiConfig is a command-line oriented program for configuring the EAGLE.
The HiConfig interface can be reached via
D the secure port,
D the insecure port or
D the V.24 port.

U Making a connection to HiConfig over a LAN

PuTTY is a terminal program with which you can establish a secure
connection to the HiConfig interface of the EAGLE from your PC over
the LAN.
V Copy the putty.exe file from the enclosed CD to your PC's hard disk.
V Start PuTTY by double-clicking this file.

Fig. 82: Connection setup (host name or IP address of the EAGLE; connection protocol)

V Enter the host name or the IP address of the EAGLE.
V Select the connection protocol.
SSH, if your PC accesses the EAGLE from within a LAN.

V Click Open.
PuTTY establishes a connection to the EAGLE and
opens the login window.
V Press the Enter key.
The EAGLE operating system will prompt you to enter the username
(admin or root).
V Enter the username.
The EAGLE operating system will prompt you to enter the password
(private or root).
V Enter the password.
The EAGLE operating system responds with the $ prompt
(for admin) or # (for root).
V Enter hiconfig (please note that entries are case-sensitive)
and press the Enter key.
HiConfig responds by displaying a list of valid commands.

delete the current row


--delete-all-rows
delete all rows
--silent
DON'T reconfigure services
(the gaid session daemon isn't required when option is used)
--get-all
dump all configuration data to stdout
--set-all
read all configuration data from stdin
--cache <file>
alternative location for the cache file
--socket <file>
use an alternative unix domain socket
Examples:
hiconfig --set ROUTERMODE router
hiconfig --set VPN.1.GATEWAY 192.168.1.1
hiconfig --goto VPN.0 --set .GATEWAY %any --set .ENABLED no
hiconfig --goto VPN --add-row --set .NAME tokyo --set .GATEWAY
146.215.5.34
hiconfig --goto VPN.2 --delete-row
#

Fig. 83: HiConfig start page

U Making a connection to HiConfig over a V.24 port.


The V.24 port allows you to configure the EAGLE if access via the
LAN ports is not possible, for example because of failed autonegotiation
or a faulty firewall configuration.
V Using the terminal cable, connect your PC to the V.24 port of the
EAGLE.
Example of establishing a terminal connection under Windows 2000:
V Choose Start:Programs:Accessories:Communication:HyperTerminal.
V Enter a name of your choice for this connection (Fig. 84).
Fig. 84: Setting up the terminal connection
V Click OK (Fig. 85).
Fig. 85: Terminal connection without phone number
V Enter the connection settings and click OK (Fig. 86).
Fig. 86: Properties of the terminal connection

V Press the Enter key.


The EAGLE operating system will prompt you to enter the username
(admin or root).
V Enter the username.
The EAGLE operating system will prompt you to enter the password
(private or root).
V Enter the password.
The EAGLE operating system responds with the $ prompt
(for admin) or # (for root).
V Enter hiconfig (please note that entries are case-sensitive)
and press the Enter key.
HiConfig responds by displaying a list of valid commands.


Fig. 87: HiConfig start page (the same output as shown in Fig. 83)

U Port Configuration
To set the port configuration you will need the following parameters:

Designation               Value
Secure port               ETH1
Insecure port             ETH0
Enable port               ENABLE
Disable port              DISABLE
Autonegotiation on        AUTONEG yes
Autonegotiation off       AUTONEG no
10 Mbit/s, half duplex    FIXEDSETTING 10hd
10 Mbit/s, full duplex    FIXEDSETTING 10fd
100 Mbit/s, half duplex   FIXEDSETTING 100hd
100 Mbit/s, full duplex   FIXEDSETTING 100fd

Table 17: Port configuration parameters

The command hiconfig --set with the proper parameters allows you
to configure the ports.
The command hiconfig --get-all | more displays all the
configured parameters one page at a time.
Example:
Set the secure port to 10 Mbit/s half duplex:
hiconfig --set ENABLE_ETH1_AUTONEG no
hiconfig --set ETH1_FIXEDSETTING 10hd
Set the secure port to autonegotiation on:
hiconfig --set ENABLE_ETH1_AUTONEG yes


U IP parameter configuration in transparent mode


V Enter the management IP address in transparent mode as follows:
$ hiconfig --set STEALTH_MANAGE_IP 149.218.112.55
V Enter the gateway address in transparent mode as follows:
$ hiconfig --set STEALTH_MANAGE_GW 148.218.112.199
V Enter the network mask in transparent mode as follows:
$ hiconfig --set STEALTH_MANAGE_NET 255.255.255.0
The IP addresses and the network mask refer to the entries in the
HiDiscovery example (see Fig. 17).

A Appendix

FAQ
Answers to frequently asked questions can be found at the Hirschmann
Website:
www.hirschmann.com
The FAQ area is located on the Products pages under Products/Support
in the Automation and Network Solutions section.
For detailed information on all services offered by the Hirschmann
Competence Center, please visit the Web site http://www.hicomcenter.com/.

Based specifications and standards
U List of norms and standards:
D EN 61000-6-2:2001 Basic standard - interference resistance in
industry
D EN 55022:1998 + A1 2000 + A2 2003 - Interference characteristics for
IT systems
D EN 60950:2001 - Security in IT systems
D EN 61131-2:2003 - Programmable Logic Controllers
D FCC 47 CFR Part 15:2003 Code of Federal Regulations
D Germanischer Lloyd, Rules for Classification and Construction VI - 7 3 Part 1, Ed. 2003.
D cUL 508:1998 Safety for Industrial Control Equipment
D cUL 1604 Electrical Equipment for Use in Class I and Class II, Div.2
and Class III Hazardous (Classified) Locations
D cUL 60950 Safety for Information Technology Equipment.
Certified devices are marked with a certification identifier.

U IEEE standards
IEEE 802.1D   Switching, GARP, GMRP, Spanning Tree
IEEE 802.1Q   Tagging
IEEE 802.3    Ethernet

U Supported MIBs
Private MIBs:
D hmprivate
D hmSecurityGateway-MIB
Standard MIBs:
D IF-MIB
D MAU-MIB
D RFC1155-SMI
D RFC1213-MIB
D SNMPv2-MIB
D SNMPv2-SMI
D SNMPv2-TC
The private MIBs are located on the enclosed EAGLE CD-ROM.

SNMP traps
U Private MIB:
hmSecHTTPSLoginTrap
is sent if a login attempt was made via HTTPS.
hmSecShellLoginTrap
is sent if a login was made via the security shell or the V.24 terminal.
hmSecDHCPNewClientTrap
is sent if the DHCP server receives a request from an unknown client.
hmTemperatureTrap
is sent if the temperature exceeds / falls below the set threshold values.
hmPowerSupply
is sent if the status of the voltage supply changes.
hmSignallingRelay
is sent if the status of the signal contact changes.
hmAutoconfigAdapterTrap
is sent if the AutoConfiguration adapter ACA 11 is removed or plugged
in again.

U Standard traps:
coldStart
is sent during the boot process after successful management
initialization following a cold or warm start.
linkUp
is sent if the link to a port is re-established.
linkDown
is sent if the link to a port is interrupted.

authenticationFailure
is sent if a station attempts to access an agent without permission.

Certifications
The following table lists the certification status of the
EAGLE product family.
Certified devices are marked with a certification identifier.

Standard                       EAGLE
EN 61131-2                     In preparation
CE                             In preparation
FCC 47 CFR Part 15             In preparation
cUL 508 / CSA C22.2 No.142     In preparation
cUL 1604 / CSA C22.2 No.213    In preparation
Germanischer Lloyd             fulfilled

Table 18: Certifications; for the current status, visit www.hirschmann.com

Technical data
EAGLE
Dimensions W x H x D                     46 x 131 x 111 mm (1.8 in x 5.2 in x 4.4 in)
Weight                                   340 g, 0.75 lb
Top-hat rail fastener                    in line with IEC 60715:1981 + A1:1995
Power supply
  Operating voltage                      24 V DC, -25 % +33 %
                                         NEC Class 2 power source,
                                         safety extra-low voltage (SELV/PELV),
                                         redundant inputs uncoupled
  Power consumption
    with 2 TX ports                      7.2 W maximum at 24 V DC, 24.6 BTU/h
    with 1 TX port and 1 FX port         8.4 W maximum at 24 V DC, 28.7 BTU/h
    with 2 FX ports                      9.6 W maximum at 24 V DC, 32.8 BTU/h
  Overload current protection at input   non-changeable thermal fuse
Environment
  Ambient temperature                    surrounding air: 0 °C to 60 °C (32 °F to 140 °F)
  Storage temperature                    surrounding air: -20 °C to +70 °C (-4 °F to 158 °F)
  Air humidity                           10 % to 95 % (non-condensing)
  Atmospheric pressure                   suitable for operation up to 2000 m (6561 ft), 795 hPa
  Pollution Degree                       2
Protection classes
  Laser protection                       Class 1 conforming to EN 60825-1 (2001)
  Protection class                       IP 20
EMC interference immunity
  EN 61000-4-2                electrostatic discharge
                              contact discharge: test level 3 (6 kV)
                              air discharge: test level 3 (8 kV)
  EN 61000-4-3                electromagnetic field, test level 3 (10 V/m; 80 - 2000 MHz)
  EN 61000-4-4                fast transients (burst), test level 3 (2 kV power line, 1 kV data line)
  EN 61000-4-5                surge voltage
                              power line, symmetric: test level 2 (1 kV)
                              power line, asymmetric: test level 3 (2 kV)
                              data line: test level 2 (1 kV)
  EN 61000-4-6                cable-based RF interference: test level 3, 10 V (150 kHz - 80 MHz)
EMC emitted interference
  EN 55022                    Class A
  FCC 47 CFR Part 15          Class A
  Germanischer Lloyd          Rules for Classification and Construction VI - 7 - 3 Part 1, Ed. 2003
Stability
  Vibration                   IEC 60068-2-6 Test FC, testing level in line with IEC 61131-2 E2 CDV
                              and Germanischer Lloyd Guidelines for the Performance of Type Tests Part 1
  Shock                       IEC 60068-2-27 Test Ea, testing level in line with IEC 61131-2 E2 CDV
Interfaces
  Signal contact              1 A maximum, 24 V
  V.24 port                   external management, modem
  2 type-dependent ports      TX ports with RJ-45 socket, FX ports with DSC socket
Network size TX port 10BASE-T/100BASE-TX/1000BASE-TX
  Length of a TP segment      100 m (328 ft) max.
Network size F/O ports 100BASE-FX
  System attenuation
    50/125 µm fiber, multimode      0-8 dB
    62.5/125 µm fiber, multimode    0-11 dB
    9/125 µm fiber, singlemode      0-16 dB, wavelength 1300 nm
    9/125 µm fiber, singlemode      7-29 dB, wavelength 1550 nm
  Example for F/O line length
    50/125 µm fiber, multimode      5 km/16,400 ft max.; data of fiber: 1 dB/km, 800 MHz*km
    62.5/125 µm fiber, multimode    4 km/13,120 ft max.; data of fiber: 1 dB/km, 500 MHz*km
    9/125 µm fiber, singlemode      30 km/98,420 ft max.; data of fiber at 1300 nm: 0.4 dB/km, 3.5 ps/(nm*km)
    9/125 µm fiber, singlemode      24-86.6 km/78,740-284,121 ft; data of fiber at 1550 nm: 0.3 dB/km, 19 ps/(nm*km)
Scope of delivery
  EAGLE Firewall/VPN System incl. terminal block for power supply
  EAGLE manual on CD-ROM (description and operating instructions)

Order numbers
  EAGLE TX/TX                 943 011-001
  EAGLE TX/MM SC              943 011-002
  EAGLE TX/SM SC              943 011-003
  EAGLE TX/LH SC              943 011-004
  EAGLE MM SC/TX              943 011-005
  EAGLE MM SC/MM SC           943 011-006
  EAGLE MM SC/SM SC           943 011-007
  EAGLE MM SC/LH SC           943 011-008
  EAGLE FW TX/TX              943 011-011
  EAGLE FW TX/MM SC           943 011-012
  EAGLE FW TX/SM SC           943 011-013
  EAGLE FW TX/LH SC           943 011-014
  EAGLE FW MM SC/TX           943 011-015
  EAGLE FW MM SC/MM SC        943 011-016
  EAGLE FW MM SC/SM SC        943 011-017
  EAGLE FW MM SC/LH SC        943 011-018

Accessories
  Manual: Basics of Industrial ETHERNET and TCP/IP   280 720-834
  ACA Auto Configuration Adapter                     943 751-001
  Terminal cable                                     943 301-001
  6-pin terminal block (50 pieces)                   943 845-002
  Rail Power Supply RPS 30                           943 662-003
  Rail Power Supply RPS 60                           943 662-001
  Rail Power Supply RPS 120                          943 662-011
  Network Management Software HiVision               943 471-100

Literature references
[1] Christoph Wrobel: Optische Übertragungstechnik in der Praxis. Hüthig Buch Verlag, Heidelberg. ISBN 3-8266-5040-9
[2] W.R. Stevens: TCP/IP Illustrated, Vol. 1. Addison Wesley, 1994. ISBN 0-201-63346-9
[3] Hirschmann Manual: Basics of Industrial ETHERNET and TCP/IP. 280 720-834
[4] Hirschmann Manual: MultiLAN Switch. 943 309-001
[5] Hirschmann Manual: ETHERNET. 943 320-001
[6] Hirschmann Manual: Network Management F. 039 584-620

Reader's comments
What is your opinion of this manual? We are always striving to provide as
comprehensive a description of our product as possible, as well as important
information that will ensure trouble-free operation. Your comments and
suggestions help us to further improve the quality of our documentation.
Your assessment of this manual (excellent / good / satisfactory / mediocre / poor):
  Accuracy
  Readability
  Comprehensibility
  Examples
  Structure/Layout
  Completeness
  Graphics
  Drawings
  Tables
Did you discover an error in the manual? If so, on what page?
Suggestions for improvement and additional information:
General comments:
Company / Department:
Name / Telephone number:
Street:
Zip code / City:
Date / Signature:

Dear User,
Please fill out and return this page
by fax to the number +49 (0)7127/14-1798 or
by mail to
Hirschmann Electronics GmbH & Co. KG
Department AMM
Stuttgarter Str. 45- 51
72654 Neckartenzlingen
Germany

Copyright of integrated software


The EAGLE incorporates certain free and open software. The license terms
associated with this software require that we give copyright and license
information. This information can be found on the enclosed CD-ROM.
For free software under the terms of the GPL/LGPL we also provide source
code according to Subsection 3b of the GPL or Subsection 6b of the
LGPL, respectively.
Please contact your Hirschmann contract partner.

B Glossary
D 3DES / DES
This symmetrical encryption algorithm was developed by IBM and checked by the NSA. DES (Symmetrical encryption on page 233) was set in
1977 by the American National Bureau of Standards, which was the predecessor of the National Institute of Standards and Technology (NIST), as
the standard for American governmental institutions. Since this was the
very first standardized encryption algorithm, it quickly won acceptance by
industry even outside of America.
DES uses a 56 bit long key, which is no longer considered secure as the
processing power available has greatly increased since 1977.
3DES is a variant of DES. It uses keys that are three times as long, i.e.
168 bits long. 3DES is still considered to be secure and is also included
in the IPsec standard.
D Asymmetrical encryption
In the case of asymmetrical encryption, data is encrypted with one key
and decrypted with a second key. Either key may be used for encryption
or decryption. One of the keys is kept secret by its owner (Private Key),
the other is made available to the public (Public Key), i.e. possible communication partners.
A message encrypted with the public key can only be decrypted and
read by the receiver who has the associated private key. A message
encrypted with the private key can only be decrypted and read by a
receiver who has the associated public key. The fact that the message
was encrypted with the private key proves that the owner of the associated public key actually sent the message. Therefore, the expression
"digital signature" is also often used.
However, asymmetrical encryption techniques such as RSA are both
slow and susceptible to certain types of attack and are therefore frequently combined with some form of symmetrical encryption (Symmetrical encryption on page 233). On the other hand, there are concepts
which avoid the additional work of administering symmetrical keys.
D AES
Advanced Encryption Standard. This encryption standard was developed
by NIST (National Institute of Standards and Technology) in cooperation
with the industry. This symmetrical encryption (Symmetrical encryption on page 233) was developed to replace the earlier DES standard. AES specifies three different
key sizes (128, 192 and 256 bits).

In 1997, NIST started the AES initiative and announced its conditions for
the algorithm. From the many proposed encryption algorithms, NIST
selected a total of five algorithms for closer examination - the MARS,
RC6, Rijndael, Serpent and Twofish algorithms. In October 2000, the
Rijndael algorithm was adopted as the standard's encryption algorithm.
D Certificate (X.509)
A type of "seal", which certifies the authenticity of a public key (Asymmetrical encryption on page 227) and the associated data.
To enable the user of the public key, which will be used to encrypt the data, to be sure that the public key that he/she has received is really from its
issuer and thus from the instance which should later receive the data, it
is possible to use certification. A Certification Authority (CA) certifies the
authenticity of the public key and the associated link between the identity
of the issuer and his/her key. The certification authority will verify authenticity in accordance with its rules, which may, for example, require that the
issuer of the public key appear before it in person. Once authenticity has
been successfully certified, the certification authority will add its digital signature to the issuer's public key. The result is a certificate.
An X.509(v3) certificate thus includes a public key, information about the
key owner (given as its Distinguished Name (DN)), the authorized usage
etc. and the signature of the certification authority.
The signature is created as follows: The certification authority creates an
individual bit sequence, which is known as the HASH value, from the bit
sequence of the public key, the information about its owner and other data. This sequence may be up to 160 bits long. The certification authority
encrypts this with its own private key and then adds it to the certificate.
The encryption with the certification authority's private key proves the authenticity of the certificate, i.e. the encrypted HASH string is the certification authority's digital signature. If the certificate's data is altered, this
HASH value will no longer be correct with the consequence that the certificate will be worthless.
The HASH value is also known as the fingerprint. Since it is encrypted
with the certification authority's private key, anyone who has the public
key can decrypt the bit sequence and thus verify the authenticity of this
fingerprint or signature.
The usage of a certification authority means it is not necessary for each
owner of a key to know every other owner. It is enough for them to know
the certification authority. The additional information about the key further
simplifies the administration of the key.
X.509 certificates are used, e.g. for e-mail encryption, in S/MIME or IPsec.

D Client / Server
In a client-server environment, a server is a program or computer, which
accepts and answers queries from client programs or computers.
In data communication, a computer which establishes a connection to a
server (or host) is also called a client. In other words, the client is the
calling computer and the server (or host) is the computer called.
D Datagram
In the TCP/IP protocol, data is sent in the form of data packets, which are
known as IP datagrams. An IP datagram has the following structure:
IP header | TCP, UDP, ESP etc. header | Data (payload)
The IP header contains:


the IP address of the sender (source IP address)
the IP address of the receiver (destination IP address)
the protocol number of the protocol of the next higher protocol layer (in
accord with OSI [seven layer] model)
the IP header checksum used to check the integrity of the received
header.
The TCP/UDP header contains the following information:
the sender's port (source port)
the recipient's port (destination port)
a checksum covering the TCP header and some information from the
IP header (among others the source and destination IP addresses)
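The header fields listed above can be read and checked programmatically. The following Python is an added example, not code from the EAGLE manual: it parses the IP header and the UDP header of a constructed IPv4/UDP datagram, verifies the IP header checksum and the UDP checksum (which covers the pseudo-header taken from the IP addresses), and reports a flipped payload byte as a checksum failure. The addresses, ports and payload are made up for the example.

```python
import struct

# Protocol numbers the glossary mentions for the "next higher layer" field.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over data that already carries a
    correct checksum field the result is 0, which is how it is verified."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(pkt: bytes) -> dict:
    """Extract the fields listed in the glossary: source and destination IP
    address, next-layer protocol number and the header checksum result."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl = pkt[0]
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    return {
        "ihl": ihl,
        "total_length": total_len,
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "header_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
    }


def parse_udp(pkt: bytes, ip: dict) -> dict:
    """Parse the UDP header and verify its checksum. As the glossary notes,
    the checksum also covers a pseudo-header with the IP addresses."""
    seg = pkt[ip["ihl"]:ip["total_length"]]
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, chksum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field does not fit the datagram")
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, ip["protocol"], length)
    # A zero checksum field means "no checksum" in UDP over IPv4.
    ok = chksum == 0 or internet_checksum(pseudo + seg[:length]) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum_ok": ok, "payload": seg[8:length]}


def build_datagram(src: str, dst: str, sport: int, dport: int,
                   payload: bytes) -> bytes:
    """Construct an IPv4/UDP datagram with correct checksums (sample input)."""
    udp_len = 8 + len(payload)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    udp_ck = internet_checksum(pseudo + udp) or 0xFFFF  # 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_ck) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                     64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + udp


def inspect(pkt: bytes) -> dict:
    """Parse the IP header and, for protocol 17, the UDP header behind it."""
    ip = parse_ip_header(pkt)
    result = {"ip": ip}
    if ip["protocol"] == 17:
        result["udp"] = parse_udp(pkt, ip)
    return result


# Constructed sample: a UDP datagram from an internal host to a DNS server.
SAMPLE = build_datagram("192.168.1.10", "192.168.1.1", 40000, 53, b"hello")
# The same datagram with one payload bit flipped; the IP header is untouched,
# so only the UDP checksum should fail.
TAMPERED = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print("tampered UDP checksum ok:", inspect(TAMPERED)["udp"]["checksum_ok"])
```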
D DynamicDNS provider
Every computer, which is connected to the Internet, has an IP address (IP
= Internet Protocol). An IP address consists of a maximum of 4 three-digit
numbers, which are each separated by a dot. If the computer accesses its
Internet Service Provider (ISP) via a modem on a phone line, ISDN or
ADSL, its ISP will assign it a dynamic IP address. In other words, it will be
assigned a different address for every online session. If the computer is
online 24 hours a day without interruption (e.g. in the case of a flat rate
access), the IP address will even change during the session.
If a local computer should be accessible via the Internet, it must have an
address that is known to the remote system. Unless this is true, no connection can be established between the remote system and the local
computer. If the local computer's address is constantly changing, no connection can be setup. Unless, of course, the operator of the local computer has an account with a Dynamic DNS provider (DNS = Domain Name
Server).
In this case, he/she can define a domain name in URL format (URL - Uniform Resource Locator) at this Dynamic DNS provider under which the computer should be accessible in the future, e.g.: www.xyz.abc.de. The
Dynamic DNS provider also supplies a small program, which must be installed and run on this local computer. At each new Internet session, this
tool will inform the Dynamic DNS provider which IP address the local computer has currently been assigned. This Domain Name Server will register
the current assignment of Domain Name IP Address and will also inform
the other Domain Name Servers in the Internet.
If a remote system now attempts to establish a connection to the local computer, which is registered with the DynamicDNS provider, the remote system
can use the host name of the local system as its address. This will set up
a connection to the responsible DNS (Domain Name Server) to lookup the
IP address that is currently registered for this domain name. The corresponding IP address will now be sent back from the DNS to the remote
system, which can then use this as the destination address. The remote
system can now directly address the desired local computer.
In principle, all Internet addresses are based on this procedure: First, a
connection will be established to a DNS to look up the IP address
assigned for the domain name. Once that has been accomplished, this
"looked up" IP address will be used to set up a connection to the desired
remote site, which could be any site in the Internet.
D IP address
Every host or router in the Internet or an Intranet has an unambiguous IP
address (IP = Internet Protocol). The IP address is 32 bits (= 4 bytes) long
and is written as 4 three-digit numbers (each in the range from 0 to 255),
which are separated by a dot.
An IP address consists of 2 parts: the network address and the host
address.
Network address | Host address

Each host [or workstation] in a network has the same network address,
but a different host address. Depending on the size of the respective network - networks are categorized as Class A, B or C networks, which are
each different in size - the two parts of the address differ in length:

          1st byte     2nd byte     3rd byte     4th byte
Class A   Net addr.    Host addr.   Host addr.   Host addr.
Class B   Net addr.    Net addr.    Host addr.   Host addr.
Class C   Net addr.    Net addr.    Net addr.    Host addr.

Whether the IP address of a device in a network is Class A, B or C can
be seen in the first byte of the IP address. The following has been
specified:

          Value of the 1st byte   Bytes for the network address   Bytes for the host address
Class A   1-126                   1                               3
Class B   128-191                 2                               2
Class C   191-223                 3                               1

As you can see, there can be a worldwide total of 126 Class A networks
and each of these networks can have a maximum of 256 x 256 x 256
hosts (3 bytes of address space). There can be 64 x 256 Class B networks and each of these networks can have up to 65,536 hosts (2 bytes
address space: 256 x 256). There can be 32 x 256 x 256 Class C networks and each of these networks can have up to 256 hosts (1 byte
address space).
Subnet Mask see Subnet Mask on page 233.
D IPsec
IP Security (IPsec) is a standard, which uses encryption to verify the
authenticity of the sender and ensure the confidentiality and integrity of
the data in IP datagrams (> Datagram, page 229). The components of
IPsec are the Authentication Header (AH), the Encapsulating Security
Payload (ESP), the Security Association (SA) and the Internet Key Exchange (IKE).
To begin communication, the computers at both ends negotiate the mode
to be used: Transport Mode or Tunnel Mode.
In Transport Mode, an IPsec header will be inserted between the
IP header and the TCP or UDP header in each IP datagram. Since the
IP header remains unchanged, this mode is only suitable for a host-to-host connection.
In Tunnel Mode, an IPsec header and a new IP header will be added in
front of the entire IP datagram. As a consequence, the original datagram
will be encrypted in its entirety and sent as the payload of the new
datagram.
The Tunnel Mode is used in VPN applications: The devices at the tunnel
ends ensure that the datagrams are encrypted before they pass through
the tunnel so the actual datagrams are completely protected while being
transferred over the public network.

D NAT (Network Address Translation)
Using Network Address Translation (NAT), which is also often called IP masquerading, an entire network is hidden behind a single device,
which is known as a NAT router. The internal computers in the local network with their IP addresses remain hidden when you communicate with
the outside via a NAT router. The remote system outside will only see the
NAT router with its own IP address.
If the internal computers are to communicate directly with external systems (in the Internet), the NAT router must modify the IP datagrams that
are passed back and forth between the internal computers and the remote sites.
If an IP datagram is sent from the internal network to a remote site, the
NAT router will modify the IP and TCP headers of the outgoing datagrams. It replaces the source IP address and port with its own official IP
address and one of its own ports that is so far unused. It maintains a table in which the
original values are listed together with the corresponding new ones.
When a reply datagram is received, the NAT router will recognize from the
datagram's destination port that it is actually for an internal computer.
Using the table, the NAT router will replace the destination IP address and
port and pass the datagram on via the internal network.
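The translation table described above, as an added Python example (not code from the EAGLE manual or its firmware): outbound datagrams receive the router's official address and a so-far-unused port, and replies are mapped back through the table keyed by that port. All addresses and ports are constructed. In one point, marked in the code, it is stricter than the glossary's description: a reply is only forwarded when it comes from the remote site that was actually contacted.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    """Only the header fields the NAT router rewrites (a constructed model,
    not a real packet format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Hides an internal network behind one official IP address."""

    def __init__(self, public_ip: str, first_port: int = 40000,
                 last_port: int = 40009):
        self.public_ip = public_ip
        # Pool of not-yet-used public ports; small here so exhaustion is visible.
        self._free_ports = list(range(first_port, last_port + 1))
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # reverse lookup so a flow keeps its public port on later datagrams
        self._by_flow: dict[tuple[str, int, str, int], int] = {}

    def outbound(self, dg: Datagram) -> Datagram:
        """Rewrite a datagram leaving the internal network: the source
        address and port become the router's official address and a port
        that has not been used so far; the original values go into the table."""
        flow = (dg.src_ip, dg.src_port, dg.dst_ip, dg.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            if not self._free_ports:
                raise RuntimeError("no unused port left: NAT table is full")
            port = self._free_ports.pop(0)
            self.table[port] = flow
            self._by_flow[flow] = port
        return replace(dg, src_ip=self.public_ip, src_port=port)

    def inbound(self, dg: Datagram):
        """Map a reply arriving from outside back to the internal computer.
        Returns None when the datagram matches no table entry and is dropped."""
        if dg.dst_ip != self.public_ip:
            return None
        flow = self.table.get(dg.dst_port)
        if flow is None:
            return None  # unsolicited: no internal computer opened this port
        int_ip, int_port, remote_ip, remote_port = flow
        # Stricter than the glossary's description: the reply must also come
        # from the remote site that was contacted, not merely hit the port.
        if (dg.src_ip, dg.src_port) != (remote_ip, remote_port):
            return None
        return replace(dg, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")  # constructed official address
    out = nat.outbound(Datagram("192.168.1.10", 5000, "198.51.100.7", 80))
    print("as seen outside:", out)
    back = nat.inbound(Datagram("198.51.100.7", 80, "203.0.113.5", out.src_port))
    print("delivered inside as:", back)
    print("stray datagram:", nat.inbound(Datagram("198.51.100.7", 80, "203.0.113.5", 40009)))
```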
D Port Number
The Port Number field is a 2 byte field in the UDP and TCP header. Port
Numbers are used to identify the various data streams that are processed
simultaneously by the UDP/TCP. The entire exchange of data between
the UDP/TCP and the application processes is regulated via port numbers. The assignment of the port numbers to the application processes is
dynamic and random. Fixed port numbers are assigned for certain,
frequently used application processes. These are called "Assigned
Numbers".
D PPPoE
The acronym for Point-to-Point Protocol over Ethernet. This protocol is
based on the PPP and Ethernet standards. PPPoE defines how to connect users via Ethernet with the Internet via a jointly used broadband medium such as DSL, a Wireless LAN or a cable modem.
D PPTP
The acronym for Point-to-Point Tunneling Protocol. This protocol was developed in a cooperation between Microsoft, U.S. Robotics and others to
securely transfer data between VPN nodes (VPN (Virtual Private Network) on page 234) via a public network.

D Protocol, communication protocol
Devices, which communicate with each other, must follow the same rules.
They must "speak the same language". Such rules and standards are called protocols or communication protocols. Some of the more frequently
used protocols include, for example, IP, TCP, PPP, HTTP and SMTP.
TCP/IP is the general term for all protocols based on IP.
D Service Provider
Service providers are companies or institutions, which offer users access
to Internet or an online service.
D Spoofing, Anti-Spoofing
In Internet terminology, spoofing means supplying a false address. With
the false Internet address, the user can create the illusion of being an authorized user.
Anti-Spoofing is the term for mechanisms which detect or prevent spoofing.
D Subnet Mask
Normally, a company's network - with access to the Internet - is only
officially assigned a single IP address, e.g. 134.76.0.0. Based on the first
byte of this sample address, one can see that this company network is a
Class B network and therefore the last 2 bytes are free to be used for
host addresses. With a Class B network, the company network has
address space for up to 65,536 hosts (256 x 256).
Obviously, such a huge network is not practical. At this point, one can see
a need for subnetworks. The standard answers this need with the Subnet
Mask. Like an IP address, this mask is 4 bytes long. The bytes, which
represent the network address, are each assigned the value 255. The
main purpose of the mask is to "borrow" a portion of the host address
which can then be used to address the subnetworks. As an example, by
using the subnet mask 255.255.255.0 in a Class B network (2 bytes for
the network address, 2 bytes for the host address), the third byte, which
was actually intended for host addressing, can now be used for subnet
addressing. With this configuration, the company's network could support 256 subnetworks that each have 256 hosts.
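The class rule from the IP address entry and the subnet mask arithmetic above, worked through in Python as an added example (not from the EAGLE manual). It generalizes the 255.255.255.0 case to any contiguous mask, and adds a check the glossary does not mention: a mask that is not a run of 1 bits followed by 0 bits is rejected.

```python
# Network bytes per address class, as in the glossary's class table.
CLASS_NET_BYTES = {"A": 1, "B": 2, "C": 3}


def parse_ipv4(text: str) -> int:
    """Dotted decimal -> 32-bit integer; rejects anything that is not four
    numbers in the range 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four dot-separated numbers")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: each number must be in the range 0..255")
        value = (value << 8) | int(part)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(text: str) -> str:
    """Class A, B or C, decided by the first byte as in the glossary."""
    first = parse_ipv4(text) >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:  # 192 is the first value after the Class B range
        return "C"
    raise ValueError(f"{text!r}: first byte {first} is outside classes A to C")


def split_with_mask(text: str, mask_text: str) -> dict:
    """Split an address into network and host part with a subnet mask."""
    addr, mask = parse_ipv4(text), parse_ipv4(mask_text)
    host_part = (~mask) & 0xFFFFFFFF
    # A valid mask is 1 bits followed by 0 bits, so the inverted mask plus
    # one must be a power of two.
    if host_part & (host_part + 1):
        raise ValueError(f"{mask_text!r} is not a contiguous subnet mask")
    host_bits = host_part.bit_length()
    return {
        "network": to_dotted(addr & mask),
        "host": to_dotted(addr & host_part),
        "host_bits": host_bits,
        # counted as address space, like the glossary's 256 x 256
        "max_hosts": 2 ** host_bits,
    }


def classful_split(text: str) -> dict:
    """Split by class alone: 1, 2 or 3 network bytes, the rest host bytes."""
    cls = address_class(text)
    net_bits = 8 * CLASS_NET_BYTES[cls]
    mask = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF
    return {"class": cls, **split_with_mask(text, to_dotted(mask))}


def subnet_count(class_letter: str, mask_text: str) -> int:
    """Number of subnets a mask 'borrows' from the host part of a classful
    network; 255.255.255.0 in a Class B network gives 256."""
    split_with_mask("0.0.0.0", mask_text)  # validates that the mask is contiguous
    borrowed = bin(parse_ipv4(mask_text)).count("1") - 8 * CLASS_NET_BYTES[class_letter]
    if borrowed < 0:
        raise ValueError("mask is shorter than the network part of the class")
    return 2 ** borrowed


if __name__ == "__main__":
    # The glossary's sample company network 134.76.0.0 is Class B.
    print(classful_split("134.76.12.34"))
    print(split_with_mask("134.76.12.34", "255.255.255.0"))
    print(subnet_count("B", "255.255.255.0"))
```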
D Symmetrical encryption
In the case of symmetrical encryption, the same key is used to encrypt
and decrypt the data. Two examples of symmetrical encryption algorithms are DES and AES. They are fast, but as the number of users
increases the administration becomes rather involved.

D TCP/IP (Transmission Control Protocol/Internet Protocol)
This is a network protocol. It is used to connect two computers in the Internet.
IP ist das Basisprotokoll.
UDP is based on IP and sends individual packets. The packets may arrive
at the recipient in an order different from that in which they were sent or
they may even be lost.
TCP secures the connection and ensures, for example, that data packets
are passed on the application in the right order.
UDP and TCP add the Port Numbers 1 to 65535 to the IP addresses. The
various services offered by the protocols may be distinguished by these
Port Numbers.
A number of additional protocols are based on UDP and TCP, e.g. HTTP
(HyperText Transfer Protocol), HTTPS (Secure HyperText Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol, Version 3) and DNS (Domain Name Service)..
ICMP is based on IP and adds control messages.
UDP is based on IP and sends individual packets.
SMTP is an e-mail protocol that is based on TCP.
IKE is an IPsec protocol that is based on UDP.
ESP is an IPsec protocol that is based on IP.
On a Windows PC, the WINSOCK.DLL (or WSOCK32.DLL) handles both
protocols.
(see datagram, page 229)
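As an added worked example (illustration code written for this glossary entry, not software from the EAGLE product), the following Python script dissects the layering described above: it reads the IPv4 header, verifies its checksum, and then, depending on the protocol number, extracts the UDP or TCP port numbers, the ICMP type, or the ESP SPI. The four datagrams at the bottom are constructed by hand with hypothetical addresses (10.0.0.5, 10.0.0.1, 203.0.113.9); they are not captures from the device. The example goes slightly beyond the text in one respect: it shows why a port-based firewall rule can classify IKE (UDP port 500) but cannot look inside ESP, which has no ports.

```python
"""Added worked example: dissecting the IP -> ICMP/UDP/TCP/ESP layering.

This is illustration code written for this glossary entry, not software
from the EAGLE product. The datagrams at the bottom are constructed by
hand (they are not captures) so the script runs offline.
"""
import struct

# IP protocol numbers from the IANA "Assigned Numbers" registry
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_ESP: "ESP"}
IKE_PORT = 500  # IKE is carried in UDP; ESP sits directly on IP

# TCP flag bits in the low byte of the data-offset/flags word
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over a header whose
    checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 datagram (20-byte header, no options)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def _need(body: bytes, n: int, what: str) -> None:
    if len(body) < n:
        raise ValueError("truncated %s header" % what)


def dissect(packet: bytes) -> dict:
    """Return the fields a packet filter needs from one IPv4 datagram:
    addresses, protocol and, where the protocol has them, port numbers."""
    _need(packet, 20, "IPv4")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": PROTO_NAMES.get(proto, str(proto))}
    body = packet[ihl:total_len]
    if proto == PROTO_UDP:
        _need(body, 8, "UDP")
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport, payload_len=ulen - 8,
                    ike=IKE_PORT in (sport, dport))
    elif proto == PROTO_TCP:
        _need(body, 20, "TCP")
        sport, dport, seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", body[:20])
        info.update(sport=sport, dport=dport, seq=seq,
                    flags=[name for bit, name in TCP_FLAGS if off_flags & bit],
                    # a bare SYN opens a new connection: what a stateful
                    # filter checks before admitting further packets
                    new_connection=(off_flags & 0x3F) == 0x02)
    elif proto == PROTO_ICMP:
        _need(body, 4, "ICMP")
        itype, icode = struct.unpack("!BB", body[:2])
        info.update(icmp_type=itype, icmp_code=icode)
    elif proto == PROTO_ESP:
        _need(body, 8, "ESP")
        spi, seq = struct.unpack("!II", body[:8])
        # ESP has no port numbers; everything after SPI and sequence number
        # is encrypted, so a port-based rule cannot look inside the tunnel.
        info.update(spi=spi, seq=seq, ports_visible=False)
    return info


# Constructed sample datagrams (hypothetical addresses, not captures)
IKE_PKT = build_ipv4("10.0.0.5", "203.0.113.9", PROTO_UDP,
                     struct.pack("!HHHH", IKE_PORT, IKE_PORT, 12, 0) + b"\x00" * 4)
SYN_PKT = build_ipv4("10.0.0.5", "10.0.0.1", PROTO_TCP,
                     struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (5 << 12) | 0x02, 8192, 0, 0))
ESP_PKT = build_ipv4("10.0.0.5", "203.0.113.9", PROTO_ESP,
                     struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16)
PING_PKT = build_ipv4("10.0.0.5", "10.0.0.1", PROTO_ICMP,
                      struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for pkt in (IKE_PKT, SYN_PKT, ESP_PKT, PING_PKT):
        print(dissect(pkt))
```

A datagram whose header has been altered in transit (the usage in the test flips the TTL byte) fails the checksum test and is rejected before any port field is read; a real filter should treat such packets the same way rather than guess at their contents.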
VPN (Virtual Private Network)
A Virtual Private Network (VPN) connects several separate private
networks (subnets) together via a public network, e.g. the Internet, to
form a single joint network. A cryptographic protocol (IPsec in the case
of the EAGLE) is used to ensure confidentiality and authenticity of the
traffic crossing the public network. A VPN thus offers an economical
alternative to using dedicated lines to build a nationwide corporate
network.
Index

Numerics
3DES 129, 227
3DES-168 130

ACA 53, 155
Administration 142
Administrator interface 158
Administrator password 47
Administrators 177
ADSL 229
AES 121, 227
AES-256 130
Agent alarm 155
AH 231
Air humidity 12
Air temperature 12
Alarm 154
American National Bureau of Standard 227
Anti-Spoofing 233
Assigned Numbers 232
Asymmetrical encryption 227
Authentication 128, 167
Authentication Header 231
Authenticity 228, 231, 234
Authorization level 157
Auto Configuration Adapter 53, 155
Automatic Configuration 91
Autonegotiation 52

Browser 77, 159

CA 228
Cache 70
CE 14
Certification Authority 228
Chassis alarm 155
Checksum 229
Checksum algorithm 130
CIDR 111, 113, 118, 161, 164, 168, 171, 183
Class A 230
Client 33, 34, 36, 37, 131, 147, 229
Climatic 12
Communication protocol 233
Configuration 65, 91
Configuration setting 179
Cryptographic protocol 234

Datagram 128
DES 167, 227
Destination IP address 229, 232
Destination NA 114
Destination port 229
DHCP 97, 102, 106, 142, 147, 155, 198
DHCP client 147
DHCP server 155, 193, 195, 197, 198
Digital signature 227, 228
Distinguished Name 228
DN 228
DNS 141, 229, 230, 234
Domain address 141
Domain name 144, 229
Domain nameserver 141
Domain suffix 142
DSL 232
Dual Homing 93
Dynamic DNS provider 229
Dynamic IP address 229
DynamicDNS 229
DynDNS Login 146
DynDNS Password 146
DynDNS server 144, 146, 181
DynDNS Service 124

Electromagnetic compatibility 14
EMC 14
Encapsulating Security Payload 231
Encryption 227, 231
ESP 231, 234
ESP-Header 229
EU conformity declaration 14

Factory setting 67, 110, 117
FAQ 209
FCC 15
Fingerprint 228
Firewall 68, 109
Firmware 187
Flat rate 229
Forward 115

Gateway 124, 139, 181
Ground 12, 51
Ground cable 54
Ground screw 54

Hardware 177
Hash 130, 228
Hash algorithms 121
HCP server 148
Header 114
HiDiscovery 59, 86
Host address 230, 233
Hostname 142
Hostname mode 142
HTTP 158
HTTPS 67, 71, 234
HTTPS login 155
HTTPS Remote Access 160, 181

IANA 111
ICMP 111, 113, 234
IKE 231, 234
Indicator contact 42
Internet Key Exchange 231
Internet Protocol 62
Internet Service Provider 104, 105, 124, 144
IP 111, 113, 234
IP address 63, 124, 230
IP datagram 229
IP header 231
IP masquerading 116
IP Security 231
IP-Header 229
IP-Masquerading 232
IPsec 121, 129, 138, 227, 228, 231
IPsec connection 121
IPsec header 231
IPsec Status 139
ISAKMP 130, 139
ISDN 229
ISP 104, 105, 144, 229

Key exchange 130

L2TP 126, 131
L2TP status 140
LAN adapter 62
Language 159, 182
Language setting 159
Linux 198
Local configuration 65
Login 69, 104, 105, 142

MAC address 101
Main Mode 121
MARS 228
MD5 121, 130, 167
Modem 72, 229
Modem cable 54
Monitoring proper functioning 88
MS Internet Explorer 68

NAT 116, 121, 232
NAT router 121, 232
National Institute of Standards and Technology 227
NAT-T 121
Netmask 132
Network address 230, 233
Network Address Translation 116, 232
Network coupling 93
Network mask 97, 131
Network Time Protocol 149
Network traffic 101
NIST 227
Norms 211
NSA 227
NTP 149

Online service 233
Operating mode 91
Operating system 194

Password 69, 104, 105, 167
PELV 11
Perfect Forward Secrecy 131
PFS 126, 131
Phone line 229
Phone number 73
Point-to-Point Protocol 232
Point-to-Point Tunneling Protocol 232
Pollution Degree 12
POP3 111, 113, 234
Port number 71, 111, 161, 232
Power Supply 155
PPP 126, 232
PPP connection 138
PPPoE 180, 232
PPPoE Login 104, 105
PPPoE mode 97, 117
PPPoE Password 104, 105
PPTP 180, 232
Pre-Shared Key 128, 129

Private Key 227
Private network 234
Profile 82
Protocol 233
Provider 97, 142
Provider defined 142
Proxy server 68
PSK 129
Public Key 128, 227, 228
Public network 234

Quick Mode 121

RC6 228
Reboot 174
Recovery 45
Recovery button 193
Recovery procedure 187
Recovery status 193
Recovery switch 187
Recycling 15
Redundant coupling 93
Redundant power supply 88
Refresh Interval 146
Relay contact 88
Remote configuration 65
Remove 54
Restart 189, 192
RFC 1518 183
Rijndael 228
Ring coupling 93
Root 157
Root password 47, 157
Router 180, 230
Router mode 97
RSA 227

S/MIME 228
SA 231
SA Lifetime 121
Safety certificates 121
Safety regulations 13
Security 155
Security Association 231
Security notice 69
SELV 11
Serpent 228
Server 229
Service names 111
Service Provider 233
SHA-1 121, 130

Shell login 155
Shielding ground 11
Signal contact 49, 88
Signature 228
Simple Network Management Protocol 166
SMTP 234
Snap-in guide 50
Snapshot.tar.gz 179
SNMP 166
Software module 176
Software version 182
Source IP address 229
Source port 229
Spoofing 233
SSH 142, 157
SSH remote access 163, 181
SSL 67, 71
Standard gateway 62, 68, 97
Standards 211
State on delivery 96, 157, 194
Stateful Packet Inspection 109
Stealth mode 124
Subnet 233, 234
Subnet mask 147, 233
Subnetwork 148
Subnetwork mask 63
Supply voltage 11, 41, 42, 49
Support 177, 209
Surrounding air temperature 12
Symmetrical encryption 227
System time 149
System update 174
System Uptime 182

TCP 111, 113, 234
TCP header 231, 232
TCP/IP 33, 77, 149, 229
TCP-Header 229
Telephone network 72
Temperature 12, 155
Terminal block 50
Terminal cable 54
TFTP 198
TFTP server 193, 195, 197, 198
TFTP service 198
Traffic 139
Transparent 33, 111, 113, 134, 162, 165, 168, 172, 180
Transparent mode 96, 111, 113, 192
Transport Mode 231
Trap 154
Tunnel Mode 231
Tunnels 129
Twofish 228

UDP 111, 113, 232, 234
UDP header 229, 231
Update 174
URL 229
User defined 142
User name 69, 104, 105
User password 158

V.24 interface 53
V.24 port 72
Virtual Private Network 234
VPN 232, 234
VPN application 231
VPN client 33
VPN connection 109, 117, 121, 144, 181
VT100 53

WAN 71, 97, 180
Web browser 67, 71, 161
Windows system 196
Wireless 232

X.509 128, 228
