AT-S62 Management Software Menus Interface User's Guide
AT-8500 Series Layer 2+ Fast Ethernet Switches
Version 1.4.0
613-000124 Rev.
Copyright © 2006 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Preface

This guide contains instructions on how to configure an AT-8500 Series Layer 2+ Fast Ethernet Switch using the menus interface in the AT-S62 management software. For instructions on how to manage the switch from the web browser interface or the command line interface, refer to the AT-S62 Web Browser Interface User's Guide and the AT-S62 Command Line Interface User's Guide. These guides are available from the Allied Telesyn web site.
How This Guide is Organized

This manual is divided into the following sections.

Section I: Basic Operations
The chapters in this section explain how to perform basic switch operations, such as setting port parameters, creating port trunks, and viewing the MAC address table.

Section II: Advanced Operations
The chapters in this section explain some of the more advanced operations, such as using the file system, downloading and uploading files, and configuring Quality of Service.
Document Conventions

This document uses the following conventions:

Note
Notes provide additional information.

Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.

Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them to a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.

Online Support
You can request technical support online by accessing the Allied Telesyn Knowledge Base from the following web site: www.alliedtelesyn.com/kb. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
New Features History

The following subsection contains the new features in the AT-S62 management software.

Version 1.4.0

Table 1 lists the new features in version 1.4.0 of the AT-S62 management software.

Table 1. New Features in AT-S62 Version 1.4.0 (columns: Change; Chapter and Procedure)

Change: Fan Control Feature for the AT-8524POE Switch. New feature.
Change: 802.1x Port-based Network Access Control. Added the following new features to 802.1x authenticator ports:

- Supplicant mode for supporting multiple supplicants on an authenticator port. For background information, see "Authenticator Ports with Single and Multiple Supplicants" on page 649.
- Guest VLAN. For background information, see "Guest VLAN" on page 657.
Chapter 1: Overview

This chapter reviews the functions of the AT-S62 management software, the types of management sessions supported by the switch, and the management access levels.
Management Overview

The AT-S62 management software allows you to monitor and adjust the operating parameters of an AT-8500 Series switch and includes the following features:

- Basic operations such as configuring port and switch parameters, enhanced stacking, SNMPv1 and v2c, trunking, and mirroring
- Advanced operations including file uploads and downloads, event logging, traffic classifiers, access control lists, denial of service defense, Quality of Service (QoS), Class of Service
Local Management Session

To establish a local management session with an AT-8500 Series switch, you connect a terminal or a PC with a terminal emulator program to the RS232 Terminal Port on the switch, using the straight-through RS-232 management cable included with the unit. The RS232 Terminal Port is located on the front panel of the AT-8516F/SC, AT-8524M, and AT-8524POE switches and the back panel of the AT-8550GB and AT-8550SP switches.
Telnet Management Session

You can remotely manage the switch from a workstation on your network using the Telnet application protocol. This type of management session is referred to in this guide as a remote management session because you do not have to be in the wiring closet where the switch is located. To establish a Telnet management session with a switch, there must be at least one enhanced stacking switch in the subnet with an IP address.
Web Browser Management Session

You can also use a web browser from a management workstation on your network to manage a switch. This too is referred to as remote management because you can be anywhere on your network when managing the device. This method of management, as with Telnet management, requires that the switch have an IP address or be part of an enhanced stack.
SNMP Management Session

Another way to remotely manage the switch is with an SNMP management program. AT-S62 software supports SNMPv1, SNMPv2c, and SNMPv3. You need to be familiar with Management Information Base (MIB) objects to configure a switch using SNMP management.
Management Access Levels

There are two levels of management access in the AT-S62 management software: Manager and Operator. Manager access gives you the power to view and configure all of a switch's operating parameters. Operator access only allows you to view the operating parameters; you cannot change any values. The switch has two default login accounts. For Manager access, the login name is "manager" and the default password is "friend".
Section I: Basic Operations

The chapters in this section cover a variety of basic switch features and functions.
Chapter 2: Starting a Local or Telnet Management Session

This chapter contains the procedures for starting a local or Telnet management session on an AT-8500 Series switch.
Local Management Session

To establish a local management session, you connect a terminal or PC with a terminal emulator program to the RS232 Terminal Port on the switch. The RS232 Terminal Port is located on the front panel of the AT-8516F/SC, AT-8524M, and AT-8524POE switches and the back panel of the AT-8550GB and AT-8550SP switches.
Starting a Local Management Session

To start a local management session, perform the following procedure:

1. Connect one end of the straight-through RS232 management cable to the RS232 Terminal Port on the front panel of the switch.

Figure 1. Connecting a Terminal or PC to the RS232 Terminal Port

2.
settings, enter "operator" as the user name. The default password for operator access is "operator". Usernames and passwords are case-sensitive. For information on the two access levels, refer to "Management Access Levels" on page 35. (For instructions on how to change a password, refer to "Configuring the Manager and Operator Passwords" on page 58.)

After logging on, you will see the window in Figure 2. This is the command prompt interface.
Enhanced Stacking

When you start a local management session on a switch configured as a Master switch, you can manage all the switches in the enhanced stack from the same management session. This saves you the time and trouble of having to start a separate local management session each time you want to manage a switch in your network. It also saves you from having to go to the different wiring closets where the switches are located.
Telnet Management Session

You can use the Telnet application protocol from a workstation on your network to manage an AT-8500 Series switch. This type of management is referred to as remote management because, unlike with a local management session, you do not have to be physically close to the switch to start the session. Any workstation on your network that has the application protocol can be used to manage the unit.
Note
You can run only one Telnet management session on a switch at a time. Additionally, you cannot run both a Telnet management session and a local management session on the same switch at the same time.

Quitting a Telnet Management Session

To end a Telnet management session, return to the Main Menu and type Q for Quit.
Saving Your Parameter Changes

When you make a change to a switch parameter, the change is, in most cases, immediately activated on the switch as soon as you enter it. However, most parameter changes are initially saved only to temporary memory in the switch and will be lost the next time you reset or power cycle the unit. To permanently save your changes, you must select the S Save Configuration Changes option from the Main Menu.
Ports 49R and 50R on the AT-8550GB and AT-8550SP Switches

This section applies to the 10/100/1000Base-T twisted pair ports 49R and 50R and the SFP and GBIC slots on the AT-8550GB and AT-8550SP switches. Note the following when configuring these ports:

- Twisted pair ports 49R and 50R change to the redundant status mode when an SFP or GBIC module is installed and establishes a link with its end node.
Chapter 3: Basic Switch Parameters

This chapter contains a variety of information and procedures. There is a discussion on when to assign an IP address to a switch and the different ways to do it. There are also procedures for resetting the switch, activating the switch default settings, and more.
When Does a Switch Need an IP Address?

One of the tasks in building or expanding a network is deciding which managed switches need to be assigned a unique IP address. The rule used to be that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application protocol. However, if a network contained a lot of managed switches, having to assign each one an IP address was often cumbersome and time consuming.
How Do You Assign an IP Address?

After you have decided which, if any, switches on your network need an IP address, you must access the AT-S62 software on the switches and assign the addresses. There are two ways in which a switch can obtain an IP address. The first method is for you to assign the IP configuration information manually. The procedure for this is explained in "Configuring an IP Address and Switch Name" on page 52.
Configuring an IP Address and Switch Name

The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch from a local or Telnet management session. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure "Activating the BOOTP or DHCP Client Software" on page 55.)
The System Configuration menu is shown in Figure 5.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch                    User: Manager   11:20:02 02-Jan-2006

    System Configuration

    1 - BOOTP/DHCP .............. DISABLE
    2 - IP Address .............. 0.0.0.0
    3 - Subnet Mask ............. 0.0.0.
    4 - Default Gateway .........
    5 - System Name .............
    6 - Location ................
    7 - Administrator ...........
    8 - Configure System Time
    9 - Fan Control Configuration
3 - Subnet Mask
This parameter specifies the subnet mask for the switch. You must specify a subnet mask if you assigned an IP address to the switch. The subnet mask must be entered in the format: xxx.xxx.xxx.xxx. The default value is 255.255.0.0.

4 - Default Gateway
This parameter specifies the default router's IP address. This address is required if you intend to remotely manage the switch from a management station that is separated from the switch by a router.
Activating the BOOTP or DHCP Client Software

The BOOTP and DHCP application protocols can simplify network management by automatically assigning IP configuration information, such as IP addresses and subnet masks, to your network devices. An AT-8500 Series switch contains the client software for these protocols and can obtain its IP configuration information from a BOOTP or DHCP server on your network.
To activate or deactivate the BOOTP or DHCP client software, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.
2. From the System Administration menu, type 2 to select System Configuration. The System Configuration menu is shown in Figure 5 on page 53.
3. From the System Configuration menu, type 1 to select BOOTP/DHCP.
Rebooting a Switch

This procedure reboots the switch.

Note
Any configuration changes not saved will be lost once the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.

To reboot the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.
2.
Configuring the Manager and Operator Passwords

There are two levels of management access on an AT-8500 Series switch: manager and operator. When you log in as manager, you can view and configure all of a switch's operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator by entering the appropriate username and password when you start an AT-S62 management session.
4. Type 1 to change the Manager password or type 2 to change the Operator password.
5. When prompted, enter the current manager password. (This step does not apply for the operator password.)
6. When prompted, enter the new manager or operator password. The new password will be case-sensitive.
7. When prompted, re-enter the new password.

Note
A password can be from 0 to 16 alphanumeric characters. Passwords are case-sensitive.
2. Reboot the switch. For instructions, refer to "Rebooting a Switch" on page 57.
3. When the switch displays "Press B to go to Boot prompt," type S or s. The switch continues its normal boot up and initialization process. Once complete, the management software automatically logs you in with manager access and displays the command line prompt. You are not prompted for a login username or password.
4. Type menu to display the Main Menu.
5.
Setting the System Time

This procedure explains how to set the switch's date and time. Setting the date and time is a good idea if you plan to monitor the switch by viewing the events in the event log or if the events are going to be sent to a syslog server. The correct date and time is also important if the management software will be sending traps to your management workstation.
The Configure System Time menu is shown in Figure 8.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch                    User: Manager   11:20:02 02-Jan-2006

    Configure System Time

    1 - System Time ................... 00:04:22 on 01-Jan-1980
    2 - SNTP Status ................... Disabled
    3 - SNTP Server ................... 0.0.0.0
    4 - UTC Offset .................... +0
    5 - Daylight Savings Time (DST) ... Enabled
    6 - Poll Interval ................. 600 seconds
    7 - Last Delta ....
Note
If the switch is obtaining its IP address and subnet mask from a DHCP server, you can configure the DHCP server to provide the switch with the IP address of an NTP or SNTP server. If you configured the DHCP server to provide this address, then you do not need to enter it here, and you can skip ahead to step c.

The following prompt is displayed:

    Enter SNTP server IP address ->

b. Enter an IP address of an SNTP or NTP server.
c.
g. Type 6 - Poll Interval to specify the time interval between queries to the SNTP server. The following prompt is displayed:

    Enter interval to poll SNTP server [60 to 1200] -> 600

h. Enter the number of seconds the switch waits between polling the SNTP or NTP server. The default is 600 seconds. The range is from 60 to 1200 seconds.
i. Type 2 to select SNTP Status to enable or disable the SNTP client.
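An added example, not from the manual or the AT-S62 software: a small parser for the "N - Name .... Value" lines that the AT-S62 menus print (the System Configuration and Configure System Time screens above use this layout), followed by the checks an auditor would run on a captured Configure System Time screen, since the manual notes that event-log, syslog and trap timestamps depend on the clock being set. The sample screen is constructed here from the values the manual shows for an unconfigured switch; the 60 to 1200 second poll-interval range is the one the manual states.

```python
import re

# One AT-S62 menu line looks like "2 - SNTP Status ....... Disabled".
# The dotted leader and value are optional: "8 - Configure System Time"
# is a submenu entry with no value.
MENU_LINE = re.compile(r"^\s*(\d+)\s*-\s*(.+?)(?:\s*\.{2,}\s*(.*?))?\s*$")

# Constructed sample capture of the Configure System Time menu, using the
# values the manual shows for a switch whose clock has never been set.
SAMPLE_TIME_MENU = """\
Configure System Time

1 - System Time ................... 00:04:22 on 01-Jan-1980
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.0
4 - UTC Offset .................... +0
5 - Daylight Savings Time (DST) ... Enabled
6 - Poll Interval ................. 600 seconds
"""

POLL_MIN, POLL_MAX = 60, 1200   # range stated in the manual's prompt


def parse_menu(screen: str) -> dict:
    """Return {option name: value string} for every numbered menu line.

    Lines without a value (submenu entries) map to an empty string; the
    banner and heading lines carry no "N -" prefix and are skipped.
    """
    settings = {}
    for line in screen.splitlines():
        m = MENU_LINE.match(line)
        if m:
            settings[m.group(2)] = m.group(3) or ""
    return settings


def check_time_settings(settings: dict) -> list:
    """Findings about a parsed Configure System Time menu.

    Each finding is a short string; an empty list means the clock
    configuration gives the switch a trustworthy time source.
    """
    findings = []
    if settings.get("SNTP Status", "").lower() != "enabled":
        findings.append("SNTP client disabled: event log, syslog and trap "
                        "timestamps depend on a manually set clock")
    if settings.get("SNTP Server", "0.0.0.0") == "0.0.0.0":
        findings.append("no SNTP/NTP server address configured")
    # A system time in 1980 is the power-on default shown by the manual,
    # i.e. nobody has set the clock since the last reset.
    if "1980" in settings.get("System Time", ""):
        findings.append("system clock still at its power-on default (1980)")
    m = re.match(r"(\d+)", settings.get("Poll Interval", ""))
    if m:
        interval = int(m.group(1))
        if not POLL_MIN <= interval <= POLL_MAX:
            findings.append(f"poll interval {interval}s outside the "
                            f"{POLL_MIN}-{POLL_MAX} s range")
    return findings


if __name__ == "__main__":
    for finding in check_time_settings(parse_menu(SAMPLE_TIME_MENU)):
        print("-", finding)
```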
Configuring the Console Startup Mode

You can configure the AT-S62 software to initially display either the Main Menu or the command line interface prompt when you start a local, Telnet, or SSH management session. The default is the command line interface.

To change the console startup mode, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.
2.
Configuring the Console Timer

The AT-S62 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. The management software automatically ends a local or remote management session if the session is inactive for the length of time specified by the console timer.
Enabling or Disabling the Telnet Server

This procedure explains how to enable or disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with the Telnet application protocol or if you intend to use the Secure Shell (SSH) protocol.

Note
You cannot disable the Telnet server if there is an active Telnet management session on the switch.
Setting the Baud Rate of the RS-232 Terminal Port

The default baud rate of the RS-232 Terminal Port on the switch is 9600 bps. To change the baud rate, do the following:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.
2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration. The Console (Serial/Telnet) Configuration menu is shown in Figure 9 on page 65.
3.
Setting Fan Control

The AT-8524POE switch has a fan control feature that automatically adjusts the speed of four of its five cooling fans based on the ambient temperature of the room or wiring closet where the unit is installed and the load requirements of the PoE devices connected to the ports on the device.
The Fan Control Configuration menu is shown in Figure 10.

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
    Production Switch                    User: Manager   11:20:02 02-Jan-2006

    Fan Control Configuration

    1 - Fan Control ...................... Off
    2 - Show Fan Control Status

    R - Return to Previous Menu

    Enter your selection?

Figure 10. Fan Control Configuration Menu

4. Type 1 to toggle the fan control feature On or Off. The default setting is Off.
Figure 11 illustrates the fan control information.

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
    Production Switch                    User: Manager   11:20:02 02-Jan-2006

    Show Fan Control Status

    Fan Control Mode: Off

                     Speed
    Fan#    RPM      %      Status
    ------------------------------------------
    1       10700    100    Ok
    2       10750    100    Ok
    3       10700    100    Ok
    4       10700    100    Ok
    5       6200     100    Ok

    Temperature = 24 C, PoE Current Load = 2.2 Amps (Max. 8.
Pinging a Remote System

You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. Note the following before performing the procedure:

- The switch must have an IP address.
- The device being pinged must be a member of the management VLAN.
Returning the AT-S62 Software to the Factory Default Values

There are two procedures for returning the settings on a switch to the factory default values. The first returns the switch's settings to the default values, but retains all files in the switch's file system (i.e., configuration files, SSL certificates, event logs, etc.). The second method deletes all the files in the file system, including all configuration files.
The following prompt is displayed:

    This operation requires a switch reboot. Continue? [Yes/No] ->

4. Type Y for yes or N to cancel the procedure. If you respond with yes, the following prompt is displayed:

    Do you want to reset serial baud rate to 9600 bps? [Yes/No] ->

5. Typing Y for yes will change the baud rate of the RS232 Terminal Port to its default value of 9600 bps. Typing N leaves the baud rate at its current setting.
The current speed setting of the RS232 console port on the switch is retained.

Caution
This procedure results in a switch reset. The switch will not forward traffic while it initializes its operating software, a process that takes approximately 20 seconds to complete. Some network traffic may be lost.

To delete all files from the file system and return the switch's operating parameters to the default settings, perform the following procedure:

1.
Viewing System Hardware and Software Information

The procedure in this section displays hardware and software information about the switch. The information includes the switch's serial number and MAC address, as well as the status of the power supply and fan.

To display this information, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.
2.
The System Hardware Information menu is shown in Figure 13.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
System Hardware Status
System 1.8V Power ...............
System 2.5V Power ...............
System 3.3V Power ...............
System 5V Power .................
System Temperature (Celsius) ....
System Fan 1 Speed ..............
System Fan 2 Speed ..............
Main Power Supply ............
Chapter 4 Enhanced Stacking
This chapter explains the enhanced stacking feature.
Enhanced Stacking Overview
The enhanced stacking feature can make it easier for you to manage the AT-8500 Series switches in your network. It offers the following benefits: You can manage up to 24 switches from one local or remote management session. This eliminates the need to initiate a separate management session with each switch in your network. The switches can share the same IP address.
There are three basic steps to implementing this feature on your network: 1. You must select a switch to function as the master switch of the enhanced stack. The master switch can be any switch that supports enhanced stacking, such as an AT-8000 Series, AT-8400 Series, AT-8500 Series, or AT-9400 Series switch. For networks that consist of more than one subnet, there must be at least one master switch in each subnet.
Figure 14 is an example of the enhanced stacking feature.
[Figure 14. Enhanced Stacking Example: Subnet A (Master 1, IP address 149.32.11.22; Master 2, IP address 149.32.11.16) and Subnet B (Master 1, IP address 149.32.09.18; Master 2, IP address 149.32.09.24), interconnected by a router]
The example consists of a network of two subnets interconnected with a router.
Setting a Switch’s Enhanced Stacking Status
The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:
Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. Once you establish a local or remote management session with the Master switch, you can access and manage all the switches in the stack.
The Enhanced Stacking menu is shown in Figure 15.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
Enhanced Stacking
1 - Switch State-(M)aster/(S)lave/(U)navailable.... Master
2 - Stacking Services
R - Return to Previous Menu
Enter your selection?
Figure 15. Enhanced Stacking Menu
The menu displays the current status of the switch at the end of selection “1 - Switch State.
Selecting a Switch in an Enhanced Stack
Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
3. Type 1 to select Get/Refresh List of Switches. The Master switch polls the subnet for all slave and Master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu. The Master switch on which you started the management session is not included in the list, nor are any switches with an enhanced stacking status of Unavailable. By default, the switches are sorted in the menu by MAC address.
Returning to the Master Switch
When you have finished managing a slave switch, return to the Main Menu of the slave switch and type Q for Quit. This returns you to the Stacking Services menu. Once you see that menu, you are again addressing the Master switch from where you started the management session.
Chapter 5 SNMPv1 and SNMPv2c Configuration
This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
SNMPv1 and SNMPv2c Overview
The Simple Network Management Protocol (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S62 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c.
Access Mode
This defines what the community string will allow a network manager to do. There are two access modes: Read and Read/Write. A community string with an access mode of Read can only be used to view but not change the MIB objects on a switch. A community string with Read/Write access can be used to both view the MIB objects and change them.
Operating Status
A community string can be enabled or disabled.
If you are not interested in receiving traps, then you do not need to enter any IP addresses of trap receivers.
Default SNMP Community Strings
The AT-S62 management software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write.
Enabling or Disabling SNMP Management
To enable or disable SNMP management for the switch, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17.
Setting the Authentication Failure Trap
As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to the other traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management.
Creating an SNMP Community String
To create a new SNMP community string, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 93. 3.
5. Enter the new SNMP community string. The name can be up to 32 alphanumeric characters. No spaces or special characters (such as /, #, or &) are allowed. This prompt is displayed:
Enter Access Mode [R-Read Only, W-Read/Write]:
6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch.
10. If desired, repeat this procedure starting with Step 4 to create additional community strings. 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Community String
To modify a community string, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 93. 3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
The menu options are described below:
1 - Add Attributes to Community
If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following: 1. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
3. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:
Enter Trap Receiver IP Addr:
4. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return. 5. After making changes, type R until you return to the Main Menu.
3. Type E to enable the community string or D to disable it. This confirmation prompt is displayed:
Do you want to change Community Status? (Y/N): [Yes/No] >
4. Type Y to change the string’s status or N to cancel the change. 5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5 - Set Community Open Status
Use this selection to change a string’s open status.
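The access mode, operating status, open/closed status and default-string rules described in this chapter, modelled as an added example (not code from the AT-S62 guide or from Allied Telesyn): it decides whether a request would be accepted and audits a configuration for the weak defaults the guide mentions. The class and function names, and the workstation addresses in the test, are this example's own.

```python
"""Model of AT-S62-style SNMPv1/v2c community strings (hypothetical API)."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The guide: a name is up to 32 alphanumeric characters, no spaces or specials.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


@dataclass
class Community:
    name: str
    access: str                  # "R" = Read, "W" = Read/Write (the menu's letters)
    enabled: bool = True         # operating status
    open_status: bool = True     # True: any workstation; False: only listed managers
    managers: Set[str] = field(default_factory=set)       # permitted workstation IPs
    trap_receivers: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not NAME_RE.match(self.name):
            raise ValueError(f"invalid community string name: {self.name!r}")
        if self.access not in ("R", "W"):
            raise ValueError("access must be 'R' (Read) or 'W' (Read/Write)")


def default_communities() -> List[Community]:
    """The two factory strings the guide describes: public (Read), private (Read/Write)."""
    return [Community("public", "R"), Community("private", "W")]


def authorize(communities: List[Community], name: str, source_ip: str,
              operation: str) -> Tuple[bool, str]:
    """Decide whether an SNMP 'get' or 'set' with this community string is accepted.

    A rejected request is the kind of event the guide's authentication
    failure trap would report to the trap receivers.
    """
    if operation not in ("get", "set"):
        return False, "unsupported operation"
    comm = next((c for c in communities if c.name == name), None)
    if comm is None or not comm.enabled:
        return False, "unknown or disabled community string"
    if not comm.open_status and source_ip not in comm.managers:
        return False, "closed community string: workstation not permitted"
    if operation == "set" and comm.access != "W":
        return False, "read-only community string"
    return True, "ok"


def audit(communities: List[Community]) -> List[str]:
    """Flag enabled factory-default strings and open Read/Write strings."""
    findings = []
    for c in communities:
        if not c.enabled:
            continue
        if c.name in ("public", "private"):
            findings.append(f"{c.name}: factory default community string still enabled")
        if c.access == "W" and c.open_status:
            findings.append(f"{c.name}: Read/Write string is open to any workstation")
    return findings


if __name__ == "__main__":
    for line in audit(default_communities()):
        print(line)
```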
Deleting a Community String
To delete an SNMPv1 or SNMPv2c community string, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 93. 3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
Displaying the SNMP Community Strings
To display the attributes of all the SNMP community strings on the switch, use the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 93. 3.
Chapter 6 Port Parameters
This chapter contains the procedures for viewing and adjusting the parameter settings for the individual ports on a switch. It also describes how to display port statistics.
Displaying Port Status
To display the current status and settings of the ports on the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 21.
Note
The speed, duplex mode, and flow control settings will be blank for ports that have not established a link with their end node. To view the settings of a GBIC or SFP module in Port 49 or 50 of an AT-8550GB or AT-8550SP switch, there must be a valid connection between the module’s port and the end node. Otherwise, Ports 49 and 50 in the menu represent the twisted pair ports 49R and 50R. The information in this menu is for viewing purposes only.
PVID
The port’s VLAN identifier (PVID). This number corresponds to the VID of the VLAN in which the port is an untagged member. This column will not include the VIDs of the VLANs where the port is a tagged member.
Flow Ctl
The flow control setting for the port. Possible values are:
Disabled - No flow control on the port.
Enabled - Flow control is activated.
Configuring Port Parameters
To configure the parameter settings of a port, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 21 on page 106. 2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:
Enter port-list ->
3. Enter the number of the port you want to configure.
Selections 3, 5, and 6 appear in the menu only when selection 4 Negotiation is set to Manual. When selection 4 is set to Auto, these options are hidden.
Note
The Port Configuration menu in the figure above is for a 10/100 Mbps twisted pair port. The menu for a fiber optic port will contain a subset of the parameters. If you are configuring multiple ports and the ports have different settings, the Port Configuration menu displays the settings of the lowest numbered port.
Broadcast frames are different. Broadcast frames are directed to all nodes on the network or all nodes within a particular virtual LAN. Broadcast packets can perform a variety of functions. For example, some network operating systems use broadcast frames to announce the presence of devices on a network. The problem with broadcast frames is that too many of them traversing a network can impact network performance.
4 - Negotiation
You use this selection to activate or deactivate Auto-Negotiation on a twisted pair port. This parameter has two settings, Auto and Manual. If you select Auto, a twisted pair port uses Auto-Negotiation to set its speed, duplex mode, and MDI/MDI-X settings. This is the default setting. If you select Manual, additional options appear in the menu for manually configuring these port settings.
6 - Duplex
This selection is used to set the duplex mode of a port. The option only appears when option 4 - Negotiation is set to Manual. The possible settings are:
Full - Full-duplex
Half - Half-duplex
7 - HOL Blocking Prevention Threshold
Head of line (HOL) blocking is a problem that occurs when a port on a switch becomes oversubscribed.
The HOL Limit parameter can help prevent this problem from occurring. This parameter sets a threshold on the utilization of a port’s egress queue. When the threshold for a port is exceeded, the switch signals other ports to discard packets to the oversubscribed port. For example, referring to the figure above, when the utilization of the storage capacity of Port D exceeds the threshold, the switch signals the other ports to discard packets destined for Port D.
Enabled - Flow control is activated. This setting is appropriate only when the end node connected to the port is also using flow control.
Auto - The port uses flow control only if it detects that the end node is using it.
2 - Flow Control (Cell Limit)
Specifies the number of cells. A cell represents 64 bytes. The range is 1 to 57,344 cells. The default is 57,344.
B - Back Pressure
Sets backpressure on a port.
The options on the Back Pressure menu are described below:
1 - Back Pressure
Enables and disables backpressure on a port. Possible values are:
Disabled - The port will not use backpressure. This is the default setting.
Enabled - The port will use backpressure.
2 - Back Pressure Cell Limit
Specifies the number of cells. A cell represents 64 bytes. The range is 1 to 57,344 cells. The default is 8192.
L - Rate Limit
For instructions, refer to “Setting the Rate Limit” on page 118.
X - Reset Port
Resets the speed and duplex mode of the selected port to the default value of Auto-Negotiation. Also returns the MDI/MDIX setting to the default value of Auto-Detect.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Setting the Rate Limit
This feature sets the maximum number of ingress packets the switch ports accept each second. Packets exceeding the threshold are discarded. You can enable the rate limiting threshold independently for multicast, broadcast, and unknown unicast packets. However, the same threshold applies to all packet types. To configure this feature, you must enter a rate limit. This establishes the maximum number of packets the individual ports will accept per second.
The Rate Limiting menu is shown in Figure 27.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
Rate Limiting
Configuring Port 1
1 - Broadcast Rate Limiting Status ...........
2 - Multicast Rate Limiting Status ...........
3 - Unknown Unicast Rate Limiting Status .....
4 - Rate Limit ...............................
Displaying Port Statistics
To display Ethernet port statistics, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 28.
Broadcast Frames Sent - Number of broadcast frames transmitted from the port.
Multicast Frames Received - Number of multicast frames received on the port.
Multicast Frames Sent - Number of multicast frames transmitted from the port.
Frames 64 Bytes, Frames 65 - 127 Bytes, Frames 128 - 255 Bytes, Frames 256 - 511 Bytes, Frames 512 - 1023 Bytes, Frames 1024 - 1518 Bytes - Number of frames transmitted from the port, grouped by size.
Clearing Port Counters
To return the statistics counters of a port to zero, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 28 on page 120. 3. From the Port Statistics menu, type 2 to select Clear Port Statistics. This prompt is displayed:
Enter port-list:
4.
Chapter 7 MAC Address Table
This chapter contains the procedures for viewing the static and dynamic MAC address table.
MAC Address Overview
The AT-8500 Series switch has a MAC address table with a storage capacity of 8,000 entries. The switch uses the table to store the MAC addresses of the network nodes connected to its ports, along with the port number on which each address was learned. The switch learns the MAC addresses of the end nodes by examining the source address of each packet received on a port.
MAC address table from becoming filled with addresses of nodes that are no longer active. The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-8500 Series switch. The default value is 300 seconds (5 minutes). For instructions on changing the aging timer, refer to “Changing the Aging Time” on page 134.
Displaying MAC Addresses
The management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses. To display the MAC address tables, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 29.
3. Select the desired option. The options are explained below:
1 - Display All
This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. An example of a unicast MAC address table is shown in Figure 31.
An example of a multicast MAC address table is shown in Figure 32.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
Display All
Page 1
Total Number of MCAST MAC Addresses: 1
MAC Address        VLAN ID  Type    Port Maps (U:Untagged T:Tagged)
-----------------------------------------------------------------------
01:00:51:00:00:01  1        Static  U:1-4 T:
U - Update Display
R - Return to Previous Menu
Enter your selection?
Figure 32.
5 - Display Specified MAC
Displays the port number on which a MAC address was assigned or learned. In some situations, you might want to know on which port a particular MAC address was learned. You could display the MAC address table and scroll through the list looking for the MAC address. But if the switch is part of a large network, finding the address could prove difficult. This menu option offers an easier way.
Adding Static Unicast and Multicast MAC Addresses
This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-8500 Series switch. To add a static MAC address, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 29 on page 126. 2.
If you are entering a static multicast address, you must specify the port where the multicast application is located as well as the ports where the host nodes are connected. Assigning the address only to the port where the multicast application is located will prevent the forwarding of the multicast packets to the host nodes. You can specify the ports individually (e.g., 1,4,5), as a range (e.g., 11-14) or both (e.g., 15-17,22,24).
Deleting Unicast and Multicast MAC Addresses
To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 29 on page 126. 2. From the MAC Address Tables menu, type 2 to select Configure MAC Addresses. The Configure MAC Addresses menu is shown in Figure 33 on page 130. 3.
Deleting All Dynamic MAC Addresses
To delete all dynamic unicast and multicast MAC addresses from the MAC address table, do the following: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 29 on page 126. 2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 33 on page 130. 3.
Changing the Aging Time
The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table to prevent the table from becoming full of addresses of inactive nodes. The switch deletes an address from the table when it detects no packets sent to or received from the address after the expiration of the time specified by the aging time. The default setting for the aging time is 300 seconds (5 minutes).
Chapter 8 Static and LACP Port Trunks
This chapter contains the procedures for creating, modifying, and deleting static and LACP port trunks.
Port Trunk Overview
A port trunk is an economical way for you to increase the bandwidth between the Ethernet switch and another networking device, such as a network server, router, workstation, or another Ethernet switch. A port trunk is a group of ports that have been grouped together to function as one logical path.
from another manufacturer; but there is the possibility that the implementations of static trunking on the two devices might not be compatible. It should also be noted that this type of trunk does not provide for redundancy or link backup. If a port in a static trunk loses its link, the trunk’s total bandwidth is reduced.
The ports of a static trunk must be untagged members of the same VLAN. A trunk cannot consist of untagged ports from different VLANs. The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown destination. For example, a trunk of ports 11 to 15 would use port 11 for broadcast packets.
LACP Trunk Overview
assumes that the other port is not part of an LACP aggregator. Instead it functions as a normal Ethernet port by forwarding network traffic. However, it does continue to send LACPDU packets. If it begins to receive LACPDU packets, it automatically transitions to an active or standby mode as part of an aggregate trunk.
Here is how the example might look in table format for the ports on the AT-8500 Series switch.
Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3                1-3
Aggregator 2             12-14              12-14
Caution
The example cited here illustrates a loop in a network. Network loops should be avoided to prevent broadcast storms.
Here is how this example looks in table format for the ports on the AT-8500 Series switch.
Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3, 12-14         1-3
                                            12-14
You could, if you wanted, create separate aggregators for the different aggregate trunks in the example above.
Adminkey Parameter
The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is limited to a switch. Two aggregators on different switches can have the same adminkey without creating a conflict.
each trunk. For further information, refer to “Load Distribution Methods” on page 144.
LACP Trunk Guidelines
Here are the guidelines to follow when creating aggregators: LACP must be activated on both the switch and the other device. The other device must be 802.3ad-compliant. An aggregator can consist of any number of ports.
device. If it does not receive LACPDU packets, it functions as a regular Ethernet port, forwarding network traffic while also continuing to transmit LACPDU packets.
Load Distribution Methods
The port with the highest priority in an aggregate trunk carries broadcast packets and packets with an unknown destination.
As an example, assume you created a static or LACP aggregate trunk of Ports 7 to 14 on a switch. The table below shows the mappings of the switch ports to the possible values of the last three bits of a MAC or IP address.
You can assign different load distribution methods to different static trunks on the same switch. The same is true for LACP aggregators. However, it should be noted that all aggregate trunks within an LACP aggregator must use the same load distribution method.
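An added example (not code from the AT-S62 guide or from Allied Telesyn) that ties together two things this guide describes: the port-list syntax used at the switch prompts (individual ports, ranges, or both, as in Chapter 7 and the trunk procedures) and the load distribution rule above, where the last three bits of a MAC or IP address pick the trunk port. The mapping of bit value 000 to the lowest port and 111 to the highest, the XOR used to combine source and destination for the SRC/DST methods, the 50-port upper bound, and the function names are this example's assumptions, not taken from the guide.

```python
"""Port-list parsing and trunk load-distribution selection (hypothetical helpers)."""
import re
from ipaddress import ip_address
from typing import List, Optional

MAX_TRUNK_PORTS = 8   # the guide: a static trunk can contain up to eight ports
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_port_list(text: str, num_ports: int = 50) -> List[int]:
    """Expand "1,4,5", "11-14" or "15-17,22,24" into sorted unique port numbers.

    num_ports (assumed 50) bounds the range so a typo cannot name a port the
    switch does not have.
    """
    ports = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port-list item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < 1 or hi > num_ports:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def low3(addr: str) -> int:
    """Last three bits of a MAC address (xx:xx:xx:xx:xx:xx) or an IPv4/IPv6 address."""
    if MAC_RE.match(addr):
        return int(addr.split(":")[-1], 16) & 0b111
    return int(ip_address(addr)) & 0b111


def trunk_port(trunk_ports: List[int], method: str, src: Optional[str] = None,
               dst: Optional[str] = None, known_destination: bool = True) -> int:
    """Pick the egress port of a trunk for one frame.

    method is one of the menu's distribution modes: SRC MAC, DST MAC,
    SRC/DST MAC, SRC IP, DST IP, SRC/DST IP. Broadcast and unknown-destination
    frames go to the lowest numbered port, as the guide states for static
    trunks. Combining source and destination with XOR is an assumption.
    """
    if not 1 <= len(trunk_ports) <= MAX_TRUNK_PORTS:
        raise ValueError("a trunk holds between 1 and 8 ports")
    ports = sorted(trunk_ports)
    if not known_destination:
        return ports[0]
    if method.startswith("SRC/DST"):
        bits = low3(src) ^ low3(dst)
    elif method.startswith("SRC"):
        bits = low3(src)
    elif method.startswith("DST"):
        bits = low3(dst)
    else:
        raise ValueError(f"unknown distribution method: {method!r}")
    # 000 -> lowest port ... 111 -> highest; fewer than 8 ports wrap (assumption).
    return ports[bits % len(ports)]


if __name__ == "__main__":
    trunk = parse_port_list("7-14")            # the guide's Ports 7 to 14 example
    # Addresses below are the guide's figure values and a constructed MAC.
    print(trunk_port(trunk, "SRC/DST IP", src="149.32.11.22", dst="149.32.11.16"))
    print(trunk_port(trunk, "SRC MAC", src="00:a0:d2:18:16:be"))
```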
Managing Static Port Trunks
The following procedures explain how to create, modify, and delete static port trunks: “Creating a Static Port Trunk” on page 147, “Modifying a Static Port Trunk” on page 150, “Deleting a Static Port Trunk” on page 152. For background information, refer to “Static Port Trunk Overview” on page 136.
Creating a Static Port Trunk
This section contains the procedure for creating a static port trunk on a switch.
The Port Trunking and LACP menu is shown in Figure 37.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
Port Trunking and LACP
1 - Static Port Trunking
2 - LACP Configuration
R - Return to Previous Menu
Enter your selection?
Figure 37. Port Trunking and LACP Menu
3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 38.
DST IP - Destination IP address.
SRC/DST IP - Source address/destination IP address.
Status - The operational status of the trunk. Up means at least one port in the trunk has established a link with a port on the other device. Down means no ports in the trunk have established a link with the other device.
4. Type C to select Create Trunk. The Create Trunk menu is shown in Figure 39.
8. Type 4 to select Trunk Ports and, when prompted, enter the ports of the trunk. A trunk can contain up to eight ports. You can identify the ports individually (for example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14). 9. Type C to select Create Trunk. The port trunk is now active on the switch. 10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. 11.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 37 on page 148. 3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 38 on page 148. 4. Type M to select Modify Trunk. The following prompt is displayed:
Enter Trunk ID: [1 to 6] ->
5. Enter the ID number of the trunk you want to modify.
SRC/DST MAC - Source address/destination MAC address
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source address/destination IP address
For background information on these selections, refer to “Load Distribution Methods” on page 144.
8. To change the ports of a trunk, type 4 to select Trunk Ports and, when prompted, enter the new ports of the trunk. A trunk can contain up to eight ports.
The following prompt is displayed:
Enter Trunk ID: [1 to 6] ->
5. Enter the ID number of the trunk to be deleted. A confirmation prompt is displayed. 6. Type Y for yes to delete the port trunk or N for no to cancel this procedure. The port trunk is deleted from the switch. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Managing LACP Trunks
The following procedures explain how to create and manage LACP trunks: “Enabling or Disabling LACP” on page 154, “Setting a LACP System Priority” on page 155, “Creating an Aggregator” on page 156, “Modifying an Aggregator” on page 158, “Deleting an Aggregator” on page 160, “Displaying LACP Port or Aggregator Status” on page 161. For background information, refer to “LACP Trunk Overview” on page 138.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2006
LACP (IEEE 802.3ad) Configuration
1 - LACP Status ....................... Disabled
2 - Priority ..........................
The following prompt is displayed:
Enter Priority [0x1 - 0xFFFF]: [0x1 to 0xffff] -> 0x
5. Enter the new value in hexadecimal. The range is 1 to FFFF. The lower the value, the higher the priority. The prefix “0x” indicates that the number is hexadecimal. The new priority value takes effect immediately on the switch. 6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S62 Management Software Menus Interface User’s Guide The Create LACP (IEEE 8023ad) Aggregator menu is shown in Figure 41 on page 155. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2006 Create LACP (IEEE 802.3ad) Aggregator 1 2 3 4 C - Aggregator .................. Adminkey .................... 0x0000 Distribution Mode ........... SRC/DST MAC Port Range ..................
6. After you configure the parameters, type C to select Create Aggregator. The aggregator is created on the switch.
7. If LACP is not enabled on the switch, perform the procedure “Enabling or Disabling LACP” on page 154 and activate the protocol.
8. Configure LACP on the other network device.
9. Connect the cables to the ports of the aggregator on both the switch and the other network device.
The Port Trunking and LACP menu is shown in Figure 38 on page 148.
3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 155.
4. Type 4 to select Modify Aggregator. The Modify LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 43.
Figure 43. Modify LACP (IEEE 802.3ad) Aggregator Menu (Allied Telesyn Ethernet Switch AT-8524M, AT-S62, User: Manager)
3 - Distribution Mode
Sets the load distribution method. Possible settings are:
SRC MAC - Source MAC address
DST MAC - Destination MAC address
SRC/DST MAC - Source and destination MAC addresses
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source and destination IP addresses
The default is SRC/DST MAC. For background information, refer to “Load Distribution Methods” on page 144.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 155.
4. Type 6 to select Delete Aggregator. The following prompt is displayed:
Enter Aggregator Name [Max up to 20 alphanumeric characters]:
5. Enter the name of the aggregator you want to delete. The name is case-sensitive. You can delete only one aggregator at a time. A confirmation prompt is displayed.
6. Type Y to delete the aggregator or N to cancel the procedure.
Figure 44 is an example of the LACP (IEEE 802.3ad) Port Status menu. The information in this window is for viewing purposes only. For definitions, refer to the IEEE 802.3ad standard.
Figure 44. LACP (IEEE 802.3ad) Port Status Menu. Fields shown:
Port ............. 01
Aggregator ....... Sales server
ACTOR: Actor Port ............. 06; Selected ............... SELECTED
PARTNER: Partner Port ......... 00; Partner System .......
If there are no active aggregate trunks on the switch, the following message is displayed:
No Aggregator with aggregatable Ports
Chapter 9 Port Mirroring This chapter contains the procedures for creating and deleting a port mirror.
Port Mirroring Overview
The port mirroring feature is used to unobtrusively monitor the ingress and egress traffic on one or more ports by copying the traffic to another port. By connecting a network analyzer to the port where the traffic is being copied, you can monitor the traffic on the other ports without impacting network performance or speed. The port(s) whose traffic is to be mirrored is called the source port(s). Because the destination port receives a copy of everything the source ports carry, connect only the analyzer to it and control physical access to that port as strictly as you would to the mirrored traffic itself.
Creating a Port Mirror
To create a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 21 on page 106.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 46.
5. Type 2 to select Mirror-To Port and, when prompted, enter the number of the port to function as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port.
6. If you want to mirror the ingress (received) traffic on one or more ports, type 3 to select Ingress Mirror Port and, when prompted, enter the ports.
Disabling a Port Mirror
To disable a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 21 on page 106.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 47 on page 167.
3. Type 1 to select Enable/Disable. The following prompt is displayed:
Enter Enable(E)/Disable(D):
4.
Section II Advanced Operations The chapters in this section explain some of the more advanced features of an AT-8500 Series switch.
Chapter 10 File System This chapter describes the AT-S62 file system, and how you can use the file system to copy, rename, and delete system files. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
Chapter 10: File System File System Overview The AT-S62 management software has a file system of 2 megabytes for storing system files. You can view the file system, as well as copy, rename, and delete files.
File Naming Conventions
The file system is a flat file system, which means directories are not supported. Files are uniquely identified by a file name in the following format:
filename.ext
where:
filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }+.
Working with Boot Configuration Files
A boot configuration file contains the commands for configuring the switch’s parameter settings whenever you power cycle or reset the device. The commands in the file recreate the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so on. You can store multiple boot configuration files on a switch, but only one can be active at a time.
Phase 1: Creating a Configuration File
Before you begin to configure the switch with the parameter settings that you want to save in a new configuration file, you should first create the file. Configuring the parameters first and then creating the new configuration file might cause you to inadvertently change a configuration file you might not want to change. To perform this phase, do the following:
1.
Caution
Option 9 - Format Flash Drive should be used with care. It deletes all files in the file system, including configuration files, encryption keys, event logs, etc. For instructions, refer to “Deleting the System Files” on page 74.
4. Type 3 to select Create Configuration File. The following prompt is displayed:
Enter the file name (or None):
5. Enter a file name for the new configuration file. The file name can be up to 16 alphanumeric characters. Spaces are allowed.
Phase 2: Configuring the Switch’s Parameter Settings
Now that you have created a configuration file and designated it as the active boot configuration file on the switch, you can configure the switch’s parameter settings by making those changes that you want the new configuration file to contain.
To select the active boot configuration file for the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 48 on page 177.
4. Type 1 to select Boot Configuration File. The following prompt is displayed:
Enter the file name:
5.
To view the contents of a configuration file, perform the following procedure:
1. From the File Operations menu, type 7 to select View File. The following prompt is displayed:
Enter file name:
2. Enter the name of the configuration file you want to view. The contents of the configuration file are displayed in the View File menu. An example is shown in Figure 49.
Editing a Boot Configuration File
You can edit a boot configuration file using a text editor on your management workstation. To edit a file, you must upload it from the switch to your management workstation. You cannot edit a boot configuration file directly on the switch. Once you have edited the file, you can download it back to the switch and make it the active boot configuration file. The copy on the workstation describes the switch’s configuration in full, so keep it under the same access controls as the switch itself.
Copying, Renaming, and Deleting System Files
Use this procedure to copy, rename, and delete system files. To view a list of system file names, see “Displaying System Files” on page 185.
Note
Files with the extension UKF are encryption key pairs. These files cannot be copied, renamed, or deleted from the file system. To delete a key pair from the switch, refer to “Deleting an Encryption Key” on page 699.
d. Press any key to return to the File Operations menu.
5. To rename a system file, do the following:
a. From the File Operations menu, type 5 to select Rename File. The following prompt is displayed:
Enter the source file name:
b. Enter the name of the file you want to rename. The following prompt is displayed:
Enter the destination file name:
c. Enter the new name for the file. You can enter a file name of up to 16 alphanumeric characters, followed by a three-letter extension.
Displaying System Files
Use this procedure to display a list of the system files currently stored on the switch. For information about shortcuts for specifying file names, see “File Naming Conventions” on page 175.
To display a list of current system file names, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3.
The List Files menu is displayed. An example of the menu is shown in Figure 50.
Figure 50. List Files Menu (Allied Telesyn Ethernet Switch AT-8524M, AT-S62, User: Manager). Columns: File Name, Device, Size (Bytes), Last Modified. Files listed in the example: default.cfg, boot.cfg, newcfg.cg, serverkey150.key, ProdSw.cer, ProdSw2.
Chapter 11 File Downloads and Uploads This chapter contains procedures for downloading a new AT-S62 image file onto the switch. This chapter also contains procedures for uploading and downloading system files, such as boot configuration files, from the file system in a switch.
Chapter 11: File Downloads and Uploads Downloading a New AT-S62 Image File onto a Switch The procedures in this section explain how to download a new AT-S62 image file onto the switch. These procedures are used to update the AT-S62 image file on a switch with a new version of the file.
The AT-S62 image file contains the bootloader for the switch. You cannot load the image file and bootloader separately.
The following guidelines apply to an Xmodem download:
Xmodem can only download the image file onto the switch where you started the local management session. You cannot use Xmodem to download a new image file to a switch accessed through enhanced stacking.
Downloading an AT-S62 Image from a Local Management Session
Review the “Guidelines” on page 188 before performing the following download procedure.
To download a new software image onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:
1. Establish a local management session on the switch where you want to download the new management software.
2. From the Main Menu, type 5 to select System Administration.
6. To download the AT-S62 image file using Xmodem, go to Step 7. To download the file using TFTP, do the following:
a. Type T. The following prompt is displayed:
TFTP Server IP address:
b. Enter the IP address of the TFTP server. The following prompt is displayed:
Remote File Name:
c. Enter the file name of the AT-S62 image file stored on the TFTP server. (Be sure to include the “.img” extension.
The following prompt is displayed:
You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No]
Note: Please select 1K Xmodem protocol for faster download.
8. Type Y for Yes. The prompt “Downloading” is displayed.
9. Begin the file transfer.
Note
The transfer protocol must be Xmodem or 1K Xmodem.
As an example, steps 10 through 13 illustrate how to download a file using the Hilgraeve HyperTerminal program.
10.
11. Click Browse and specify the location and file to be downloaded onto the switch.
12. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.
13. Click Send. The software immediately begins downloading the file onto the switch. The Xmodem File Send window in Figure 54 displays the status of the software download. The download process takes several minutes to complete.
Figure 54.
Downloading an AT-S62 Image from a Telnet Management Session
Review the “Guidelines” on page 188 before performing the following download procedure.
To download a new AT-S62 image onto the application block portion of the switch’s flash memory, making it the active image file on the switch, from a Telnet management session using TFTP, perform the following procedure:
1.
After receiving the file, the switch compares the version numbers of the new and existing image files. If the new image file has the same or an earlier version number as the existing file in the application block, the switch cancels the update process. If the new image file has a newer version number, the switch writes the file to the application block portion of flash memory and then resets. This comparison is on version number only and is not an integrity check: obtain the image file from the vendor and confirm on the workstation that it is intact before offering it to the switch, and keep in mind that both Telnet and TFTP carry the session and the file in cleartext.
Uploading an AT-S62 Image File Switch to Switch
This procedure uploads an AT-S62 software image from a master AT-8500 Series switch to other AT-8500 Series switches in an enhanced stack. Commonly referred to as a switch to switch transfer, this transfer method can simplify the task of updating the AT-S62 image file in the AT-8500 Series switches in an enhanced stack.
Note
The “2 - Stacking Services” selection is only available on a master switch.
The Stacking Services menu is shown in Figure 16 on page 85.
3. Type 1 to select Get/Refresh List of Switches. The master switch polls the subnet for the switches in its enhanced stack and displays the switches in the Stacking Services menu.
4. Type 4 to select Load Image/Bootloader File. The following prompt is displayed:
Enter the list of switches ->
5.
Caution
The switch will not forward network traffic while writing the image to flash and during the reset process. This can take several minutes to complete.
Uploading an AT-S62 Configuration File Switch to Switch
This procedure uploads a boot configuration file from a master AT-8500 Series switch to another AT-8500 Series switch in an enhanced stack. This procedure provides you with an easy way of distributing a configuration file to different switches that are to share a similar configuration. For background information on configuration files, refer to “Working with Boot Configuration Files” on page 176.
Caution
This procedure causes the switch to reset. Some network traffic may be lost.
To upload a boot configuration file from the master switch to another switch in an enhanced stack, perform the following procedure:
1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 15 on page 84.
2. From the Enhanced Stacking menu, type 2 to select Stacking Services.
7. Enter the number (Num column in the menu) of the AT-8500 Series switch where you want to upload the configuration file. You can specify more than one switch at a time (for example, 2,4,5).
Note
An AT-8500 Series configuration file is only compatible with other AT-8500 Series switches. Do not upload the file onto any other type of enhanced stacking switch.
Downloading a System File
This section contains the following procedures:
“Downloading a File from a Local Management Session” on page 203
“Downloading a File from a Telnet Management Session” on page 207
Both procedures are used to download files into a switch’s file system. One procedure downloads files from a local management session using either Xmodem or TFTP, and the other explains how to do it from a Telnet management session, which only supports TFTP.
These guidelines apply to an Xmodem download:
Xmodem can only download a file onto the switch where you started the local management session. You cannot use Xmodem to download a file onto a switch accessed through enhanced stacking.
The file to be downloaded must be stored on the computer or terminal connected to the RS-232 Terminal Port on the switch.
6. To download a system file using Xmodem, go to Step 7. To download a file using TFTP, do the following:
a. Type T. The following prompt is displayed:
TFTP Server IP address:
b. Enter the IP address of the TFTP server. The following prompt is displayed:
Remote File Name:
c. Enter the name of the file on the TFTP server to download onto the switch. You can specify only one file. The following prompt is displayed:
Local File Name:
d.
f. If you downloaded a new configuration file and you want to make it the switch’s active boot file, go to “Setting the Active Boot Configuration File” on page 179. If you downloaded a CA certificate and want to add it to the certificate database, refer to “Adding a Certificate to the Database” on page 722.
7. To download a file using Xmodem, type X at the prompt displayed in Step 5. The following prompt is displayed:
Local File Name:
8.
The Send File window is shown in Figure 53.
Figure 56. Send File Window
12. Click Browse and specify the location and system file to be downloaded onto the switch.
13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.
14. Click Send. The file immediately begins downloading onto the switch. The Xmodem File Send window in Figure 54 displays the status of the download.
Figure 57.
15. If you downloaded a new configuration file and you want to make it the switch’s active boot file, go to “Setting the Active Boot Configuration File” on page 179. If you downloaded a CA certificate and need to add it to the certificate database, refer to “Adding a Certificate to the Database” on page 722.
Downloading a File from a Telnet Management Session
Review “Guidelines” on page 202 before performing this procedure.
The following message is displayed:
Getting the file from Remote TFTP Server - Please wait ...
9. If you have not already done so, start the TFTP server software. After downloading the system file, the switch displays the following message:
File received successfully!
10. If you downloaded a new configuration file and want to make it the switch’s active boot file, go to “Setting the Active Boot Configuration File” on page 179.
Uploading a System File
You use the procedures in this section to upload a system file from a switch’s file system to a computer or TFTP server. Here are the system files you are most likely to upload from a switch:
Boot configuration file
Certificate enrollment request
Public encryption key
You might, for instance, upload a switch’s configuration file so that you can modify it with a text editor at your management workstation.
These guidelines apply to a TFTP upload:
Your network must have a node with the TFTP server software. You should start the TFTP server software before beginning the upload procedure.
The switch must have an IP address and subnet mask, such as a master switch of an enhanced stack.
Uploading a File from a Local Management Session
The following prompt is displayed:
Remote File Name:
c. Enter a name for the file for when it is stored on the TFTP server. The extension should be the same as in the original file name (for example, “.cfg” for a configuration file and “.csr” for a CA certificate enrollment request). The following prompt is displayed:
Local File Name:
d. Enter the name of the file in the switch’s file system to upload to the TFTP server.
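The TFTP steps above (Remote File Name, Local File Name) and the matching TFTP download steps earlier in this chapter both ride on the RFC 1350 exchange shown here. This is an added example, not AT-S62 or vendor code: it builds and parses the packet types and simulates one complete write in memory, with the file name, the contents and the receiver's flat-name policy (the switch file system has no directories) constructed for the example. The request packet carries only a file name and a transfer mode, which is the practical reason to expose the TFTP server only on the management network and only for the duration of the transfer.

```python
"""RFC 1350 TFTP write exchange, simulated in memory (added example).

Not AT-S62 code. Builds and parses RRQ/WRQ, DATA, ACK and ERROR packets and
walks one complete "put" from a sender to a receiver. File name, contents and
the receiver's flat-name policy are constructed for this example.
"""
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512   # fixed data block size; a block shorter than this ends the transfer


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, mode. There is no credential field at all."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def parse_packet(pkt: bytes) -> Dict:
    """Decode any of the five packet types into a dict."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        parts = pkt[2:].split(b"\0")
        if len(parts) < 2:
            raise ValueError("malformed request")
        return {"op": op, "filename": parts[0].decode(), "mode": parts[1].decode()}
    if op in (DATA, ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "block": block, "data": pkt[4:]}
    if op == ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "code": code, "msg": pkt[4:].rstrip(b"\0").decode()}
    raise ValueError(f"unknown opcode {op}")


def put_file(filename: str, content: bytes) -> Tuple[bytes, List[str]]:
    """Sender (S) writes `content` to receiver (R). Returns (stored bytes, trace)."""
    trace: List[str] = []
    stored = bytearray()
    req = parse_packet(build_request(WRQ, filename))
    trace.append(f"S>R WRQ {req['filename']} {req['mode']}")
    # Constructed receiver policy: the target store is flat, so refuse path separators.
    if not req["filename"] or "/" in req["filename"] or "\\" in req["filename"]:
        err = parse_packet(build_error(2, "Access violation"))
        trace.append(f"R>S ERROR {err['code']} {err['msg']}")
        return b"", trace
    ack = parse_packet(build_ack(0))                  # a WRQ is answered with ACK 0
    trace.append(f"R>S ACK {ack['block']}")
    block, offset = 1, 0
    while True:
        chunk = content[offset:offset + BLOCK]
        data = parse_packet(build_data(block, chunk))
        trace.append(f"S>R DATA {data['block']} ({len(chunk)} bytes)")
        if data["block"] != (block & 0xFFFF):
            raise RuntimeError("block number mismatch")   # real peers retransmit here
        stored += data["data"]
        ack = parse_packet(build_ack(data["block"]))
        trace.append(f"R>S ACK {ack['block']}")
        if len(chunk) < BLOCK:                        # short (or empty) block: done
            return bytes(stored), trace
        block, offset = block + 1, offset + BLOCK


if __name__ == "__main__":
    stored, trace = put_file("boot.cfg", b"#AT-S62 constructed config\n" * 40)
    print("\n".join(trace), len(stored), "bytes stored")
```

A file whose size is an exact multiple of 512 bytes is terminated by an empty DATA block, which the simulation sends explicitly; a receiver that forgets this rule either hangs or truncates the last block.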
Note: Please select '1K Xmodem' protocol for faster upload...
10. Begin the file transfer.
Note
The transfer protocol must be Xmodem or 1K Xmodem.
Steps 11 through 14 illustrate how to upload a file with the Hilgraeve HyperTerminal program.
11. From the HyperTerminal main window, select Receive File from the Transfer pull-down menu, as shown in Figure 58.
Figure 58. Local Management Window
The Receive File window is shown in Figure 59.
Figure 59.
15. When prompted, enter a name for the file for when it is stored on your workstation. The filename extension should be the same as in the original name (for example, “.cfg” for a configuration file and “.csr” for a CA certificate enrollment request). The file is uploaded from the switch to your computer. This completes the procedure for uploading a file from the switch from a local management session using Xmodem.
The following message is displayed:
Sending the file to Remote TFTP Server - Please wait ...
The switch displays the following message at the completion of the upload process:
File sent successfully!
The file is now stored on the TFTP server. This completes the procedure for uploading a file from a Telnet management session using TFTP.
Chapter 12 Event Log and Syslog Servers This chapter describes how to view the event messages in the event log and how to configure the switch to send its event messages to a syslog server.
Chapter 12: Event Log and Syslog Servers Event Log and Syslog Server Overview A managed switch is a complex piece of computer equipment that includes both hardware and software components. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurs.
Managing the Event Log
The following procedures explain how to view the events in the event log as well as how to enable and disable the log.
The Event Log menu is shown in Figure 60.
Figure 60. Event Log Menu (Allied Telesyn Ethernet Switch AT-8524M, AT-S62, User: Manager). Options shown:
1 - Event Logging..............Enabled
2 - Display Output.............Temporary (Memory)
3 - Display Order..............Chronological
4 - Display Mode...............Normal
5 - Display Severity...........E,W,I
6 - Display Module.............
2 - Display Output
Selects an event log. This option has only one selection, Temporary. The event log is located in temporary memory.
3 - Display Order
Controls the order of the events in the log. Choices are Chronological, which displays the events in the order oldest to newest, and Reverse Chronological, which displays the events newest to oldest. The default is Chronological.
4 - Display Mode
Controls the format of the event log.
Table 5. AT-S62 Modules
Module Name - Description
SSL - Secure Sockets Layer protocol
STP - Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree protocols
SYSTEM - Hardware status; Manager and Operator log in and log off events
TACACS - TACACS+ authentication protocol
Telnet - Telnet
TFTP - TFTP
Time - SNTP
VLAN - Port-based and tagged VLANs, and multiple VLAN modes
4. Once you have set the log filters, type V to select View Log.
The columns in the log are described below:
S (Severity) - The event’s severity. Table 4 defines the different severity levels.
Date/Time - The date and time the event occurred.
Event - The module within the AT-S62 software that generated the event followed by a brief description of the event. For a list of the AT-S62 modules, see Table 5 on page 220.
Event ID - A unique number that identifies the event.
Modifying the Event Log Full Action
The Configure Log Outputs menu is shown in Figure 62.
Configure Log Outputs (Allied Telesyn Ethernet Switch AT-8524M, AT-S62, User: Manager)
OutputID  Type       Status   Details
1         Temporary  Enabled  Wrap on Full
1 - Create Log Output
2 - Modify Log Output
3 - Delete Log Output
4 - View Log Output Details
R - Return to Previous Menu
Enter your selection?
Figure 62. Configure Log Outputs Menu
Saving the Event Log
The Event Log menu has the selection “S - Save Log to File” for saving the current contents of the log as a file in the file system. Once in the file system, you can either view it or download it to your management workstation. Before selecting the option, configure options 2 to 7 in the Event Log menu to specify which log entries you want to save. When you select the option, you are asked to specify a filename.
Managing Syslog Server Definitions
As explained at the start of this chapter, there are two ways to view the events generated by a switch. One approach is to view the switch’s event log through a local or remote management session. The drawbacks to this approach are that you have to establish a management session with the switch before you can view the log and you can view the log of only one switch at a time.
Creating a Syslog Server Definition
To create a syslog server definition, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 60 on page 218.
3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu is shown in Figure 62 on page 223.
4. Type 1 to select Create Log Output.
3 - Message Generation
Enables and disables the syslog server definition. When disabled, which is the default, the switch does not send events to the syslog server; when enabled, it does.
4 - Message Format
The information sent with each event. Choices are:
Normal - sends the severity, module, and description.
Extended - sends the same as Normal, plus the date, time, and switch’s IP address.
Table 6. Applicable RFC 3164 Numerical Code and AT-S62 Module Mappings
Numerical Code   RFC 3164 Facility   AT-S62 Module
9                Clock daemon        Time-based modules: TIME (system time and SNTP), RTC
22               Local use 6         Physical interface and data link modules: PCFG, PMIRR, PTRUNK, STP, VLAN
23               Local use 7         SYSTEM events related to major exceptions
16               Local use 0         All other modules and events
Table 7. Numerical Code and Facility Level Mappings
Numerical Code   Facility Level Setting
20               LOCAL4
21               LOCAL5
22               LOCAL6
23               LOCAL7
For example, selecting LOCAL2 as the facility level assigns the numerical code of 18 to all events sent to the syslog server by the switch.
6 - Event Severity
The severity of events to be sent by the switch to the syslog server.
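As an added example (not AT-S62 code), the following Python computes and decodes the RFC 3164 PRI field from the codes in Tables 6 and 7, so that a collector can filter this switch's events by facility and severity before they reach a detection rule. The numeric severity assigned to each AT-S62 severity letter (E, W, I), the text layout that follows the PRI, the sample event, and the rule that the Table 6 per-module mapping applies only when no fixed LOCALn facility level is selected are assumptions of the example, not statements from the guide.

```python
"""RFC 3164 PRI arithmetic for AT-S62 syslog output (added example).

Not AT-S62 code. From the guide: LOCAL0..LOCAL7 are codes 16..23 (Table 7,
LOCAL2 -> 18), the per-module codes of Table 6, severities E/W/I, and that
Extended format adds date, time and switch IP. Assumed: the numeric severity
per letter, the text layout after the PRI, and that Table 6 applies only when
no fixed LOCALn level is configured.
"""
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

# Table 7: LOCAL0..LOCAL7 are RFC 3164 facility codes 16..23.
LOCAL_FACILITY: Dict[str, int] = {f"LOCAL{i}": 16 + i for i in range(8)}

# Table 6: module-to-facility mapping used when no fixed level is set (assumed).
MODULE_FACILITY: Dict[str, int] = {
    "TIME": 9, "RTC": 9,                                           # clock daemon
    "PCFG": 22, "PMIRR": 22, "PTRUNK": 22, "STP": 22, "VLAN": 22,  # local use 6
    "SYSTEM": 23,                                                  # local use 7
}
DEFAULT_FACILITY = 16                                              # local use 0

# Assumed mapping of AT-S62 severity letters to RFC 3164 severity numbers.
SEVERITY: Dict[str, int] = {"E": 3, "W": 4, "I": 6, "D": 7}


def facility_for(module: str, facility_level: Optional[str] = None) -> int:
    """Numeric facility for one event: fixed LOCALn if configured, else Table 6."""
    if facility_level is not None:
        return LOCAL_FACILITY[facility_level.upper()]
    return MODULE_FACILITY.get(module.upper(), DEFAULT_FACILITY)


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def split_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    return divmod(value, 8)


def format_event(module: str, sev: str, text: str, facility_level: Optional[str] = None,
                 extended: bool = False, when: Optional[datetime] = None,
                 switch_ip: Optional[str] = None) -> str:
    """Render one event as the switch would send it (text layout is assumed)."""
    p = pri(facility_for(module, facility_level), SEVERITY[sev.upper()])
    body = f"{sev.upper()} {module}: {text}"
    if extended:
        when = when or datetime(2006, 1, 2, 11, 20, 2)   # constructed timestamp
        body = f"{when.strftime('%b %d %H:%M:%S')} {switch_ip} {body}"
    return f"<{p}>{body}"


_LINE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_line(line: str) -> Dict:
    """Collector side: recover facility and severity from the PRI for filtering."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("no PRI field")
    fac, sev = split_pri(int(m.group(1)))
    names = {v: k for k, v in LOCAL_FACILITY.items()}
    return {"facility": fac, "facility_name": names.get(fac, str(fac)),
            "severity": sev, "body": m.group(2)}


if __name__ == "__main__":
    # Constructed event in the SYSTEM module (Table 5: login and logoff events).
    line = format_event("SYSTEM", "W", "Manager login failed", extended=True,
                        switch_ip="149.44.44.44")
    print(line, parse_line(line))
```

With the Table 6 default, SYSTEM events arrive as local7 and port, trunk, mirror, STP and VLAN events as local6, so a collector can route them to different rules; with a fixed LOCALn level every module shares one facility and the module name in the body is the only discriminator.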
Configure Log Outputs (Allied Telesyn Ethernet Switch AT-8524M, AT-S62, User: Manager)
OutputID  Type       Status   Details
1         Temporary  Enabled  Wrap on Full
2         Syslog     Enabled  149.44.44.44
1 - Create Log Output
2 - Modify Log Output
3 - Delete Log Output
4 - View Log Output Details
R - Return to Previous Menu
Enter your selection?
Figure 64.
For definitions of the parameters, refer to “Creating a Syslog Server Definition” on page 226. You cannot change a definition’s output ID number.
7. When you are finished modifying the settings, type M to select Modify Log Output. The Configure Log Outputs menu is displayed again.
8. To modify additional definitions, repeat this procedure starting with step 4.
9. After making changes, type R until you return to the Main Menu.
Displaying a Syslog Server Definition
To display the details of an existing syslog server definition, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 60 on page 218.
3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu is shown in Figure 62 on page 223.
4.
Chapter 13 Classifiers This chapter explains classifiers and how you can create classifiers to define traffic flows.
Chapter 13: Classifiers Classifier Overview A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter could be packets with specific source and destination MAC addresses. A classifier consists of a set of criteria. You configure the criteria to match the traffic flow you want the classifier to define.
is dictated by the QoS policy, as explained in Chapter 15 on page 267. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
Classifier Criteria
The criteria of a classifier are defined in the following subsections.
Figure 65. User Priority and VLAN Fields within an Ethernet Frame

  Preamble                    64 bits
  Destination Address         48 bits
  Source Address              48 bits
  Tag Protocol Identifier     16 bits
  User Priority                3 bits
  CFI                          1 bit
  VLAN Identifier             12 bits
  Type/Length                 16 bits
  Frame Data                  368 to 12000 bits
  CRC                         32 bits

You can identify a traffic flow of tagged packets using the user priority value.
Observe the following guidelines when using this variable:

- This variable must be left blank or set to IP when setting a Layer 3 or Layer 4 variable.
- To specify a protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose hexadecimal, precede the number with the prefix “0x”.

IP ToS (Type of Service) (Layer 3)

Type of Service (ToS) is a standard field in IP packets.
Observe these guidelines when using this criterion:

- The Protocol variable must be left blank or set to IP.
- You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.

IP Protocol (Layer 3)

You can define a traffic flow by the following Layer 3 protocols:

- TCP
- UDP
- ICMP
- IGMP
- IP protocol number

If you choose to specify a Layer 3 protocol by its number, you can enter the value in decimal or hexadecimal format.
Observe this guideline when using these criteria:

- The Protocol variable must be left blank or set to IP.

TCP Source Ports (Layer 4)
TCP Destination Ports (Layer 4)

Traffic flows can be identified by a source and/or destination TCP port number. A TCP port number is contained within the header of an IP frame.

Observe the following guidelines when using these criteria:

- The Protocol variable must be left blank or set to IP.
Classifier Guidelines

Here are the guidelines to follow when creating a classifier:

- Each classifier represents a separate traffic flow.
- The variables within a classifier are linked by AND. The more variables specified within a classifier, the more specific it becomes in terms of the defined flow.
Creating a Classifier

This section contains the procedure for creating a classifier. As explained in “Classifier Overview” on page 234, a classifier is a series of variables that you set to define a traffic flow.

To create a classifier, do the following:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 1 to select Classifier Configuration.
The Create Classifier menu (page 1) is shown in Figure 68.

Allied Telesyn Ethernet Switch AT-8524M - ATS62 Production Switch
User: Manager                              11:20:02 02-Jan-2006

Create Classifier

01 - Classifier ID: ..... 2
02 - Description: .......
03 - Dst MAC: ...........
04 - Src MAC: ...........
05 - Eth Format .........
06 - Priority: ..........
07 - VLAN ID: ...........
08 - Protocol: ..........
09 - IP ToS: ............
10 - IP DSCP: ...........

E -
C -
N -
U -
R -
4. To set a variable, type E to select Edit Parameters. The following prompt is displayed:

   Enter parameter ID to edit: [1 to 19] ->1

5. Enter the number of the variable you want to configure. You can configure only one parameter at a time.
6. Adjust the new value for the variable. Refer to “Classifier Overview” on page 234 for definitions of the variables.

Note
Option 1 is used to assign the classifier an ID number.
Modifying a Classifier

In order to modify a classifier, you need to know its ID number. To view classifier ID numbers, refer to “Displaying Classifiers” on page 248.

You cannot modify a classifier if it belongs to an ACL or QoS policy that is assigned to a port. You must first remove the port assignments from the ACL or policy before you can modify the classifier.

To modify a classifier, do the following:

1. From the Main Menu, type 7 to select Security and Services.
2.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
9. To add the modified classifier to an ACL, refer to “Creating an ACL” on page 259 or “Modifying an ACL” on page 261. To add it to a QoS policy, refer to “Managing Flow Groups” on page 283.
Deleting a Classifier

This procedure deletes a classifier from the switch. To delete a classifier, you need to know its ID number. To view the classifier ID numbers, refer to “Displaying Classifiers” on page 248.

You cannot delete a classifier if it belongs to an ACL or QoS policy. You must first remove a classifier from its ACL and QoS policy assignments before you can delete it.

To delete a classifier, do the following:

1.
Deleting All Classifiers

This procedure deletes all classifiers from the switch. To delete individual classifiers, perform “Deleting a Classifier” on page 246.

You cannot delete the classifiers if any of them belong to an ACL or QoS policy. All classifiers must be removed from their ACL and QoS policy assignments before you can delete them.

To delete all classifiers, do the following:

1. From the Main Menu, type 7 to select Security and Services.
2.
Displaying Classifiers

To display the classifiers on a switch, do the following:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 1 to select Classifier Configuration. The Classifier Configuration menu is shown in Figure 67 on page 241.
3. From the Classifier Configuration menu, type 4 to select Show Classifiers. An example of the Show Classifiers window is illustrated in Figure 70.
Number of Active Associations - The number of current assignments of the classifier, counting only active ACLs and QoS policies.

4. To view the details of a classifier, type D to select Detail Classifier Display. The following prompt is displayed:

   Enter Classifier ID : [1 to 9999] -> 1

5. Enter the ID number of the classifier you want to display. The details of the specified classifier are displayed.
Section II: Advanced Operations
Chapter 14 Access Control Lists

This chapter explains access control lists (ACL) and how you can use this feature to improve network security and performance.
Access Control List (ACL) Overview

An ACL is a filter that controls the ingress packets on a port. You can use this feature to control which ingress packets a port will accept and which it will reject. Packets are filtered based on the criteria defined in the classifiers assigned to an ACL.

There are several benefits of this feature. One is that it can add to your network security.
Here is an overview of how the process works.

1. When an ingress packet arrives on a port, the switch checks it against the criteria in the classifiers of all the ACLs, both permit and deny, assigned to that port.
2. If the packet matches the criteria of a permit ACL, the port immediately accepts it. The packet is accepted even if it matches a deny ACL on the same port because a permit ACL overrides a deny ACL.
3.
A classifier can be assigned to multiple ACLs. However, a classifier cannot be assigned more than once to a port. Put another way, ACLs that have the same classifier cannot be assigned to the same port.

The switch can store up to 64 ACLs.

Examples

This section contains several examples of ACLs.

In this example, port 4 is assigned a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet.
To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL. This example denies traffic on port 4 from three subnets using three classifiers, one for each subnet, assigned to the same ACL.

Create Classifier
01 - Classifier ID: ..... 22
02 - Description: ...... 149.11.11 flow
.
.
12 - Src IP Addr: ..... 149.11.11.0
13 - Src IP Mask: ..... 255.255.255.
You can achieve the same result by assigning each classifier to a different ACL and assigning the ACLs to the same port, as in this example, again for port 4.

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... 149.11.11-deny
3 - Action .................. Deny
4 - Classifier List ...... 22
5 - Port List .............. 4

Create Access Control Lists (ACL)
1 - ACL ID ................. 22
2 - Description .......... 149.22.22.
In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11 defines the authorized traffic flow for the ports and is assigned to an ACL with a permit action. Classifier ID 17 defines all IP traffic and is assigned to an ACL with a deny action. Since a permit ACL overrides a deny ACL, the ports accept the traffic from the 149.44.44.
The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 and a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited.

Create Classifier

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... ToS 6 traffic - permit
3 - Action .................. Permit
4 - Classifier List ...... 6
5 - Port List ..............
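The permit-overrides-deny evaluation from the overview, applied to the ports 14/15 example and the port 17 ToS example above, as an added Python model (not code from the guide or from Allied Telesyn). The classes, the ACL IDs the page does not show, the ARP classifier, the /24 masks and the sample packets are constructed for the example, and accepting a packet that matches no ACL at all is an assumption, since the guide's step 3 is cut off above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Added example: a model of the chapter's ACL evaluation rules. It is not
# AT-S62 code; the classes, field names and sample packets are constructed.


@dataclass
class Classifier:
    """A subset of the Chapter 13 criteria. All set criteria are ANDed."""
    id: int
    protocol: Optional[str] = None          # "IP", "ARP", ... (None = any)
    src_net: Optional[IPv4Network] = None   # Src IP Addr + Src IP Mask
    dst_net: Optional[IPv4Network] = None   # Dst IP Addr + Dst IP Mask
    ip_tos: Optional[int] = None            # IP ToS (Layer 3)

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        layer3 = (self.src_net, self.dst_net, self.ip_tos)
        if any(c is not None for c in layer3) and pkt["protocol"] != "IP":
            return False   # Layer 3 criteria only apply to IP packets
        if self.src_net is not None and IPv4Address(pkt["src"]) not in self.src_net:
            return False
        if self.dst_net is not None and IPv4Address(pkt["dst"]) not in self.dst_net:
            return False
        if self.ip_tos is not None and pkt.get("tos") != self.ip_tos:
            return False
        return True


@dataclass
class ACL:
    id: int
    action: str                     # "Permit" or "Deny"
    classifiers: List[Classifier]   # Classifier List
    ports: List[int]                # Port List


def validate_port_assignments(acls: List[ACL]) -> None:
    """Enforce the rule that a classifier may be assigned only once per port."""
    seen = set()
    for acl in acls:
        for port in acl.ports:
            for c in acl.classifiers:
                if (port, c.id) in seen:
                    raise ValueError(f"classifier {c.id} assigned twice to port {port}")
                seen.add((port, c.id))


def evaluate(port: int, pkt: dict, acls: List[ACL]) -> str:
    """Return 'accept' or 'reject' for one ingress packet on the given port."""
    deny_hit = False
    for acl in acls:
        if port not in acl.ports:
            continue
        if any(c.matches(pkt) for c in acl.classifiers):
            if acl.action == "Permit":
                return "accept"   # a permit ACL overrides any deny ACL
            deny_hit = True
    if deny_hit:
        return "reject"
    return "accept"   # assumption: a packet matching no ACL is accepted


def ip_pkt(src: str, dst: str, tos: int = 0) -> dict:
    """Constructed IP packet summary: just the fields the classifiers read."""
    return {"protocol": "IP", "src": src, "dst": dst, "tos": tos}


def example_acls() -> List[ACL]:
    """The two scenarios from the guide's examples, as constructed objects."""
    # Ports 14 and 15: only subnet 149.44.44.0 is allowed; all other IP denied.
    c11 = Classifier(11, protocol="IP", src_net=IPv4Network("149.44.44.0/24"))
    c17 = Classifier(17, protocol="IP")          # all IP traffic
    # Port 17: only ToS 6 packets from 149.22.11.0 to 149.22.22.22 are allowed;
    # all other IP traffic and ARP are denied.
    c6 = Classifier(6, protocol="IP", src_net=IPv4Network("149.22.11.0/24"),
                    dst_net=IPv4Network("149.22.22.22/32"), ip_tos=6)
    c7 = Classifier(7, protocol="ARP")           # constructed classifier ID
    return [
        ACL(11, "Permit", [c11], [14, 15]),      # constructed ACL ID
        ACL(17, "Deny", [c17], [14, 15]),        # constructed ACL ID
        ACL(4, "Permit", [c6], [17]),            # ACL ID 4 as on the page
        ACL(5, "Deny", [c17, c7], [17]),         # constructed ACL ID
    ]
```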
Creating an ACL

This procedure explains how to create an ACL. In order to perform this procedure, you need to know the ID numbers of the classifiers you want to assign to the ACL. To view classifier ID numbers, refer to “Displaying Classifiers” on page 248.

To create an ACL, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists.
4. Type 1 to select ACL ID and, when prompted, enter an ID number for the ACL. Every ACL on the switch must have a unique ID number. The range is 0 to 255. The default is the lowest unused number. This parameter is required.
5. Type 2 to select Description and enter a description for the ACL. A description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended.
Modifying an ACL

This procedure explains how to modify an ACL. In order to perform this procedure, you need to know the ID number of the ACL you want to modify. To display ACL ID numbers, refer to “Displaying ACLs” on page 266.

If you plan to add classifiers to the ACL, you also need to know the ID numbers of the classifiers. To view classifier ID numbers, refer to “Displaying Classifiers” on page 248.
You cannot change an ACL’s ID number.

5. To change the description of the ACL, type 2 to select Description and enter a new description for the ACL. The description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended. Assigning each ACL a name will make it easier for you to identify them.
6. To change the ACL’s action, type 3 to select Action.
Deleting an ACL

This procedure deletes an ACL from the switch. In order to perform this procedure, you need to know the ID number of the ACL you want to delete. To display ACL ID numbers, refer to “Displaying ACLs” on page 266.

To delete an ACL, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists.
5. To delete the ACL, type D to select Destroy ACL. To cancel the procedure, type R to select Return to Previous Menu. A deleted ACL is immediately removed from the switch.
6. To delete additional ACLs, repeat this procedure starting with step 3.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting All ACLs

This procedure deletes all ACLs from the switch. To delete all ACLs, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 77 on page 259.
3. From the Access Control Lists (ACL) menu, type P to select Purge ACLs.

Caution
No confirmation prompt is displayed.
Displaying ACLs

To display the ACLs on a switch, perform this procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 77 on page 259.
3. From the Access Control Lists (ACL) menu, type 4 to select Show ACLs. An example of the Show ACLs window is illustrated in Figure 81.
Chapter 15 Quality of Service

This chapter describes Quality of Service (QoS).
Quality of Service Overview

Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN the same. Without QoS, every different traffic type is equally likely to be dropped if a link becomes oversubscribed.
The QoS functionality described by this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. Each policy is built up out of traffic classes, flow groups and classifiers.

In summary, to configure QoS:

- Create classifiers to sort packets into traffic flows.
Flow Groups

Flow groups are used to group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers. Once a flow group has been added to a traffic class it cannot be added to another traffic class. A traffic class may have many flow groups. Traffic is matched in the order of the flow groups.
The effects of this behavior become evident when using the maximum bandwidth feature of QoS. Here is an example. Suppose you have a policy that assigns 5 Mbps of maximum bandwidth to an egress port. Now assume there are 10 ports on the switch where ingress traffic matches the criteria specified in the classifier assigned to the policy of the egress port.
- Replacing the VLAN tag User Priority, to enable the next switch in the network to process the packet correctly
- Replacing the TOS precedence or DSCP value, to enable the next switch in the network to process the packet correctly.

Bandwidth Allocation

Bandwidth limiting is configured at the level of traffic classes, and encompasses the flow groups contained in the traffic class.

Packet Prioritization
Replacing Priorities

The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses this switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, you need to replace one of two priority fields in the packet header:

- The User Priority field of the VLAN tag header.

VLAN Tag User Priorities

DSCP Values
A simple example of this process is shown in Figure 82, for limiting the amount of bandwidth used by traffic from a particular IP address. In the domain shown, this bandwidth limit is supplied by the class of service represented by a DSCP value of 40. In the next DiffServ domain, this traffic is assigned to the class of service represented by a DSCP value of 3.
- Assign the classifiers to flow groups and the flow groups to traffic classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain.
- Give each traffic class the priority and/or bandwidth limiting controls that are required for that type of packet within this part of the domain. These QoS controls need not be the same for each switch.

3.
Examples

Voice Applications

Voice applications typically require a small bandwidth but it must be consistent. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority.

This example creates two policies that ensure low latency for all traffic sent by and destined to a voice application located on a node with the IP address 149.44.44.44.
The parts of the policies are:

Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address since this classifier is part of a policy for packets coming from the application.
Video Applications

Video applications typically require a larger bandwidth than voice applications. Video applications can be set up to have a high priority and buffering, depending on the application.

This example creates policies with low latency and jitter for video streams (for example, net conference calls). The policies in Figure 84 assign the packets a priority level of 4 and limit the bandwidth to 5 Mbps. The node containing the application has the IP address 149.44.
The parts of the policies are:

Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning packets coming from the application.
Critical Database

Critical databases typically require a high bandwidth. They also typically require less priority than either voice or video. The policies in Figure 85 assign 50 Mbps bandwidth, with no change to priority, to traffic going to and from a database. The database is located on a node with the IP address 149.44.44.44 on port 1 of the switch.

Policy 15

Create Classifier
01 - Classifier ID: ..... 42
02 - Description ....... Database
.

Policy 17

Create Classifier
Policy Component Hierarchy

The purpose of this example is to illustrate the hierarchy that exists among the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels: flow group, traffic class and policy.
Create Classifier
01 - Classifier ID: ..... 1
.
14 - Dst IP Addr ..... 149.11.11.0
15 - Dst IP Mask ..... 255.255.255.0

Create Classifier
01 - Classifier ID: ..... 2
.
14 - Dst IP Addr ..... 149.22.22.0
15 - Dst IP Mask ..... 255.255.255.0

Create Flow Group
1 - Flow Group ID ......... 1
.
3 - DSCP Value ............. 10
.
9 - Classifier List ........ 1,2

Create Traffic Class
1 - Traffic Class ID: ........ 1
.
5 - DSCP value ............. 30
.
E - Flow Group List .....
Managing Flow Groups

This section contains the following procedures:

- “Creating a Flow Group” on page 283
- “Modifying a Flow Group” on page 285
- “Deleting a Flow Group” on page 287
- “Displaying Flow Groups” on page 288

Creating a Flow Group

To create a flow group, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
4. Type 1 to select Create Flow Group. The Create Flow Group menu is shown in Figure 89.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                              11:20:02 02-Mar-2006

Create Flow Group

1 - FlowGroup ID ..............
2 - Description ...............
3 - DSCP value ................
4 - Priority ..................
5 - Remark Priority ...........
6 - ToS .......................
7 - Move ToS to Priority ......
8 - Move Priority to ToS ......
9 - Classifier List .......
5 - Remark Priority
If set to Yes, replaces the user priority value in the packets with the new value specified in option 4, Priority. If set to No, which is the default, the packets retain their preexisting priority level.

6 - ToS
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7. A new ToS value can be set at all three levels: flow group, traffic class, and policy.
4. Type 2 to select Modify Flow Group. The following prompt is displayed:

   Available Flow Group(s): 0-10
   Enter Flow Group ID : [0 to 1023] -> 0

5. Enter the ID number of the flow group you want to modify. You can modify only one flow group at a time. The selected flow group is displayed in the Modify Flow Group menu. An example is shown in Figure 90.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting a Flow Group

To delete a flow group, do the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 283.
3.
6. Type D to delete the flow group. The flow group is deleted from the switch. The group is removed from any traffic classes to which it is assigned.
7. To delete another flow group, repeat this procedure starting with step 4.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying Flow Groups

To display flow groups, do the following procedure:

1.
The Show Flow Groups menu provides the following information:

ID
The flow group’s ID number.

Description
A description of the flow group.

Parent Traffic Class ID
The ID number of the traffic class to which the flow group is assigned. A flow group can belong to only one traffic class at a time.

Active
The status of the flow group. If the flow group is part of a QoS policy that is assigned to one or more ports, the flow group is deemed active.
Managing Traffic Classes

This section contains the following procedures:

- “Creating a Traffic Class” on page 290
- “Modifying a Traffic Class” on page 294
- “Deleting a Traffic Class” on page 296
- “Displaying Traffic Classes” on page 297

Creating a Traffic Class

To create a traffic class, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
The Create Traffic Class menu is shown in Figure 95.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                              11:20:02 02-Mar-2006

Create Traffic Class

1 - Traffic Class ID ..........
2 - Description ...............
3 - Exceed Action .............
4 - Exceed Remark Value .......
5 - DSCP value ................
6 - Max bandwidth .............
7 - Burst Size ................
8 - Priority ..................
9 - Remark Priority .......
A -
B -
D -
E -
5 - DSCP value
Specifies a replacement value to write into the DSCP (TOS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy. A DSCP value specified in a flow group overrides a DSCP value specified at the traffic class or policy level. A DSCP value specified at the traffic class level is used only if no value has been specified at the flow group level.
matches the number being used by the traffic. However, no unused tokens will accumulate in the bucket. If the traffic increases, the excess traffic will be discarded since no tokens are available for handling the increase. If the traffic is below the maximum bandwidth, unused tokens will accumulate in the bucket since the actual bandwidth falls below the specified maximum.
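The token bucket described above, as an added Python model (not code from the guide or from Allied Telesyn) using the field names from the Create Traffic Class menu. That Burst Size is the bucket's capacity, that the bucket starts full, and that Exceed Action is either Drop or Remark (writing Exceed Remark Value into DSCP) are assumptions of this model, and the packet streams are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example: a token-bucket model of a traffic class's bandwidth limit.
# Not AT-S62 code. Field names follow the Create Traffic Class menu; the
# bucket capacity being Burst Size, the bucket starting full and the
# Drop/Remark exceed actions are assumptions made for this model.


@dataclass
class TrafficClassLimiter:
    max_bandwidth_kbps: int          # Max bandwidth: the token refill rate
    burst_size_bytes: int            # Burst Size: most tokens the bucket holds
    exceed_action: str = "Drop"      # Exceed Action: "Drop" or "Remark"
    exceed_remark_value: int = 0     # Exceed Remark Value: DSCP for excess
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst_size_bytes   # assumption: bucket starts full

    def _refill(self, now_ms: int) -> None:
        # kbps * 1000 / 8 = kbps * 125 bytes per second, so an elapsed
        # interval in ms adds elapsed * kbps * 125 / 1000 bytes of tokens.
        # Integer arithmetic keeps the comparison below exact.
        added = (now_ms - self.last_ms) * self.max_bandwidth_kbps * 125 // 1000
        self.tokens = min(self.burst_size_bytes, self.tokens + added)
        self.last_ms = now_ms

    def admit(self, now_ms: int, length: int, dscp: int) -> Tuple[str, int]:
        """Return (verdict, dscp) for one packet of `length` bytes."""
        self._refill(now_ms)
        if length <= self.tokens:
            self.tokens -= length             # conforming: consume tokens
            return ("forward", dscp)
        # Excess traffic: no tokens are available for it
        if self.exceed_action == "Remark":
            return ("remark", self.exceed_remark_value)
        return ("drop", dscp)


def simulate(limiter: TrafficClassLimiter,
             packets: List[Tuple[int, int, int]]) -> Dict[str, int]:
    """Run (time_ms, length, dscp) packets through the limiter; return counts."""
    counts = {"forward": 0, "drop": 0, "remark": 0}
    for t, length, dscp in packets:
        verdict, _ = limiter.admit(t, length, dscp)
        counts[verdict] += 1
    return counts


def constant_stream(length: int, count: int, interval_ms: int = 1,
                    dscp: int = 10) -> List[Tuple[int, int, int]]:
    """Constructed traffic: `count` packets of `length` bytes, one per interval."""
    return [(i * interval_ms, length, dscp) for i in range(count)]


if __name__ == "__main__":
    # 5 Mbps limit (the chapter's example figure) with an 8000-byte burst.
    # 1500-byte packets every millisecond offer 12 Mbps: the burst drains,
    # then only the refill rate gets through and the rest is dropped.
    print(simulate(TrafficClassLimiter(5000, 8000), constant_stream(1500, 20)))
    # 625-byte packets every millisecond offer exactly 5 Mbps: all forwarded.
    print(simulate(TrafficClassLimiter(5000, 8000), constant_stream(625, 20)))
    # Same 12 Mbps stream with Exceed Action = Remark: nothing is dropped,
    # the excess is forwarded with its DSCP rewritten to Exceed Remark Value.
    print(simulate(TrafficClassLimiter(5000, 8000, "Remark", 0),
                   constant_stream(1500, 20)))
```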
B - Move ToS to Priority
If set to yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting 802.1p priority level.

D - Move Priority to ToS
If set to yes, replaces the value in the ToS priority field with the value in the 802.1p priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting ToS priority level.
The selected traffic class is displayed in the Modify Traffic Class menu. An example is shown in Figure 96.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                              11:20:02 02-Mar-2006

Modify Traffic Class

1 - Traffic Class ID ..........
2 - Description ...............
3 - Exceed Action .............
4 - Exceed Remark Value .......
5 - DSCP value ................
6 - Max bandwidth .............
7 - Burst Size .............
8 -
9 -
A -
B -
D -
E -
Deleting a Traffic Class

To delete a traffic class, do the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 283.
3. From the Quality of Service (QoS) menu, type 2 to select Traffic Class Configuration. The Traffic Class Configuration menu is shown in Figure 94 on page 290.
4.
6. Type D to delete the traffic class. The traffic class is deleted from the switch. The class is removed from any policies to which it is assigned.
7. To delete another traffic class, repeat this procedure starting with step 4.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying Traffic Classes

To display the traffic classes, do the following procedure:

1.
The Show Traffic Classes menu provides the following information:

ID
The traffic class’ ID number.

Description
A description of the traffic class.

Parent Policy ID
The ID number of the policy where the traffic class is assigned. A traffic class can belong to only one policy at a time.

Active
The status of the traffic class. If the traffic class is part of a QoS policy that is assigned to one or more ports, the traffic class is deemed active.
Managing Policies

This section contains the following procedures:

- “Creating a Policy” on page 299
- “Modifying a Policy” on page 302
- “Deleting a Policy” on page 303
- “Displaying Policies” on page 304

Creating a Policy

To create a policy, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
The Create Policy menu is shown in Figure 100.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                              11:20:02 02-Mar-2006

Create Policy

1 - Policy ID ................
2 - Description ..............
3 - Remark DSCP ..............
4 - DSCP value ...............
5 - ToS ......................
6 - Move ToS to Priority .....
7 - Move Priority to ToS .....
8 - Send to Mirror Port ......
9 - Traffic Class List .......
A - Ingress Port List ........
B - Egress Port .......
5 - ToS
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7. A ToS value specified at the policy level is used only if no value has been specified at the flow group and traffic class levels.

6 - Move ToS to Priority
If set to yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets.
Modifying a Policy

To modify a policy, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 283.
3. Type 3 to select Policy Configuration. The Policy Configuration menu is shown in Figure 99 on page 299.
4. From the Policy Configuration menu, type 2 to select Modify Policy.
To delete a value from a variable so as to leave it blank, select the variable and then use the backspace key to delete its default value. Specifying an invalid value for a parameter that already has a value causes the parameter to revert to its default value.

7. After you have finished modifying the parameter settings, type M to select Modify Policy.
Displaying Policies

To display policies, do the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 283.
3. From the Quality of Service (QoS) menu, type 3 to select Policy Configuration. The Policy Configuration menu is shown in Figure 99 on page 299.
4. Type 4 to select Show Policies.
5. To display the specifics of a policy, type D to select Detail Policy Display.
6. When prompted, enter the ID number of the policy you want to view. You can display only one policy at a time. The specifications of the policy are displayed in the Detail Policy Display. For definitions of the parameters, refer to “Creating a Policy” on page 299.
Chapter 16 Class of Service

This chapter contains the procedures for configuring Class of Service (CoS).
Class of Service Overview

When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations.
Table 8 lists the mappings between the eight CoS priority levels and the four egress queues of a switch port.

Table 8. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.1p Priority Level    Port Priority Queue
0                             Q1
1                             Q0
2                             Q0
3                             Q1
4                             Q2
5                             Q2
6                             Q3
7                             Q3

For example, if a tagged packet with a priority level of 3 entered a port on the switch, the switch would store the packet in the Q1 queue on the egress port.
Chapter 16: Class of Service Table 9. Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues IEEE 802.1p Priority Level Port Priority Queue 4 Q2 5 Q3 6 Q3 7 Q3 The procedure for changing the default mappings is found in “Mapping CoS Priorities to Egress Queues” on page 316. Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.
AT-S62 Management Software Menus Interface User’s Guide Note Scheduling is set at the switch level. You cannot set this on a perport basis. Strict Priority Scheduling With this type of scheduling, a port transmits all packets out of higher priority queues before transmitting any from the lower priority queues. For instance, as long as there are packets in Q3 it does not handle any packets in Q2.
Chapter 16: Class of Service In this example, the port transmits a maximum number of 15 packets from Q3 before moving to Q2, from which it transmits up to 10 packets, and so forth.
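An added simulation of the two scheduling methods, not taken from the guide: it runs the same backlog through strict priority and weighted round robin and counts what each queue got to send, which makes the starvation risk of strict priority visible. The Q3 and Q2 limits of 15 and 10 packets are the ones in the text; the Q1 and Q0 limits (5 and 1) and the offered load are assumptions.

```python
from collections import deque

# Weighted round robin limits per queue, indexed by queue number Q0..Q3.
# Q3=15 and Q2=10 come from the text; Q1=5 and Q0=1 are assumed values.
ASSUMED_WEIGHTS = {0: 1, 1: 5, 2: 10, 3: 15}


def make_queues(backlog):
    """Build the four egress queues from a {queue: packet_count} backlog (constructed input)."""
    queues = {q: deque() for q in range(4)}
    for q, count in backlog.items():
        queues[q].extend(f"pkt-{q}-{i}" for i in range(count))
    return queues


def strict_priority(queues, slots):
    """Transmit up to `slots` packets, always draining the highest non-empty queue first.
    Returns the number of packets sent from each queue."""
    sent = {q: 0 for q in range(4)}
    for _ in range(slots):
        for q in (3, 2, 1, 0):          # the highest priority queue wins every slot
            if queues[q]:
                queues[q].popleft()
                sent[q] += 1
                break
        else:
            break                        # every queue is empty
    return sent


def weighted_round_robin(queues, slots, weights=ASSUMED_WEIGHTS):
    """Transmit up to `slots` packets in rounds: each round visits Q3 down to Q0 and
    sends at most weights[q] packets from each queue that has traffic."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every weight must be positive, or a queue could starve")
    sent = {q: 0 for q in range(4)}
    remaining = slots
    while remaining and any(queues[q] for q in range(4)):
        for q in (3, 2, 1, 0):
            budget = weights[q]
            while budget and remaining and queues[q]:
                queues[q].popleft()
                sent[q] += 1
                budget -= 1
                remaining -= 1
    return sent


def compare(backlog, slots):
    """Run both schedulers on identical backlogs and return their per-queue counts."""
    return (strict_priority(make_queues(backlog), slots),
            weighted_round_robin(make_queues(backlog), slots))


if __name__ == "__main__":
    # Constructed load: Q3 is saturated while Q0 holds a little low-priority traffic.
    strict, wrr = compare({3: 100, 0: 10}, slots=40)
    print("strict priority:", strict)       # Q0 never gets a slot while Q3 has traffic
    print("weighted round robin:", wrr)     # Q0 still gets one packet per round
```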
Configuring CoS As explained in “Class of Service Overview” on page 308, a tagged packet received on a port is placed into one of four priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 8 on page 309. You can override the mappings at the port level by assigning the packets a temporary priority level.
2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 104.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
Class of Service (CoS)
Number of CoS Queues: 4
1 - Configure Port CoS Priorities
2 - Map CoS Priority to Egress Queue
3 - Configure Egress Scheduling
4 - Show Port CoS Priorities
R - Return to Previous Menu
Enter your selection?
Figure 104.
Menu option 1 cannot be changed. 5. Type 2 to select Priority (0 - 7). The following prompt is displayed: Enter new value -> [0 to 7] 6. Enter the new temporary priority value of 0 to 7 for the untagged frames received on the port. For example, to assign a temporary priority level of 4 to the ingress untagged packets, enter 4. The default is 0.
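An added example, not code from the guide, that models how a frame received on a port ends up in an egress queue: the 802.1p priority is read from the frame’s 802.1Q tag (untagged frames take the port’s temporary priority, and with the override set tagged frames do too), then mapped through the switch-level table. The frame builder and the MAC addresses in it are constructed test input.

```python
import struct

# Switch-wide defaults from Table 8 of the guide: 802.1p priority -> egress queue number.
DEFAULT_PRIORITY_TO_QUEUE = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def pcp_of_frame(frame):
    """Return the 802.1p priority (PCP) carried in an 802.1Q tag, or None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x8100:
        return None
    if len(frame) < 16:
        raise ValueError("frame truncated inside the 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13            # PCP is the top three bits of the TCI


class CosClassifier:
    """Models the switch-level priority-to-queue map plus the per-port temporary
    priority and override flag that the chapter describes."""

    def __init__(self, mapping=None):
        self.mapping = dict(mapping or DEFAULT_PRIORITY_TO_QUEUE)
        if sorted(self.mapping) != list(range(8)):
            raise ValueError("mapping must cover every priority 0-7")
        if any(q not in range(4) for q in self.mapping.values()):
            raise ValueError("the switch has only queues Q0-Q3")
        self.port_priority = {}   # port -> temporary priority for untagged frames (default 0)
        self.port_override = {}   # port -> True if tagged frames also get the temporary priority

    def set_mapping(self, priority, queue):
        """Switch-level change (Table 9 style); every port sees the new mapping."""
        if priority not in range(8) or queue not in range(4):
            raise ValueError("priority must be 0-7 and queue 0-3")
        self.mapping[priority] = queue

    def set_port(self, port, priority=0, override=False):
        if priority not in range(8):
            raise ValueError("temporary priority must be 0-7")
        self.port_priority[port] = priority
        self.port_override[port] = override

    def priority_of(self, port, frame):
        """Priority the switch uses for a frame received on `port`."""
        tagged = pcp_of_frame(frame)
        if tagged is None or self.port_override.get(port, False):
            return self.port_priority.get(port, 0)
        return tagged

    def queue_of(self, port, frame):
        """Egress queue number (0-3) the frame is placed into."""
        return self.mapping[self.priority_of(port, frame)]


def make_frame(pcp=None, vid=1):
    """Constructed sample frame with locally administered MACs; pcp=None builds an untagged frame."""
    dst, src = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    payload = b"\x08\x00" + b"\x00" * 46      # IPv4 ethertype plus padding
    if pcp is None:
        return dst + src + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + b"\x81\x00" + struct.pack("!H", tci) + payload
```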
Mapping CoS Priorities to Egress Queues This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 10 on page 311. This is set at the switch level. You cannot set this at the per-port level. To change the mappings, perform the following procedure. 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313. 2.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring Egress Scheduling This procedure explains how to select and configure a scheduling method for Class of Service. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to “Scheduling” on page 310. Scheduling is set at the switch level. You cannot set this on a per-port basis. 1. From the Main Menu, type 7 to select Security and Services.
6. Return to the Main Menu and type S to select Save Configuration Changes.
Displaying Port CoS Priorities The following procedure displays a menu that lists the current CoS priority level settings for each port. 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313. 2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 104 on page 314. 3.
deactivated and the port is using the priority levels contained within the frames. If Yes, the override is activated and the tagged packets are assigned the temporary priority level shown in the Priority column.
Chapter 17 IGMP Snooping This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
Chapter 17: IGMP Snooping IGMP Snooping Overview IGMP enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a particular multicast group responds to a query by sending a report.
security by restricting the flow of multicast packets only to those switch ports connected to host nodes. Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact switch and network performance.
Configuring IGMP Snooping To configure the IGMP snooping parameters on the switch, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Multicast Configuration menu is shown in Figure 109.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
Advanced Configuration
1 - IGMP Snooping Configuration
R - Return to Previous Menu
Enter your selection?
Figure 109.
The options in the menu are defined below: 1 - IGMP Snooping Status Enables and disables IGMP snooping on the switch. After selecting this option, type E to enable or D to disable this feature. 2 - Multicast Host Topology Defines whether there is only one host node per switch port or multiple host nodes per port. Possible settings are Single-Host/Port (Edge) and Multiple Host/Ports (Intermediate).
A value of 0 disables the timer. A switch with a disabled timer never times out inactive host nodes or multicast routers. 4 - Maximum Multicast Groups Specifies the maximum number of multicast groups the switch will learn. This parameter is useful with networks that contain a large number of multicast groups. You can use the parameter to prevent the switch’s MAC address table from filling up with multicast addresses, leaving no room for dynamic or static MAC addresses.
Displaying a List of Host Nodes To view a list of the multicast groups and host nodes on a switch, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 109 on page 326. 2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 110 on page 326. 3.
Port/TrunkID - The port on the switch where a host node of the multicast group is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
HostIP - The IP address of the host node connected to the port.
IGMP Ver. - The version of IGMP being used by the host.
Exp. Time - The number of seconds remaining before the host is timed out if no further IGMP reports are received from it.
Displaying a List of Multicast Routers A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S62 software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration.
Chapter 18 Denial of Service Defenses This chapter contains procedures on how to configure the switch to protect your network against Denial of Service (DoS) attacks.
Chapter 18: Denial of Service Defenses Denial of Service Defense Overview The AT-S62 management software can help protect your network against the following types of Denial of Service attacks:
SYN Flood Attack
SMURF Attack
Land Attack
Teardrop Attack
Ping of Death Attack
IP Options Attack
The following subsections describe each type of attack and the mechanism employed by the AT-S62 management software to protect your network.
SMURF Attack This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request containing a broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
which is connected to the device that leads outside your network. The steps below review what happens when an ingress IP packet from the local device arrives on port 4: 1. When port 4 receives an ingress IP packet with a destination MAC address learned on uplink port 1, it examines the packet’s source IP address. 2.
Teardrop Attack An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. The victim is unable to reassemble the packet, possibly causing it to freeze operations. The defense mechanism for this type of attack has all ingress IP traffic received on a port sent to the switch’s CPU.
Note This defense mechanism requires some involvement by the switch’s CPU, though not as much as the Teardrop defense. This will not impact the forwarding of traffic between the switch ports, but it can affect the handling of CPU events, such as the processing of IGMP packets and spanning tree BPDUs. For this reason, Allied Telesyn recommends limiting the use of this defense, activating it only on those ports where an attack is most likely to originate.
Implementing this feature requires configuring the port mirroring feature as follows: Activate port mirroring. Specify a destination port. Do not specify any source ports. The source ports are defined by the Denial of Service defense mechanism. For instructions, refer to “Creating a Port Mirror” on page 167.
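An added example, not code from the guide, of the three packet checks that the SMURF, Land and Teardrop descriptions above imply, written as a defender’s inspection routine over raw IPv4 headers. The LAN subnet (built from the 149.22.22.x addresses shown elsewhere in this guide), the sample packets, and the classic source-equals-destination form of the Land check are assumptions, since the guide’s description of that defense is cut off above.

```python
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_ipv4(packet):
    """Decode the IPv4 header fields that the checks below need."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,
        "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset is in 8-octet units
        "payload": packet[ihl:total_len],
    }


class DosInspector:
    """Per-port checks modelled on the SMURF, Land and Teardrop defenses in the chapter.
    lan_subnet is the configured LAN IP Subnet (assumed, used for the directed broadcast)."""

    def __init__(self, lan_subnet):
        self.lan = ipaddress.IPv4Network(lan_subnet)
        self._fragments = {}   # (src, dst, ident) -> list of (start, end) byte ranges seen

    def is_smurf(self, hdr):
        """ICMP Echo request addressed to a broadcast address (what triggers the reflectors)."""
        if hdr["proto"] != 1 or hdr["offset"] != 0 or not hdr["payload"]:
            return False
        if hdr["payload"][0] != 8:           # ICMP type 8 = Echo request
            return False
        return hdr["dst"] in (LIMITED_BROADCAST, self.lan.broadcast_address)

    @staticmethod
    def is_land(hdr):
        """Classic Land definition (assumed here): source and destination are the same host."""
        return hdr["src"] == hdr["dst"]

    def is_teardrop(self, hdr):
        """Fragment whose offset is impossible or which overlaps data already received."""
        if hdr["offset"] == 0 and not hdr["more_fragments"]:
            return False                                     # not a fragment at all
        start, end = hdr["offset"], hdr["offset"] + len(hdr["payload"])
        if end > 65535:
            return True                                      # cannot fit in any datagram
        key = (hdr["src"], hdr["dst"], hdr["ident"])
        seen = self._fragments.setdefault(key, [])
        if any(start < s_end and s_start < end for s_start, s_end in seen):
            return True
        seen.append((start, end))
        return False

    def verdict(self, packet):
        """Return the names of the defenses that would trigger on this packet."""
        hdr = parse_ipv4(packet)
        hits = []
        if self.is_smurf(hdr):
            hits.append("smurf")
        if self.is_land(hdr):
            hits.append("land")
        if self.is_teardrop(hdr):
            hits.append("teardrop")
        return hits


def build_ipv4(src, dst, proto, payload, ident=1, offset=0, more_fragments=False):
    """Constructed test packet (checksum left zero; only the fields above matter here)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload
```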
Enabling or Disabling Denial of Service Prevention To configure DoS defense, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313. 2. From the Security and Services menu, type 3 to select Denial of Service (DoS). The Denial of Service (DoS) Menu is shown in Figure 113.
The LAN IP Subnet menu is shown in Figure 114.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
Lan IP Subnet
1 - IP Address ................. 0.0.0.0
2 - Subnet Mask ................ 0.0.0.0
3 - Uplink Port ................ 26
R - Return to Previous Menu
Enter your selection?
Figure 114. LAN IP Subnet Menu b.
A menu is displayed containing either one or two options, depending on the DoS defense you selected. An example of the menu is shown in Figure 115.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
SYN Flood Configuration
Configuring DoS for Port 2
1 - DoS Status ................. Disabled
R - Return to Previous Menu
Enter your selection?
Figure 115. SYN Flood Configuration Menu 6.
Chapter 19 Power Over Ethernet This chapter contains the procedures for configuring Power over Ethernet (PoE) for the AT-8524POE switch. Sections in the chapter include:
“Power Over Ethernet Overview” on page 344
“Setting the PoE Threshold” on page 348
“Configuring PoE Port Settings” on page 350
“Displaying PoE Status and Settings” on page 352
Note This chapter applies only to the AT-8524POE switch.
Chapter 19: Power Over Ethernet Power Over Ethernet Overview The twisted pair ports on the AT-8524POE switch offer the same features as the twisted pair ports on the other switches in the series. As such, they can operate at 10 or 100 Mbps, feature Auto-Negotiation and Auto-MDI/ MDI-X, and so forth. These ports, however, also offer Power over Ethernet (PoE). PoE is a mechanism for supplying power to network devices over the same twisted pair cables used to carry network traffic.
PoE Implementation on the AT-8524POE Switch A standard Ethernet twisted pair cable contains four pairs of strands for a total of eight strands. 10/100 Mbps network traffic requires only four strands, leaving four strands in the cable unused. The strands that carry the network traffic are 1, 2, 3, and 6, and the spare strands are 4, 5, 7, and 8. The IEEE 802.
Port Prioritization This section explains port prioritization, a mechanism by which the switch determines which ports are to receive PoE in the event the needs of the powered devices exceed the available power resources of the switch. This discussion does not apply to the AT-8524POE switch since its power supply can deliver the maximum of 15.4 W to all 24 based ports simultaneously.
PoE Device Classes The IEEE 802.3af standard specifies four levels of classes for powered devices. The classes are defined by power usage. The classes are:
0 - 0.44 W to 12.95 W
1 - 0.44 W to 3.84 W
2 - 3.84 W to 6.49 W
3 - 6.49 W to 12.95 W
(The standard actually specifies five levels; the fifth is reserved for future use.) You cannot adjust this on a powered device. It is set by the manufacturer.
Setting the PoE Threshold The PoE threshold is a percentage of the total maximum PoE power on the switch, which for the AT-8524POE switch is 400 W. If the total power requirements of the powered devices exceed this threshold, the switch sends an SNMP trap to your management workstation and enters an event in the event log. At the default setting of 95%, the threshold is exceeded when the PoE devices require more than 380 W, which is 95% of 400 W. The threshold is adjustable.
Option 2, Maximum Available Power, displays the maximum amount of PoE for the switch. For the AT-8524POE switch, this value is 400W. This value cannot be changed. 4. From the PoE Global Configuration menu, type 1 to select Power Threshold. The following prompt is displayed: Enter percentage of power limit threshold : [1 to 100] > 95 Enter the new threshold as a percentage of the total available PoE power on the switch.
Configuring PoE Port Settings This procedure enables and disables PoE on a port. This procedure also sets a port’s priority level and its maximum power usage. To configure PoE port settings, do the following: 1. From the Main Menu, type 6 to select Advanced Configuration. 2. From the Advanced Configuration menu, type 2 to select Power Over Ethernet Configuration. The Power Over Ethernet Configuration menu is shown in Figure 116 on page 348. 3.
6. To change the port’s priority, type 2 to select Power Priority and, when prompted, type C for Critical, H for High, or L for Low. A port can belong to only one priority level at a time. The default is Low. For an explanation of this parameter, refer to “Port Prioritization” on page 346. 7. To change the maximum amount of power the port can supply to the device, type 3 to select Power Limit and enter a new value in milliwatts.
Displaying PoE Status and Settings Use this procedure to display PoE status and settings at the switch or port level. To display PoE information, do the following: 1. From the Main Menu, type 6 to select Advanced Configuration. 2. From the Advanced Configuration menu, type 2 to select Power Over Ethernet Configuration. The Power Over Ethernet Configuration menu is shown in Figure 116 on page 348. 3.
1 - PoE Global Status Menu This selection displays the following window:
Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
PoE Global Status
Max Available Power ...... 400 W
Consumed Power ........... 25 W
Available Power .......... 375W
Power Usage .............. 6.25 percent
Min Shutdown Voltage ..... 44.0 V
Max Shutdown Voltage ..... 57.
2 - Summary All Ports Status Menu This selection displays an abbreviated status report of PoE on the individual switch ports. For more detailed information, refer to selection 3.
3 - Detailed Ports Status Menu When you select this option, you are prompted to enter the port(s) you want to view. You can specify more than one port at a time. Once you have specified the port, the selection displays the following window:
Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
PoE Detailed Port Status
Port: 4
PoE Function ...........
Power Status ...........
Power Consumed .........
Power Priority The port priority. This can be Critical, High, or Low. For an explanation of this parameter, refer to “Port Prioritization” on page 346. To adjust this value, refer to “Configuring PoE Port Settings” on page 350. Power Class The IEEE 802.3af class of the device. For an explanation of this parameter, refer to “PoE Device Classes” on page 347. This parameter cannot be changed.
4 - PoE Device Information This selection displays the hardware and firmware version numbers of the PoE chipset used in the switch. This selection is intended for troubleshooting purposes and displays the following window:
Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
PoE Device Information
MCU Device Info:
Hardware Version .........
Firmware Version .........
Build Number .............
Chapter 20 Networking Stack The AT-S62 management software allows you to perform a few basic functions on the switch’s TCP/IP stack. The functions include viewing the switch’s Address Resolution Protocol (ARP) table and routing table. The switch uses these tables when performing a management function that requires it to interact with another network device.
Chapter 20: Networking Stack Managing the Address Resolution Protocol Table The switch has an Address Resolution Protocol (ARP) table for storing IP addresses of network devices and their corresponding MAC addresses. The switch uses the table whenever you issue a management command that requires the switch’s AT-S62 management software to interact with another device on the network.
Note The switch does not use the ARP table to move packets through its switching matrix. The switch refers to the table only when performing a management function that involves interaction with another network node. Displaying the ARP Table To view the switch’s ARP table, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2.
The Display ARP Table menu is shown in Figure 125.
Allied Telesyn Ethernet Switch AT-8524POE - AT-S62
Production Switch
User: Manager                               11:20:02 02-Jan-2006
Display ARP Table
Interface  IP Address      MAC Address        Type
--------------------------------------------------------
loopback   127.0.0.1       00:00:00:00:00:00  PERMANENT
eth0       149.22.22.22    00:30:84:32:8A:5B  TEMPORARY
eth0       149.22.22.1     00:30:84:32:12:42  TEMPORARY
eth0       149.22.22.101   00:30:84:32:8A:1B  TEMPORARY
eth0       149.22.22.
Deleting an ARP Entry To delete an entry from the ARP table, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 6 on page 57. 3. From the System Utilities menu, type 6 to select Networking Stack.
The switch begins to add new entries to the table as it performs new management functions in conjunction with other network devices. Configuring the ARP Table Timeout Value Inactive temporary entries in the ARP table are timed out according to the ARP cache timeout value. This parameter prevents the table from becoming full with inactive entries. The default setting is 400 seconds. To set this value, perform the following procedure: 1.
Displaying the Routing Table The routing table is used by the switch when the IP address of a remote node specified in a management command is not on the same physical network as the switch. The table contains the IP address of the next hop for reaching the remote network or device. For example, the switch might refer to the table if you instructed it to download a new AT-S62 image file from a network server that was on a different physical network.
The information in this table is for viewing purposes only. The columns are defined here:
Destination - The IP address of a destination network, subnetwork, or end node.
Mask - A filter used to designate the active part of the destination IP address. A binary 1 in the mask indicates an active bit in the address while a binary 0 indicates an inactive corresponding bit.
Displaying the TCP Connections Table The TCP connections table lists the active Telnet, SSH, and web browser management sessions on a switch and includes the IP addresses of the management stations. You can use the table to determine the number of active, remote active management sessions open on a switch, as well as identify the management stations. To view the TCP Connections Table, perform the following procedure: 1.
This table is for viewing purposes only. The columns in the table are defined here.
Total Number of TCP Listening sockets - The number of active listening sockets. There can be a maximum of three listening sockets. One is for the Telnet server, another for SSH, and the last for the web browser server. If a server is disabled, its listening socket does not appear in the table.
A web browser management session can have more than one TCP connection open at a time. The different connections carry different packets of the management session. You cannot change any of the information in this table. The only operating parameter on the switch that affects management TCP connections that you can adjust, other than enabling or disabling the servers, is the TCP port used by the web browser server.
Deleting a TCP Connection This procedure explains how you can use the TCP connections table to end a remote Telnet, SSH or web browser management session on a switch. This procedure is useful if a manager forgot to log out after ending a session or if you suspect that an unauthorized person is accessing the switch’s management software.
Displaying the TCP Global Information Table The TCP Global Information table displays TCP status and statistics. To view the table, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52. 2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 6 on page 57. 3.
Max connections - The maximum number of TCP connections allowed.
Active Opens - The number of active TCP opens. Active opens initiate connections.
Passive Opens - The number of TCP passive opens. Passive opens are issued to wait for a connection from another host.
Attempt Fails - The number of failed connection attempts.
Established Resets - The number of connections that have been established but not reset.
Current Established - The number of current connections.
Section III SNMPv3 Operations This section contains the following chapter: Chapter 21: “SNMPv3” on page 375
Chapter 21 SNMPv3 This chapter provides a description of the AT-S62 implementation of the SNMPv3 protocol. In addition, it provides procedures that allow you to create and modify SNMPv3 users.
Chapter 21: SNMPv3 SNMPv3 Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 5: “SNMPv1 and SNMPv2c Configuration” on page 89. In the SNMPv3 protocol, Userbased Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. The SNMP terminology changes in the SNMPv3 protocol.
AT-S62 Management Software Menus Interface User’s Guide MIBs the user can display and modify. In addition, you can restrict the types of messages the switch can send on behalf of a user. After you have created a user, you define SNMPv3 message notification. This consists of determining where messages are sent and what types of messages can be sent. This configuration is similar to the SNMPv1 and SNMPv2c configuration because you configure IP addresses of trap receivers, or hosts.
Chapter 21: SNMPv3 If you assign a DES privacy protocol to a user, then you are also required to assign a privacy password. If you choose to not assign the privacy to DES, then SNMPv3 messages are sent in plain text format. Note You are able to configure the Privacy Protocol only if you are using the encrypted version of the AT-S62 software. SNMPv3 MIB Views The SNMPv3 protocol allows you to configure MIB views for users and groups.
AT-S62 Management Software Menus Interface User’s Guide In addition, you can define a MIB view that the user can access or a MIB view that the user cannot access. When you want to permit a user to access a MIB view, you include a particular view. When you want to deny a user access to a MIB view, you exclude a particular view. After you specify a MIB Subtree view you have the option of further restricting a view by defining a Subtree Mask.
Chapter 21: SNMPv3 Security Model Authentication Level Privacy Protocol Group To configure the SNMP security information, you associate a user and its related information—View, Security Level, Security Model, Authentication Level, Privacy Protocol and Group—with the type of message and the host IP address. SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification.
AT-S62 Management Software Menus Interface User’s Guide In general, you focus on configuring security groups and then add and delete users from the groups as needed. For example, you may want to have two groups—one for manager privileges and a second one for operator privileges. See Appendix B, “SNMPv3” on page 375 for an example of manager and operator configurations. After you configure an SNMPv3 user, you need to configure SNMPv3 message notification.
Chapter 21: SNMPv3 For a more detailed description of the SNMPv3 Tables, see the following subsections: “SNMPv3 User Table” on page 382 “SNMPv3 View Table” on page 382 “SNMPv3 SecurityToGroup Table” on page 383 “SNMPv3 Notify Table” on page 383 “SNMPv3 Target Address Table” on page 383 “SNMPv3 Target Parameters Table” on page 383 “SNMPv3 Community Table” on page 384 SNMPv3 User Table The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the option
AT-S62 Management Software Menus Interface User’s Guide Configure SNMPv3 View Table Menu. For example, the Read View allows group members to view the specified portion of the OID MIB table. The Write View allows group members to write to, or modify, the MIBs in the specified MIB view. The Notify View allows group members to send trap messages defined by the MIB view. Lastly, you can configure a storage type for this table entry which allows you to save this view to flash memory.
Chapter 21: SNMPv3 SNMPv3 View Table, SNMPv3 Access Table, and SNMPv3 SecurityToGroup Table. Lastly, you can configure a storage type for this table entry which allows you to save the entry to flash memory. SNMPv3 Community Table The Configure SNMPv3 Community Table Menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table.
AT-S62 Management Software Menus Interface User’s Guide Configuring the SNMPv3 Protocol This section describes how to configure the SNMPv3 protocol using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the “SNMPv3 Overview” on page 376. In order to allow an NMS to access the switch, you need to enable SNMP access.
Chapter 21: SNMPv3 Configuring the SNMPv3 User Table This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table, allows you to create an entry in an SNMPv3 User Table for a User Name.
AT-S62 Management Software Menus Interface User’s Guide The Configure SNMPv3 Table Menu is shown in Figure 133. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2006 Configure SNMPv3 Table 1 2 3 4 5 6 7 8 9 - SNMP Engine...............
Chapter 21: SNMPv3 5. To create a new user table, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed: Enter User (Security) Name: 6. Enter a descriptive name of the user. You can enter a name that consists of up to 32-alphanumeric characters. The following prompt is displayed: Enter Authentication Protocol [M-MD5, S-SHA, N-None]: 7. Enter one of the following: M-MD5 This value represents the MD5 authentication protocol.
AT-S62 Management Software Menus Interface User’s Guide The following prompt is displayed: Enter Privacy Protocol [D-DES, N-None]: Note If you have the non encrypted version of the AT-S62 software, then the Privacy Protocol field is read-only. Note You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values. 9.
Chapter 21: SNMPv3 an SNMPv3 User Table entry with a NonVolatile storage type, the S Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Note The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 User Table entry takes effect immediately. 12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 User Table Entry This section describes how to modify parameters in an SNMPv3 User Table entry.
4. To change the authentication protocol and password, type 1 to select Set Authentication Protocol & Password. The following prompt is displayed: Enter User Name: 5. Enter the User Name of the User Table entry you want to modify. The following prompt is displayed: Enter Authentication Protocol [M-MD5, S-SHA, N-None]: 6. Enter one of the following: M-MD5 This value represents the MD5 authentication protocol.
The following prompt is displayed: Please enter privacy password to regenerate privacy key. 9. Enter the Privacy Password for this User Name. The following prompt is displayed: Re-enter Privacy password: 10. Re-enter the password. 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
D-DES Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are encrypted with the DES protocol. N-None Select this value if you do not want a privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are not encrypted. If you select None, proceed to step 9.
Enter User (Security) Name: 5. Enter the User Name. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 6. Select one of the following storage types for this table entry: V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory.
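The authentication and privacy passwords entered at the User Table prompts above are never used on the wire as typed: the agent turns each into a key that is localized to its own SNMP engine ID, which is why the privacy password has to be entered again to "regenerate" the privacy key after a change. The Python below is an added example, not AT-S62 code, that reproduces that derivation as specified in RFC 3414 (the password is repeated to 1 MiB and hashed to Ku, then hashed again with the engine ID to Kul), maps the M/S and D/N prompt letters to the security level the Access Table expects, and shows how the DES key and pre-IV are cut from the localized privacy key. The user name, engine ID and passwords are constructed sample values; the engine ID and password "maplesyrup" are the RFC 3414 test vector.

```python
import hashlib

# Added example: RFC 3414 password-to-key derivation behind the User Table
# prompts. Not AT-S62 code; the switch performs this internally.

ONE_MEGABYTE = 1_048_576

AUTH_PROTOCOLS = {"M": "md5", "S": "sha1", "N": None}   # letters at the prompt
PRIV_PROTOCOLS = {"D": "des", "N": None}


def password_to_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Return the localized key Kul for this engine (RFC 3414, A.2).

    Ku  = H(password repeated to exactly 1 MiB)
    Kul = H(Ku || snmpEngineID || Ku)
    """
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(hash_name)
    repeated = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    h.update(repeated)
    ku = h.digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def des_key_and_preiv(priv_kul: bytes):
    """CBC-DES (RFC 3414, 8.1.1.1): the first 8 octets of the localized privacy
    key are the DES key, the next 8 the pre-IV that is XORed with the salt."""
    if len(priv_kul) < 16:
        raise ValueError("localized privacy key too short for DES")
    return priv_kul[:8], priv_kul[8:16]


def security_level(auth: str, priv: str) -> str:
    """Map the two prompt answers to the level used in the Access Table.
    The page's rule: privacy can only be set once authentication is set."""
    if auth == "N" and priv != "N":
        raise ValueError("privacy protocol requires an authentication protocol")
    if auth == "N":
        return "NoAuthNoPriv"
    return "AuthNoPriv" if priv == "N" else "AuthPriv"


def usm_user_keys(user, auth, priv, engine_id, auth_pw=b"", priv_pw=b""):
    """Build the key material the agent holds for one User Table entry.
    Hypothetical helper for this example; field names are my own."""
    level = security_level(auth, priv)
    entry = {"user": user, "level": level, "auth_key": None, "priv_key": None}
    hash_name = AUTH_PROTOCOLS[auth]
    if hash_name:
        entry["auth_key"] = password_to_key(auth_pw, engine_id, hash_name)
        if PRIV_PROTOCOLS[priv]:
            # The privacy key is derived from the privacy password with the
            # authentication hash; this is the "regenerate privacy key" step.
            entry["priv_key"] = password_to_key(priv_pw, engine_id, hash_name)
    return entry


if __name__ == "__main__":
    # Constructed sample: RFC 3414 A.3 engine ID and password.
    engine = bytes.fromhex("000000000000000000000002")
    e = usm_user_keys("manager", "M", "D", engine, b"maplesyrup", b"maplesyrup")
    print(e["level"], e["auth_key"].hex(), des_key_and_preiv(e["priv_key"])[0].hex())
```

Because Kul depends on the engine ID, the same password yields a different key on every switch, and a key recovered from one device is useless on another; it also means the keys must be regenerated if the engine ID is ever changed.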
Configuring the SNMPv3 View Table This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters: Subtree OID, Subtree Mask, MIB OID, and Table View. To configure the SNMPv3 View Table, you need to be very familiar with the MIB tree. You can be very specific about the view a user can or cannot access—down to a column or row of the tree.
The Configure SNMPv3 View Table Menu is shown in Figure 136. [Figure 136: Configure SNMPv3 View Table menu, showing the fields View Name, Subtree OID, Subtree Mask, View Type, Storage Type and Row Status, with an example entry named internet whose Subtree OID begins 1.3.6]
The text format for TCP/IP is: tcp The following prompt is displayed: Enter Subtree Mask (Hex format): 6. Enter a subtree mask. This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree.
Note The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 View Table entry takes effect immediately. 9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Deleting an SNMPv3 View Table Entry You may want to delete an entry from the SNMPv3 View Table.
Modifying an SNMPv3 View Table Entry This section describes how to modify parameters in an SNMPv3 View Table entry. See the following procedures: “Modifying a Subtree Mask” on page 400, “Modifying a View Type” on page 401, and “Modifying a Storage Type” on page 403. Modifying a Subtree Mask To modify the Subtree Mask parameter in an SNMPv3 View Table entry, perform the following procedure. 1.
4. To modify the Subtree Mask for this view, type 1 to select Set Subtree Mask. The following prompt is displayed: Enter View Name: 5. Enter an existing View Name. The following prompt is displayed: Enter View Subtree (OID format/Text Name): 6. Enter the subtree that this view will or will not be permitted to display. You can enter either a numeric value in hex format or the equivalent text name. For example, the OID hex format for TCP/IP is: 1.3.6.1.2.
2. From the Configure SNMPv3 Table Menu, type 3 to select Configure SNMPv3 View Table. The Configure SNMPv3 View Table Menu is shown in Figure 136 on page 397. 3. From the Configure SNMPv3 View Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Table Menu is shown in Figure 137 on page 400. 4. To modify the View Type, type 2 to select Set View Type. The following prompt is displayed: Enter View Name: 5. Enter a View Name that was previously configured.
Modifying a Storage Type To modify the Storage Type parameter in an SNMPv3 View Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 3 to select Configure SNMPv3 View Table.
Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 Access Table This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See “Creating an SNMPv3 SecurityToGroup Table Entry” on page 421.
The Configure SNMPv3 Access Table Menu is shown in Figure 138. [Figure 138: Configure SNMPv3 Access Table menu, showing the fields Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type and Row Status; the example entry has Group Name softwareengineering, Read View internet, and Write View and Notify View tcp]
Note The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact. The following prompt is displayed: Enter Security Model [1-v1, 2-v2c, 3-v3]: 5. Select one of the following SNMP protocols as the Security Model for this Group Name. 1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
this security level to encrypt messages using a privacy protocol and authenticate SNMP users. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol. The following prompt is displayed: Enter Read View Name: 7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table.
SNMPv3 Access Table to the configuration file. After making changes to an SNMPv3 Access Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Note The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Access Table entry will take effect immediately. 11.
5. Enter the Security Model of this Group Name. Select one of the following security models: 1-v1 Select this value to associate the Group Name with the SNMPv1 protocol. 2-v2c Select this value to associate the Group Name with the SNMPv2c protocol. 3-v3 Select this value to associate the Group Name with the SNMPv3 protocol. The following prompt is displayed: Enter the Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 6. Enter the Security Level of this Group Name.
The following prompt is displayed: 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Modifying an SNMPv3 Access Table Entry This section describes how to modify parameters in an SNMPv3 Access Table entry.
The Modify SNMPv3 Access Table is shown in Figure 139. [Figure 139: Modify SNMPv3 Access Table menu, showing the fields Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type and Row Status, with menu options 1 through 4, each labelled Set; the example entry has Group Name sales, Read View systemmanagers, and Write View and Notify View salespeople]
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Write View Name To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
Modifying the Notify View Name To modify the Notify View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
Modifying the Storage Type To modify the Storage Type parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. 9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 SecurityToGroup Table This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table Menu while the Group Name is configured in the Configure SNMPv3 Access Table Menu.
The Configure SNMPv3 SecurityToGroup Table Menu is shown in Figure 140. [Figure 140: Configure SNMPv3 SecurityToGroup Table menu, showing the fields Security Model, Security Name, Group Name, Storage Type and Row Status]
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol. The following prompt is displayed: Enter Group Name: 6. Enter a Group Name that you configured in the SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 405.
Deleting an SNMPv3 SecurityToGroup Table Entry You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, it. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure: 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5.
The following prompt is displayed: Do you want to delete this table entry? (Y/N): [Yes/No]-> 6. Enter Y to delete this SecurityToGroup entry or N to save it. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Modifying an SNMPv3 SecurityToGroup Table Entry This section describes how to modify parameters in an SNMPv3 SecurityToGroup Table entry.
The Modify SecurityToGroup Table is displayed as shown in Figure 140. [Figure: Modify SNMPv3 SecurityToGroup Table menu, showing the fields Security Model, Security Name, Group Name, Storage Type and Row Status]
3-v3 Select this value to associate the User Name with the SNMPv3 protocol. The following prompt is displayed: Enter Group Name: 7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 405. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the Security Model configured for this User Name. You cannot change the value of the Security Model parameter. Select one of the following SNMP protocols: 1-v1 Select this value if this User Name is configured with the SNMPv1 protocol. 2-v2c Select this value if this User Name is configured with the SNMPv2c protocol. 3-v3 Select this value if this User Name is configured with the SNMPv3 protocol.
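The View, Access and SecurityToGroup tables described in the preceding sections are consulted together for every request: the SecurityToGroup Table maps (security model, user name) to a Group Name, the Access Table maps (group, model, security level) to a read, write and notify view, and the View Table decides whether the requested OID lies inside that view, with the Subtree Mask wildcarding individual sub-identifiers so that a view can be narrowed to one row of a table. The Python below is an added example, not AT-S62 code, that implements that lookup in the manner of RFC 3415 (VACM) over constructed table contents modelled on the figures in this section (group softwareengineering, views internet and tcp, user manager). The row view if3 with mask FFA0 and the exclusion of the USM MIB subtree are my own additions, included to show the mask and the longest-subtree rule; the tie-breaking order is a simplification of the RFC.

```python
from dataclasses import dataclass

# Added example: the request-time lookup that combines the SecurityToGroup,
# Access and View tables (RFC 3415 VACM). Not AT-S62 code; all table
# contents are constructed, modelled on the figures in this section.

LEVELS = {"N": 0, "A": 1, "P": 2}        # NoAuthNoPriv < AuthNoPriv < AuthPriv


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand the hex Subtree Mask to one flag per sub-identifier, most
    significant bit first; a short mask is padded with 1 bits (RFC 3415)."""
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend(bool((byte >> i) & 1) for i in range(7, -1, -1))
    bits = bits[:length]
    return tuple(bits + [True] * (length - len(bits)))


@dataclass(frozen=True)
class ViewEntry:
    view: str
    subtree: tuple
    mask: str          # hex; "" means every sub-identifier must match
    included: bool     # View Type: included (True) or excluded (False)

    def covers(self, oid):
        if len(oid) < len(self.subtree):
            return False
        flags = mask_bits(self.mask, len(self.subtree))
        # A 1 bit must match; a 0 bit wildcards that position (e.g. a column).
        return all((not f) or s == o for f, s, o in zip(flags, self.subtree, oid))


def oid_in_view(entries, view, oid):
    """The most specific covering entry decides: longest subtree wins, ties go
    to the greater mask and then the greater subtree (RFC 3415, simplified)."""
    matches = [e for e in entries if e.view == view and e.covers(oid)]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(e.subtree), mask_bits(e.mask, len(e.subtree)), e.subtree))
    return best.included


@dataclass(frozen=True)
class AccessEntry:
    group: str
    model: str         # "v1", "v2c" or "v3"
    level: str         # minimum level: "N", "A" or "P"
    read_view: str
    write_view: str
    notify_view: str


def resolve_access(sec2group, access, model, sec_name, level):
    """SecurityToGroup maps (model, user) to a group; the Access Table then
    needs an entry for that group and model whose level the request meets."""
    group = sec2group.get((model, sec_name))
    if group is None:
        return None
    candidates = [a for a in access
                  if a.group == group and a.model == model and LEVELS[a.level] <= LEVELS[level]]
    return max(candidates, key=lambda a: LEVELS[a.level], default=None)


def is_allowed(cfg, model, sec_name, level, op, oid_text):
    """op is "read", "write" or "notify"; True when the OID is in that view."""
    entry = resolve_access(cfg["sec2group"], cfg["access"], model, sec_name, level)
    if entry is None:
        return False
    view = {"read": entry.read_view, "write": entry.write_view, "notify": entry.notify_view}[op]
    return oid_in_view(cfg["views"], view, parse_oid(oid_text))


# Constructed configuration echoing the figures on this page.
CONFIG = {
    "views": [
        ViewEntry("internet", parse_oid("1.3.6.1"), "", True),
        ViewEntry("internet", parse_oid("1.3.6.1.6.3.15"), "", False),   # hide the USM MIB
        ViewEntry("tcp", parse_oid("1.3.6.1.2.1.6"), "", True),
        # Row view: ifEntry columns for interface 3 only; bit 10 of the mask
        # (hex FFA0 = 1111 1111 101) wildcards the column sub-identifier.
        ViewEntry("if3", parse_oid("1.3.6.1.2.1.2.2.1.0.3"), "FFA0", True),
    ],
    "sec2group": {("v3", "manager"): "softwareengineering"},
    "access": [AccessEntry("softwareengineering", "v3", "P", "internet", "tcp", "tcp")],
}

if __name__ == "__main__":
    for op, oid in [("read", "1.3.6.1.2.1.1.1.0"), ("write", "1.3.6.1.2.1.1.1.0"),
                    ("write", "1.3.6.1.2.1.6.1.0")]:
        print(op, oid, is_allowed(CONFIG, "v3", "manager", "P", op, oid))
```

Two consequences worth checking on a real switch follow from the lookup order: a request arriving at AuthNoPriv finds no Access Table entry when the group requires AuthPriv and is refused outright, and a write view that is narrower than the read view (tcp inside internet here) is what keeps a read-mostly group from setting objects it can see.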
Configuring the SNMPv3 Notify Table This section contains a description of the SNMPv3 Notify Table Menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table Menu allows you to define a name for sending traps. In each Notify Table entry, you define if the switch sends a trap or an inform message. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table Menu is shown in Figure 142. [Figure 142: Configure SNMPv3 Notify Table menu, showing the fields Notify Name, Notify Tag, Notify Type, Storage Type and Row Status]
I-Inform Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the authoritative entity. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 7. Select one of the following storage types for this table entry: V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
The Configure SNMPv3 Notify Table Menu is shown in Figure 142 on page 430. Note To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page. 3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed: Enter Notify Name: 4. Enter a Notify Name.
3. From the Configure SNMPv3 Notify Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Notify Table Menu is displayed as shown in Figure 143. [Figure 143: Modify SNMPv3 Notify Table menu, showing the fields Notify Name, Notify Tag, Notify Type, Storage Type and Row Status]
Modifying a Notify Type To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Modifying a Storage Type To modify the Storage Type parameter in an SNMPv3 Notify Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Configuring the SNMPv3 Target Address Table This section contains a description of the SNMPv3 Target Address Table Menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table Menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table Menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.
Creating an SNMPv3 Target Address Table Entry To create an entry in the Configure SNMPv3 Target Address Table Menu, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2.
5. Enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX The following prompt is displayed: Enter UDP Port#: [0 to 65535]-> 162 6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. The following prompt is displayed: Enter Timeout (10mS): [0 to 2147483647]-> 1500 7. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch.
10. Enter a Target Parameters name. This name can consist of up to 32 alphanumeric characters. The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 11.
The Configure SNMPv3 Target Address Table Menu is shown in Figure 146 on page 450. Note To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page. 3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed: Enter Target Address Name: 4. Enter a Target Address Name.
Modifying a Target IP Address To modify the target IP address in an SNMPv3 Target Address Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
The following prompt is displayed: Enter Target Address Name: 5. Enter a previously configured Target Address Name. This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed: Enter IP Address: 6. Enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX 7. After making changes, type R until you return to the Main Menu.
5. Enter a previously configured Target Address Name. This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed: Enter UDP Port#: [0 to 65535]-> 162 6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. 7. After making changes, type R until you return to the Main Menu.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed: Enter Timeout (10mS): [0 to 2147483647]-> 1500 6. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch. The timeout value determines how long the switch considers the Inform message an active message.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed: Enter Retries:[0 to 255]-> 3 6. Enter the number of times the switch will retry, or resend, the Inform message. The range is 0 to 255 retries. The default is 3 retries. 7. After making changes, type R until you return to the Main Menu.
The following prompt is displayed: Enter Tag List: Enter a Tag List of up to 256 alphanumeric characters. Use a space to separate entries. This list consists of a tag or list of tags you configured in a Configure SNMPv3 Notify Table entry with the Notify Tag parameter. See “Creating an SNMPv3 Notify Table Entry” on page 429. 6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter a Target Parameters Name. The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table. This name can consist of up to 32 alphanumeric characters. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file. After making changes to an SNMPv3 Target Address Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu. N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file.
Configuring the SNMPv3 Target Parameters Table This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table Menu and Configure SNMPv3 Target Address Table Menu.
See the following procedures: “Creating an SNMPv3 Target Parameters Table Entry” on page 450, “Deleting an SNMPv3 Target Parameters Table Entry” on page 453, and “Modifying an SNMPv3 Target Parameters Table Entry” on page 454. Creating an SNMPv3 Target Parameters Table Entry To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5.
Enter a value of up to 32 alphanumeric characters. Note You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model. If you select the SNMPv3 protocol as the Security Model, then the Message Processing Model is automatically assigned to SNMPv3. The following prompt is displayed: Enter User (Security) Name: 5. Enter a User Name.
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security. Note If you have selected SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only security level you can select. A-AuthNoPriv This option represents authentication, but no privacy protocol.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Deleting an SNMPv3 Target Parameters Table Entry You may want to delete an entry from the SNMPv3 Target Parameters Table. When you delete an SNMPv3 Target Parameters Table entry, there is no way to undelete, or recover, it. To delete an entry in the SNMPv3 Target Parameters Table, perform the following procedure: 1.
Modifying an SNMPv3 Target Parameters Table Entry This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables. For a more detailed explanation, see “Creating an SNMPv3 Target Parameters Table Entry” on page 450.
When you modify the Security Name parameter, you must use a value that you configured with the User Name parameter in the Configure SNMPv3 User Table Menu. If you do not use a value configured with the User Name parameter, messages are not sent on behalf of this User Name. See “Creating an SNMPv3 User Table Entry” on page 386. To modify the Security Name parameter in an SNMPv3 Target Parameter Table entry, perform the following procedure. 1.
4. To change the Security Name parameter, type 1 to select Set Security Name. The following prompt is displayed: Enter Target Parameters Name: 5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed: Enter User (Security) Name: 6. Enter a User Name. Enter a value that you previously configured with the Configure SNMPv3 User Table Menu. You can enter a value of up to 32 alphanumeric characters. 7.
The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 146. 3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 147 on page 455. 4. To change the Security Model, type 2 to select Security Model. The following prompt is displayed: Enter Target Parameters Name: 5. Enter a previously configured Target Parameters Name.
5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387. 2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Parameters Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 146. 3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 147 on page 455. 4.
A-AuthNoPriv This option represents authentication, but no privacy protocol. Select this security level if you want to authenticate SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol. P-AuthPriv This option represents authentication and the privacy protocol.
5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed: Enter Message Processing Model[1-v1,2-v2c,3-v3]: 6. Select the SNMP protocol that is used to process, or send, messages: 1-v1 Select this value to process messages with the SNMPv1 protocol. 2-v2c Select this value to process messages with the Security Name, or User Name, with the SNMPv2c protocol.
5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 6. Select one of the following storage types for this table entry: V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Parameters Table to the configuration file.
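The Notify, Target Address and Target Parameters tables of the last three sections are joined by names that the menus do not cross-check for you: a Target Address receives a notification when its Tag List contains the Notify Tag, the message is sent with the security model, user and level named by its Target Parameters entry, and that entry must in turn name a user that exists in the User Table, otherwise messages are silently not sent on behalf of it. The Python below is an added example, not AT-S62 code, that models the three tables with constructed entries (RFC 5737 documentation addresses 192.0.2.x and the names nms1, nms2, v3-authpriv, v2c-legacy are mine), resolves which targets a notification reaches, converts the Timeout prompt's 10 ms units and the Retries count into the worst-case time an inform stays active, and reports the dangling references a practitioner should catch before typing S to save.

```python
from dataclasses import dataclass

# Added example: Notify / Target Address / Target Parameters linkage and a
# consistency check. Not AT-S62 code; every table entry below is constructed.


@dataclass(frozen=True)
class NotifyEntry:
    name: str
    tag: str
    kind: str                  # "T" = trap, "I" = inform (Notify Type prompt)


@dataclass(frozen=True)
class TargetAddress:
    name: str
    ip: str
    udp_port: int = 162        # default shown at the UDP Port prompt
    timeout_10ms: int = 1500   # prompt unit is 10 ms, so 1500 means 15 s
    retries: int = 3
    tag_list: str = ""         # space-separated Notify Tags
    params: str = ""           # Target Parameters Name


@dataclass(frozen=True)
class TargetParams:
    name: str
    model: str                 # "1" v1, "2" v2c, "3" v3
    sec_name: str              # User Name from the User Table (v3)
    level: str                 # "N", "A" or "P"


def targets_for(notify, addresses):
    """A Target Address receives the notification when its Tag List contains
    the Notify Tag; several addresses may share one tag."""
    return [a for a in addresses if notify.tag in a.tag_list.split()]


def inform_deadline_seconds(timeout_10ms, retries):
    """Worst-case time an inform stays active: the first send plus `retries`
    resends, each waiting one timeout (entered in 10 ms units)."""
    return timeout_10ms * (retries + 1) / 100


def delivery_budget_seconds(notify, address):
    """Traps are fire-and-forget; only informs wait for an acknowledgement."""
    if notify.kind == "T":
        return 0.0
    return inform_deadline_seconds(address.timeout_10ms, address.retries)


def validate(notifies, addresses, params, user_names):
    """Return the dangling references that make notifications undeliverable
    without any error being shown at the menus."""
    problems = []
    by_name = {p.name: p for p in params}
    for p in params:
        if p.model != "3" and p.level != "N":
            problems.append(f"params '{p.name}': SNMPv1/v2c allow only NoAuthNoPriv")
        if p.model == "3" and p.sec_name not in user_names:
            problems.append(f"params '{p.name}': user '{p.sec_name}' is not in the User Table")
    for a in addresses:
        if a.params not in by_name:
            problems.append(f"target '{a.name}': Target Parameters '{a.params}' not defined")
        if not 0 <= a.udp_port <= 65535:
            problems.append(f"target '{a.name}': UDP port {a.udp_port} out of range")
    for n in notifies:
        if not targets_for(n, addresses):
            problems.append(f"notify '{n.name}': no Target Address lists tag '{n.tag}'")
    return problems


# Constructed sample tables.
NOTIFIES = [NotifyEntry("nms-alerts", "alerts", "I"),
            NotifyEntry("audit-traps", "audit", "T"),
            NotifyEntry("orphan", "nobody", "T")]
ADDRESSES = [TargetAddress("nms1", "192.0.2.10", tag_list="alerts audit", params="v3-authpriv"),
             TargetAddress("nms2", "192.0.2.11", tag_list="audit", params="v3-missing")]
PARAMS = [TargetParams("v3-authpriv", "3", "manager", "P"),
          TargetParams("v2c-legacy", "2", "public-ro", "A")]
USERS = {"manager"}

if __name__ == "__main__":
    for n in NOTIFIES:
        for a in targets_for(n, ADDRESSES):
            print(f"{n.name} -> {a.ip}:{a.udp_port} via {a.params}, "
                  f"budget {delivery_budget_seconds(n, a):.0f}s")
    for problem in validate(NOTIFIES, ADDRESSES, PARAMS, USERS):
        print("WARNING:", problem)
```

With the defaults from the prompts (timeout 1500, retries 3) an inform can stay active for a full minute, so a manager that is down will hold one outstanding inform per notification for that long; traps carry no such budget and are simply lost.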
Configuring the SNMPv3 Community Table This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities. Instead, use the procedures described in Chapter 5: “SNMPv1 and SNMPv2c Configuration” on page 89.
For each SNMPv3 Community Table entry, you can configure the following parameters: Community Index, Community Name, Security Name, Transport Tag, and Storage Type. In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community Menu in the Configure SNMPv3 Community Table Menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table Menu.
The Configure SNMPv3 Community Table Menu is shown in Figure 148.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 00:14:33 15-Jan-2006
Configure SNMPv3 Community Table
Community Index ...............
Community Name ................
Security Name .................
Transport Tag .................
Storage Type ..................
Row Status ....................
The following prompt is displayed:
Enter Security Name:
6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters.
Note Do not use a value configured with the User Name parameter in the SNMPv3 User Table.
The following prompt is displayed:
Enter Transport Tag:
7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Community Table Entry
You may want to delete an entry from the SNMPv3 Community Table. When you delete an entry in the SNMPv3 Community Table, there is no way to undelete or recover it. To delete an entry in the SNMPv3 Community Table, perform the following procedure: 1.
Modifying an SNMPv3 Community Table Entry
For each entry in the SNMPv3 Community Table, you can modify the following parameters:
Community Name
Security Name
Transport Tag
Storage Type
However, you cannot modify the Community Index parameter.
The Modify SNMPv3 Community Table Menu is shown in Figure 149.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 00:14:33 15-Jan-2006
Modify SNMPv3 Community Table
Community Index ...............
Community Name ................
Security Name .................
Transport Tag .................
Storage Type ..................
Row Status ....................
Modifying the Security Name
To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:
1. Follow steps 1 through 3 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 386. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387.
2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table.
The Configure SNMPv3 Table Menu is shown in Figure 133 on page 387.
2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table Menu is shown in Figure 148 on page 464.
3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 149 on page 468.
4. To change the Transport Tag, type 3 to select Set Transport Tag.
3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 149 on page 468.
4. To change the Storage Type, type 4 to select Set Storage Type. The following prompt is displayed:
Enter Community Index:
5. Enter the Community Index of the Storage Type you want to change. The following prompt is displayed:
Enter Storage type [V-volatile, N-NonVolatile]:
6.
Displaying SNMPv3 Table Menus
The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table Menu is shown in Figure 150.
Displaying the Display SNMPv3 View Table Menu
This section describes how to display the Display SNMPv3 View Table Menu. For information about the SNMPv3 View Table parameters, see “Creating an SNMPv3 View Table Entry” on page 396. To display the Display SNMPv3 View Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 472. Or, from the Main Menu type 5->5->6.
2.
Displaying the Display SNMPv3 Access Table Menu
This section describes how to display the Display SNMPv3 Access Table Menu. For information about the SNMPv3 Access Table parameters, see “Creating an SNMPv3 Access Table Entry” on page 405. To display the Display SNMPv3 Access Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 472.
Displaying the Display SNMPv3 SecurityToGroup Table Menu
This section describes how to display the Display SNMPv3 SecurityToGroup Table Menu. For more information about the parameters in the SNMPv3 SecurityToGroup Table Menu, see “Creating an SNMPv3 SecurityToGroup Table Entry” on page 421. To display the Display SNMPv3 SecurityToGroup Table Menu, perform the following procedure.
1.
Displaying the Display SNMPv3 Notify Table Menu
This section describes how to display the Display SNMPv3 Notify Table Menu. For information about the SNMPv3 Notify Table parameters, see “Creating an SNMPv3 Notify Table Entry” on page 429. To display the Display SNMPv3 Notify Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 472.
Displaying the Display SNMPv3 Target Address Table Menu
This section describes how to display the Display SNMPv3 Target Address Table Menu. For information about the SNMPv3 Target Address Table parameters, see “Creating an SNMPv3 Target Address Table Entry” on page 437. To display the Display SNMPv3 Target Address Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 472.
Displaying the Display SNMPv3 Target Parameters Table Menu
This section describes how to display the Display SNMPv3 Target Parameters Table Menu. For information about the SNMPv3 Target Parameters Table parameters, see “Creating an SNMPv3 Target Parameters Table Entry” on page 450. To display the Display SNMPv3 Target Parameters Table Menu, perform the following procedure.
1.
Displaying the Display SNMPv3 Community Table Menu
This section describes how to display the Display SNMPv3 Community Table Menu. For information about the SNMPv3 Community Table parameters, see “Creating an SNMPv3 Community Table Entry” on page 463. To display the Display SNMPv3 Community Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 472. Or, from the Main Menu type 5->5->6.
Section IV
Spanning Tree Protocols
The chapters in this section explain the spanning tree protocols.
Chapter 22
Spanning Tree and Rapid Spanning Tree Protocols
This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.
Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols
STP and RSTP Overview
The performance of an Ethernet network can be severely impaired by the existence of a physical loop in the network topology. A loop exists when two or more nodes on a network can transmit data to each other over more than one traffic path.
Bridge Priority and the Root Bridge
The first task that bridges running spanning tree perform is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network. A root bridge is selected by the bridge priority number, also referred to as the bridge identifier, and sometimes the bridge’s MAC address.
the bridge is communicating with the root bridge is referred to as the root port. If redundant paths exist, the bridges that are a part of the paths must determine which path will be the primary, active path, and which path(s) will be placed in the standby, blocking mode. This is accomplished by a determination of path costs.
Table 14 lists the RSTP port costs with Auto-Detect.
Table 14. RSTP Auto-Detect Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000
Table 15 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
Table 15. RSTP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
You can override Auto-Detect and set the port cost manually.
Table 16. Port Priority Value Increments
Increment    Port Priority
0            0
1            16
2            32
3            48
4            64
5            80
6            96
7            112
8            128
9            144
10           160
11           176
12           192
13           208
14           224
15           240
Forwarding Delay and Topology Changes
If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes.
Note The forwarding delay parameter applies only to ports on the switch that are operating in STP-compatible mode.
Hello Time and Bridge Protocol Data Units (BPDU)
The bridges that are part of a spanning tree domain communicate with each other using a bridge broadcast frame that contains a special section devoted to carrying STP or RSTP information. This portion of the frame is referred to as the bridge protocol data unit (BPDU).
If a bridge port is operating in full-duplex mode, then the port is functioning as a point-to-point port. Figure 159 illustrates two AT-8524M switches that have been connected with one data link. With the link operating in full-duplex, the ports are point-to-point ports.
A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 161 illustrates a port functioning as both a point-to-point and edge port.
Figure 161. Point-to-Point and Edge Port (AT-8524M Fast Ethernet Switch connected to a Workstation in Full-duplex Mode)
to communicate with each other.
Figure 162. (Two AT-8524M Fast Ethernet Switches, each with a Sales VLAN and a Production VLAN; one Blocked Port and one Blocked Data Link)
Enabling or Disabling a Spanning Tree Protocol
The AT-S62 software supports STP, RSTP, and MSTP. (MSTP is explained in Chapter 23 on page 507.) Only one spanning tree protocol can be active on the switch at a time. Before you can configure or enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.
4. If you selected STP as the active spanning tree protocol, go to “Configuring STP” on page 495 for further instructions. If you selected RSTP, go to “Configuring RSTP” on page 501. If you selected MSTP, go to Chapter 23, “Multiple Spanning Tree Protocol” on page 507.
Note Once you have configured the spanning tree parameters, perform Steps 5 through 7 to enable spanning tree.
5.
Configuring STP
This section contains the following procedures:
”Configuring STP Bridge Settings”, next
“Configuring STP Port Settings” on page 497
“Displaying STP Port Settings” on page 499
Configuring STP Bridge Settings
This section contains the procedure for configuring a bridge’s STP settings.
Caution The default STP parameters are adequate for most networks.
The bridge hello time, bridge forwarding, and bridge max age parameters will have two values if STP is enabled on the switch (for example, Bridge Forwarding .. 15/15). The first number is the configured value on the switch for the parameter and the second is the value the switch obtained from the root bridge and is actually using for the parameter.
Note The aging time for BPDUs is different from the aging time used by the MAC address table.
5 - Bridge Identifier The MAC address of the switch. This value cannot be changed.
6 - Root Bridge The MAC address of the root bridge of the spanning tree domain. This value cannot be changed and is only displayed when spanning tree is activated on the switch.
7 - Root Priority The priority value on the root bridge of the spanning tree domain.
The STP Port Parameters menu is shown in Figure 165.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
User: Manager 11:20:02 02-Jan-2006
STP Port Parameters
1 - Configure STP Port Settings
2 - Display STP Port Configuration
R - Return to Previous Menu
Enter your selection?
Figure 165. STP Port Parameters Menu
3. Type 1 to select Configure STP Port Settings. The following prompt is displayed:
Start Port to Configure [1 to 26] ->
4.
1 - Port Priority This parameter is used as a tie breaker when two or more ports are determined to have equal costs to the root bridge. The range is 0 to 240 in increments of 16. The default value is 8 (priority value 128). For a list of the increments, refer to Table 16, “Port Priority Value Increments” on page 488.
The Display STP Port Configuration menu is shown in Figure 167.
Configuring RSTP
This section contains the following procedures:
”Configuring RSTP Bridge Settings”, next
“Configuring RSTP Port Settings” on page 503
“Displaying Port RSTP Status” on page 505
Configuring RSTP Bridge Settings
This section contains the procedure for configuring a bridge’s RSTP settings.
Caution The default RSTP parameters are adequate for most networks.
The bridge hello time, bridge forwarding, and bridge max age parameters will have two values if RSTP is enabled on the switch (for example, Bridge Forwarding..15/15). The first number is the configured value on the switch for the parameter and the second is the value the switch obtained from the root bridge and is currently using for the parameter.
When you select a value for maximum age, observe the following rules:
MaxAge must be greater than (2 x (HelloTime + 1))
MaxAge must be less than (2 x (ForwardingDelay - 1))
6 - Bridge Identifier The bridge identifier of the switch. The identifier consists of the switch’s bridge priority value and MAC address. The values are separated by a slash (/). To change the switch’s priority value, use option 2, Bridge Priority.
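The bridge identifier, the two MaxAge rules, and the port cost and port priority tables above are the values a bridge actually compares during root and root port selection. The following worked example, added here and not code from the AT-S62 guide, puts them together: it checks the MaxAge rules, elects the root bridge from constructed priority/MAC identifiers (lowest identifier wins, as in IEEE 802.1D/802.1w), and resolves a root port tie with Table 16 priorities. All class and function names, and the bridge and port data, are assumptions made for the example.

```python
"""STP/RSTP bridge timers, root election and root port choice (added example).

Not code from the AT-S62 guide.  Encodes what the text states: the bridge
identifier is priority/MAC; MaxAge must satisfy two rules; Auto-Detect
port costs come from Tables 14 and 15; port priority is the Table 16
increment times 16 and breaks ties between equal path costs.
"""
from dataclasses import dataclass

# Table 14 / Table 15: RSTP Auto-Detect port cost by port speed in Mbps.
AUTO_PORT_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}
AUTO_TRUNK_COST = {10: 20_000, 100: 20_000, 1000: 2_000}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0 to 61,440 in increments of 4,096
    mac: str        # constructed sample MAC such as "00:30:84:00:00:01"


def check_timers(hello: int, forward_delay: int, max_age: int) -> list[str]:
    """Apply the two MaxAge rules; an empty list means the values are consistent."""
    problems = []
    lower = 2 * (hello + 1)
    upper = 2 * (forward_delay - 1)
    if not max_age > lower:
        problems.append(f"MaxAge {max_age} must be greater than 2 x (HelloTime + 1) = {lower}")
    if not max_age < upper:
        problems.append(f"MaxAge {max_age} must be less than 2 x (ForwardingDelay - 1) = {upper}")
    return problems


def bridge_id(b: Bridge) -> tuple[int, int]:
    """Comparable bridge identifier: priority first, then the MAC address as an integer."""
    if b.priority % 4096 or not 0 <= b.priority <= 61_440:
        raise ValueError(f"{b.name}: priority must be a multiple of 4,096 in 0..61,440")
    return (b.priority, int(b.mac.replace(":", ""), 16))


def elect_root(bridges) -> Bridge:
    """The bridge with the lowest identifier becomes the root bridge."""
    return min(bridges, key=bridge_id)


def port_priority(increment: int) -> int:
    """Table 16: increment 0..15 corresponds to port priority increment x 16."""
    if not 0 <= increment <= 15:
        raise ValueError("port priority increment must be 0 to 15")
    return increment * 16


def auto_port_cost(speed_mbps: int, trunk: bool = False) -> int:
    """Auto-Detect cost for a single link (Table 14) or a port trunk member (Table 15)."""
    table = AUTO_TRUNK_COST if trunk else AUTO_PORT_COST
    return table[speed_mbps]


def choose_root_port(candidates) -> int:
    """candidates: (port_number, path_cost_to_root, priority_increment) tuples.

    Lowest path cost wins; equal costs are decided by the lower port priority
    value (Table 16), and finally by the lower port number.
    """
    return min(candidates, key=lambda c: (c[1], port_priority(c[2]), c[0]))[0]


if __name__ == "__main__":
    # Constructed sample: two bridges with the default priority and one lowered to 4,096.
    bridges = [
        Bridge("A", 32768, "00:30:84:00:00:02"),
        Bridge("B", 32768, "00:30:84:00:00:01"),
        Bridge("C", 4096, "00:30:84:00:00:FF"),
    ]
    print("root bridge:", elect_root(bridges).name)
    print("timer problems:", check_timers(hello=2, forward_delay=15, max_age=40))
    print("root port:", choose_root_port([(1, 200_000, 8), (2, 200_000, 4), (3, 400_000, 0)]))
```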
The RSTP Port Parameters menu is shown in Figure 169.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2006
RSTP Port Parameters
1 - Configure RSTP Port Settings
2 - Display RSTP Port Configuration
3 - Display RSTP Port State
R - Return to Previous Menu
Enter your selection?
Figure 169. RSTP Port Parameters Menu
3. Type 1 to select Configure RSTP Port Settings.
6. Adjust the settings as needed. The parameters are explained below.
1 - Port Priority This parameter functions as a tie breaker when two or more ports have equal costs to the root bridge. The range is 0 to 240 in increments of 16. The default value is 8 (priority value 128). For a list of the increments, refer to Table 16, “Port Priority Value Increments” on page 488.
3 - Display RSTP Port State This selection displays a menu that contains the following RSTP operating status for a port:
Port - The port number.
State - Identifies the RSTP state of the port. Possible states are: discarding, learning, and forwarding. A state of disabled means the port has not established a link with its end node.
Role - Indicates the RSTP role of the port. Possible roles are: root, alternate, backup, and designated.
Chapter 23
Multiple Spanning Tree Protocol
This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The chapter also explains how to adjust multiple spanning tree bridge and port parameters.
Chapter 23: Multiple Spanning Tree Protocol
MSTP Overview
As explained in the previous chapter, STP and RSTP are single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Multiple Spanning Tree Instance (MSTI)
The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of switches. An AT-8500 Series switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch comes with a default MSTI with an MSTI ID of 0.
Figure 172 illustrates the same two AT-8524M switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned to different spanning tree instances. Both links remain active now that they reside in different MSTIs, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 173 where there are two AT-8524M switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines
Here are several guidelines to keep in mind about MSTIs:
An AT-8500 Series switch can support up to 16 spanning tree instances, including the CIST, at a time.
An MSTI can contain any number of VLANs.
A VLAN can belong to only one MSTI at a time.
A switch port can belong to more than one spanning tree instance at a time. This allows you to assign a port as an untagged and tagged member of VLANs that belong to different MSTIs.
two or more ports have equal costs to a regional root bridge. Again, as with the internal path cost, you can assign a port a different priority value for each of its MSTIs.
Multiple Spanning Tree Regions
Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics.
Figure 174 illustrates the concept of regions. It shows one MSTP region consisting of two AT-8524M switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The AT-8500 Series switch determines regional boundaries by examining the MSTP BPDUs received on the ports. A port that receives an MSTP BPDU from another bridge with regional information different from its own is considered to be a boundary port and the bridge connected to the port as belonging to another region. The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP.
Common and Internal Spanning Tree (CIST)
MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. First, you cannot delete this instance and you cannot change its MSTI ID.
MSTP with STP and RSTP
MSTP is fully compatible with STP and RSTP. If a port on an AT-8500 Series switch running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs because RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered a boundary port of the MSTP region and the bridge as belonging to a different region.
The CIST must have a regional root for communicating with other regions and single-instance spanning trees. MSTP is compatible with STP and RSTP. A port transmits CIST information even when it’s associated with another MSTI ID. However, in determining network loops, MSTI takes precedence over CIST. (This is explained more in “Associating VLANs to MSTIs” on page 518.)
Note The AT-S62 implementation of MSTP complies with the IEEE 802.
At first glance, it might appear that since both ports belong to CIST, a loop would exist between the switches and that MSTP would block a port to stop the loop. However, within a region, MSTI takes precedence over CIST. When Switch B receives a packet from Switch A, it uses MSTI, not CIST, to determine whether a loop exists. And since both ports on Switch A belong to different MSTIs, Switch B determines that no loop exists.
bridges in different regions. The result can be a physical loop, which spanning tree disables by blocking ports. This is illustrated in Figure 177. The example shows two switches, each residing in a different region. Port 5 in Switch A is a boundary port. It is an untagged member of the Accounting VLAN, which has been associated with MSTI 4. Port 15 is a tagged and untagged member of three different VLANs, all associated to MSTI 12.
Here is an example. Let’s assume that you have two regions that contain the following VLANs:
Region 1 VLANs
Sales
Presales
Marketing
Advertising
Technical Support
Product Management
Project Management
Accounting
Region 2 VLANs
Hardware Engineering
Software Engineering
Technical Support
Product Management
CAD Development
Accounting
The two regions share three VLANs: Technical Support, Product Management, and Accounting.
Selecting MSTP as the Active Spanning Tree Protocol
To select and activate MSTP as the active spanning tree protocol on the switch, or to disable spanning tree, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Menu is shown in Figure 163 on page 493.
2. To change the active version of spanning tree on the switch, type 2 to select Active Protocol Version.
Configuring MSTP Bridge Settings
This section contains the procedure for configuring a bridge’s MSTP settings.
Note You cannot configure the MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to “Selecting MSTP as the Active Spanning Tree Protocol” on page 522.
1. From the Main Menu, type 3 to select Spanning Tree Menu.
The hello time, forwarding delay, and max age parameters will have two values if MSTP is enabled on the switch (for example, Forwarding Delay .. 15/15). The first number is the configured value on the switch for the parameter and the second is the value the switch obtained from the root bridge and is actually using for the parameter. The switch displays only the configured values for these parameters if multiple spanning tree is not enabled on the switch.
3.
5 - Max Hops MSTP regions use this parameter to discard BPDUs. The Max Hop counter in a BPDU is decremented every time the BPDU crosses an MSTP region boundary. Once the counter reaches zero, the BPDU is deleted. The range is 1 to 40 hops. The default is 20.
6 - Configuration Name The name of the MSTP region. The range is 0 (zero) to 32 alphanumeric characters in length. The name, which is case-sensitive, must be the same on all bridges in a region.
Configuring the CIST Priority
This procedure explains how to adjust the bridge’s CIST priority.
Note You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to “Selecting MSTP as the Active Spanning Tree Protocol” on page 522.
This procedure starts from the MSTP Menu.
The following prompt is displayed:
Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->
3. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 11, “Bridge Priority Value Increments” on page 485. The change is immediately implemented on the switch.
4.
Creating, Deleting, and Modifying MSTIs
The following procedures explain how to create, delete, and modify spanning tree instances.
Note You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to “Selecting MSTP as the Active Spanning Tree Protocol” on page 522.
This procedure starts from the MSTP Menu.
Regional Root ID Identifies the regional root for the MSTI by its MAC address.
Path Cost Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.
Associated VLANs Specifies the VIDs of the VLANs that have been associated with the MSTI ID.
The table does not include the CIST. The table is empty if no MSTI IDs have been created.
Creating an MSTI
To create an MSTI, do the following:
1.
Deleting an MSTI
To delete an MSTI, do the following:
1. From the MSTI Menu, type 2 to select Delete MSTI. The following prompt is displayed:
Enter the MSTI ID to be deleted: [1 to 15] ->
2. Enter the ID number of the MSTI you want to delete. The range is 1 to 15. (You cannot delete CIST, which has a value of 0.) You can delete only one MSTI at a time. The selected MSTI is deleted from the switch. All associated VLANs are returned to CIST.
3.
those VLANs you no longer want associated with the MSTI. If you do not want to change the current associations, just press Return. To view the VIDs of the VLANs on the switch, refer to “Displaying VLANs” on page 569. The MSTI modifications are immediately activated on the switch.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Associating VLANs to MSTI IDs
When you create a new MSTI, you are given the opportunity to associate VLANs to it. But once an MSTI is created, there might come a time when you want to add more VLANs, or perhaps remove VLANs from it. This procedure explains how to associate VLANs on the switch to an existing MSTI and also how to remove VLANs. Before performing this procedure, note the following:
You must create an MSTI before you can assign VLANs to it.
The VLAN-MSTI Association Menu is shown in Figure 181.
A prompt similar to the following is displayed:
Enter the list of VLANs:
3. Enter the VLAN ID of the virtual LAN you want to associate with the MSTI. You can enter more than one VLAN at a time (for example, 2,4,7). The new VLAN associations are added to the existing associations in the MSTI. To view VIDs, refer to “Displaying VLANs” on page 569. New VLAN associations are immediately implemented on the switch.
4.
2. Enter the ID number of the MSTI with which you want to associate a VLAN.
3. A prompt similar to the following is displayed:
Enter the list of VLANs:
4. Enter the VLAN ID of the virtual LAN that you want to associate with the MSTI. You can enter more than one VLAN at a time (for example, 2,4,7). (To view VIDs, refer to “Displaying VLANs” on page 569.) The existing VLAN associations are removed from the MSTI when the new VLANs are added.
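The region discussion earlier in this chapter and the MSTI procedures just described state a small set of rules: MSTI IDs 1 to 15 with the CIST as ID 0, at most 16 instances including the CIST, a VLAN in only one MSTI, VLANs of a deleted MSTI returning to the CIST, "add" merging associations while "modify" replaces them, and a region defined by identical configuration name (case-sensitive), revision level and VLAN-to-MSTI associations. The model below is an added example, not code from the AT-S62 guide; its class, method names and all switch data are constructed for illustration.

```python
"""Model of MSTP region membership and VLAN-to-MSTI association rules.

Added example, not code from the AT-S62 guide.  `MstpConfig` stands in for
one switch's MSTP configuration; `same_region` answers whether a link
between two such switches would be an internal link or a boundary port.
"""

CIST = 0            # the default instance, MSTI ID 0, cannot be deleted
MAX_INSTANCES = 16  # spanning tree instances per switch, including the CIST


class MstpConfig:
    def __init__(self, name: str, revision: int):
        if len(name) > 32:
            raise ValueError("configuration name is 0 to 32 characters")
        self.name = name                          # case-sensitive region name
        self.revision = revision                  # revision level
        self.vlan_to_msti: dict[int, int] = {}    # VID -> MSTI ID; unmapped VIDs are in the CIST
        self.mstis: set[int] = set()

    def create_msti(self, msti_id: int, vids=()) -> None:
        if not 1 <= msti_id <= 15:
            raise ValueError("MSTI ID must be 1 to 15 (0 is the CIST)")
        if msti_id in self.mstis:
            raise ValueError(f"MSTI {msti_id} already exists")
        if len(self.mstis) + 1 >= MAX_INSTANCES:
            raise ValueError("at most 16 spanning tree instances including the CIST")
        self.mstis.add(msti_id)
        self.add_vlans(msti_id, vids)

    def add_vlans(self, msti_id: int, vids) -> None:
        """'Add VLANs' behaviour: new associations are merged with the existing ones.

        A VLAN may belong to only one MSTI, so it leaves whatever MSTI it was in.
        """
        self._require(msti_id)
        for vid in vids:
            self.vlan_to_msti[vid] = msti_id

    def replace_vlans(self, msti_id: int, vids) -> None:
        """'Modify' behaviour: the MSTI's existing associations are dropped first."""
        self._require(msti_id)
        for vid, owner in list(self.vlan_to_msti.items()):
            if owner == msti_id:
                del self.vlan_to_msti[vid]        # the VLAN returns to the CIST
        self.add_vlans(msti_id, vids)

    def delete_msti(self, msti_id: int) -> None:
        if msti_id == CIST:
            raise ValueError("the CIST (MSTI ID 0) cannot be deleted")
        self.replace_vlans(msti_id, ())           # all associated VLANs return to the CIST
        self.mstis.remove(msti_id)

    def msti_of(self, vid: int) -> int:
        """Instance a VLAN is currently mapped to; the CIST when it has no association."""
        return self.vlan_to_msti.get(vid, CIST)

    def region_key(self):
        """What neighbouring bridges must agree on: name, revision and VLAN mapping."""
        return (self.name, self.revision, tuple(sorted(self.vlan_to_msti.items())))

    def _require(self, msti_id: int) -> None:
        if msti_id not in self.mstis:
            raise ValueError(f"MSTI {msti_id} must be created before VLANs are assigned")


def same_region(a: MstpConfig, b: MstpConfig) -> bool:
    """True when a and b are in one region, i.e. a port between them is not a boundary port."""
    return a.region_key() == b.region_key()


if __name__ == "__main__":
    # Constructed sample: two switches configured identically, then one diverges.
    sw_a, sw_b = MstpConfig("Region1", 1), MstpConfig("Region1", 1)
    for sw in (sw_a, sw_b):
        sw.create_msti(1, [2, 3])   # e.g. Sales and Presales VIDs
        sw.create_msti(2, [4])
    print("same region:", same_region(sw_a, sw_b))
    sw_b.add_vlans(2, [3])          # VLAN 3 moves from MSTI 1 to MSTI 2 on one switch only
    print("same region after change:", same_region(sw_a, sw_b))
```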
Configuring MSTP Port Settings
As explained in “Ports in Multiple MSTIs” on page 512, MSTP port settings are divided into two groups. The parameters in the first group are set just once on a port. The setting for a generic port parameter applies to all MSTIs in which the port is a member.
2. Type 1 to select Configure Generic Port Settings. The following prompt is displayed:
Start port to configure: [1 to 26] ->
3. Enter the number of the port you want to configure. To configure a range of ports, enter the first port of the range. The following prompt is displayed:
End port to configure: [1 to 26] -> 4
4. Enter the last port of the range. To configure just one port, enter the same port here as in Step 3.
Table 18 lists the MSTP port costs with the Auto setting when the port is part of a port trunk.
Table 18. Auto External Path Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
2 - Point-to-Point This parameter defines whether the port is functioning as a point-to-point port. For an explanation of this parameter, refer to “Point-to-Point Ports and Edge Ports” on page 489.
The following prompt is displayed:
Start port to configure: [1 to 26] -> 1
4. Enter the number of the port to be configured. To configure a range of ports, enter the first port of the range. The following prompt is displayed:
End port to configure: [1 to 26] -> 1
5. Enter the last port of the range. To configure just one port, enter the same port here as in Step 3. The Configure Per Spanning Tree Port Settings Menu is shown in Figure 184.
Table 19. MSTP Auto Update Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000
Table 20 lists the MSTP port costs with Auto Update when the port is part of a port trunk.
Table 20. MSTP Auto Update Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
Parameter changes are immediately activated on the port.
7. After making changes, type R until you return to the Main Menu.
Displaying MSTP Port Settings and Status
The MSTP Port Parameters menu, shown in Figure 182 on page 536, has two selections for displaying a variety of MSTP port information. The two menu selections are described below. (To display the menu, from the MSTP Menu, type P to select MSTP Port Parameters.
Section V
Virtual LANs

The chapters in this section explain virtual LANs (VLANs).
Chapter 24
Port-based and Tagged Virtual LANs

This chapter contains background information on port-based and tagged virtual LANs (VLANs). It also contains the procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.

VLAN Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s management software and group nodes with related functions into their own separate, logical LAN segments.

management software. VLAN memberships can be changed at any time through the management software without moving the workstations physically, or having to change group memberships by moving cables from one switch port to another. Additionally, a virtual LAN can span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.

Port-based VLAN Overview

As explained in the “VLAN Overview” on page 546, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.

If a VLAN spans multiple switches, then the VID for the VLAN on the different switches should be the same. The switches are then able to recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches. For example, if you had a port-based VLAN titled Marketing that spanned three AT-8500 Series switches, you would assign the Marketing VLAN on each switch the same VID.

automatically assigns a PVID to a port, making it identical to the VID of the VLAN to which the port is a member, when you assign the port as an untagged member to a VLAN.

General Rules for Creating a Port-based VLAN

Below is a summary of the general rules to observe when creating a port-based VLAN.

Each port-based VLAN must be assigned a unique VID.

Drawbacks of Port-based VLANs

Port-based Example 1

Figure 185 illustrates an example of one AT-8524M Fast Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)

[Figure 185. Port-based VLAN Example 1: an AT-8524M Fast Ethernet Switch with the Engineering VLAN (VID 3), Sales VLAN (VID 2) and Production VLAN (VID 4); Ports 4, 12 and 22 are labelled, and a WAN Router is attached]

Each VLAN has been assigned a unique VID. You assign this number when you create a VLAN. The ports have been assigned PVID values. The management software automatically assigns the PVIDs when you create the VLAN. The PVID of a port is the same as the VID to which the port is an untagged member. In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.

Port-based Example 2

Figure 186 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two Ethernet switches.

The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:

                             Sales VLAN (VID 2)        Engineering VLAN (VID 3)        Production VLAN (VID 4)
   AT-8524M Switch (top)     Ports 1 - 6, 18 (PVID 2)  Ports 9 - 11, 14, 20 (PVID 3)   Ports 21 - 24 (PVID 4)
   AT-8524M Switch (bottom)  Ports 1 - 6 (PVID 2)      Ports 13, 19-24 (PVID 3)        none

Sales VLAN - This VLAN spans both switches.

Tagged VLAN Overview

The second type of user-configured VLAN is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.

Note
For an explanation of VLAN name and VLAN identifier, refer back to “VLAN Name” and “VLAN Identifier” on page 548.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, this will usually be a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.

Tagged VLAN Example

Figure 187 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

[Figure 187. Tagged VLAN Example: two AT-8524M Fast Ethernet Switches carrying the Engineering VLAN (VID 3), Sales VLAN (VID 2) and Production VLAN (VID 4), with a Legacy Server, interconnected over IEEE 802.1Q tagged ports]

The port assignments for the VLANs are as follows:

                             Sales VLAN (VID 2)                  Engineering VLAN (VID 3)              Production VLAN (VID 4)
                             Untagged Ports       Tagged Ports   Untagged Ports         Tagged Ports   Untagged Ports      Tagged Ports
   AT-8524M Switch (top)     1 to 5, 18 (PVID 2)  8, 16          9 to 11, 20 (PVID 3)   8, 16          21 to 24 (PVID 4)   8
   AT-8524M Switch (bottom)  1 to 5 (PVID 2)      15             19 to 24 (PVID 3)      15             none                none

This example is nearly identical to the “Port-based Example 2” on
Creating a Port-based or Tagged VLAN

To create a new port-based or tagged VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   VLAN Configuration

   1 - Ingress Filtering Status ........ Enabled
   2 - VLANs Mode ......................

The Configure VLANs menu is shown in Figure 189.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   Configure VLANs

   1 - Create VLAN
   2 - Modify VLAN
   3 - Delete VLAN
   4 - Reset to Default VLAN

   R - Return to Previous Menu

   Enter your selection?

Figure 189. Configure VLANs Menu

3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 190.

multiple switches, then the name for the VLAN should be the same on each switch where nodes of the VLAN are connected.

Note
A VLAN must be assigned a name.

5. Type 2 to select VLAN ID (VID) and enter a VID value for the new VLAN. The permitted range of the VID value is 1 to 4094.

Note
A VLAN must have a VID. The management software will use the next available VID number on the switch as the default value.

A port set to the 802.1x authenticator or supplicant role must be changed to the 802.1x none role before you can change its untagged VLAN assignment. After the VLAN assignment is made, you can return the port’s role to authenticator or supplicant, if desired.

Note
Option 5, Protected Ports, in the Create VLAN menu is not used to create port-based and tagged VLANs. It must be left in the “No” default setting.

Example of Creating a Port-based VLAN

The following procedure creates the Sales VLAN illustrated in “Port-based Example 1” on page 551. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, Ports 1 to 4. The VLAN will not contain any tagged ports. To create the Sales VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

Example of Creating a Tagged VLAN

The following procedure creates the Engineering VLAN in the top switch illustrated in “Tagged VLAN Example” on page 557. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, Ports 9 to 11 and 20, and two tagged ports, Ports 8 and 16. To create the example Engineering VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

Modifying a VLAN

You can use this procedure to add or remove ports from a port-based or tagged VLAN. You can also use this procedure to change a VLAN’s name.

Note
To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 569.

To modify a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2.

The following prompt is displayed:

   Enter new value -> [1 to 4096] ->

5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 192.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   Modify VLAN

   1 - VLAN Name ..............
   2 - VLAN ID (VID) ..........
   3 - Tagged Ports ...........
   4 - Untagged Ports .........

3 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). When adding or removing tagged ports, observe the following guidelines:

   The new list of tagged ports will replace the existing tagged ports.

   If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.

Any untagged ports removed from a VLAN are automatically returned to the Default_VLAN as untagged ports.

If you added or removed from the VLAN a port with one or more static MAC addresses assigned to it, you must update the static addresses by deleting their entries from the MAC address table and reentering them using the VID of the VLAN to which the port has been moved.
Displaying VLANs

To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2. From the VLAN Configuration menu, type 5 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 193.

VLAN Type
The VLAN type. The possible settings are:

   Port Based - The VLAN is a port-based or tagged VLAN.
   GARP - The VLAN was automatically created by GARP.
   Protected - The VLAN is a protected ports VLAN.

Protocol
If this column is blank, the VLAN is a port-based, tagged, or protected ports VLAN. If it contains “GARP,” the VLAN or the port is a dynamic GVRP VLAN or a dynamic GVRP port of a static VLAN.

Member Port(s)
The untagged and tagged ports of a VLAN.

Deleting a VLAN

This procedure deletes port-based and tagged VLANs from the switch. All untagged ports in a deleted VLAN are returned to the Default_VLAN.

Note
To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 569.

To delete a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2.

5. Enter the VID of the VLAN you want to delete. You can specify only one VID at a time.

Note
You cannot delete the Default_VLAN, which has a VID of 1.

The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 195.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   Delete VLAN

   1 - VLAN Name ..............
   2 - VLAN ID (VID) ..........
   3 - VLAN Type ..............

8. Press any key.

9. Repeat this procedure starting with Step 4 to delete other VLANs.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting All VLANs

This section contains the procedure for deleting all port-based and tagged VLANs, except the Default_VLAN, on a switch. To delete selected VLANs, perform the procedure “Deleting a VLAN” on page 571.

To delete all VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2.

6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying PVIDs

The following procedure displays a menu that lists the PVIDs for all the ports on the switch. To display the PVID settings on the switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2. From the VLAN Configuration menu, type 6 to select Show PVIDs. The Show PVIDs menu is shown in Figure 196.

Enabling or Disabling Ingress Filtering

There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules. There are quite a few ingress and egress rules for Fast Ethernet switches.

tagged frame, without regard to the status of ingress filtering. You can enable or disable ingress filtering on a per-switch basis. You cannot set this per port. The default setting for ingress filtering is disabled.

To enable or disable ingress filtering, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2.
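To make the VLAN membership rules of this chapter concrete, here is an added Python model of how a VLAN-aware switch classifies and forwards a frame. It is an illustration written for this guide, not AT-S62 code: an untagged frame is assigned the receiving port's PVID, a tagged frame is assigned the VID carried in its 802.1Q tag, and the frame is then flooded to the other members of that VLAN, leaving tagged on tagged ports and untagged on untagged ports. Ingress filtering is modelled as IEEE 802.1Q describes it, discarding a tagged frame whose VLAN the receiving port is not a member of; the switch's own list of ingress rules is not reproduced on this page. The port table is the top switch of the Tagged VLAN Example; the MAC addresses, the payload, and the handling of ports that are untagged in no user VLAN (they stay in the Default_VLAN, VID 1) are constructed for the example.

```python
"""Model of IEEE 802.1Q VLAN forwarding: PVID, tagged and untagged membership,
and ingress filtering.  Added illustration, not AT-S62 code.  The port table
is the top switch of the guide's Tagged VLAN Example; frames are constructed."""
import struct

TPID = 0x8100          # 802.1Q Tag Protocol Identifier
ALL_PORTS = range(1, 25)


class VlanSwitch:
    def __init__(self, ingress_filtering=False):
        self.ingress_filtering = ingress_filtering   # AT-S62 default: disabled
        self.vlans = {}     # vid -> {"untagged": set(ports), "tagged": set(ports)}
        self.pvid = {}      # port -> PVID
        self.add_vlan(1, untagged=ALL_PORTS)         # Default_VLAN, VID 1

    def add_vlan(self, vid, untagged=(), tagged=()):
        # A port is an untagged member of one VLAN only; its PVID follows that membership.
        for p in untagged:
            old = self.pvid.get(p)
            if old is not None:
                self.vlans[old]["untagged"].discard(p)
            self.pvid[p] = vid
        self.vlans[vid] = {"untagged": set(untagged), "tagged": set(tagged)}

    def members(self, vid):
        return self.vlans[vid]["untagged"] | self.vlans[vid]["tagged"]

    def classify(self, in_port, frame):
        """VID of a received frame: from the tag if present, otherwise the port's PVID."""
        if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
            vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            return vid, frame[:12] + frame[16:]          # strip the tag
        return self.pvid[in_port], frame

    def forward(self, in_port, frame):
        """Egress port -> frame as transmitted; empty dict if the frame is discarded."""
        vid, plain = self.classify(in_port, frame)
        if vid not in self.vlans:
            return {}
        if self.ingress_filtering and in_port not in self.members(vid):
            return {}   # ingress filtering: receiving port is not a member of the frame's VLAN
        out = {}
        for p in self.members(vid) - {in_port}:
            out[p] = tag(plain, vid) if p in self.vlans[vid]["tagged"] else plain
        return out


def tag(frame, vid, priority=0):
    """Insert an 802.1Q tag after the source MAC address."""
    tci = (priority << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def frame_vid(frame):
    """VID carried in the frame's tag, or None for an untagged frame."""
    if frame[12:14] == b"\x81\x00":
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def top_switch(ingress_filtering=False):
    sw = VlanSwitch(ingress_filtering)
    sw.add_vlan(2, untagged=[1, 2, 3, 4, 5, 18], tagged=[8, 16])   # Sales
    sw.add_vlan(3, untagged=[9, 10, 11, 20], tagged=[8, 16])       # Engineering
    sw.add_vlan(4, untagged=[21, 22, 23, 24], tagged=[8])          # Production
    return sw


# Constructed sample frame: broadcast from a constructed MAC, IPv4 EtherType, short payload.
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("020000000001")
SAMPLE = BROADCAST + HOST_A + b"\x08\x00" + b"sample payload"


def demo(ingress_filtering=False):
    sw = top_switch(ingress_filtering)
    return {
        "untagged_on_sales_port": sw.forward(1, SAMPLE),           # PVID 2 applies
        "tagged_vid3_on_trunk": sw.forward(8, tag(SAMPLE, 3)),     # port 8 is tagged in VID 3
        "tagged_vid4_on_sales_port": sw.forward(1, tag(SAMPLE, 4)),  # port 1 is not in VID 4
    }


if __name__ == "__main__":
    for name, out in demo(ingress_filtering=True).items():
        print(name, {p: frame_vid(f) for p, f in sorted(out.items())})
```

The third case is the one ingress filtering exists for: with the default (disabled), a frame tagged for the Production VLAN that arrives on a Sales port is still delivered to Production's ports; with ingress filtering enabled the receiving port discards it, because port 1 is not a member of VID 4.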
Specifying a Management VLAN

The management VLAN is the VLAN on which an AT-8500 Series switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely, using the enhanced stacking feature of the switch, or activating the BOOTP or DHCP client. Management packets are packets generated by a management workstation when you manage a switch using the Telnet application protocol, SSH, or a web browser.

Now assume that you decide to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management. For this, you need to create the NMS VLAN on each AT-8500 Series switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. Then you need to be sure that the uplink and downlink ports connecting the switches together are either tagged or untagged members of the NMS VLAN.
Chapter 25
GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP).

Basic Overview of GARP VLAN Registration Protocol (GVRP)

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise have to be manually configured in each switch. This can be helpful in networks where VLANs span more than one switch.

Figure 197 provides an example of how GVRP works.

[Figure 197. GVRP Example: Switch #1 (AT-8524M, static VLAN Sales, VID=11) Port 1 -- Port 4 Switch #2 (AT-8524M) Port 15 -- Port 17 Switch #3 (AT-8524M, static VLAN Sales, VID=11)]

Switches #1 and #3 contain the Sales VLAN, but Switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLAN are unable to communicate with each other.

3. Switch #2 sends a PDU out port 15 containing all of the VIDs of the VLANs on the switch, including the new GVRP_VLAN_11 VLAN with its VID of 11. (It should be noted that port 15 is not yet a member of the VLAN. Ports are added to VLANs when they receive, not send, a PDU.)

4. Switch #3 receives the PDU on port 17 and, after examining it, notes that one of the VLANs on Switch #2 has the VID 11, which matches the VID of an already existing VLAN on the switch.

switches can result in GVRP incompatibility problems.

GVRP and Network Security

You can convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments. The procedure for this is found in “Modifying a VLAN” on page 565. The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP.

GVRP-inactive Intermediate Switches

The presence of a GVRP-inactive switch between GVRP-active devices may impact the ability of GVRP to automatically configure the VLANs in your switches. You might need to take this into account when implementing GVRP in your network.

Technical Overview of Generic Attribute Registration Protocol (GARP)

The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example, end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.

The architecture of GARP is shown in Figure 198.

[Figure 198. GARP architecture: a Switch with a GARP Participant (GARP Application plus GID) at MAC Layer Port 1 and at MAC Layer Port 2; GARP PDUs pass through LLC, and GIP connects the participants]

Applicant and Registrar. This is shown in Figure 199.

[Figure 199. GID Architecture: for each attribute (Attribute A, Attribute B, Attribute C, ...) the GID holds an Applicant State and a Registrar State]

GARP registers and de-registers attribute values through GARP messages sent at the GID level. A GARP Participant that wishes to make a declaration (an Applicant registering an attribute value) sends a JoinIn or JoinEmpty message.

To control the Applicant state machine, an Applicant Administrative Control parameter is provided. This parameter determines whether or not the Applicant state machine participates in GARP protocol exchanges. The default value has the Applicant participating in the exchanges. To control the Registrar state machine, a Registrar Administrative Control parameter is provided.
Configuring GVRP

This section contains the procedure for configuring GVRP. The timers in the following menus are in increments of centiseconds, which are hundredths of a second.

To configure GVRP, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2. From the VLAN Configuration menu, type 8 to select Configure GARP-GVRP.

The following prompt is displayed:

   Enter your new value (E-Enabled, D-Disabled):

6. Choose one of the following:

   E to enable GIP.
   D to disable GIP.

Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.

Caution
The following steps change the three GVRP timers. The settings for these timers must be the same on all GVRP-active devices in your network.

7.

Enabling or Disabling GVRP on a Port

This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.

Note
To protect against unauthorized access to restricted areas of your network, Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices.

The Configure GVRP Port Settings Menu is shown in Figure 202.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   Configure GVRP Port Settings
   Configuring Port 1-2

   1 - Port Mode ............. Normal

   R - Return to Previous Menu

   Enter your selection?

Figure 202. Configure GVRP Port Settings Menu

6. Type 1 to select Port Mode. The following prompt is displayed:

   Enter mode (0-Normal, 1-None): [0 to 1] -> 0

7.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved.

Converting a Dynamic GVRP VLAN

This procedure converts a dynamic GVRP VLAN into a static VLAN. You can perform this procedure to permanently retain the VLANs the switch learned through GVRP.

Note
This procedure cannot convert a dynamic GVRP port in a static VLAN into a static port. For that you must manually modify the static VLAN, specifying the dynamic port as either a tagged or untagged member of the VLAN.

Displaying GVRP Parameters and Statistics

To display GVRP counters, database, state machine, and GIP connected ports ring, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2. From the VLAN Configuration menu, type 8 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 200 on page 591.

3.

GVRP Counters

Option 1, Display GVRP Counters, in the Other GARP Port Parameters menu displays the GVRP Counters Menu (page 1) as shown in Figure 205.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   GVRP Counters

   Receive:                        Transmit:
   --------                        ---------
   GARP Messages:
   --------------
   LeaveAll           7            LeaveAll          77
   JoinEmpty          0            JoinEmpty         58
   JoinIn            68            JoinIn           285
   LeaveEmpty         0            LeaveEmpty         1
   LeaveIn            0            LeaveIn            0
   Empty              5            Empty             21
   Bad Message        0
   Bad Attribute      0

   P - Previous Page
   U - Updated Display
   R - Return to Previous Menu

   Enter your selection?

Figure 206.

Table 21. GVRP Counters

   Receive Discarded: Port Not Listening
      Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port.

   Transmit Discarded: Port Not Sending
      Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.

Table 21. GVRP Counters (continued)

   Receive GARP Messages: LeaveEmpty
      Total number of GARP LeaveEmpty messages received for all attributes in the GARP application.

   Transmit GARP Messages: LeaveEmpty
      Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.

   Receive GARP Messages: LeaveIn
      Total number of GARP LeaveIn messages received for all attributes in the GARP application.
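The three-switch exchange described under Figure 197, the effect of a GVRP-inactive intermediate switch, and the reason behind the Note that recommends the None port mode on unused ports can all be traced in the following added Python model. It is an illustration written for this guide, not AT-S62 code: it registers the VIDs of a received declaration directly on the receiving port and leaves out the GARP Applicant and Registrar state machines and timers. The link port numbers follow Figure 197; the static Sales ports on Switches #1 and #3 and the unused port 9 on Switch #3 are constructed; the discard counters carry the names used in Table 21.

```python
"""Toy model of GVRP VLAN registration between switches.  Added illustration,
not AT-S62 code.  Topology: the three-switch example of Figure 197 (static Sales
ports and the unused port are constructed); counter names follow Table 21."""
from collections import defaultdict


class GvrpSwitch:
    def __init__(self, name, static_vlans):
        self.name = name
        # vid -> {"name": ..., "static": configured ports, "dynamic": ports learned via GVRP}
        self.vlans = {vid: {"name": n, "static": set(ports), "dynamic": set()}
                      for vid, (n, ports) in static_vlans.items()}
        self.port_mode = defaultdict(lambda: "Normal")   # default: ports participate in GVRP
        self.counters = defaultdict(int)

    def pdu(self, port):
        """VIDs declared in the PDU sent out `port`; None if the port does not send."""
        if self.port_mode[port] == "None":
            self.counters["Transmit Discarded: Port Not Sending"] += 1
            return None
        return frozenset(self.vlans)      # all VIDs the switch knows, static or dynamic

    def receive(self, port, vids):
        """Register the declared VIDs on the receiving port; True if anything changed."""
        if self.port_mode[port] == "None":
            self.counters["Receive Discarded: Port Not Listening"] += 1
            return False
        changed = False
        for vid in vids:
            if vid not in self.vlans:     # unknown VID: create a dynamic GVRP VLAN
                self.vlans[vid] = {"name": f"GVRP_VLAN_{vid}", "static": set(), "dynamic": set()}
                changed = True
            v = self.vlans[vid]
            if port not in v["static"] and port not in v["dynamic"]:
                v["dynamic"].add(port)    # ports join when they receive, not send, a PDU
                changed = True
        return changed


def run_gvrp(links, max_rounds=16):
    """links: ((switch, port), (switch, port)) pairs.  Each round every link carries
    a PDU in both directions; stop when a round changes nothing."""
    for _ in range(max_rounds):
        changed = False
        for (a, pa), (b, pb) in links:
            for tx, tp, rx, rp in ((a, pa, b, pb), (b, pb, a, pa)):
                vids = tx.pdu(tp)
                if vids is not None:
                    changed = rx.receive(rp, vids) or changed
        if not changed:
            break


def figure_197(intermediate_active=True):
    s1 = GvrpSwitch("Switch #1", {11: ("Sales", {2, 3})})      # static ports constructed
    s2 = GvrpSwitch("Switch #2", {})                           # no Sales VLAN configured
    s3 = GvrpSwitch("Switch #3", {11: ("Sales", {20, 21})})    # static ports constructed
    if not intermediate_active:        # Switch #2 as a GVRP-inactive intermediate switch
        s2.port_mode[4] = s2.port_mode[15] = "None"
    run_gvrp([((s1, 1), (s2, 4)), ((s2, 15), (s3, 17))])
    return s1, s2, s3


def unused_port_scenario(disable_gvrp_on_unused_port):
    """A declaration for VID 11 arrives on Switch #3's unused port 9 (constructed).
    Returns (port 9 became a dynamic Sales member?, Port Not Listening count)."""
    _, _, s3 = figure_197()
    if disable_gvrp_on_unused_port:
        s3.port_mode[9] = "None"       # the guide's recommendation for unused ports
    s3.receive(9, {11})
    return 9 in s3.vlans[11]["dynamic"], s3.counters["Receive Discarded: Port Not Listening"]


if __name__ == "__main__":
    for sw in figure_197():
        print(sw.name, {vid: (v["name"], sorted(v["dynamic"])) for vid, v in sw.vlans.items()})
    print("unused port, Normal:", unused_port_scenario(False))
    print("unused port, None:  ", unused_port_scenario(True))
```

With the default Normal mode, `unused_port_scenario(False)` returns `(True, 0)`: a declaration for VID 11 arriving on an unused port makes that port a dynamic member of the Sales VLAN, which is the exposure the Note under Enabling or Disabling GVRP on a Port describes. With the port set to None the same declaration is dropped and the Receive Discarded: Port Not Listening counter of Table 21 increments, so that counter is where a discarded declaration shows up when you review the GVRP Counters menu. Setting Switch #2's link ports to None reproduces the GVRP-inactive intermediate switch: Switch #3 never learns anything about Switch #1's side of the Sales VLAN.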
GVRP Database

Option 2, Display GVRP Database, in the Other GARP Port Parameters menu displays the GVRP Database Menu as shown in Figure 207.

GIP Connected Ports Ring

Option 3, Display GIP Connected Ports Ring, in the Other GARP Port Parameters menu displays the GIP Connected Ports Ring Menu as shown in Figure 208.

GVRP State Machine

Option 4, Display GVRP State Machine, in the Other GARP Port Parameters menu displays the GVRP State Machine Menu (page 1) as shown in Figure 209.

   Allied Telesyn Ethernet Switch AT-8524M - AT-S62
   Production Switch
   User: Manager                        11:20:02 02-Jan-2006

   GVRP State Machine

   Enter a VLAN ID for displaying the state machine: [1 to 4094] -> 1

Figure 209.

Table 24. GVRP State Machine Parameters

   Parameter   Meaning
   App         Applicant state machine for the GID index on that particular port.

Table 24. GVRP State Machine Parameters (continued)

   Parameter   Meaning
   Reg         Registrar state machine for the GID index on that particular port. One of:
                  “Mt”   Empty
                  “Lv3”  Leaving substate 3 (final Leaving substate)
                  “Lv2”  Leaving substate 2
                  “Lv1”  Leaving substate 1
                  “Lv”   Leaving substate (initial Leaving substate)
                  “In”   In
                  “Fix”  Registration Fixed
                  “For”  Registration Forbidden
               The initialized state for the Registrar is Mt.
Chapter 26
Multiple VLAN Modes

This chapter describes the multiple VLAN modes and how to select a mode.

Multiple VLAN Mode Overview

Multiple VLAN modes simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and can only forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing the ports with access to an uplink port.

WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port. The uplink port also has its own VLAN, where it is an untagged member. This VLAN is called Uplink_VLAN.

Note
In 802.1Q Multiple VLAN mode, the device connected to the uplink port must be IEEE 802.1Q-compliant.

An example of the 802.

   VLAN Name        VID   Untagged Port   Tagged Port
   Client_VLAN_19   19    19              25
   Client_VLAN_20   20    20              25
   Client_VLAN_21   21    21              25
   Client_VLAN_22   22    22              25
   Client_VLAN_23   23    23              25
   Client_VLAN_24   24    24              25
   Uplink_VLAN      25    25
   Client_VLAN_26   26    26              25

This highly segmented configuration is useful in situations where traffic generated by each end node or network segment connected to a port on the switch needs to be kept separate from all other network traffic, but st

Non-802.1Q Compliant Multiple VLAN Mode

Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. Traffic isolation is established through port mapping. The result, however, is the same. Ports are permitted to forward traffic only to the designated uplink port and to no other port, even when they receive a broadcast packet.

Selecting a VLAN Mode

The following procedure explains how to select a VLAN mode. Available modes are:

   User configured VLAN mode (port-based and tagged VLANs)
   IEEE 802.1Q Compliant Multiple VLAN mode
   Non-IEEE 802.1Q Compliant Multiple VLAN mode

Note
Any port-based or tagged VLANs you created are not retained when you change the VLAN mode from the user configured mode to a multiple VLAN mode and, at some point, reset the switch.

Displaying VLAN Information

To view the VLANs on the switch while the unit is operating in Multiple VLAN mode, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.

2. From the VLAN Configuration menu, type 6 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 211.
Chapter 27
Protected Ports VLANs

This chapter explains protected ports VLANs.

Protected Ports VLAN Overview

The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it offers several advantages. One is that it provides more flexibility. With the multiple VLAN modes, you can select only one uplink port which is shared by all the other ports.

To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is that as part of the procedure you must create the individual groups within the VLAN by assigning the ports to their groups. Here is an example of a protected ports VLAN.

A protected ports VLAN can contain any number of groups.

A group can contain any number of ports.

The ports of a group can be tagged or untagged.

Each group must be assigned a unique group number on the switch. The number can be from 1 to 256.

A protected ports VLAN can contain more than one uplink port.

An uplink port can be either tagged or untagged.
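The isolation that a protected ports VLAN and the 802.1Q Multiple VLAN mode of Chapter 26 produce can be compared with the following added Python model (an illustration written for this guide, not AT-S62 code). It builds the Client_VLAN/Uplink_VLAN table that the 802.1Q Multiple VLAN mode generates, defines a protected ports VLAN with numbered groups and uplink ports following the rules listed above, and checks that a protected ports VLAN in which every port is a group of its own isolates ports exactly as the multiple VLAN mode does. The model assumes that ports in the same group may exchange traffic with each other (this page states only that groups share the uplink and are kept apart from one another); the 26-port switch with port 25 as the uplink mirrors the table in Chapter 26, and the port and group numbers in the example calls are constructed.

```python
"""Reachability model comparing the 802.1Q Multiple VLAN mode with a protected
ports VLAN.  Added illustration, not AT-S62 code.  Assumption: ports of the
same group may talk to each other; all port and group numbers are constructed."""


def multiple_vlan_mode_table(ports, uplink):
    """VLAN table of 802.1Q Multiple VLAN mode: each port is the untagged member of
    its own Client_VLAN_<port> (VID = port number) with the uplink as a tagged
    member; the uplink is the only (untagged) member of Uplink_VLAN."""
    table = {}
    for p in ports:
        if p == uplink:
            table["Uplink_VLAN"] = {"vid": p, "untagged": {p}, "tagged": set()}
        else:
            table[f"Client_VLAN_{p}"] = {"vid": p, "untagged": {p}, "tagged": {uplink}}
    return table


def reach_by_vlan(table, src, dst):
    """In a VLAN-based design two ports can exchange traffic only if some VLAN
    contains both of them."""
    if src == dst:
        return False
    return any(src in v["untagged"] | v["tagged"] and dst in v["untagged"] | v["tagged"]
               for v in table.values())


class ProtectedPortsVlan:
    """One VLAN (one VID) whose ports are partitioned into numbered groups plus one
    or more uplink ports.  Model assumption: a port reaches the uplink ports and the
    ports of its own group, never a port of another group."""

    def __init__(self, vid, uplinks, groups):
        if not all(1 <= g <= 256 for g in groups):      # group numbers run from 1 to 256
            raise ValueError("group number out of range")
        self.vid = vid
        self.uplinks = set(uplinks)
        self.group_of = {}
        for g, ports in groups.items():
            for p in ports:
                if p in self.group_of:
                    raise ValueError(f"port {p} assigned to two groups")
                self.group_of[p] = g

    def reach(self, src, dst):
        members = self.uplinks | set(self.group_of)
        if src == dst or src not in members or dst not in members:
            return False
        if src in self.uplinks or dst in self.uplinks:
            return True
        return self.group_of[src] == self.group_of[dst]


def reach_matrix(reach, ports):
    """{(src, dst): bool} for every ordered pair, for comparing the two designs."""
    return {(s, d): reach(s, d) for s in ports for d in ports}


def same_isolation(ports=range(1, 27), uplink=25):
    """Multiple VLAN mode isolates exactly like a protected ports VLAN in which
    every non-uplink port is a group of its own."""
    table = multiple_vlan_mode_table(ports, uplink)
    ppv = ProtectedPortsVlan(vid=2, uplinks={uplink},
                             groups={p: {p} for p in ports if p != uplink})
    by_vlan = reach_matrix(lambda s, d: reach_by_vlan(table, s, d), ports)
    return by_vlan == reach_matrix(ppv.reach, ports)


if __name__ == "__main__":
    ppv = ProtectedPortsVlan(vid=2, uplinks={22}, groups={1: {1, 2}, 2: {3, 4}})
    for pair in ((1, 2), (1, 3), (3, 22), (22, 4)):
        print(pair, ppv.reach(*pair))
    print("same isolation as multiple VLAN mode:", same_isolation())
```

`same_isolation()` returning True is the point of the comparison: a protected ports VLAN reproduces the multiple VLAN mode with a single VID instead of one VID per port, and adding a second uplink or grouping several ports together is then an edit to one VLAN rather than a change of VLAN mode, which, as the Note in Selecting a VLAN Mode warns, does not retain the user-configured VLANs.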
AT-S62 Management Software Menus Interface User’s Guide Creating a Protected Ports VLAN To create a new protected ports VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. 2. From the VLAN Configuration Menu, type 4 to select Configure VLANs. Note If the menu does not include selection 4, Configure VLANs, the switch is running a multiple VLAN mode. To change the switch’s VLAN mode, refer to “Selecting a VLAN Mode” on page 612. 3.
Chapter 27: Protected Ports VLANs Note A VLAN must be assigned a name. 6. Type 2 to select VLAN ID (VID. The following prompt is displayed: Enter new value -> [2 to 4094] -> 7. Type a VID value for the new VLAN. The range for the VID value is 2 to 4094. The AT-S62 management software uses the next available VID number on the switch as the default value.
AT-S62 Management Software Menus Interface User’s Guide 12. Type C to select Create VLAN. The following prompt is displayed: Enter Uplink Ports (4 - 12) -> The prompt will show the ports that you specified as belonging to the VLAN. 13. Enter the port in the VLAN that will function as the uplink port for the different VLAN groups. You can select more than one uplink port.
Chapter 27: Protected Ports VLANs Modifying a Protected Ports VLAN Please note the following before you perform this procedure: To modify this type of VLAN, you must recreate it by reselecting the uplink port(s) and reassigning the ports to the groups. For this reason Allied Telesyn recommends that before you perform this procedure you first display the details of the protected ports VLAN you want to modify and write down on paper the VLAN’s current configuration (i.e.
The Modify VLAN Menu is shown in Figure 191 on page 565.
4. Type 1 to select VLAN ID (VID). The following prompt is displayed:
Enter new value -> [1 to 4096] ->
5. Enter the VID of the VLAN you want to modify. The Modify VLAN Menu expands to contain all relevant information about the VLAN, as shown in Figure 213.
3 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). The new list of tagged ports will replace the existing tagged ports.
4 - Untagged Ports
Use this selection to add or remove untagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9).
After you have created all of the groups, this prompt is displayed:
SUCCESS - Press any key to continue.
Press any key to continue. The modified protected ports VLAN and its groups are now active on the switch.
12. Press any key to return to the Configure VLANs Menu.
13. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying a Protected Port VLAN
To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 188 on page 559.
2. From the VLAN Configuration menu, type 5 to select Show VLANs. The Show VLANs Menu is shown in Figure 214.
Untagged (U) / Tagged (T) - The ports of the VLAN. Tagged ports are designated with a “T” and untagged ports with a “U.”
3. To view additional information about a protected ports VLAN, type D to select Detail Information Display. The following prompt is displayed:
Enter new value ->
4. Enter the VID of the protected ports VLAN whose information you want to view. An example of the Show VLANs window for a protected ports VLAN is shown in Figure 215.
Deleting a Protected Ports VLAN
All untagged ports in a deleted protected ports VLAN are automatically returned to the Default_VLAN. To delete a protected ports VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration Menu is shown in Figure 188 on page 559.
2. From the VLAN Configuration Menu, type 4 to select Configure VLANs. The Configure VLANs Menu is shown in Figure 189 on page 560.
Note
You cannot delete the Default_VLAN, which has a VID of 1.
The Delete VLAN Menu expands to contain all relevant information about the VLAN, as shown in Figure 217.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2006
Delete VLAN
1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - Tagged Ports ...........
4 - Untagged Ports .........
5 - Protected Ports ........
9. Repeat this procedure starting with Step 4 to delete other VLANs.
10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Section VI
Port Security
The chapters in this section explain the port security features of the AT-8524M switch. The chapters include:
Chapter 28: “MAC Address-based Port Security” on page 633
Chapter 29: “802.
Chapter 28 MAC Address-based Port Security This chapter explains how you can use the dynamic and static MAC addresses learned and assigned to the ports of the switch to control which end nodes can forward packets through the device.
MAC Address-based Port Security Overview
This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it.
Secured
A port set to this security level forwards packets only using static MAC addresses. The port does not learn dynamic MAC addresses and deletes any it has already learned. The port discards an ingress packet if its source MAC address is not specified as a static address.
Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.)
Discard the invalid frame, send an SNMP trap, and disable the port.
Guidelines
Here are the guidelines to observe when using this type of port security: This security method only applies to ingress packets on a port and not to egress packets.
Configuring MAC Address-based Port Security
To set the port security level, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 218.
The menu displays the current security level on the selected port. If you are configuring a range of ports and the ports have different security levels, the menu displays the current security level of the lowest-numbered port.
Note
The D - Select Default Port Security option in the menu sets the security mode for the port to the default value of Automatic.
5. Press 1 to change the port security on your specified port list.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2006
Configure Port Security
Configuring Port Security 4
1 - Security Mode ..................... Limited
2 - Threshold ......................... 100
3 - Intruder Action ................... Discard
4 - Port Participating ................ No
D - Set Default Port Security
R - Return to Previous Menu
Enter your selection?
Figure 220.
10. If you selected the trap or disable intrusion action, type 4 to toggle the Port Participating option to Yes. This option applies only when the intrusion action is set to trap or disable. This option does not apply when intrusion action is set to discard. If this option is set to No when intrusion action is set to trap or disable, the port discards invalid packets, but it does not send the SNMP trap or disable the port.
Displaying Port Security Levels
To view the current security levels for the ports on the switch, do the following:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 218 on page 637.
3. From the Port Security menu, type 2 to select Display Port Security. The Display Port Security menu is shown in Figure 221.
Intruder Action
The column specifies the action taken by a port if it receives an invalid frame while operating in the Limited security mode.
Discard: The port discards invalid frames. This is the default.
Send Trap: The port discards invalid frames and sends a trap.
Disable Port: The port discards invalid frames, sends a trap, and disables the port.
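The following Python model is added here as an illustration; it is not part of the AT-S62 software or of this guide. It runs constructed frames through the Secured and Limited security levels and the three intruder actions described above, including the Port Participating rule (trap and disable are suppressed when the port is not participating, and the trap also needs SNMP enabled). It assumes that the Limited threshold is the maximum number of dynamic addresses the port learns, uses constructed MAC addresses from the documentation range, and the Port class, ingress() and port_security_demo() are names chosen for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "Automatic"   # default: learns dynamic addresses, no restriction
    LIMITED = "Limited"       # learns up to `threshold` dynamic addresses (assumption)
    SECURED = "Secured"       # static addresses only, no dynamic learning


class Action(Enum):
    DISCARD = "Discard"       # default intruder action
    TRAP = "Send Trap"        # discard + SNMP trap
    DISABLE = "Disable Port"  # discard + SNMP trap + disable the port


@dataclass
class Port:
    number: int
    mode: Mode = Mode.AUTOMATIC
    threshold: int = 100                 # matches the value shown in Figure 220
    action: Action = Action.DISCARD
    participating: bool = False          # the "Port Participating" menu option
    static_macs: set = field(default_factory=set)
    dynamic_macs: set = field(default_factory=set)
    disabled: bool = False
    traps: list = field(default_factory=list)


def ingress(port: Port, src_mac: str, snmp_enabled: bool = True) -> str:
    """Decide whether a frame entering `port` is forwarded or discarded.

    Only ingress frames are checked, and only their source MAC address matters.
    """
    if port.disabled:
        return "discard"

    if port.mode is Mode.SECURED:
        # Secured: no dynamic learning; anything learned earlier is dropped.
        port.dynamic_macs.clear()
        return "forward" if src_mac in port.static_macs else "discard"

    if src_mac in port.static_macs or src_mac in port.dynamic_macs:
        return "forward"

    if port.mode is Mode.AUTOMATIC:
        port.dynamic_macs.add(src_mac)
        return "forward"

    # Limited: learn new addresses until the threshold is reached.
    if len(port.dynamic_macs) < port.threshold:
        port.dynamic_macs.add(src_mac)
        return "forward"

    # Invalid frame: always discarded. Trap/disable happen only if the port
    # participates, and the trap is only sent when SNMP is enabled.
    if port.action is not Action.DISCARD and port.participating:
        if snmp_enabled:
            port.traps.append(f"port {port.number}: intruder {src_mac}")
        if port.action is Action.DISABLE:
            port.disabled = True
    return "discard"


def port_security_demo() -> dict:
    """Run constructed frames through a Limited port and a Secured port."""
    limited = Port(4, Mode.LIMITED, threshold=2, action=Action.DISABLE, participating=True)
    limited_results = [ingress(limited, mac) for mac in (
        "00:00:5e:00:53:01",
        "00:00:5e:00:53:02",
        "00:00:5e:00:53:03",   # third address exceeds the threshold: intruder
        "00:00:5e:00:53:01",   # known address, but the port is now disabled
    )]

    secured = Port(5, Mode.SECURED, static_macs={"00:00:5e:00:53:10"})
    secured.dynamic_macs.add("00:00:5e:00:53:11")  # learned before the mode change
    secured_results = [ingress(secured, mac) for mac in (
        "00:00:5e:00:53:10", "00:00:5e:00:53:11")]

    return {
        "limited": limited_results,
        "limited_disabled": limited.disabled,
        "limited_traps": len(limited.traps),
        "secured": secured_results,
        "secured_dynamic_left": len(secured.dynamic_macs),
    }


if __name__ == "__main__":
    print(port_security_demo())
```

The Limited port in the demo forwards the first two addresses, discards the third and shuts itself down, after which even a previously learned address is dropped; the Secured port discards the address it had learned dynamically and keeps only its static entry.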
Chapter 29 802.1x Port-based Network Access Control
This chapter explains 802.1x Port-based Network Access Control and how you can use this feature to restrict access to the network ports on the switch. Sections are as follows:
“IEEE 802.1x Port-based Network Access Control Overview” on page 644
“Setting Port Roles” on page 662
“Enabling and Disabling 802.
IEEE 802.1x Port-based Network Access Control Overview
The AT-S62 management software offers you several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 28, “MAC Address-based Port Security” on page 633, explains how to restrict network access using the source MAC addresses of the end nodes in your network. This chapter explains yet another way. This method, referred to as 802.
Authenticator - The authenticator is a port on the switch that prohibits network access by a supplicant until the supplicant has been validated by the RADIUS server.
Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-8500 Series switch does not authenticate any of the supplicants connected to its ports.
Port Roles
Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:
None
Authenticator
Supplicant
None Role
A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without being validated.
authentication is not tied to any specific computer or node. An end user can log on from any system and still be verified by the RADIUS server as a valid user of the switch and network. This authentication method requires 802.1x client software on the supplicant nodes.
MAC address-based authentication
An alternative method is to use the MAC address of a node as the username and password combination for the device.
Force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The port forwards EAPOL frames, but discards all other traffic. This setting is analogous to disabling a port.
As mentioned earlier, the switch itself does not authenticate the user names and passwords from the clients. That function is performed by the authentication server, which contains the RADIUS server software.
Authenticator Ports with Single and Multiple Supplicants
An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all the clients must log on to use the switch port. The operating modes are:
Single
Multiple
Single Operating Mode
The Single operating mode is used in two situations.
[Figure: illustration of an AT-9424T/SP (AT-9400 Series) switch front panel; only port numbers and LED labels are legible]
If the clients are connected to an 802.1x-compliant device, such as another AT-8500 Series switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically, eliminating the need for relying on an individual to perform the task. This scenario is illustrated in Figure 225.
[Figure: AT-9400 Series Switch (A) front panel. Port 6: Role: None or Role: Authenticator; Operating Mode: Single; Piggy-back Mode: Enabled]
An example of this authenticator operating mode is illustrated in Figure 227. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on an AT-8500 Series switch. If the authenticator port is set to use the 802.1x authentication method, each client must be given a separate username and password combination to log on to and forward traffic through the AT-8500 Series switch.
not be logged on to the port. Also note that the ports where the clients are connected on switch B are set to the None role. This is because a client can log on only once. If, in this example, you were to make a client’s port an authenticator, the client would have to log on twice when trying to access switch A, once on its port on switch B as well as the authenticator port on switch A. This is not permitted.
Providing network users with access to their network resources while also maintaining network security is often achieved through the use of VLANs. As explained in “VLAN Overview” on page 546, a VLAN is an independent traffic domain where the traffic generated by the nodes within the VLAN is restricted to nodes of the same VLAN, unless there is a router or Layer 3 interconnection device.
Multiple Operating Mode
The initial authentication on an authenticator port running in the Multiple operating mode is handled in the same fashion as with the Single operating mode. If the switch receives a valid VLAN ID or name from the RADIUS server, it moves the authenticator port to the designated VLAN and changes the port to the authorized state.
Note
The Guest VLAN feature is only supported on an authenticator port in the Single operating mode.
RADIUS Accounting
The AT-S62 management software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information to the RADIUS server about the status of its supplicants. You can view this information on the RADIUS server to monitor network activity and use.
General Steps
Following are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:
1. You must install RADIUS server software on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesyn. Funk Software Steel-Belted Radius and Free Radius have been verified as fully compatible with the AT-S62 management software.
802.1x Port-based Network Access Control Guidelines
The following are general guidelines to using this feature:
Ports operating under port-based access control do not support dynamic MAC address learning.
The appropriate port role for a port on an AT-8500 Series switch connected to a RADIUS authentication server is None.
The authentication server must be a member of the management VLAN.
An authenticator port cannot be part of a static port trunk, LACP port trunk, or port mirror.
If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout period, assumes that it can send traffic without having to log on.
GVRP must be disabled on an authenticator port.
When 802.
Setting Port Roles
This procedure sets port roles. For an explanation of port roles, refer to “Port Roles” on page 646. You must set up the port roles before you enable port access control. To set port roles, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313.
2. From the Security and Services menu, type 2 to select Port Access Control (802.1X).
The Configure Port Access Role menu is shown in Figure 230.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Marketing
User: Manager                                    11:20:02 02-Mar-2006
Configure Port Access Role
Configuring Port 3
1 - Port Role ......... None
R - Return to Previous Menu
Enter your selection?
Figure 230. Configure Port Access Role Menu
5. Type 1 to select Port Role.
Enabling and Disabling 802.1x Port-based Network Access Control
This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to “Setting Port Roles” on page 662.
Configuring Authenticator Port Parameters
Note
A port must already be set to the authenticator role before you can configure its settings. For instructions on how to change the role of a port, refer to “Setting Port Roles” on page 662.
To configure the parameters of an authenticator port, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313.
2.
The Configure Authenticator Port Access Parameters menu is shown in Figure 232.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Marketing
User: Manager                                    11:20:02 02-Mar-2006
Configure Authenticator Port Access Parameters
Configuring Port 3
0 - Authentication Mode ......
1 - Supplicant Mode ..........
2 - Port Control .............
3 - Quiet Period .............
4 - TX Period ................
5 - Reauth Enabled ...........
6 - Reauth Period ......
7 -
8 -
9 -
A -
B -
C -
D -
E -
1 - Supplicant Mode
This parameter can take the following values on an authenticator port:
Single: Configures the authenticator port to accept only one authentication. This supplicant mode should be used together with the piggy-back mode. When an authenticator port is set to the Single mode and the piggy-back mode is disabled, only the one client who is authenticated can use the port. Packets from or to other clients on the port are discarded.
3 - Quiet Period
The quiet period is the number of seconds that the port remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.
4 - TX Period
This parameter sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The default value is 30 seconds.
For additional information, refer to “Supplicant and VLAN Associations” on page 655.
B - Secure VLAN
This parameter controls the action of an authenticator port to subsequent authentications after the initial authentication where VLAN assignments have been added to the user accounts on the RADIUS server. This parameter only applies when the port is operating in the Multiple operating mode.
D - Piggyback Mode
This parameter controls who can use the switch port in cases where there are multiple clients using the port (e.g., the switch port is connected to an Ethernet hub). If set to enabled, the port allows all clients on the port to piggy-back onto the initial client’s authentication, forwarding all packets after one client is authenticated.
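As an added example (not code from this guide or from Allied Telesyn), the Python model below decides which frames an authenticator port passes under the Single and Multiple supplicant modes and the piggy-back setting described above, together with the Force-unauthorized port control described earlier in the chapter. The Auto and Force-authorized values are the standard 802.1X port-control settings and are assumed here alongside the Force-unauthorized one; the user table is a constructed stand-in for the RADIUS server, which in practice performs the credential check while the switch only relays it; the MAC addresses, credentials and all class and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class PortControl(Enum):
    AUTO = "Auto"                              # standard 802.1X: authorized after a successful log on
    FORCE_AUTHORIZED = "Force-authorized"      # standard 802.1X: always forwards
    FORCE_UNAUTHORIZED = "Force-unauthorized"  # guide: forwards EAPOL frames only


class SupplicantMode(Enum):
    SINGLE = "Single"
    MULTIPLE = "Multiple"


# Constructed stand-in for the authentication server's user database. The
# switch never checks credentials itself; it relays them to the RADIUS server.
AUTHENTICATION_SERVER = {"alice": "s3cret-A", "bob": "s3cret-B"}


def radius_accepts(username: str, password: str) -> bool:
    return AUTHENTICATION_SERVER.get(username) == password


@dataclass
class AuthenticatorPort:
    control: PortControl = PortControl.AUTO
    supplicant_mode: SupplicantMode = SupplicantMode.SINGLE
    piggyback: bool = False
    authorized: set = field(default_factory=set)   # MACs of clients that logged on

    def log_on(self, mac: str, username: str, password: str) -> bool:
        """Relay a client's credentials; returns whether the client is now authorized."""
        if self.control is not PortControl.AUTO:
            return False          # force-* ports ignore authentication attempts
        if (self.supplicant_mode is SupplicantMode.SINGLE
                and self.authorized and mac not in self.authorized):
            return False          # Single mode accepts only one authentication
        if radius_accepts(username, password):
            self.authorized.add(mac)
            return True
        return False

    def forwards(self, mac: str, eapol: bool = False) -> bool:
        """Does a data frame from `mac` (or an EAPOL frame) pass the port?"""
        if eapol:
            return True           # EAPOL passes even on a force-unauthorized port
        if self.control is PortControl.FORCE_AUTHORIZED:
            return True
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False
        if not self.authorized:
            return False
        if self.supplicant_mode is SupplicantMode.SINGLE and self.piggyback:
            return True           # every client on the hub rides on the first log on
        return mac in self.authorized


A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"


def single_no_piggyback() -> dict:
    port = AuthenticatorPort()
    return {"a_logon": port.log_on(A, "alice", "s3cret-A"),
            "b_logon": port.log_on(B, "bob", "s3cret-B"),   # refused: port already has its one client
            "a": port.forwards(A), "b": port.forwards(B)}


def single_piggyback() -> dict:
    port = AuthenticatorPort(piggyback=True)
    port.log_on(A, "alice", "s3cret-A")
    return {"a": port.forwards(A), "b": port.forwards(B)}   # B never logged on


def multiple() -> dict:
    port = AuthenticatorPort(supplicant_mode=SupplicantMode.MULTIPLE)
    port.log_on(A, "alice", "s3cret-A")
    port.log_on(B, "bob", "wrong-password")
    port.log_on(C, "bob", "s3cret-B")
    return {"a": port.forwards(A), "b": port.forwards(B), "c": port.forwards(C)}


def force_unauthorized() -> dict:
    port = AuthenticatorPort(control=PortControl.FORCE_UNAUTHORIZED)
    return {"logon": port.log_on(A, "alice", "s3cret-A"),
            "eapol": port.forwards(A, eapol=True), "data": port.forwards(A)}


if __name__ == "__main__":
    print(single_no_piggyback(), single_piggyback(), multiple(), force_unauthorized())
```

The piggy-back case is the one to weigh when the port feeds a hub: once alice has logged on, bob's frames pass without any credential check, which is exactly the behaviour the parameter description above promises and the reason the guide pairs it with the Single mode only.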
Configuring Supplicant Port Parameters
To configure supplicant port parameters, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313.
2. From the Security and Services menu, type 2 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 229 on page 662.
3.
The Configure Supplicant Port Access Parameters menu is shown in Figure 232.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Marketing
User: Manager                                    11:20:02 02-Mar-2006
Configure Supplicant Port Access Parameters
Configuring Port 5-8
1 - Auth Period ...........
2 - Held Period ...........
3 - Max Start ............
4 - Start Period ..........
5 - User Name: ...........
6 - User Password: .......
characters, such as asterisks or exclamation points. The username is case sensitive.
6 - User Password
This parameter specifies the password for the switch port. The port sends the password to the authentication server for verification when the port logs on to the network. The password can be from 1 to 16 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points.
Displaying the Port Access Parameters
To display the port access parameters for the ports on the switch, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 103 on page 313.
2. From the Security and Services menu, type 2 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 229 on page 662.
3.
AuthMode
The port’s authentication mode: 802.1x or MAC Based. For further information, refer to “Authentication Modes” on page 646.
Port Role
Port access role configured for the port. The possible settings are None, Authenticator, or Supplicant.
State
State of the port. The state field is dependent on whether a port is configured as an authenticator or a supplicant.
Configuring RADIUS Accounting
The AT-S62 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a switch port during a client session. For background information on this feature, refer to “RADIUS Accounting” on page 658.
4. Adjust the following parameters as necessary.
1 - Status
This parameter activates or deactivates RADIUS accounting on the switch. Select Enabled to activate the feature or Disabled to deactivate it. The default is Disabled.
2 - Port
This parameter specifies the UDP port for RADIUS accounting. The default is port 1813.
3 - Type
This parameter specifies the type of RADIUS accounting. The default is Network. This value cannot be changed.
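The parameters above say where the accounting records go; the added Python below (not the switch's code and not from this guide) shows what such a record looks like on the wire. It builds a constructed Accounting-Request Stop record of the kind a switch sends to the server's UDP port 1813, computes the RFC 2866 Request Authenticator over it with a constructed shared secret, decodes it the way the server would, and shows the server-side check rejecting a record whose packet count was altered in transit. The attribute type numbers are the RFC 2865/2866 values; the user, addresses, session counters and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4           # RFC 2866 packet code, sent by the switch to UDP 1813
ACCT_START, ACCT_STOP = 1, 2     # Acct-Status-Type values

# Attribute type numbers from RFC 2865/2866.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 47, 48


def _attr(atype: int, value) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier: int, attrs: list, secret: bytes) -> bytes:
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The server-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes of a verified packet into a dict keyed by type number."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def stop_record_example(secret: bytes = b"constructed-shared-secret") -> dict:
    """Build, verify and decode a constructed Stop record for one client session."""
    packet = build_accounting_request(7, [
        (USER_NAME, "alice"),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),      # switch address (TEST-NET-1, constructed)
        (NAS_PORT, 3),                                  # authenticator port 3
        (CALLING_STATION_ID, "00-00-5E-00-53-0A"),      # client MAC (constructed)
        (ACCT_STATUS_TYPE, ACCT_STOP),
        (ACCT_SESSION_ID, "0000000a"),
        (ACCT_SESSION_TIME, 3600),                      # seconds between log on and log off
        (ACCT_INPUT_PACKETS, 1200),                     # packets received on the port
        (ACCT_OUTPUT_PACKETS, 800),                     # packets sent on the port
    ], secret)
    valid = verify_accounting_request(packet, secret)
    attrs = parse_attributes(packet)

    # Alter the packet count after the fact: the authenticator no longer matches.
    tampered = bytearray(packet)
    pos = packet.index(_attr(ACCT_INPUT_PACKETS, 1200), 20)
    tampered[pos + 2:pos + 6] = struct.pack("!I", 1)

    return {
        "valid": valid,
        "tampered_valid": verify_accounting_request(bytes(tampered), secret),
        "user": attrs[USER_NAME].decode(),
        "status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0],
        "session_time": struct.unpack("!I", attrs[ACCT_SESSION_TIME])[0],
        "input_packets": struct.unpack("!I", attrs[ACCT_INPUT_PACKETS])[0],
        "output_packets": struct.unpack("!I", attrs[ACCT_OUTPUT_PACKETS])[0],
    }


if __name__ == "__main__":
    print(stop_record_example())
```

The authenticator is the only integrity protection a RADIUS accounting record has, and it depends entirely on the shared secret, which is why the secret configured on the switch and on the server must match and should be treated with the same care as a password.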
Section VII Management Security The chapters in this section explain the management security features of the AT-S62 software.
Chapter 30 Web Server The chapter provides an overview of the web server feature and the procedure for configuring the server.
Web Server Overview
The AT-S62 management software comes with web server software so you can remotely manage a switch with a web browser from a management workstation on your network. (For instructions on how to manage a switch with a web browser, refer to the AT-S62 Web Browser Interface User’s Guide.) The web server can operate in two modes. The first is referred to as nonsecure HTTP mode.
Configuring the Web Server
This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode. Before configuring the web server, note the following: You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.
Menu option 4 is displayed only for HTTPS operation. The option is hidden for HTTP.
3. Type 1 to select Status to toggle the web server between enabled and disabled. To configure the web server, you must first disable it. Toggle between the following values:
Enabled - Enables the web server. This is the default setting.
Disabled - Disables the web server. (If you are making any changes to the web server settings, you must first disable it.)
4.
General Steps to Configuring the Web Server for Encryption
There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section is here to provide you with the general steps and the procedures for performing them. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.
6. Once you have received the appropriate certificates from the CA, download them into the AT-S62 file system from your management workstation or a TFTP server, as explained in “Downloading a System File” on page 202.
7. Add the certificates to the certificate database, as explained in “Adding a Certificate to the Database” on page 722.
8. Configure the web server on the switch by activating HTTPS and specifying the key pair used to create the enrollment request as the active key.
Chapter 31 Encryption Keys This chapter describes how to improve the security of your switches with encryption keys. Because of the complexity of the feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the Technical Overview section.
Basic Overview
Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised should an intruder gain access to critical switch information, such as a manager’s login username and password, and use that information to alter a switch’s configuration settings.
Encryption Key Length
To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits. The general rule on key lengths is that the longer the key, the more difficult it is for someone to break (decipher).
Technical Overview
The encryption feature provides the following data security services:
data encryption
data authentication
key exchange algorithms
key creation and storage
Data Encryption
Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
algorithm and key. For a given input block of plaintext, ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
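To make the ECB/CBC difference concrete, the added Python below (not DES, not the switch's code and not from this guide) encrypts four identical 64-bit blocks of ASCII blanks in both modes. The block cipher is a constructed toy Feistel network used only so that the example runs without external libraries; the mode logic is the point, and it would apply unchanged to a real 64-bit block cipher such as DES. The key, IV and function names are constructed for the example.

```python
import hashlib
from typing import List

BLOCK = 8   # 64-bit blocks, as with DES; the cipher below is a toy, not DES


def _round(half: int, round_key: bytes) -> int:
    """Round function: 32 bits taken from SHA-256(round key || half)."""
    digest = hashlib.sha256(round_key + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _round_keys(key: bytes) -> List[bytes]:
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(8)]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher, constructed for this example; no security claim."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in _round_keys(key):
        left, right = right, left ^ _round(right, rk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same network with the round keys reversed undoes encrypt_block."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in reversed(_round_keys(key)):
        left, right = right, left ^ _round(right, rk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, plaintext: bytes) -> List[bytes]:
    """ECB: each block is encrypted on its own, so equal blocks give equal output."""
    return [encrypt_block(key, b) for b in _blocks(plaintext)]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> List[bytes]:
    """CBC: each block is XORed with the previous ciphertext block (the IV first)."""
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> bytes:
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def compare_modes(key: bytes = b"toy-key!", iv: bytes = b"\x01" * 8) -> dict:
    """Encrypt four identical blocks of ASCII blanks in ECB and in CBC."""
    blanks = b" " * 32
    ecb = ecb_encrypt(key, blanks)
    cbc = cbc_encrypt(key, iv, blanks)
    return {"ecb_distinct": len(set(ecb)),      # 1: the repetition is visible
            "cbc_distinct": len(set(cbc)),      # 4: the chaining hides it
            "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == blanks}


if __name__ == "__main__":
    print(compare_modes())
```

Note that CBC hides repetition only if the IV is not reused with the same key: two messages encrypted under the same key and IV still produce identical leading ciphertext blocks wherever their plaintext agrees.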
public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generates a key pair and then distributes the public key to encrypting stations. This distribution does not need to be kept secret, but it must be protected against the substitution of the public key by a malicious third party. Another use for asymmetrical encryption is as a digital signature.
The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to be slightly more secure. HMAC is a mechanism for calculating a keyed Message Authentication Code which can use any one-way hash function.
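An added example, not from this guide or from Allied Telesyn: the Python below computes HMAC directly from its RFC 2104 definition over MD5 and SHA-1, checks the result against Python's own hmac module, and shows the 128-bit and 160-bit output sizes stated above. The key, message and function names are constructed for the example.

```python
import hashlib
import hmac


def hmac_digest(key: bytes, message: bytes, hashfunc) -> bytes:
    """HMAC as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || message)).

    `hashfunc` is any hashlib constructor; HMAC works with any one-way hash.
    """
    block_size = hashfunc().block_size          # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:
        key = hashfunc(key).digest()            # keys longer than a block are hashed first
    key = key.ljust(block_size, b"\x00")        # shorter keys are zero-padded to a block
    inner = hashfunc(bytes(k ^ 0x36 for k in key) + message).digest()
    return hashfunc(bytes(k ^ 0x5C for k in key) + inner).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes, hashfunc) -> bool:
    """Constant-time comparison, so a forger learns nothing from response timing."""
    return hmac.compare_digest(hmac_digest(key, message, hashfunc), tag)


def hmac_demo() -> dict:
    key, msg = b"constructed-key", b"set system name Sales-Switch"
    md5_tag = hmac_digest(key, msg, hashlib.md5)
    sha1_tag = hmac_digest(key, msg, hashlib.sha1)
    return {
        "md5_bits": len(md5_tag) * 8,                    # 128
        "sha1_bits": len(sha1_tag) * 8,                  # 160
        "matches_stdlib": (md5_tag == hmac.new(key, msg, hashlib.md5).digest()
                           and sha1_tag == hmac.new(key, msg, hashlib.sha1).digest()),
        "rejects_tamper": not verify_mac(key, msg + b"!", sha1_tag, hashlib.sha1),
        "rejects_wrong_key": not verify_mac(b"other-key", msg, sha1_tag, hashlib.sha1),
    }


if __name__ == "__main__":
    print(hmac_demo())
```

HMAC's security rests on the secrecy of the key, not on collision resistance of the hash, which is why HMAC-MD5 and HMAC-SHA1 outlived the collision attacks on bare MD5 and SHA-1; for new designs, a SHA-2 member is still the better choice.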
The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure. A Diffie-Hellman exchange starts with both parties generating a large random number. These values are kept secret, while the result of a public key operation on the random number is transmitted to the other party. A second public key operation, this time using the random number and the exchanged value, results in the shared secret.
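The exchange just described, as an added Python example that is not the switch's implementation and not from this guide: both sides generate a random private value, send only the result of the public operation, and each derives the same shared secret from its own private value and the peer's public value. The modulus is a constructed 127-bit toy prime, far under the 768-bit floor stated above, chosen only so the arithmetic runs instantly; real deployments use a standardized large group. A range check on the received public value is included, since a value of 0, 1 or p-1 would force a predictable secret. All names are chosen for the example.

```python
import secrets

# Constructed toy parameters. P is the Mersenne prime 2**127 - 1; it is far too
# small for real use and is not a standardized Diffie-Hellman group.
P = (1 << 127) - 1
# 2 would be a poor generator here: 2**127 == P + 1, so 2 has order only 127 modulo P.
G = 3


def private_value() -> int:
    """Each party's large random number, which never leaves that party."""
    return secrets.randbelow(P - 3) + 2          # in [2, P-2]


def public_value(priv: int) -> int:
    """First public-key operation; this number is what crosses the network."""
    return pow(G, priv, P)


def check_public_value(pub: int) -> bool:
    """Reject 0, 1 and P-1 (and anything out of range): they force a trivial secret."""
    return 2 <= pub <= P - 2


def shared_secret(priv: int, peer_pub: int) -> int:
    """Second public-key operation: our private value applied to the peer's public value."""
    if not check_public_value(peer_pub):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def exchange() -> dict:
    """Run one exchange between two parties and report what each side ends up with."""
    a, b = private_value(), private_value()
    pub_a, pub_b = public_value(a), public_value(b)   # the only values transmitted
    return {
        "a_side": shared_secret(a, pub_b),
        "b_side": shared_secret(b, pub_a),
        "transmitted": (pub_a, pub_b),
    }


if __name__ == "__main__":
    result = exchange()
    print("shared secrets agree:", result["a_side"] == result["b_side"])
```

Both sides compute G**(a*b) mod P, each by a different route, and an observer who sees only the two transmitted values must solve a discrete logarithm to recover it; the page's 768-bit floor is what makes that computation impractical, which the toy modulus here does not.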
Creating an Encryption Key
This section contains the procedure for creating an encryption key pair.
Caution
Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends performing it when the switch is not connected to a network or during periods of low network activity.
To create an encryption key pair, perform the following procedure:
1.
The Key Management menu is shown in Figure 239.
The Create Key menu is shown in Figure 240.
Allied Telesyn Ethernet Switch - AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2006
Create Key
1 - Key ID ............. 0
2 - Key Type ........... RSA-Private
3 - Key Length ......... 512
4 - Key Description ....
5 - Generate Key
U - Update Display
R - Return to Previous Menu
Enter your selection?
Figure 240. Create Key Menu
5. Type 1 to select Key ID.
9. Type 4 to create a key description. The following prompt is displayed:
Enter new Description ->
10. Enter a description for the key. For instance, the description could reflect the key’s function (for example, Sales switch SSL key). You can enter up to 40 alphanumeric characters including spaces.
11. Type 5 to generate the key. The following message is displayed:
Key generation will take some time. Please wait...
The management software begins to create the key.
Deleting an Encryption Key
This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure. Deleting a key pair from the key management database also deletes the key’s corresponding “.UKF” file from the AT-S62 file system. You cannot delete a key pair if it is being used by SSL or SSH.
Modifying an Encryption Key
The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key you can modify. This procedure starts from the Key Management menu. If you are unsure how to display the menu, perform steps 1 to 3 in “Creating an Encryption Key” on page 695. To change the description of a key, perform the following procedure:
1. From the Key Management menu, type 3 to select Modify Key.
Exporting an Encryption Key

The following procedure exports the public key of a key pair into the AT-S62 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following:

– The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not upload the key automatically when you start an SSH management session.
Note
Key Type is a read-only field. You cannot change this value.

3. Type 3 to toggle Key File Format to specify the format of the key. Possible settings are:

HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client.
SH2 - Indicates a format for an SSH2 environment.
Importing an Encryption Key

Use the following procedure to import a public key from the AT-S62 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored.

Note
It is unlikely you will ever have reason to perform this procedure. The switch can only use those keys it has generated itself.

This procedure starts from the Key Management menu.
3. Type 3 to select Key File Format to choose the format of the key. Selections are:

HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client.
SH2 - Indicates a format for an SSH2 environment. This is the correct setting for a key intended for an SSH2 client.

4.
Chapter 32
PKI Certificates and SSL

This chapter contains the procedures for creating Public Key Infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information, refer to the Technical Overview section.
Basic Overview

This chapter explains how to implement encryption for your web browser management sessions. Encryption can protect your managed switches from unauthorized access by making it impossible for an intruder monitoring network traffic to decipher the contents of the management packets exchanged between your workstation and a switch during a web browser management session.
general use, but will only be used by you and other network managers, you might decide that the switch’s certificate need not be issued by this type of CA.

Some large companies have private CAs. This is a person or group within the company with the responsibility of issuing certificates for the company’s network equipment. The value of a private CA is that the company can keep track of the certificates and control access to various network devices.
You cannot use quotation marks. To use the following special characters {=,+<>#;\}, type a “\” before the character.

Here are a few examples. This distinguished name contains only one part, the name of the switch:

    cn=Production Switch

This distinguished name omits the common name, but includes everything else:

    ou=Network Support,o=XYZ Inc.
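The distinguished-name rules above (no quotation marks; the characters = , + < > # ; \ must be preceded by a backslash inside a value) as an added Python example that is not part of the AT-S62 documentation; the attribute names and values used for the sample are constructed here, and the escape set is taken from the list of special characters given above.

```python
"""Build and parse distinguished names under the escaping rules stated
in the text: quotation marks are rejected, and each of = , + < > # ; \
is written with a preceding backslash when it occurs inside a value."""

# The special characters listed in the text, in the same order.
SPECIAL = set('=,+<>#;\\')


def escape_value(value: str) -> str:
    """Prefix every special character with a backslash; reject quotes."""
    if '"' in value:
        raise ValueError("quotation marks are not allowed in a distinguished name")
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def format_dn(parts) -> str:
    """parts: sequence of (attribute, value) pairs, e.g. [("cn", "Production Switch")]."""
    for attr, _ in parts:
        if not attr.isalpha():
            raise ValueError(f"bad attribute name: {attr!r}")
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in parts)


def parse_dn(dn: str):
    """Split a DN string back into (attribute, value) pairs, honouring escapes.

    A backslash-escaped character is kept literally and never treated as the
    '=' or ',' separator; an unescaped special character is an error."""
    parts, attr, buf, i, in_value = [], None, [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            # Escape: the next character must be one of the special set.
            if i + 1 >= len(dn) or dn[i + 1] not in SPECIAL:
                raise ValueError(f"dangling or invalid escape at offset {i}")
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            raise ValueError("quotation marks are not allowed in a distinguished name")
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf), [], True      # end of attribute name
        elif ch == "," and in_value:
            parts.append((attr, "".join(buf)))                 # end of one part
            attr, buf, in_value = None, [], False
        elif ch in SPECIAL:
            raise ValueError(f"unescaped special character {ch!r} at offset {i}")
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr:
        raise ValueError("distinguished name must end with attribute=value")
    parts.append((attr, "".join(buf)))
    return parts


def is_valid_dn(dn: str) -> bool:
    """True if the string parses under the rules above."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an organisation name containing '+' and ','.
    sample = [("o", "Sales+Support, Inc."), ("cn", "Production Switch")]
    encoded = format_dn(sample)
    print(encoded)                       # o=Sales\+Support\, Inc.,cn=Production Switch
    print(parse_dn(encoded) == sample)   # True
```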
SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature.

A web server can operate in one of two modes -- HTTP or HTTPS. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are sent encrypted.
Guidelines

Here are guidelines to creating certificates:

– A certificate can have only one public key.
– A switch can only use those certificates with keys it generated itself.
– You can create multiple certificates on a switch, but the device will only use the certificate whose key pair has been designated as the active key pair for the switch’s web server.
– Most web browsers support both unsecured (plaintext) and secured (encrypted) operation.
Technical Overview

The Secure Sockets Layer (SSL) feature is a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.
SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase.

User Verification

An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server. During the handshake, the following occurs:

1. The client and server establish the SSL version they are to use.
To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A Certification Authority issues certificates after checking that a public key belongs to its claimed owner. There are several agencies that are trusted to issue certificates.
this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate.

Warning
While a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached.
Elements of a Public Key Infrastructure

A Public Key Infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:

– At least one Certification Authority (CA), which issues and revokes certificates.
– At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
to be the root CA. This CA issues certificates to the next level down in the hierarchy (for example, regional headquarters), who become subordinate CAs and issue certificates to the next level down, and so on. A hierarchy may have as many levels as needed. Certificate hierarchies allow validation of certificates through certificate chains and cross-certification.
PKI Standards

The following standards are supported by the switch:

– draft-ietf-pkix-roadmap-05 — PKIX Roadmap
– RFC 1779 — A String Representation of Distinguished Names
– RFC 2459 — PKIX Certificate and CRL Profile
– RFC 2511 — PKIX Certificate Request Message Format
– PKCS #10 v1.
Creating a Self-signed Certificate

This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure:

– For a general review of all the steps to configuring the switch for a self-signed certificate, refer to “General Steps for a Self-signed Certificate” on page 685.
– The switch’s time and date must be set before creating a self-signed certificate.
The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 243.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    Public Key Infrastructure (PKI) Configuration

    1 - Maximum Number of Certificates....... 256
    2 - X509 Certificate Management
    3 - Generate Enrollment Request

    R - Return to Previous Menu

    Enter your selection?

Figure 243. Public Key Infrastructure (PKI) Configuration Menu

4.
Note
In the X509 Certificate Management Menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch.

5. Type 1 to select Create Self-Signed Certificate. The Create Self-Signed Certificate menu is shown in Figure 245.
9. Enter the ID number of the encryption key you want to use to create the certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535.

10. Type 3 to select Format to choose the encoding format for the certificate. Possible settings are:

DER - Indicates the certificate contents are in a binary format.
Adding a Certificate to the Database

Once you have created a certificate or received a certificate from a public or private CA, you need to add it into the certificate database to make it available for use by the switch’s web server. After you add a certificate to the certificate database, it appears in the X509 Certificate Management menu.

During the procedure you are asked to specify the certificate’s filename.
6. Type 1 to select Certificate Name and enter a name for the certificate. This is the name for the certificate as it will appear in the certificate database list. You can enter up to 24 alphanumeric characters. Spaces are allowed. No extension is needed. You might want to include in the name the filename of the certificate in the file system.
10. Type 5 to select Add Certificate to add the certificate to the certificate database. The management software adds the certificate to the database, a process that requires only a few seconds.

11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Certificate

The procedure in this section modifies a certificate. (The certificate to be modified must be in the certificate database.) Here are the certificate items you can modify:

– State - trusted or untrusted
– Type - EE, CA, or Self

Note
These parameters have no effect on the operation of a certificate. They are only included for informational purposes when the certificate is displayed in the certificate database.
3. Type 2 to select State and specify if a certificate is trusted or untrusted.

Trusted - This value indicates you have verified that the certificate is from a trusted CA. This is the default.
Untrusted - This value indicates the certificate is from an untrusted CA either because you have not verified the CA or you have verified the CA is untrusted.

4. Type 3 to specify the type assigned to the certificate.
Deleting a Certificate

The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure:

– Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S62 file system. To completely remove a certificate from the switch, you must also delete it from the file system.
Viewing a Certificate

This procedure displays information about a certificate, such as its distinguished name and serial number.

This procedure starts from the X509 Certificate Management menu. If you are unsure how to access the menu, perform steps 1 to 4 in the procedure “Adding a Certificate to the Database” on page 722.

To view the details of a certificate, perform the following procedure:

1.
The View Certificate Details menu (page 2) is shown in Figure 249.

    Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    View Certificate Details

    Subject ......... CN=149.44.44.44
    Issuer .......... CN=149.44.44.44
    MD5 Fingerprint...4E:76:06:FA:F6:C1:DA:FF:4D:E9:76:02:1D:8F:DA:CB
    SHA1 Fingerprint..
Generating an Enrollment Request

To request a certificate from a public or private CA, you need to generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S62 file system, from where you can upload it onto your management workstation or FTP server for submission to the CA.
5. From the Public Key Infrastructure (PKI) Configuration Menu, type 3 to generate an enrollment request. The Generate Enrollment Request Menu is shown in Figure 250.

    Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    Generate Enrollment Request Menu

    1 - Request Name....................
    2 - KeyPair ID ..................... 0
    3 - Format ......................... PEM
    4 - Type .........................
PEM - Creates the certificate in the Privacy Enhanced Mail (PEM) format, which is an ASCII format.

Note
Option 4, Type, cannot be changed. The PKCS10 value indicates the internal format of an enrollment request.

11. Type 5 to select Generate Enrollment Request. Once the switch has finished generating the request, you will see a message similar to the following.

    Enrollment request is being generated. Please wait ...Done.
    Enrollment Request available in file [Switch

12.
Installing CA Certificates onto a Switch

This section lists the procedures for installing a certificate created by a public or private CA onto the switch. It should be noted that a CA-generated certificate will consist of several certificates, with a minimum of two. All the certificates from the CA must be installed on the switch.

Note
A CA certificate can only be used on the switch where you created its certificate request.
Configuring PKI

Option 1 - Maximum Number of Certificates in the Public Key Infrastructure (PKI) Configuration menu controls the maximum number of certificates you can add to the certificate database. The range is 12 to 256. The default value is 256. There should be little cause or need for you to adjust this value.

To display the Public Key Infrastructure (PKI) Configuration menu, perform steps 1 to 3 of the procedure “Creating a Self-signed Certificate” on page 718.
Configuring SSL

To configure the SSL protocol, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2. From the Security and Services menu, type 9 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 251.

    Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    Secure Socket Layer (SSL)

    1 - Maximum Number of Sessions.........
Chapter 33
Secure Shell (SSH) Protocol

The chapter contains overview information about the Secure Shell (SSH) protocol and the procedure for configuring this protocol on a switch from a local or Telnet management session.
SSH Overview

Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem—it is only protected by plaintext usernames and passwords which are vulnerable to wiretapping and password guessing.
– Tunnelling of TCP/IP traffic

Note
Non-encrypted Secure Shell sessions serve no purpose.

SSH Server

The AT-S62 management software includes SSH server software. When the SSH server is activated, your remote management sessions of the switch from a management station that has SSH client software will be encrypted.

Note
If your switch is in a network protected by a firewall, you may need to configure the firewall to permit SSH connections.
SSH and Enhanced Stacking

The AT-S62 management software allows for encrypted SSH management sessions between a management workstation and a master switch of an enhanced stack, but not with slave switches, as explained in this section.

When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
Guidelines

Below are the guidelines to observe when configuring SSH:

– SSH requires two encryption key pairs. One key pair will function as the host key and the other the server key. For instructions on creating keys, refer to “Creating an Encryption Key” on page 695.
– The two encryption key pairs must be of different lengths of at least one increment (256 bits) apart.

General Steps to Configuring SSH
Configuring the SSH Server

This section describes how to configure the SSH server software on the switch. For a description of all the steps required to configure an SSH server, see “General Steps to Configuring SSH” on page 741.

This procedure assumes that you have already created the two key pairs. If you have not created the keys, go to “Creating an Encryption Key” on page 695.

While you are configuring the SSH feature, you must disable the SSH server.
3. Select 1 - SSH Server Status to enable or disable the SSH server.

4. Choose from one of the following:

Disabled - While you are configuring SSH, you must set this field to Disabled. This is the default.
Enabled - Select this value to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server.

Note
You cannot disable the SSH server when there is an active SSH connection.
Displaying SSH Information

To display SSH server information, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2. From the Security and Services menu, type 8 to select Secure Shell (SSH). The Secure Shell (SSH) Menu is shown in Figure 253 on page 742.

3. From the Secure Shell (SSH) menu, select 6 - Show Server information to display the SSH Server data. The Show Server Information Menu is shown in Figure 254.
Host Key ID: Indicates the host key ID defined for SSH.
Host Key Bits: Indicates the number of bits in the host key.
Server Key ID: Indicates the server key ID defined for SSH.
Server Key Bits: Indicates the number of bits in the server key.
Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated.
Chapter 34
TACACS+ and RADIUS Authentication Protocols

This chapter explains how to configure the parameter settings for the two authentication protocols TACACS+ and RADIUS.
TACACS+ and RADIUS Overview

TACACS+ and RADIUS are authentication protocols for enhancing the security of your network. (TACACS+ is an acronym for Terminal Access Controller Access Control System. RADIUS is an acronym for Remote Authentication Dial In User Services.)

In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server.
If the combination is valid, the authentication protocol server notifies the switch and the switch completes the login process, allowing the manager to manage the switch. If the username and password are invalid, the authentication protocol server notifies the switch and the switch cancels the login.

Authorization defines what a manager can do once logged in to a switch.
password up to 16 characters. Spaces are allowed in both a username and password, but special characters, such as asterisks and exclamation points, should be avoided.

– Assigning each combination an authorization level. How this is achieved differs depending on the server software you are using. TACACS+ controls this through the sixteen (0 to 15) different levels of the Privilege attribute.
defaults to the standard manager and operator accounts.

Note
For more information on TACACS+, refer to the RFC 1492 standard. For more information on RADIUS, refer to the RFC 2865 standard.
Configuring TACACS+ Authentication Protocol Settings

To configure the TACACS+ settings on the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 255.
5. To configure the TACACS+ parameters, type 3 to select TACACS+ Configuration. The TACACS+ Client Configuration menu is shown in Figure 256.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    User: Manager                          11:20:02 02-Jan-2006

    TACACS+ Client Configuration

    1 - TAC Server 1 .................. 0.0.0.0
    2 - TAC Server 2 .................. 0.0.0.0
    3 - TAC Server 3 .................. 0.0.0.
    4 - TAC Global Secret .............
    5 - TAC Timeout ...................
5 - TAC Timeout
This parameter specifies the maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server will not respond. If the timeout expires and the server has not responded, the switch queries the next TACACS+ server in the list. If there are not any more servers, the switch defaults to the standard Manager and Operator accounts. The default is 10 seconds. The range is 1 to 60 seconds.

7.
Configuring RADIUS Authentication Protocol Settings

To configure the RADIUS settings on the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Menu is shown in Figure 255 on page 752.
The RADIUS Client Configuration menu is shown in Figure 257.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    RADIUS Client Configuration

    1 - Global Encryption Key ............. ATI
    2 - Global Server Timeout period....... 10 second(s)
    3 - RADIUS Server 1 Configuration ..... 0.0.0.0
    4 - RADIUS Server 2 Configuration ..... 0.0.0.0
    5 - RADIUS Server 3 Configuration ..... 0.0.0.
    6 - Show Status
    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                          11:20:02 02-Jan-2006

    RADIUS Server 1 Configuration

    1 - Server IP Address ................. 0.0.0.0
    2 - Server Authentication UDP Port .... 1812
    3 - Server Encryption Key .............

    R - Return to Previous Menu

    Enter your selection?

Figure 258.
Displaying RADIUS Status and Settings

The RADIUS Client Configuration menu shown in Figure 257 on page 756 has a selection that displays the RADIUS client software settings.
Chapter 35
Management Access Control List

This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Management ACL Security Overview

This chapter explains how to restrict remote management access to a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser.
corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, the mask would depend on the address. For example, to allow all management stations in the subnet 149.11.11.0 to manage the switch, you would enter the mask 255.255.255.0.
Examples

Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device:

    IP Address:        149.11.11.11
    Mask:              255.255.255.255
    Application Type:  All

If the management ACL contained only the above ACE, then only that management station would be allowed to remotely manage the switch.
The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0:

    ACE #1
    IP Address:        149.11.11.11
    Mask:              255.255.255.255
    Application Type:  All

    ACE #2
    IP Address:        149.22.22.0
    Mask:              255.255.255.0
    Application Type:  All

This example allows the management station with the IP address 149.11.11.
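The mask semantics and the two-ACE example above, worked through as an added Python example that is not part of the AT-S62 documentation: an ACE matches a station when every address bit selected by a “1” in the mask equals the ACE’s address bit, and the station is permitted only if some ACE matches both its address and the requested application. It also carries the lock-out situation from the Telnet note in this chapter as a pre-flight check; the sample ACL, the station addresses and all function names are constructed here.

```python
"""Management ACL evaluation: bitwise mask compare plus Application Type."""
import ipaddress
from dataclasses import dataclass

# The application types the management ACL distinguishes.
VALID_APPS = {"Telnet", "Web", "Ping"}


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (used for addresses and masks)."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class ACE:
    ip: str
    mask: str
    apps: str  # "All" or a comma-separated list such as "Telnet,Ping"

    def permitted_apps(self) -> set:
        """Expand the Application Type field into the set of allowed apps."""
        if self.apps.strip() == "All":
            return set(VALID_APPS)
        apps = {a.strip() for a in self.apps.split(",")}
        unknown = apps - VALID_APPS
        if unknown:
            raise ValueError(f"unknown application type(s): {sorted(unknown)}")
        return apps

    def covers(self, station_ip: str) -> bool:
        """A "1" mask bit means compare that bit; a "0" bit means ignore it.
        Because the compare is bitwise, a non-contiguous mask works the same way."""
        mask = _to_int(self.mask)
        return (_to_int(station_ip) & mask) == (_to_int(self.ip) & mask)

    def matches(self, station_ip: str, app: str) -> bool:
        return self.covers(station_ip) and app in self.permitted_apps()


def is_permitted(acl, enabled: bool, station_ip: str, app: str) -> bool:
    """Decide whether a management station may use an application.

    With the management ACL disabled every station is allowed; with it
    enabled, some ACE must match both the station address and the app."""
    if app not in VALID_APPS:
        raise ValueError(f"unknown application type: {app}")
    if not enabled:
        return True
    return any(ace.matches(station_ip, app) for ace in acl)


def would_lock_out(acl, my_station_ip: str) -> bool:
    """Pre-flight check before enabling the ACL from a Telnet session: True if
    no ACE would keep Telnet access open for the station you are working from."""
    return not any(ace.matches(my_station_ip, "Telnet") for ace in acl)


# Constructed sample ACL, using the two ACEs from the example above.
SAMPLE_ACL = [
    ACE(ip="149.11.11.11", mask="255.255.255.255", apps="All"),
    ACE(ip="149.22.22.0", mask="255.255.255.0", apps="All"),
]

if __name__ == "__main__":
    for station, app in [("149.11.11.11", "Web"), ("149.22.22.77", "Telnet"),
                         ("149.33.33.1", "Ping")]:
        print(station, app, is_permitted(SAMPLE_ACL, True, station, app))
    print("lock-out risk for 10.0.0.5:", would_lock_out(SAMPLE_ACL, "10.0.0.5"))
```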
Enabling or Disabling the Management ACL

This procedure enables and disables the management ACL. When enabled, only those management stations specified in the ACL are allowed to manage the switch remotely using the Telnet application protocol or a web browser. When the feature is disabled, the management software on the switch can be accessed remotely from any management workstation.
A change to the status of the management ACL is immediately activated on the switch.

Note
If you activate this feature from a Telnet management session, your management session will end and you will not be able to reestablish it should the management ACL not contain an ACE with the IP address or subnet address of your management workstation.

4. After making changes, type R until you return to the Main Menu.
Creating an ACE

To create a new ACE in the management ACL, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL Configuration menu is shown in Figure 260 on page 764.

3. From the Management ACL Configuration menu, type 2 to select Create Management ACL Entry.
Telnet - Permits Telnet management.
Web - Permits web browser management.
Ping - Permits the management workstation to ping the switch.
All - Permits all of the above.

You can specify more than one by separating the selections with a comma (for example, “Telnet,Ping”).

The new ACE is added to the ACL.

8. After making your changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an ACE

To modify an ACE, you need to know its identification number. To view the identification numbers of the ACEs, refer to “Displaying the ACEs” on page 771.

To modify an ACE, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.

2. From the System Administration menu, type 7 to select Management ACL.
5. Make the desired changes to the entry by selecting the corresponding option and entering a new value. You cannot change an entry’s ID number. For information on an entry’s IP address, network mask, and applications, refer to steps 5, 6, and 7 in the procedure “Creating an ACE” on page 766.

6. After entering your changes, type M to select Modify Management ACL Entry. Your changes are immediately implemented on the switch.

7.
Deleting an ACE

To delete an ACE, you need to know its identification number. To view the identification numbers of the ACEs, refer to “Displaying the ACEs” on page 771.

Note
If you are managing the switch from a Telnet management session and the management ACL is active, your management session will end and you will not be able to reestablish it if you delete the ACE that specifies your management workstation.

To delete an ACE, perform the following procedure:

1.
Displaying the ACEs

To display the ACEs in the management ACL, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 52.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL Configuration menu is shown in Figure 260 on page 764.

3.
Appendix A
AT-S62 Default Settings

This appendix lists the AT-S62 factory default settings.
Basic Switch Default Settings

This section lists the default settings for basic switch parameters.
Note
Login names and passwords are case-sensitive.

RS-232 Port Default Settings

The following table lists the RS-232 Terminal Port default settings.

    RS-232 Port Setting    Default
    Data Bits              8
    Stop Bits              1
    Parity                 None
    Flow Control           None
    Baud Rate              9600 bps

SNTP Default Settings

The following table lists the SNTP default settings.
    Administration Setting    Default
    DHCP                      Disabled
    MAC Address Aging Time    300 seconds

System Software Default Settings

The following table lists the system software default settings.

    System Software Setting    Default
    Console Startup Mode       Command line

AT-8524POE Fan Control Default Setting

The following table lists the default setting for the fan control feature on the AT-8524POE switch.
Denial of Service Defense Default Settings

The following table lists the default settings for the Denial of Service defense feature.

    Denial of Service Defense Setting    Default
    IP Address                           0.0.0.0
    Subnet Mask                          0.0.0.
Enhanced Stacking Default Setting

The following table lists the enhanced stacking default setting.
Event Log Default Settings

The following table lists the event log default settings.
Appendix A: AT-S62 Default Settings GVRP Default Settings This section provides the default settings for GVRP.
AT-S62 Management Software Menus Interface User’s Guide IGMP Snooping Default Settings The following table lists the IGMP Snooping default settings.
Appendix A: AT-S62 Default Settings MAC Address-based Security Default Settings The following table lists the MAC address security default settings.
AT-S62 Management Software Menus Interface User’s Guide Management Access Control List Default Setting The following table lists the default setting for the Management Access Control List.
Appendix A: AT-S62 Default Settings PKI Default Settings The following table lists the PKI default settings, including the generate enrollment request settings.
AT-S62 Management Software Menus Interface User’s Guide Port Configuration Default Settings The following table lists the port configuration default settings.
802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port Access Control default settings.

802.1x Port Access Control Setting    Default
Port Access Control                   Disabled
Authentication Method                 RADIUS EAP
Port Role                             None

The following table lists the default settings for RADIUS accounting.

Authenticator Port Setting    Default
VLAN Assignment               Enabled
Secure VLAN                   On
Control Direction             Both
Piggyback Mode                Disabled
Guest VLAN                    None

The following table lists the default settings for a supplicant port.

Power Over Ethernet

The following table describes the Power over Ethernet (PoE) default settings. This feature only applies to the AT-8524POE switch.

PoE Setting           Default
PoE Status            Enabled
Port PoE Status       Enabled
Maximum Port Power    15.

Class of Service

The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.

IEEE 802.
Server-Based Authentication Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-Based Authentication Default Settings

The following table describes the server-based authentication default settings.

RADIUS Default Settings

SNMP Default Settings

The following table describes the SNMPv1 and SNMPv2c default settings.

STP, RSTP, and MSTP Default Settings

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting         Default
Spanning Tree Status       Disabled
Active Protocol Version    RSTP

STP Default Settings

The following table describes the STP default settings.
MSTP Default Settings

The following table lists the MSTP default settings.

SSH Default Settings

The following table lists the SSH default settings.

SSL Default Settings

The following table lists the SSL default settings.

VLAN Default Settings

This section provides VLAN default settings.

Web Server Default Settings

The following table lists the web server default settings.
Appendix B: SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.

SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:

Manager
Operator

In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 21, “SNMPv3” on page 375.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.

Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.

Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet

This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

SNMPv3 Access Table (continued)
Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table
User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table
Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table
Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
Storage Type

SNMPv3 Target Parameters Table
Target Parameters Name
Use
Security Model
Security Level
Storage Type
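The Manager and Operator examples in this appendix fill in three tables that the switch consults for every SNMPv3 request: the SecurityToGroup Table maps a user to a group, the Access Table maps the group plus the message's security level to read, write and notify views, and the View Table decides whether an OID lies inside a view. The Python script below is an added example, not code from this guide or from Allied Telesyn; it models that decision using the View-based Access Control Model rules of RFC 3415, with the View, Access and SecurityToGroup rows taken from the examples above. The Operator's user name (operator17), the Managers group's Access Table row, and the carved-out and masked view families used in the notes are assumptions, since the page does not show them, and the switch's own implementation may differ in detail.

```python
"""Access decision from the Appendix B SNMPv3 tables (added example, not
Allied Telesyn code).  Follows the View-based Access Control Model of
RFC 3415: user -> group (SecurityToGroup Table), group + security level ->
views (Access Table), OID -> in view or not (View Table).
Rows marked ASSUMPTION are not on the page."""

# Security levels as the switch's menus name them, lowest to highest.
LEVEL_RANK = {"NoAuthentication": 0, "Authentication": 1, "Privacy": 2}

# From the Operator example: one Included family covering the internet subtree.
VIEW_TABLE = [
    {"view": "internet", "subtree": "1.3.6.1", "mask": "", "type": "Included"},
]

ACCESS_TABLE = [
    # From the Operator example: read only, and only with authentication.
    {"group": "Operators", "model": "SNMPv3", "level": "Authentication",
     "read": "internet", "write": "", "notify": ""},
    # ASSUMPTION: the Managers row is not shown on the page; full access at
    # Privacy level is assumed here.
    {"group": "Managers", "model": "SNMPv3", "level": "Privacy",
     "read": "internet", "write": "internet", "notify": "internet"},
]

SECURITY_TO_GROUP = {
    ("systemadmin24", "v3"): "Managers",  # from the Manager example
    ("operator17", "v3"): "Operators",    # ASSUMPTION: Operator user name not on the page
}


def norm_model(model):
    """The menus write the model as 'v3' in one table and 'SNMPv3' in another."""
    return "SNMPv3" if model in ("v3", "SNMPv3") else model


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1); 'internet' is accepted as the page's alias."""
    return (1, 3, 6, 1) if text == "internet" else tuple(int(x) for x in text.split("."))


def parse_mask(text):
    """Subtree mask as hex octets ('FF:A0') -> list of bits.  An empty mask
    means every sub-identifier of the subtree must match (RFC 3415)."""
    bits = []
    for octet in filter(None, text.split(":")):
        bits.extend((int(octet, 16) >> (7 - i)) & 1 for i in range(8))
    return bits


def family_matches(subtree, mask, oid):
    """oid belongs to the family if it is at least as long as the subtree and
    agrees with it wherever the mask bit is 1 (bits past the mask count as 1)."""
    if len(oid) < len(subtree):
        return False
    return all(oid[i] == sub for i, sub in enumerate(subtree)
               if (mask[i] if i < len(mask) else 1))


def oid_in_view(view_name, oid, view_table=VIEW_TABLE):
    """True if oid is in the view.  Of the families that match, the longest
    subtree (then the greatest) decides, so an Excluded family can be carved
    out of a broader Included one."""
    best = None
    for row in view_table:
        subtree = parse_oid(row["subtree"])
        if row["view"] == view_name and family_matches(subtree, parse_mask(row["mask"]), oid):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, row["type"])
    return best is not None and best[1] == "Included"


def check_access(user, model, level, operation, oid_text):
    """Return (allowed, reason) for one request; reasons use the VACM error
    names so a denial points at the table that produced it."""
    group = SECURITY_TO_GROUP.get((user, model))
    if group is None:
        return False, "noGroupName"
    rows = [r for r in ACCESS_TABLE
            if r["group"] == group and norm_model(r["model"]) == norm_model(model)
            and LEVEL_RANK[r["level"]] <= LEVEL_RANK[level]]
    if not rows:
        return False, "noAccessEntry"  # row demands a stronger level than the message has
    entry = max(rows, key=lambda r: LEVEL_RANK[r["level"]])
    view_name = entry[operation]       # "read", "write" or "notify"
    if not view_name:
        return False, "noSuchView"     # e.g. Operators have no write view
    if not oid_in_view(view_name, parse_oid(oid_text)):
        return False, "notInView"
    return True, "ok"


if __name__ == "__main__":
    sys_name = "1.3.6.1.2.1.1.5.0"   # sysName.0, a constructed sample request
    for user, level, op in [("operator17", "Authentication", "read"),
                            ("operator17", "Authentication", "write"),
                            ("operator17", "NoAuthentication", "read"),
                            ("systemadmin24", "Privacy", "write")]:
        print(user, level, op, check_access(user, "v3", level, op, sys_name))
```

The Security Level in an Access Table row is a floor, not an exact match: the Operators row at Authentication admits requests sent with authentication or with authentication and privacy, and refuses one sent with neither, which is why leaving that field at NoAuthentication would let anyone who merely knows the user name read the whole internet subtree. The empty Write View Name is what makes the Operator read-only; the denial reason names the table so you can see which field to change.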
Appendix C: Standards and Features

10/100Base-TX Twisted Pair Ports
IEEE 802.1d Bridging
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3u Auto-Negotiation
IEEE 802.3x 10/100 Mbps Flow Control / Backpressure
— Auto-MDI/MDIX
— Head of Line Blocking
— Four Egress Queues Per Port

Fiber Optic Ports (AT-8516F/SC Switch)
IEEE 802.1d Bridging
IEEE 802.

— Type of Service Replacement
— Type of Service to 802.1q Priority Replacement
— 802.1q Priority to Type of Service Replacement
— Maximum Bandwidth Control
— Burst Size Control
— Support for Ingress and Egress Ports
IEEE 802.1p Class of Service with Strict and Weighted Round Robin Scheduling
— Port Access Control Lists
— Ingress Packet Rate Limiting

Spanning Tree Protocols
IEEE 802.1D Spanning Tree Protocol
IEEE 802.

IEEE 802.3ac VLAN Tag Frame Extension
IEEE 802.1P GARP VLAN Registration Protocol
RFC 1112 IGMP Snooping (Ver. 1.0)
RFC 2236 IGMP Snooping (Ver. 2.0)
RFC 3376 IGMP Snooping (Ver. 3.0)
IEEE 802.

— Encryption Keys
— Secure Shell (SSH) (Vers. 1.3, 1.5, 2.0)
— Management Access Control List

Management MIBs
RFC 1213 MIB-II
RFC 1215 TRAP MIB
RFC 1493 Bridge MIB
RFC 2863 Interface Group MIB
RFC 1643 Ethernet-like MIB
RFC 2674 IEEE 802.

— MAC address table with a storage capacity of 8K entries
— 2 megabyte file system

Denial of Service Defenses
Smurf
SYN Flood
Teardrop
Land
IP Option
Ping of Death

Management Access Methods
Enhanced Stacking™
Out-of-band management (serial port)
In-band management (over the network) using Telnet, SSH, web browser, or SNMP

Management Interfaces
Menus
Command Line
Web Browser
SNMP v1, v2, & v3
Index

Numerics

802.1x Port-based Network Access Control: access role, configuring 662; authentication process 645; authenticator port: configuring 665, described 645; configuring 662; disabling 664; enabling 664; guidelines 660; overview 644; port parameters, displaying 674; port role, configuring 662; port roles 646; supplicant port: configuring 671, described 644
802.

editing 182; overview 176; selecting 179; selecting active 179
Boot Protocol (BootP): activating 55; deactivating 55; default setting 775; defined 55
BPDU.

data encryption, described 690
daylight savings time (DST): default setting 775; setting 63
default values, AT-S62 software 773
default VLAN name 548
Denial of Service (DoS) defense: configuring 340; default settings 777; mirror port 342; overview 334
DER certificate format 731
DES privacy protocol 377
DES.

displaying: GVRP state machine 604, parameters 597, statistics 597; enabling on a port 593; GIP connected ports ring 603; guidelines 584; GVRP counters 598; GVRP state machine, displaying 604; intermediate switches 586; overview 582; parameters, displaying 597; security issues 585; statistics, displaying 597
GARP.

displaying status 161; enabling or disabling protocol 154; guidelines 143; modifying aggregator 158
Land attack 335
limited port security mode, described 634
Link Aggregation Control Protocol (LACP) port trunk: port priority, described 142
Link Aggregation Control Protocol.
deleting 530; list 528; modifying 530; removing a VLAN association 534; port priority 528
Multiple Spanning Tree Protocol (MSTP): activating 522; associating VLANs to MSTI IDs 532; associations 512; bridge forwarding delay 524; bridge hello time 524; bridge identifier 525; bridge max age 524; configuration name 513, 525; connecting VLANs 519; default settings 793; diagram 510; edge port 538; force version 524; max hops 525; MSTI ID: creating 528, deleting 528, modifying 530; MSTI priority, defined 515; overview 508; point-to

port mirror: creating 167; deleting 169; destination port 166; source port 166
port mirroring, described 166
port mode parameter 594
port parameters, configuring: general 109; Multiple Spanning Tree Protocol (MSTP) 536; Rapid Spanning Tree Protocol (RSTP) 503; Spanning Tree Protocol (STP) 497
port priorities, displaying 320, 576
port priority: default setting 792; described 487; Rapid Spanning Tree Protocol (RSTP) 505; Spanning Tree Protocol (STP) 499
port priori

bridge max age 502; bridge parameters, configuring 501; bridge priority 502; default settings 792; disabling 493; edge port, configuring 505; enabling 493; force version 502; point-to-point port, configuring 505; port configuration, displaying 505; port cost 505; port parameters, configuring 503; port priority 505; port state, displaying 506
rate limit, setting 118
reg (registrar state machine) parameter 606
regional root ID parameter 529
regional root path cost parameter 529
regional root, described 515
remote m

deleting 409; displaying 475; modifying: notify view 416, read view 411, storage type 418, write view name 414
SNMPv3 Access Table, described 382
SNMPv3 community 462
SNMPv3 Community Table entry: creating 463; deleting 466; displaying 480; modifying: community name 467, security name 469, storage type 470, transport tag 469
SNMPv3 Community Table, described 384
SNMPv3 Engine ID, defined 377
SNMPv3 Notify Table entry: creating 429; deleting 431; displaying 477; modifyi

port settings, configuring 497; port settings, displaying 499
spanning tree, default setting 792
SSH server status parameter 743
SSH. See Secure Shell (SSH)
SSL key ID, configuring 684
SSL messages 712
SSL.

V

versions supported (SSH) parameter 744
VID. See VLAN ID
view type, modifying 401
virtual LAN (VLAN): creating 559, 563, 619; default settings 796; defined 546; deleting 571, 574; displaying 569, 613, 626; modifying 565, 622; multiple 802.