Select the software level at order time
L2S covers basic switching and redundancy. L2A adds security features (ACLs, 802.1X). L3S adds routing. L3A adds multicast routing and ECMP. Upgrade in the field with a license key.
12.2 HiOS Operating System
The previous section introduced the Hirschmann product families. Every managed Hirschmann switch runs 1 of 3 operating systems: HiOS (Hirschmann Industrial Operating System), HiEOS (Hirschmann Entry Operating System), or HiSecOS (Hirschmann Security Operating System). The operating system determines the available features.
Why Software Levels Matter
Section titled “Why Software Levels Matter”A network with 50 switches from 3 product families (BOBCAT, MSP, RSPE) uses the same CLI commands, the same web interface layout, and the same SNMP MIBs when the switches run HiOS. The software level (L2S, L2A, L3S, L3A) controls the available protocols and features. Upgrading the software level on existing hardware adds features without replacing the switch.
HiOS Software Levels
Section titled “HiOS Software Levels”L2S (Layer 2 Standard)
Section titled “L2S (Layer 2 Standard)”L2S provides the base managed feature set. L2S includes MRP (client and manager), RSTP (802.1D-2004), VLAN (802.1Q), LACP, SNMP v1/v2c/v3, SSH, HTTPS, LLDP, port mirroring, RMON, syslog, and basic QoS (802.1p priority queuing). L2S is available on RSP, RSPE, GREYHOUND 1020/1030, and RED switches.
L2A (Layer 2 Advanced)
Section titled “L2A (Layer 2 Advanced)”L2A adds IGMP snooping/querier (v1/v2/v3), GVRP, MVRP, MMRP, port-based access control (802.1X) with RADIUS, MAC authentication bypass, guest VLAN, DHCP snooping, IP source guard, dynamic ARP inspection, DoS prevention, ingress/egress ACLs (MAC-based, IPv4-based, VLAN-based), time-based ACLs, advanced QoS with egress shaping and ingress storm defense, and RSPAN. L2A is available on BOBCAT, MSP, RSPE, GREYHOUND 100/103/105/106/1040, and DRAGON MACH4x00.
L3S (Layer 3 Standard)
Section titled “L3S (Layer 3 Standard)”L3S adds static unicast routing, OSPFv2, RIPv1/v2, VRRP, VLAN-based router interfaces, loopback interfaces, ICMP filtering, and proxy ARP. L3S is available on RSP and RSPE.
L3A (Layer 3 Advanced)
Section titled “L3A (Layer 3 Advanced)”L3A adds multicast routing: IGMP proxy, DVMRP, PIM-DM (RFC 3973), PIM-SM/SSM (RFC 4601). L3A also adds Equal-Cost Multi-Path (ECMP) routing, ICMP Router Discovery (IRDP), and static route tracking. L3A is available on MSP40, GREYHOUND 1040, and DRAGON MACH4x00.
| Feature | L2S | L2A | L3S | L3A |
|---|---|---|---|---|
| MRP, RSTP, VLAN, LACP | Yes | Yes | Yes | Yes |
| SNMP v3, SSH, HTTPS | Yes | Yes | Yes | Yes |
| 802.1X, RADIUS, ACLs | No | Yes | Yes | Yes |
| DHCP snooping, ARP inspection | No | Yes | Yes | Yes |
| IGMP snooping (advanced) | No | Yes | Yes | Yes |
| Static routing | No | No | Yes | Yes |
| OSPF, RIP, VRRP | No | No | Yes | Yes |
| Multicast routing (PIM) | No | No | No | Yes |
| ECMP | No | No | No | Yes |
HiEOS (Hirschmann Entry Operating System)
Section titled “HiEOS (Hirschmann Entry Operating System)”HiEOS runs on LEMUR lite managed switches. HiEOS provides essential Layer 2 switching with a simplified, intuitive web GUI designed for users without specialized IT knowledge. HiEOS includes MRP client, RSTP, ERPS (G.8032), VLAN (802.1Q), IGMP snooping, QoS, SNMP v1/v2/v3, SSH, HTTPS, port mirroring, syslog, and MAC address limit per port.
