The previous section introduced the Hirschmann product families. Every managed Hirschmann switch runs one of three operating systems: HiOS (Hirschmann Industrial Operating System), HiEOS (Hirschmann Entry Operating System), or HiSecOS (Hirschmann Security Operating System). The operating system determines the available features.
A network with 50 switches from three product families (BOBCAT, MSP, RSPE) uses the same CLI commands, the same web interface layout, and the same SNMP MIBs, as long as all run HiOS. The software level (L2S, L2A, L3S, L3A) controls which protocols and features are available. Upgrading the software level on existing hardware adds features without replacing the switch.
L2S is the base managed feature set. It includes MRP (client and manager), RSTP (802.1D-2004), VLAN (802.1Q), LACP, SNMP v1/v2c/v3, SSH, HTTPS, LLDP, port mirroring, RMON, syslog, and basic QoS (802.1p priority queuing). Available on RSP, RSPE, GREYHOUND 1020/1030, and RED switches.
L2A adds IGMP snooping/querier (v1/v2/v3), GVRP, MVRP, MMRP, port-based access control (802.1X) with RADIUS, MAC authentication bypass, guest VLAN, DHCP snooping, IP source guard, dynamic ARP inspection, DoS prevention, ingress/egress ACLs (MAC-based, IPv4-based, VLAN-based), time-based ACLs, advanced QoS with egress shaping and ingress storm protection, and RSPAN. Available on BOBCAT, MSP, RSPE, GREYHOUND 100/103/105/106/1040, and DRAGON MACH4x00.
L3S adds static unicast routing, OSPFv2, RIPv1/v2, VRRP, VLAN-based router interfaces, loopback interfaces, ICMP filtering, and proxy ARP. Available on RSP and RSPE.
L3A adds multicast routing: IGMP proxy, DVMRP, PIM-DM (RFC 3973), PIM-SM/SSM (RFC 4601). It also adds Equal-Cost Multi-Path (ECMP) routing, ICMP Router Discovery (IRDP), and static route tracking. Available on MSP40, GREYHOUND 1040, and DRAGON MACH4x00.
| Feature | L2S | L2A | L3S | L3A |
|---|---|---|---|---|
| MRP, RSTP, VLAN, LACP | Yes | Yes | Yes | Yes |
| SNMP v3, SSH, HTTPS | Yes | Yes | Yes | Yes |
| 802.1X, RADIUS, ACLs | No | Yes | Yes | Yes |
| DHCP snooping, ARP inspection | No | Yes | Yes | Yes |
| IGMP snooping (advanced) | No | Yes | Yes | Yes |
| Static routing | No | No | Yes | Yes |
| OSPF, RIP, VRRP | No | No | Yes | Yes |
| Multicast routing (PIM) | No | No | No | Yes |
| ECMP | No | No | No | Yes |
HiEOS runs on LEMUR lite managed switches. It provides essential Layer 2 switching with a simplified, intuitive web GUI designed for users without specialized IT knowledge. HiEOS includes MRP client, RSTP, ERPS (G.8032), VLAN (802.1Q), IGMP snooping, QoS, SNMP v1/v2/v3, SSH, HTTPS, port mirroring, syslog, and MAC address limit per port.
HiEOS does not include 802.1X, RADIUS, ACLs, DHCP snooping, Layer 3 routing, or the full HiOS CLI command set. It trades feature depth for simplicity and lower cost.
| Capability | HiEOS (LEMUR) | HiOS L2S |
|---|---|---|
| Web GUI | Simplified, responsive | Full HiOS interface |
| CLI | Limited | Full Cisco-like CLI |
| MRP | Client only | Client + Manager |
| RSTP | Yes | Yes |
| ERPS (G.8032) | Yes | No (L2A adds it) |
| 802.1X / RADIUS | No | No (L2A adds it) |
| ACLs | No | No (L2A adds it) |
| Price point | Lower | Higher |
HiSecOS runs on the EAGLE40 Next-Generation Firewall. It combines routing and switching with a stateful firewall, Deep Packet Inspection (DPI), IPSec VPN, OSPF, and VRRP. It is designed to meet IEEE 1686 requirements: audit trail logging, user management with password policies, and role-based access control.
DPI protection suites inspect industrial protocol payloads:
| Method | Protocol | Default State | Recommended |
|---|---|---|---|
| Web GUI | HTTP / HTTPS | HTTP enabled | HTTPS only |
| CLI | Telnet / SSH | Telnet enabled | SSH only |
| SNMP | v1/v2c/v3 | v1/v2c enabled | SNMPv3 only |
| Serial console | RS-232 / V.24 | Available | Physical access |
The default management IP is 192.168.1.1/24. Default credentials are admin / private (older firmware) or a device-specific password printed on the label (newer firmware). Change the password immediately on first access.
Access the CLI via SSH. HiOS CLI uses Cisco-like syntax:
```
enable                              # Enter privileged mode
configure                           # Enter configuration mode
show interfaces                     # Show port status
show vlan                           # Show VLAN table
show mrp                            # Show MRP status
show log                            # Show event log
copy running-config startup-config  # Save configuration
```
HiOS supports SNMP for integration with network management systems. Key MIBs include RFC1213-MIB (standard interface statistics), HIRSCHMANN-MRP-MIB (ring status), and IF-MIB (interface counters). SNMP traps fire for link up/down events, MRP topology changes, authentication failures, and temperature alarms.
Upload firmware via the web interface at Basic Settings → Load/Save → Software. Test updates on a non-production switch first. Back up the configuration at Basic Settings → Load/Save → Configuration → Download. The configuration file is XML. Store it in version control for history, comparison, and rapid recovery. HiOS supports dual software images: upload the new firmware to the inactive image slot, verify, then switch the active image.
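The comparison step for versioned XML backups can be automated. The following is an added example, not Hirschmann code: it diffs two configuration exports by element path and redacts secret values so the change report is safe to paste into a ticket. The element names in the sample data and the `SENSITIVE` list are assumptions, not the real HiOS schema.

```python
import xml.etree.ElementTree as ET

# Assumed tag-name fragments whose values must never appear in diff output.
SENSITIVE = ("password", "community", "secret")

def flatten(xml_text):
    """Map every leaf element and attribute to a positional path -> value."""
    # Backups here come from your own switches; parse files of uncertain
    # origin with a hardened parser such as defusedxml instead.
    out = {}
    def walk(elem, path):
        for name, value in elem.attrib.items():
            out[f"{path}/@{name}"] = value
        children = list(elem)
        if not children:
            out[path] = (elem.text or "").strip()
        seen = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")
    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag)
    return out

def shown(path, value):
    """Hide secret values while still reporting that they changed."""
    if value is not None and any(s in path.lower() for s in SENSITIVE):
        return "<redacted>"
    return value

def diff_configs(old_xml, new_xml):
    """Return (kind, path, old, new) tuples, sorted by path."""
    old, new = flatten(old_xml), flatten(new_xml)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path), new.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        changes.append((kind, path, shown(path, before), shown(path, after)))
    return changes

# Constructed sample exports; element names are illustrative, not the HiOS schema.
OLD = ("<config><system><name>ring-sw-01</name></system><mgmt>"
       '<service name="telnet">enabled</service><service name="ssh">enabled</service>'
       "</mgmt><snmp><community>public</community></snmp></config>")
NEW = (OLD.replace('"telnet">enabled', '"telnet">disabled')
          .replace("public", "r1ng-ro")
          .replace("</mgmt>", '<service name="https">enabled</service></mgmt>'))
```

Paths are positional, so inserting an element in the middle of a list shifts the indices of its later siblings and shows up as several changes.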
Choose the software level at order time
L2S for basic switching and redundancy. L2A for security features (ACLs, 802.1X). L3S for routing. L3A for multicast routing and ECMP. Upgrade in the field with a license key.
HiEOS trades depth for simplicity
LEMUR switches with HiEOS cost less and configure faster. They lack 802.1X, ACLs, and Layer 3 routing. Use them where those features are unnecessary.
HiSecOS is for firewalls only
EAGLE40 runs HiSecOS with DPI, VPN, and audit trail. It is a separate operating system from HiOS with different CLI syntax.
HiOS manages individual switches. Managing an entire network of switches requires a network management system. The next section covers HiVision, Hirschmann’s network management software for topology discovery, monitoring, and event management.