HiEOS does not include 802.1X, RADIUS, ACLs, DHCP snooping, Layer 3 routing, or the full HiOS CLI command set. HiEOS trades feature depth for simplicity and lower cost.
| Capability | HiEOS (LEMUR) | HiOS L2S |
|---|---|---|
| Web GUI | Simplified, responsive | Full HiOS interface |
| CLI | Limited | Full Cisco-like CLI |
| MRP | Client only | Client + Manager |
| RSTP | Yes | Yes |
| ERPS (G.8032) | Yes | No (L2A adds it) |
| 802.1X / RADIUS | No | No (L2A adds it) |
| ACLs | No | No (L2A adds it) |
| Price point | Lower | Higher |
HiSecOS (Hirschmann Security Operating System)
Section titled “HiSecOS (Hirschmann Security Operating System)”HiSecOS runs on the EAGLE40 Next-Generation Firewall. HiSecOS combines routing and switching with stateful firewall, Deep Packet Inspection (DPI), IPSec VPN, OSPF, and VRRP. HiSecOS meets IEEE 1686 requirements: audit trail logging, user management with password policies, and role-based access control.
DPI suites inspect industrial protocol payloads:
- Industrial Automation Suite: EtherNet/IP enforcer + Modbus enforcer + OPC enforcer
- Substation Suite: IEC 104 enforcer + DNP3 enforcer + GOOSE enforcer + Modbus enforcer
- Unified Suite: combines both suites
Access Methods
Section titled “Access Methods”| Method | Protocol | Default State | Recommended |
|---|---|---|---|
| Web GUI | HTTP / HTTPS | HTTP enabled | HTTPS only |
| CLI | Telnet / SSH | Telnet enabled | SSH only |
| SNMP | v1/v2c/v3 | v1/v2c enabled | SNMPv3 only |
| Serial console | RS-232 / V.24 | Available | Physical access |
The default management IP is 192.168.1.1/24. Default credentials are admin / private (older firmware) or a device-specific password printed on the label (newer firmware). Change the password immediately on first access.
Access the CLI via SSH. HiOS CLI uses Cisco-like syntax:
enable # Enter privileged modeconfigure # Enter configuration modeshow interfaces # Show port statusshow vlan # Show VLAN tableshow mrp # Show MRP statusshow log # Show event logcopy running-config startup-config # Save configurationSNMP Management
Section titled “SNMP Management”HiOS supports SNMP for integration with network management systems. Key MIBs include RFC1213-MIB (standard interface statistics), HIRSCHMANN-MRP-MIB (ring status), and IF-MIB (interface counters). SNMP traps fire for link up/down events, MRP topology changes, authentication events, and temperature alarms.
Firmware Updates and Configuration Backup
Section titled “Firmware Updates and Configuration Backup”To upload firmware, open the web interface at Basic Settings → Load/Save → Software. Test updates on a non-production switch first. To back up the configuration, navigate to Basic Settings → Load/Save → Configuration → Download. The configuration file uses XML format. Store the configuration file in version control for history, comparison, and rapid recovery. HiOS supports dual software images: upload the new firmware to the inactive image slot, verify the firmware, then switch the active image.
Key Takeaways
Section titled “Key Takeaways”HiEOS trades depth for simplicity
LEMUR switches with HiEOS cost less and configure faster. HiEOS lacks 802.1X, ACLs, and Layer 3 routing. Use HiEOS where those features are unnecessary.
HiSecOS runs on firewalls only
EAGLE40 runs HiSecOS with DPI, VPN, and audit trail. HiSecOS is a separate operating system from HiOS with different CLI syntax.
What Comes Next
Section titled “What Comes Next”HiOS manages individual switches. Managing an entire network of switches requires a network management system. The next section covers HiVision, the Hirschmann network management software for topology discovery, monitoring, and event management.
References
Section titled “References”- Belden/Hirschmann. (2024). Hirschmann Essentials Product Catalog. Belden Inc.
- Hirschmann. (2024). HiOS Reference Manual. Belden/Hirschmann.
- Hirschmann. (2024). HiSecOS Reference Manual. Belden/Hirschmann.