AT-S62 Management Software User’s Guide
AT-8524M Layer 2+ Fast Ethernet Switch, Version 1.1
Copyright © 2004 Allied Telesyn, Inc. 960 Stewart Drive Suite B, Sunnyvale, CA 94085 USA All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation, Netscape Navigator is a registered trademark of Netscape Communications Corporation.
Table of Contents
List of Figures ..... 16
Preface ..... 25
How This Guide is Organized
Chapter 3 Enhanced Stacking ..... 48
Enhanced Stacking Overview ..... 49
Guidelines
Load Distribution Methods ..... 123
Creating a Port Trunk ..... 129
Modifying a Port Trunk
Chapter 14 Quality of Service ..... 191
Quality of Service Overview ..... 192
Class of Service (CoS)
Configuring the SNMPv3 SecurityToGroup Table ..... 268
Creating an SNMPv3 SecurityToGroup Table Entry ..... 268
Deleting an SNMPv3 SecurityToGroup Table Entry
Summary of Guidelines ..... 363
Configuring MSTP Bridge Settings ..... 369
Configuring the CIST Priority
Chapter 22 Multiple VLAN Modes ..... 446
Multiple VLAN Mode Overview ..... 447
802.1Q-Compliant Multiple VLAN Mode
Data Authentication ..... 497
Key Exchange Algorithms ..... 498
Creating an Encryption Key
Chapter 30 Management Access Control List ..... 563
Management Access Control List Overview ..... 564
Parts of a Management ACE
Chapter 37 Port Trunking ..... 628
Creating a Port Trunk ..... 629
Modifying a Port Trunk
Configuring the SNMPv3 Access Table ..... 696
Creating an Access Table ..... 696
Deleting an Access Table Entry
Chapter 47 GARP VLAN Registration Protocol ..... 775
Configuring GVRP ..... 776
Enabling or Disabling GVRP on a Port
Denial of Service Prevention Default Settings ..... 830
STP, RSTP, and MSTP Default Settings ..... 831
Spanning Tree Switch Settings
List of Figures
Chapter 1 Overview ..... 31
Chapter 2 Starting a Local or Telnet Management Session ..... 40
Figure 1: Connecting a Terminal or PC to the RS232 Terminal Port
Figure 24: Head of Line Blocking
Figure 25: Flow Control Menu
Figure 26: Back Pressure Menu
Figure 60: Show Port CoS Priorities Menu ..... 202
Chapter 15 IGMP Snooping ..... 203
Figure 61: Advanced Configuration Menu
Figure 106: RSTP Menu ..... 347
Figure 107: RSTP Port Parameters Menu ..... 349
Figure 108: Configure RSTP Port Settings Menu
Chapter 23 MAC Address Security ..... 454
Figure 149: Port Security Menu ..... 458
Figure 150: Configure Port Security Menu #1
Chapter 30 Management Access Control List ..... 563
Figure 186: Management ACL Menu ..... 568
Chapter 31 Starting a Web Browser Management Session
Chapter 39 File Downloads and Uploads ..... 644
Figure 218: System Utilities Tab ..... 646
Chapter 40 Event Log
Figure 259: Monitoring, SNMPv3 Access Table Page
Figure 260: Monitoring, SNMPv3 SecurityToGroup Table Page
Figure 261: Monitoring, SNMPv3 Notify Table Page
Chapter 52 RADIUS and TACACS+ Authentication Protocols ..... 808
Figure 296: Server-based Authentication Tab (Configuration) ..... 809
Figure 297: TACACS+ Configuration Page
Preface
This guide contains instructions on how to configure an AT-8524M Layer 2+ Fast Ethernet Switch using the menu and web browser interfaces of the AT-S62 management software. For instructions on how to manage the switch from the command line interface, refer to the AT-S62 Command Line User’s Guide, available from the Allied Telesyn web site.
How This Guide is Organized
This manual is divided into seven sections.
Section III: SNMPv3 Operations
The chapter in this section explains how to configure the switch for SNMPv3. (The instructions for SNMPv1 and SNMPv2 are in Section I, Basic Operations.)
Section IV: Spanning Tree Protocols
The chapters in this section explain the Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree Protocols.
Section V: Virtual LANs
The chapters in this section explain port-based and tagged VLANs, GVRP, and the multiple VLAN modes.
Document Conventions
This document uses the following conventions:
Note
Notes provide additional information.
Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides
The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) from our web site at www.alliedtelesyn.com. You can view the documents on-line or download them onto a local workstation or server.
Contacting Allied Telesyn
This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.
Online Support
You can request technical support online by accessing the Allied Telesyn Knowledge Base from the following web site: http://kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Management Software Updates
You can download new releases of management software for our managed products from either of the following Internet sites:
❑ Allied Telesyn web site: http://www.alliedtelesyn.com
❑ Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com
To download new software from the Allied Telesyn FTP server using your workstation’s command prompt, you need FTP client software and you must log in to the server.
Chapter 1 Overview
This chapter reviews the functions of the AT-S62 management software, the types of sessions you can use to access the software, and the management access levels.
Management Overview
The AT-S62 management software is intended for the AT-8524M switch. You use the software to monitor and adjust the switch’s operating parameters.
There are four different ways to access the management software on an AT-8524M switch. These methods are referred to in this guide as management sessions. They are:
❑ Local management session
❑ Telnet management session
❑ Web browser management session
❑ SNMP management session
The following sections in this chapter briefly describe each type of management session.
Local Management Session
You establish a local management session with an AT-8524M switch by connecting a terminal or a PC with a terminal emulator program to the RS232 Terminal Port on the switch, using the straight-through RS-232 management cable included with the switch. The RS232 Terminal Port is located on the front panel of the AT-8524M switch.
Telnet Management Session
You can use any management workstation on your network that has the Telnet application protocol to manage an AT-8524M switch. This type of management session is referred to in this guide as a remote management session because you do not have to be in the wiring closet where the switch is located. You can manage the switch from any workstation on the network that has the application protocol.
Web Browser Management Session
You can also use a web browser from a management workstation on your network to manage a switch. This too is referred to as remote management because you can be anywhere on your network when managing the device.
Note
For instructions on starting this type of management session, refer to Starting a Web Browser Management Session on page 574.
SNMP Management Session
Another way to remotely manage the switch is with an SNMP management program. AT-S62 software supports SNMPv1, SNMPv2c, and SNMPv3. You need to be very familiar with Management Information Base (MIB) objects to configure a switch using SNMP management.
Management Access Levels
There are two levels of management access in the AT-S62 management software: Manager and Operator. Manager access gives you the power to view and configure all of a switch’s operating parameters. Operator access only allows you to view the operating parameters; you cannot change any values. The switch has two default login accounts. For Manager access, the login name is “manager” and the default password is “friend”.
Section I Basic Operations The chapters in this section cover a variety of basic switch features and functions.
Chapter 2 Starting a Local or Telnet Management Session
This chapter contains the procedure for starting a local or Telnet management session on an AT-8524M switch.
Local Management Session
To establish a local management session, you connect a terminal or PC with a terminal emulator program to the RS-232 terminal port on the front panel of the AT-8524M switch. A local management session is so named because you must be close to the switch, usually within a few meters, to start this type of management session. This means you must be in the wiring closet where the switch is located.
Starting a Local Management Session
To start a local management session, perform the following procedure:
1. Connect one end of the straight-through RS232 management cable to the RS232 Terminal Port on the front panel of the switch.
Figure 1: Connecting a Terminal or PC to the RS232 Terminal Port
2.
4. When prompted, enter a username and password. To configure the switch settings, enter “manager” as the user name. The default password for manager access is “friend”. To view the settings only, enter “operator” as the user name. The default password for operator access is “operator”. Usernames and passwords are case-sensitive. For information on the two access levels, refer to Management Access Levels on page 38.
To select a menu item, type the corresponding letter or number. Pressing the Esc key or typing the letter R in a submenu returns you to the previous menu.
Enhanced Stacking
When you start a local management session on a switch that has been configured as a Master switch, you can manage all the switches in the enhanced stack from the same management session.
Telnet Management Session
You can use the Telnet application protocol from a workstation on your network to manage an AT-8524M switch. This type of management is referred to as remote management because you do not have to be physically close to the switch to start the session, as you do with a local management session. Any workstation on your network that has the application protocol can be used to manage the unit.
Note
You can run only one Telnet management session on a switch at a time. Additionally, you cannot run both a Telnet management session and a local management session on the same switch at the same time.
Quitting a Telnet Management Session
To end a Telnet management session, return to the Main Menu and type Q for Quit.
Saving Your Parameter Changes
When you make a change to a switch parameter, the change is, in most cases, immediately activated on the switch as soon as you enter it. However, most parameter changes are initially saved only to temporary memory in the switch and will be lost the next time you reset or power cycle the unit. To permanently save your changes, you must select the S Save Configuration Changes option from the Main Menu.
Chapter 3 Enhanced Stacking
This chapter explains the enhanced stacking feature.
Enhanced Stacking Overview
The enhanced stacking feature can make it easier for you to manage the AT-8524M switches in your network. It offers the following benefits:
❑ You can manage up to 24 switches from one local or remote management session. This eliminates the need of having to initiate a separate management session with each switch in your network.
❑ The switches can share the same IP address.
There are three basic steps to implementing this feature on your network:
1. You must select a switch to function as the master switch of the enhanced stack. The master switch can be any switch that supports enhanced stacking, such as an AT-8000 Series switch, an AT-8400 Series switch, or an AT-8524M switch. For networks that consist of more than one subnet, there must be at least one master switch in each subnet.
Figure 4 is an example of the enhanced stacking feature.
Figure 4: Enhanced Stacking Example (Subnet A: Master 1, IP address 149.32.11.22, and Master 2, IP address 149.32.11.16; Subnet B: Master 1, IP address 149.32.09.18, and Master 2, IP address 149.32.09.24; the two subnets are connected by a router)
The example consists of a network of two subnets interconnected with a router.
Setting a Switch’s Enhanced Stacking Status
The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:
❑ Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. Once you establish a local or remote management session with the Master switch, you can access and manage all the switches in the stack. A master switch must have a unique IP address.
The Enhanced Stacking menu is shown in Figure 5.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch                         User: Manager    11:20:02 02-Jan-2004
Enhanced Stacking
1 - Switch State-(M)aster/(S)lave/(U)navailable.... Master
2 - Stacking Services
R - Return to Previous Menu
Enter your selection?
Figure 5: Enhanced Stacking Menu
The menu displays the current status of the switch at the end of selection “1 - Switch State”.
Selecting a Switch in an Enhanced Stack
Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
3. Type 1 to select Get/Refresh List of Switches. The Master switch polls the subnet for all slave and Master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu. The Master switch on which you started the management session is not included in the list, nor are any switches with an enhanced stacking status of Unavailable. By default, the switches are sorted in the menu by MAC address.
Chapter 4 Basic Switch Parameters
This chapter contains a variety of information and procedures. There is a discussion on when to assign an IP address to a switch and the different ways to do it. There are also procedures for resetting the switch, activating the switch default settings, and more.
When Does a Switch Need an IP Address?
One of the tasks in building or expanding a network is deciding which managed switches need to be assigned a unique IP address. The rule used to be that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application protocol. However, if a network contained a lot of managed switches, having to assign each one an IP address was often cumbersome and time consuming.
How Do You Assign an IP Address?
After you have decided which, if any, switches on your network need an IP address, you must access the AT-S62 software on the switches and assign the addresses. There are two ways in which a switch can obtain an IP address. The first method is for you to assign the IP configuration information manually. The procedure for this is explained in Configuring an IP Address and Switch Name on page 59.
Configuring an IP Address and Switch Name
The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch from a local or Telnet management session. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure Activating the BOOTP and DHCP Client Software on page 62.
2. From the System Administration menu, type 2 to select System Configuration. The System Configuration menu is shown in Figure 8.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch                         User: Manager    11:20:02 02-Jan-2004
System Configuration
1 - BOOTP/DHCP ........ Disabled
2 - IP Address ........ 0.0.0.0
3 - Subnet Mask ....... 0.0.0.0
4 - Default Gateway ... 0.0.0.0
5 - System Name ....... Production Switch
6 - Location .......... Bldg. 12 Rm.
3 - Subnet Mask
This parameter specifies the subnet mask for the switch. You must specify a subnet mask if you assigned an IP address to the switch. The subnet mask must be entered in the format: xxx.xxx.xxx.xxx. The default value is 255.255.0.0.
4 - Default Gateway
This parameter specifies the default router’s IP address. This address is required if you intend to remotely manage the switch from a management station that is separated from the switch by a router.
Activating the BOOTP and DHCP Client Software
The BOOTP and DHCP application protocols were developed to simplify network management. They are used to automatically assign IP configuration information to the devices on your network, such as an IP address, subnet mask, and a default gateway address. The AT-8524M switch contains the client software for these protocols and can obtain its IP configuration information from a BOOTP or DHCP server on your network.
The following prompt is displayed:
BOOTP/DHCP (E-Enabled, D-Disabled):
4. Type E to enable BOOTP and DHCP services on the switch or D to disable the services and press Return. The default is disabled.
Note
If you activate the BOOTP/DHCP client software, the switch immediately begins to query the network for a BOOTP or DHCP server. The switch continues to query the network for its IP configuration until it receives a response.
Rebooting a Switch
This procedure reboots the switch.
Note
Any configuration changes not saved will be lost once the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.
To reboot the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2.
Configuring the Manager and Operator Passwords
There are two levels of management access on an AT-8524M switch: manager and operator. When you log in as manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator by entering the appropriate username and password when you start an AT-S62 management session.
Note
A password can be from 0 to 16 alphanumeric characters. Passwords are case-sensitive. You should not use spaces or special characters, such as asterisks (*) or exclamation points (!), in a password if you will be managing the switch from a web browser. Many web browsers cannot handle special characters in passwords.
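The password rules in the note above (0 to 16 alphanumeric characters, case-sensitive, no spaces or special characters if the switch will be managed from a web browser) and the two factory default accounts named earlier (manager/friend and operator/operator) can be checked before a new password is typed into the switch. The following Python function is an added example written against this guide's rules; it is not part of the AT-S62 software. The function name, the "password equals the username" check and the `web_managed` flag are this example's own additions.

```python
import re

MAX_PASSWORD_LENGTH = 16
# Factory default passwords of the two AT-S62 login accounts, as stated in this guide.
FACTORY_DEFAULTS = {"manager": "friend", "operator": "operator"}
# Letters and digits only: the characters every web browser login form handles.
ALPHANUMERIC = re.compile(r"[A-Za-z0-9]+")


def check_password(account: str, password: str, web_managed: bool = True) -> list:
    """Return the reasons a proposed AT-S62 password should be rejected.

    An empty list means the password satisfies the guide's rules and is not a
    factory default. The switch treats usernames and passwords as case-sensitive,
    so no case folding is done here.
    """
    problems = []
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if not password:
        # The switch accepts a 0-character password; flag it instead of allowing it.
        problems.append("empty password leaves the account unprotected")
    elif web_managed and not ALPHANUMERIC.fullmatch(password):
        problems.append("contains spaces or special characters; web browser login may fail")
    if FACTORY_DEFAULTS.get(account) == password:
        problems.append(f"still the factory default for the {account} account")
    if password == account:
        # Added check (not a rule from the guide): the operator default is its own username.
        problems.append("password equals the username")
    return problems


if __name__ == "__main__":
    for acct, pw in (("manager", "friend"), ("operator", "operator"), ("manager", "Xk7pQ2mW")):
        print(acct, "->", check_password(acct, pw) or "ok")
```

Because the rule set is tiny, the value of the function is in running it from whatever tooling issues the password change, so that a default or browser-incompatible password is rejected before it reaches the switch.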
Setting the System Time
This procedure explains how to set the switch’s date and time. Setting the system time is important if you configured the switch to send traps to your management workstations. Traps from a switch where the time has not been set will not contain the correct date and time, making it difficult for you to determine when the events represented by the traps occurred.
The Configure System Time menu is shown in Figure 11.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch                         User: Manager    11:20:02 02-Jan-2004
Configure System Time
1 - System Time ................... 00:04:22 on 01-Jan-1970
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.
4 - UTC Offset ....................
5 - Daylight Savings Time (DST) ...
6 - Poll Interval .................
7 - Last Delta ....................
Note
If the switch is obtaining its IP address and subnet mask from a DHCP server, you can configure the DHCP server to provide the switch with an IP address of an NTP or SNTP server. If you configured the DHCP server to provide this address, then you do not need to enter it here, and you can skip ahead to step c.
The following prompt is displayed:
Enter SNTP server IP address ->
b. Enter an IP address of an SNTP or NTP server.
c.
g. Type 6 to select Poll Interval to specify the time interval between queries to the SNTP server. The following prompt is displayed:
Enter interval to poll SNTP server [60 to 1200] -> 600
h. Enter the number of seconds the switch waits between polling the SNTP or NTP server. The default is 600 seconds. The range is from 60 to 1200 seconds.
i. Type 2 to select SNTP Status to enable or disable the SNTP client.
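The System Configuration and Configure System Time menus above are plain text, which makes them easy to capture from a Telnet session and check against the rules this chapter states: an IP address, valid subnet mask and on-subnet gateway are needed for remote management, the clock must be set (or SNTP enabled) for traps to carry usable timestamps, and the poll interval must be within 60 to 1200 seconds. The following Python script is an added example, not part of the AT-S62 software; the two menu screens are constructed to match the menus shown in this chapter, and the parser, the finding texts and the `audit` function are this example's own design.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed samples modelled on the System Configuration and Configure System
# Time menus shown in this chapter; they are not captures from a real switch.
SYSTEM_CONFIG = """\
System Configuration
1 - BOOTP/DHCP ........ Disabled
2 - IP Address ........ 0.0.0.0
3 - Subnet Mask ....... 255.255.0.0
4 - Default Gateway ... 0.0.0.0
5 - System Name ....... Production Switch
"""

SYSTEM_TIME = """\
Configure System Time
1 - System Time ................... 00:04:22 on 01-Jan-1970
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.0
6 - Poll Interval ................. 600
"""

# One menu row: "<number> - <label> ....... <value>"; the value may be empty.
MENU_ROW = re.compile(r"^\s*\d+\s*-\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")


def parse_menu(screen: str) -> dict:
    """Map each menu label to its displayed value; non-row lines are ignored."""
    fields = {}
    for line in screen.splitlines():
        match = MENU_ROW.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit(system_config: str, system_time: str) -> list:
    """Return findings that would block remote management or corrupt trap timestamps."""
    cfg = parse_menu(system_config)
    clock = parse_menu(system_time)
    findings = []

    ip = cfg.get("IP Address", "0.0.0.0")
    mask = cfg.get("Subnet Mask", "255.255.0.0")
    gateway = cfg.get("Default Gateway", "0.0.0.0")

    if ip == "0.0.0.0" and cfg.get("BOOTP/DHCP") != "Enabled":
        findings.append("no IP address: Telnet, web browser and SNMP management are unavailable")
    else:
        try:
            # strict=False accepts a host address with its mask and yields the subnet.
            net = IPv4Network(f"{ip}/{mask}", strict=False)
            if gateway != "0.0.0.0" and IPv4Address(gateway) not in net:
                findings.append(f"default gateway {gateway} is not on the switch's subnet {net}")
        except ValueError:
            findings.append(f"IP address, subnet mask or gateway is malformed: {ip}/{mask} via {gateway}")

    # Traps carry the switch's own clock, so the 1970 epoch default or a disabled
    # SNTP client means the trap timestamps cannot be trusted.
    if clock.get("SNTP Status") != "Enabled" or clock.get("System Time", "").endswith("1970"):
        findings.append("system time not set or SNTP disabled: trap timestamps will be wrong")

    try:
        poll = int(clock.get("Poll Interval", "600"))
    except ValueError:
        poll = -1
    if not 60 <= poll <= 1200:
        findings.append(f"SNTP poll interval {poll} is outside the valid range of 60 to 1200 seconds")

    return findings


if __name__ == "__main__":
    for finding in audit(SYSTEM_CONFIG, SYSTEM_TIME):
        print("FINDING:", finding)
```

The two constructed screens reproduce the factory state shown in Figures 8 and 11 (no IP address, clock at the 1970 epoch, SNTP disabled), so the script reports two findings for them; a switch with an address, an on-subnet gateway and SNTP enabled produces none. The same parser works for any AT-S62 menu that uses the "number - label .... value" layout.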
Configuring the Console Startup Mode
You can configure the AT-S62 software to display either the Main Menu or the command line interface prompt whenever you start a local or Telnet management session. The default is the command line interface. To change the console startup mode, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2.
Configuring the Console Timer
The AT-S62 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. The management software automatically ends a local or remote management session if it does not detect any activity from the management station after the console timer has expired.
Enabling or Disabling the Telnet Server
This procedure explains how to enable and disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with the Telnet application protocol or if you intend to use the Secure Shell (SSH) protocol. To enable or disable the Telnet server, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2.
Setting the Baud Rate of the RS-232 Terminal Port
The default baud rate of the RS-232 Terminal Port on the switch is 9600 bps. To change the baud rate, do the following:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration. The Console (Serial/Telnet) Configuration menu is shown in Figure 12 on page 71.
3.
Pinging a Remote System
You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device.
Note
The switch must have an IP address to perform this procedure.
To instruct the switch to ping a network device, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2.
Returning the AT-S62 Software to the Factory Default Values
The procedure in this section returns all AT-S62 software parameters, including IP address and subnet mask, if assigned, to the default values. Please note the following before performing this procedure:
❑ Returning all parameter settings to their default values also deletes any port-based or tagged VLANs you created on the switch.
❑ This procedure does not delete files from the AT-S62 file system.
The following prompt is displayed:
This operation requires a switch reboot. Continue? [Yes/No] ->
4. Type Y for yes or N to cancel the procedure. If you respond with yes, the following prompt is displayed:
Do you want to reset serial baud rate to 9600 bps? [Yes/No] ->
5. Typing Y for yes changes the baud rate of the RS232 Terminal Port to its default value of 9600 bps. Typing N leaves the baud rate at its current setting.
Viewing System Hardware and Software Information
The procedure in this section displays hardware and software information about the switch. The information includes the switch’s serial number and MAC address, as well as the status of the power supply and fan. To display this information, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2.
The System Hardware Information menu is shown in Figure 14.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch                         User: Manager    11:20:02 02-Jan-2004
System Hardware Status
System 1.8V Power ............... 1.79V
System 2.5V Power ............... 2.53V
System 3.3V Power ............... 3.30V
System 5V Power ................. 5.
System Temperature (Celsius) ....
System Fan Speed ................
Main Power Supply ...............
Redundant Power Supply ..........
Setting the Switch’s Temperature Threshold
You can set a temperature threshold on the switch which, if exceeded, causes the unit to send an SNMP trap to your management workstation. The default threshold is 90° Celsius. To change the temperature threshold for the switch, do the following:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 2 to select System Configuration.
3.
Chapter 5 SNMPv1 and SNMPv2c Configuration
This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
SNMPv1 and SNMPv2c Overview
The Simple Network Management Protocol (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S62 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c.
Community String Name
You must give the community string a name. The name can be from one to eight alphanumeric characters. Spaces are allowed.
Access Mode
This defines what the community string will allow a network manager to do. There are two access modes: Read and Read/Write. A community string with an access mode of Read can only be used to view but not change the MIB objects on a switch.
Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of only Read. If you are not interested in receiving traps, then you do not need to enter any IP addresses of trap receivers.
Enabling or Disabling SNMP Management
To enable or disable SNMP management for the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16.
Setting the Authentication Failure Trap
As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to the other traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management.
Creating an SNMP Community String
To create a new SNMP community string, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 85.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
5. Enter the new SNMP community string. The name can be from one to fifteen alphanumeric characters. Spaces are allowed. This prompt is displayed:
Enter Access Mode [R-Read Only, W-Read/Write]:
6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch.
Modifying a Community String
To modify a community string, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 85.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
The menu options are described below:
1 - Add Attributes to Community
If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following:
1. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
3. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:
Enter Trap Receiver IP Addr:
4. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Do you want to change Community Status? (Y/N): [Yes/No] ->
4. Type Y to change the string’s status or N to cancel the change.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5 - Set Community Open Status
Use this selection to change a string’s open status. A string with an open status can be used by any network administrator.
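The access checks this chapter describes (Read versus Read/Write, open versus closed status with permitted management stations, and trap fan-out to every receiver on every string), as an added Python model that is not AT-S62 code; the IP addresses are constructed, and treating an unknown community string or a non-permitted station as an SNMP authentication failure is an assumption from standard agent practice rather than a statement in this guide:

```python
"""Model of the SNMPv1/SNMPv2c community string rules described in this chapter.

Constructed example, not AT-S62 code. It encodes only what the guide states:
access mode Read or Read/Write, open versus closed status (a closed string is
usable only from the management station IPs assigned to it), up to eight trap
receivers per string, and trap fan-out to every receiver on every string
regardless of access mode. Treating an unknown community string, or a closed
string used from a non-permitted station, as an SNMP authentication failure is
standard agent behaviour assumed here, not a statement taken from the guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_NAME_LEN = 15        # "one to fifteen alphanumeric characters"; spaces allowed
MAX_TRAP_RECEIVERS = 8   # "up to eight trap IP addresses" per community string


@dataclass
class Community:
    name: str
    access: str                           # "R" = Read only, "W" = Read/Write
    is_open: bool = True                  # open: any station; closed: managers only
    managers: Set[str] = field(default_factory=set)          # permitted station IPs
    trap_receivers: List[str] = field(default_factory=list)  # receives every trap

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= MAX_NAME_LEN:
            raise ValueError("community name must be 1 to %d characters" % MAX_NAME_LEN)
        if not all(ch.isalnum() or ch == " " for ch in self.name):
            raise ValueError("community name may contain only alphanumerics and spaces")
        if self.access not in ("R", "W"):
            raise ValueError("access mode must be R (Read) or W (Read/Write)")
        if len(self.trap_receivers) > MAX_TRAP_RECEIVERS:
            raise ValueError("at most %d trap receivers per community" % MAX_TRAP_RECEIVERS)


class SnmpAgent:
    """Request authorization and trap dispatch over a table of community strings."""

    def __init__(self, snmp_enabled: bool = True, auth_failure_trap: bool = True) -> None:
        self.snmp_enabled = snmp_enabled            # Enabling or Disabling SNMP Management
        self.auth_failure_trap = auth_failure_trap  # Setting the Authentication Failure Trap
        self.communities: Dict[str, Community] = {}

    def add(self, community: Community) -> None:
        self.communities[community.name] = community

    def authorize(self, name: str, station_ip: str, op: str) -> Tuple[bool, str, bool]:
        """Decide a GET ("get") or SET ("set") request.

        Returns (allowed, reason, auth_failure_trap_sent).
        """
        if not self.snmp_enabled:
            return (False, "SNMP management disabled", False)
        community = self.communities.get(name)
        if community is None:
            return (False, "unknown community string", self.auth_failure_trap)
        if not community.is_open and station_ip not in community.managers:
            return (False, "station not permitted for closed community",
                    self.auth_failure_trap)
        if op == "set" and community.access == "R":
            return (False, "community string is Read only", False)
        return (True, "ok", False)

    def trap_targets(self) -> Set[str]:
        """Every trap receiver on every string; Read-only strings count too."""
        targets: Set[str] = set()
        for community in self.communities.values():
            targets.update(community.trap_receivers)
        return targets


def build_demo_agent() -> SnmpAgent:
    """Constructed sample configuration; the addresses are documentation ranges."""
    agent = SnmpAgent()
    # Open, Read-only string with one trap receiver.
    agent.add(Community("public", "R", trap_receivers=["192.0.2.10"]))
    # Closed, Read/Write string usable only from one management station.
    agent.add(Community("netops rw", "W", is_open=False,
                        managers={"192.0.2.20"}, trap_receivers=["192.0.2.30"]))
    return agent


if __name__ == "__main__":
    demo = build_demo_agent()
    print(demo.authorize("public", "198.51.100.7", "set"))
    print(sorted(demo.trap_targets()))
```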
Displaying the SNMP Community Strings
To display the attributes of all the SNMP community strings on the switch, use the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 85.
3.
Chapter 6 Port Parameters
This chapter contains the procedures for viewing and adjusting the parameter settings for the individual ports on a switch.
Displaying Port Status
To display the current status and settings of the ports on the switch, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20.
Note
The speed, duplex mode, and flow control settings will be blank for ports that have not established a link with their end node.
The information in this menu is for viewing purposes only. The columns in the menu are described below:
Port
The port number.
Link
The status of the link between the port and the end node connected to the port. Possible values are:
Up - indicates that a valid link exists between the port and the end node.
Flow Ctl
The flow control setting for the port. Possible values are:
Disabled - No flow control on the port.
Enabled - Flow control is activated.
Configuring Port Parameters
To configure the parameter settings of a port, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 95.
2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:
Enter port-list ->
3. Enter the number of the port you want to configure. You can specify more than one port at a time.
If you are configuring multiple ports and the ports have different settings, the Port Configuration menu displays the settings of the lowest numbered port. Once you have configured the settings of the port, all of its settings are copied to the other selected ports.
4. Adjust the port parameters as necessary. You adjust a parameter by typing its number. The parameters are described below.
Note
A change to a parameter is immediately activated on the port.
The problem with broadcast frames is that too many of them traversing a network can impact network performance. The more bandwidth consumed by broadcast frames, the less available for unicast frames. Should the performance of your network be impacted by heavy broadcast traffic, you can use this parameter to limit the number of broadcast frames forwarded by the switch and so limit the number of broadcast frames on your network.
If you select Auto for Auto-Negotiation, which is the default setting, the switch will set both speed and duplex mode for the port automatically. The switch determines the highest possible common speed between the port and its end node and sets the port to that speed. This helps to ensure that the port and the end node are operating at the highest possible common speed.
The possible settings for the duplex mode are Full-duplex and Half-duplex.
7 - HOL Blocking Prevention Threshold
Head of line (HOL) blocking is a problem that occurs when a port on a switch becomes oversubscribed. An oversubscribed port is receiving more packets from other switch ports than it can transmit in a timely manner. The problem an oversubscribed port can create is that it can prevent other ports from forwarding packets to each other.
The HOL Limit parameter can help prevent this problem from occurring. This parameter sets a threshold on the utilization of a port’s egress queue. When the threshold for a port is exceeded, the switch signals other ports to discard packets to the oversubscribed port. For example, referring to the figure above, when the utilization of the storage capacity of Port D exceeds the threshold, the switch signals the other ports to discard packets destined for Port D.
The options in the Flow Control menu are described below:
1 - Flow Control
Disabled - No flow control on the port. This is the default setting.
Enabled - Flow control is activated. This setting is appropriate only when the end node connected to the port is also using flow control.
Auto - The port uses flow control only if it detects that the end node is using it.
2 - Flow Control (Cell Limit)
Specifies the number of cells. A cell represents 64 bytes.
Selecting this option displays the Back Pressure menu shown in Figure 26.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Back Pressure
Configuring Port 11
1 - Back Pressure ................. Disabled
2 - Back Pressure Cell Limit ......
X - Reset Port
Resets the speed and duplex mode of the selected port to the default value of Auto-Negotiation. Also returns the MDI/MDIX setting to the default value of Auto-Detect.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Setting the Rate Limit
This feature allows you to set the maximum number of ingress packets the switch ports accept each second. Packets exceeding the threshold are discarded. You can enable the rate limiting threshold independently for multicast, broadcast, and unknown unicast packets. However, the same threshold applies to all packet types. To configure this feature, you must enter a rate limit.
The Rate Limiting menu is shown in Figure 27.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Rate Limiting
Configuring Port 1
1 - Broadcast Rate Limiting Status ...........
2 - Multicast Rate Limiting Status ...........
3 - Unknown Unicast Rate Limiting Status .....
4 - Rate Limit ...............................
Chapter 7 MAC Address Table
This chapter contains the procedures for viewing the static and dynamic MAC address table.
MAC Address Overview
Every hardware device that you connect to your Ethernet network has a unique MAC address assigned to it by the device’s manufacturer. For example, every network interface card (NIC) that you use to connect your computers to your network has a MAC address assigned to it by the adapter’s manufacturer. The AT-8524M Series switch contains a MAC address table with a storage capacity of 8,000 entries.
The type of MAC address described above is referred to as a dynamic MAC address. Dynamic MAC addresses are addresses that the switch learns by examining the source MAC addresses of the frames received on the ports. Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node after a specified period of time.
Displaying MAC Addresses
The management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses. To display the MAC address tables, perform the following procedure:
1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 28.
3. Select the desired option. The options are explained below:
1 - Display All
This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. An example of a unicast MAC address table is shown in Figure 30.
An example of a multicast MAC address table is shown in Figure 31.
5 - Display Specified MAC
Displays the port number on which a MAC address was assigned or learned. In some situations, you might want to know on which port a particular MAC address was learned. You could display the MAC address table and scroll through the list looking for the MAC address. But if the switch is part of a large network, finding the address could prove difficult. This menu option offers an easier way.
Adding Static Unicast and Multicast MAC Addresses
This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-8524M Series switch. To add a static MAC address, perform the following procedure:
1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 28 on page 112.
2.
to the port where the multicast application is located will result in the failure of the multicast packets to be properly forwarded to the host nodes. You can specify the ports individually (e.g., 1,4,5), as a range (e.g., 11-14) or both (e.g., 15-17,22,24). The following prompt is displayed:
Please enter VLAN ID: [1 to 4094] -> 1
7. Enter the VLAN ID where the port is a member.
8. Repeat this procedure starting with Step 3 to enter additional static unicast or multicast MAC addresses.
Deleting Unicast and Multicast MAC Addresses
To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure:
1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 28 on page 112.
2. From the MAC Address Tables menu, type 2 to select Configure MAC Addresses. The Configure MAC Addresses menu is shown in Figure 32 on page 116.
3.
Deleting All Dynamic MAC Addresses
To delete all dynamic unicast and multicast MAC addresses from the MAC address table, do the following:
1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 28 on page 112.
2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 32 on page 116.
3.
Changing the Aging Time
The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
Chapter 8 Port Trunking
This chapter contains the procedures for creating, modifying, and deleting port trunks.
Port Trunking Overview
A port trunk is an economical way for you to increase the bandwidth between two Ethernet switches. A port trunk is a group of ports that have been grouped together to function as one logical path. A port trunk increases the bandwidth between switches and is useful in situations where a single physical data link between switches is insufficient to handle the traffic load.
❑ When cabling a trunk, the order of the connections should be maintained on both nodes. The lowest numbered port in a trunk on the switch should be connected to the lowest numbered port of the trunk on the other device, the next lowest numbered port on the switch should be connected to the next lowest numbered port on the other device, and so on. For example, assume that you are connecting a trunk between two AT-8524M switches.
❑ Source IP Address (Layer 3)
❑ Destination IP Address (Layer 3)
❑ Source IP Address / Destination IP Address (Layer 3)
The load distribution methods can be divided into two general groups. One group uses MAC addresses (Layer 2) to distribute the traffic and the other uses IP addresses (Layer 3).
[Figure 34 Load Distribution Method: Workstations A, B, C and D connected to Switch #1 and Switch #2 (AT-8524M Fast Ethernet Switches).]
Now assume that you configured the port trunk on Switch #1 with the source MAC address load distribution method. The switch might distribute the load as shown in Table 1.
For example, when Workstation B sends a packet to the server, Switch #1 uses Port 15 of the trunk to transmit it to Switch #2. An assignment of a source address to a port trunk remains active as long as the source node remains active. If the MAC address times out, the assignment is dropped. If the source node becomes active again and needs to transmit a packet over the trunk, a new assignment is made, either to the same port or to a different port in the trunk.
When another node sends a packet over the trunk, its address is assigned to the next lowest port in the trunk, and so forth. After an address has been assigned to all the ports in the trunk, the process is repeated starting with the lowest numbered port. Destination address trunking is typically used in a situation where there is one or just a few source nodes transmitting to many destination nodes.
Table 3 Switch #2 - Source MAC Address/Destination MAC Address Method
Destinations     MAC Addresses     Source MAC Address       Port
Workstation A    00A0EE 2313A3     Server 00B012 DA0231     2
Workstation B    00A134 1A9032                              1
Workstation C    00A301 9083B2                              3
Workstation D    001B21 87C6D6                              1
Even though there is only one source, all the data links in the trunk are used.
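The assignment behaviour described above (each new address goes to the next lowest trunk port, wrapping to the lowest port once every port has been used, and the assignment is dropped when the MAC address times out), as an added Python simulation that is not AT-S62 code; it assumes the 300 second default aging time from Chapter 7, reuses the MAC addresses from Table 3, and goes beyond the text by covering the source, destination and source/destination MAC methods in one routine:

```python
"""Simulation of the port trunk load distribution rules in this chapter.

Constructed example, not AT-S62 code. It implements the behaviour the guide
describes: each new address (or address pair) that crosses the trunk is assigned
to the next lowest port, wrapping to the lowest numbered port after every port
has been used; an assignment stays in force while the node remains active and is
dropped when its MAC address times out, after which the next assignment may land
on a different port. The 300 second default is the MAC aging time from Chapter 7.
"""
from typing import Dict, List, Tuple

DEFAULT_AGING_TIME = 300.0  # seconds; default MAC address aging time

# Source MAC address and destination MAC addresses taken from Table 3.
SERVER = "00B012DA0231"
WS_A = "00A0EE2313A3"
WS_B = "00A1341A9032"
WS_C = "00A3019083B2"
WS_D = "001B2187C6D6"


class TrunkDistributor:
    """Picks the trunk port for a frame under one load distribution method."""

    METHODS = ("SRC MAC", "DST MAC", "SRC/DST MAC")

    def __init__(self, ports: List[int], method: str,
                 aging_time: float = DEFAULT_AGING_TIME) -> None:
        if method not in self.METHODS:
            raise ValueError("unsupported method: %s" % method)
        if not 1 <= len(ports) <= 8:
            raise ValueError("a trunk can contain up to eight ports")
        self.ports = sorted(ports)
        self.method = method
        self.aging_time = aging_time
        self._next = 0                    # index of the next port to hand out
        self._assignments: Dict[Tuple[str, ...], Tuple[int, float]] = {}

    def _key(self, src: str, dst: str) -> Tuple[str, ...]:
        # The method decides which address (or pair) an assignment is keyed on.
        if self.method == "SRC MAC":
            return (src,)
        if self.method == "DST MAC":
            return (dst,)
        return (src, dst)

    def _age_out(self, now: float) -> None:
        # Drop assignments whose address has not been seen within the aging time.
        expired = [k for k, (_, seen) in self._assignments.items()
                   if now - seen > self.aging_time]
        for k in expired:
            del self._assignments[k]

    def select_port(self, src: str, dst: str, now: float) -> int:
        """Return the trunk port that carries this frame, assigning one if needed."""
        self._age_out(now)
        key = self._key(src, dst)
        if key in self._assignments:
            port, _ = self._assignments[key]
        else:
            port = self.ports[self._next]
            self._next = (self._next + 1) % len(self.ports)  # wrap to lowest port
        self._assignments[key] = (port, now)                 # node is active: refresh
        return port

    def load(self) -> Dict[int, int]:
        """Number of active address assignments per trunk port."""
        counts = {p: 0 for p in self.ports}
        for port, _ in self._assignments.values():
            counts[port] += 1
        return counts


def demo_server_to_workstations() -> Dict[int, int]:
    """Single source (the server) to four destinations over a three port trunk."""
    trunk = TrunkDistributor([15, 16, 17], "SRC/DST MAC")
    for t, dst in enumerate([WS_A, WS_B, WS_C, WS_D]):
        trunk.select_port(SERVER, dst, float(t))
    return trunk.load()


if __name__ == "__main__":
    print(demo_server_to_workstations())   # {15: 2, 16: 1, 17: 1}
```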
Creating a Port Trunk
This section contains the procedure for creating a port trunk on the switch. Be sure to review the guidelines in Port Trunking Overview on page 122 before performing the procedure.
Caution
Do not connect the cables to the trunk ports on the switches until after you have configured the trunk with the management software. Connecting the cables before configuring the software will create a loop in your network topology.
The Port Trunking menu is shown in Figure 35.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Port Trunking
ID Name Ports Method Status
---------------------------------------------------
C - Create Trunk
D - Delete Trunk
M - Modify Trunk
R - Return to Previous Menu
Enter your selection?
Figure 35 Port Trunking Menu
This menu lists any trunks that already exist on the switch.
3. Type C to select Create Trunk.
6. To set the load distribution method, type 3 to toggle the selection through the following possible settings:
❑ SRC MAC - Source MAC address
❑ DST MAC - Destination MAC address
❑ SRC/DST MAC - Source MAC address / destination MAC address
❑ SRC IP - Source IP address trunking
❑ DST IP - Destination IP address trunking
❑ SRC/DST IP - Source IP address / destination IP address
The default is SRC/DST MAC. For background information, refer to Load Distribution Methods on page 123.
7.
Modifying a Port Trunk
This section contains the procedure for modifying a port trunk on the switch. Be sure to review the guidelines in Port Trunking Overview on page 122 before performing the procedure.
Caution
If you will be adding or removing ports from the trunk, you should disconnect all data cables from the ports of the trunk on the switch before performing the procedure.
The Modify Trunk menu is displayed. The menu displays the operating specifications of the selected trunk. An example is shown in Figure 37.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Modify Trunk
1 - Trunk ID .........
2 - Trunk Name .......
3 - Trunk Method .....
4 - Trunk Ports ......
7. To change the ports of a trunk, type 4 to select Trunk Ports and, when prompted, enter the new ports of the trunk. A trunk can contain up to eight ports. You can identify the ports individually (for example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14). The new list of ports replaces the existing ports of the trunk.
8. Type M to select Modify Trunk. The modifications to the port trunk are activated on the switch.
9.
Deleting a Port Trunk
Caution
Disconnect the cables from the port trunk on the switch before performing the following procedure. Deleting a port trunk without first disconnecting the cables can create loops in your network topology. Data loops can result in broadcast storms and poor network performance.
To delete a port trunk from the switch, perform the following procedure:
1. From the Main Menu, type 1 to select Port Menu.
2. From the Port Menu, type 4 to select Port Trunking.
Chapter 9 Port Mirroring
This chapter contains the procedures for creating and deleting a port mirror.
Port Mirroring Overview
The port mirroring feature allows you to unobtrusively monitor the traffic being received and transmitted on one or more ports on a switch by having the traffic copied to another switch port. You can connect a network analyzer to the port where the traffic is being copied and monitor the traffic on the other ports without impacting network performance or speed. The port(s) whose traffic you want to mirror is called the source port(s).
Creating a Port Mirror
To create a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 95.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 38.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Port Mirroring
1 - Enable/Disable ....................
5. Type 2 to select Mirror-To Port and, when prompted, enter the number of the port to function as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port.
6. If you want to mirror the ingress (received) traffic on one or more ports, type 3 to select Ingress Mirror Port and, when prompted, enter the ports.
Deleting a Port Mirror
To delete a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 95.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 39 on page 138.
3. Type 1 to select Enable/Disable. The following prompt is displayed:
Enter Enable(E)/Disable(D):
4. Type D to disable the feature.
Chapter 10 Ethernet Statistics
This chapter contains the procedures for displaying data traffic statistics.
Displaying Port Statistics
To display Ethernet port statistics, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 40.
Multicast Frames Received
Number of multicast frames received on the port.
Multicast Frames Sent
Number of multicast frames transmitted from the port.
Frames 64 Bytes
Frames 65 - 127 Bytes
Frames 128 - 255 Bytes
Frames 256 - 511 Bytes
Frames 512 - 1023 Bytes
Frames 1024 - 1518 Bytes
Number of frames transmitted from the port, grouped by size.
CRC Error
Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.
Clearing Port Counters
To return the statistics counters of a port to zero, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 40 on page 142.
3. From the Port Statistics menu, type 2 to select Clear Port Statistics. This prompt is displayed:
Enter port-list:
4.
Section II Advanced Operations
The chapters in this section explain how to manage an AT-8524M switch from a local or Telnet management session.
Chapter 11 File System
This chapter describes the AT-S62 file system, and how you can use the file system to copy, rename, and delete system files. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
File System Overview
The AT-S62 management software has a file system for storing system files. You can view the file system, as well as copy, rename, and delete files. The following file types are supported by the AT-S62 file system:
❑ Boot configuration files
❑ Public keys
❑ Public certificates
❑ Certificate enrollment requests
For an explanation of a boot configuration file, refer to Working with Boot Configuration Files on page 149.
File Naming Conventions
The file system is a flat file system, which means directories are not supported. Files are uniquely identified by a file name in the following format:
filename.ext
where:
❑ filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }.
Working with Boot Configuration Files
A boot configuration file contains a series of commands that configure the switch’s parameter settings when you power cycle or reset the device. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so on. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.
Phase 1: Creating a Configuration File
Before you begin to configure the switch with the parameter settings that you want to save in a new configuration file, you should first create the file. Configuring the parameters first and then creating the new configuration file might cause you to inadvertently change a configuration file you might not want to change. To perform this phase, do the following:
1. From the Main Menu, type 5 to select System Administration.
2.
The following prompt is displayed:
Enter the file name (or None):
5. Enter a file name for the new configuration file. The file name can be up to 16 alphanumeric characters. Spaces are allowed. The filename must include the extension “.cfg”. See File Naming Conventions on page 148.
Note
If the filename already exists, the system displays a message asking if you want to overwrite the existing file.
Note
You cannot name a configuration file “default.cfg”.
Note
Only the active boot configuration file is changed when you select the Save Configuration Changes option in the Main Menu. No other boot configuration files stored on the switch are altered.
Phase 3: Selecting the Active Configuration File for the Switch
You have now created the configuration file, made the necessary changes to the switch’s parameter settings, and saved the changes.
The following prompt is displayed:
Enter the file name:
5. Enter the file name of the configuration file you want the switch to use the next time it is reset or power cycled. The file name will now appear following selection 1 in the File Operations menu. The file name should be followed by “Exist”, which means that the file exists in the switch’s file system.
The contents of the configuration file are displayed in the View File menu. An example is shown in Figure 42.
Allied Telesyn Ethernet Switch - AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
View File
Configuration File: mydefault.
Here are several guidelines for editing a boot configuration file:
❑ The text editor must be able to store the file as ASCII text. Do not insert special formatting codes, such as boldface or italics, into a boot configuration file.
❑ The configuration file must contain AT-S62 command line commands. You enter the commands you want the switch to perform when reset or power cycled. For a description of the commands, refer to the AT-S62 Command Line User’s Guide.
Copying, Renaming, and Deleting System Files
Use this procedure to copy, rename, and delete system files. To view a list of system file names, see Displaying System Files on page 158.
Note
Files with the extension UKF are encryption key pairs. These files cannot be copied, renamed, or deleted from the file system. To delete a key pair from the switch, refer to Deleting an Encryption Key on page 504.
5. To rename a system file, do the following:
a. From the File Operations menu, type 5 to select Rename File. The following prompt is displayed:
Enter the source file name:
b. Enter the name of the file you want to rename. The following prompt is displayed:
Enter the destination file name:
c. Enter the new name for the file. You can enter a file name of up to 16 alphanumeric characters, followed by a 3 letter extension. You must keep the same extension.
Chapter 11: File System Displaying System Files Use this procedure to display a list of the system files currently stored on the switch. For information about shortcuts for specifying file names, see File Naming Conventions on page 148. To display a list of current system file names, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 9 to select System Utilities. 3.
The List Files menu is displayed. An example of the menu is shown in Figure 43.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

List Files
File Name          Size (Bytes)   Last Modified
------------------------------------------------------------------
default.cfg
boot.cfg
newcfg.cg
serverkey150.key
ProdSw.cer
ProdSw2.
Chapter 12 File Downloads and Uploads This chapter contains procedures for downloading a new AT-S62 image file onto the switch. This chapter also contains procedures for uploading and downloading system files, such as a boot configuration file, from the file system in the switch.
AT-S62 User’s Guide Downloading the AT-S62 Image File onto a Switch This section contains two procedures for downloading a new AT-S62 image file onto the switch. They are: ❑ Downloading the AT-S62 Image from a Local Management Session on page 162 ❑ Downloading the AT-S62 Image from a Telnet Management Session on page 165 Caution Installing a new AT-S62 image file will invoke a switch reset. Some network traffic may be lost.
of an enhanced stack. You cannot use TFTP on a slave switch, since that type of switch typically does not have an IP address. Instead, you would need to perform the download from a local management session of the switch using Xmodem or, alternatively, switch to switch, as explained in Downloading an AT-S62 Image File Switch to Switch on page 167.
AT-S62 User’s Guide Note Options 3 and 4 are described in Uploading a System File on page 177. 5. Type 1 to select Download Application Image/Bootloader. The following prompt is displayed: Download Method/Protocol [X-Xmodem, T-TFTP]: 6. To download the AT-S62 image file using Xmodem, go to Step 7. To download the file using TFTP, do the following: a. Type T. The following prompt is displayed: TFTP Server IP address: b. Enter the IP address of the TFTP server.
Chapter 12: File Downloads and Uploads The following prompt is displayed: You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No] Note: Please select 1K Xmodem protocol for faster download. 8. Type Y for Yes. The prompt “Downloading” is displayed. 9. Begin the file transfer of the new management software image. Note The transfer protocol must be Xmodem or 1K Xmodem. Steps 10 through 13 illustrate how you would download a file using the Hilgraeve HyperTerminal program. 10.
AT-S62 User’s Guide 11. Click the Browse button and specify the location and file to be downloaded onto the switch. 12. Click on the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem. 13. Click Send. The software immediately begins to download onto the switch. The Xmodem File Send window in Figure 47 displays current status of the software download. The download process takes a couple minutes to complete.
3. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 9 on page 64. 4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 44 on page 162. 5. Type 1 to select Download Application Image/Bootloader. The following prompt is displayed: Only TFTP downloads are available for a Telnet access TFTP Server IP address: 6.
AT-S62 User’s Guide Downloading an AT-S62 Image File Switch to Switch The previous section contained the procedure for downloading an AT-S62 software image onto a switch from a local or Telnet management session. The procedure in this section explains how to download an AT-S62 software image from one AT-8524M switch to another AT-8524M switch. This procedure is useful in networks that contain a large number of AT-8524M switches.
Note You cannot download AT-S62 software onto any type of enhanced stacking switch other than an AT-8524M switch. The following prompt is displayed: Do you want to show remote switch burning flash -> [Yes/No] 6. You can respond with Yes or No to this prompt. It does not affect the download. The following prompt is displayed: Do you want confirmation before downloading each switch -> [Yes/No] 7.
AT-S62 User’s Guide Downloading an AT-S62 Configuration File Switch to Switch This procedure downloads a boot configuration file from the master AT-8524M switch to another AT-8524M switch in an enhanced stack. The switch where you download the file will mark it as the active boot configuration file, and will automatically reset. Once the reset is complete, the switch will be operating with the parameter settings contained in the downloaded configuration file.
Chapter 12: File Downloads and Uploads After you enter a name, the following prompt is displayed: Enter the list of switches -> 6. Enter the number (Num column in menu) of the AT-8524M switch where you want to download the configuration file. You can specify more than one switch at a time (for example, 2,4,5). Note An AT-8524M configuration file can be downloaded only onto other AT-8524M switches. Do not attempt to download the file onto any other type of enhanced stacking switch.
AT-S62 User’s Guide Downloading a System File This section contains the procedures for downloading a system file into the switch’s file system from a management workstation or TFTP server. You can download any of the following files: ❑ Boot configuration file ❑ Public encryption key ❑ CA certificate Note CA certificates and key files are supported only on the version of AT-S62 management software that features SSL, PKI, and SSH security.
server software and the file to be downloaded must be stored on the server. ❑ You should start the TFTP server software before you begin the download procedure. ❑ The switch onto which you are downloading the file must have an IP address and subnet mask, such as the master switch of an enhanced stack. You cannot use TFTP on a slave switch, since that type of switch typically does not have an IP address. ❑ TFTP transfers files in clear text and authenticates neither end. Run the TFTP server on a trusted management network and only for the duration of the transfer, and after a download confirm the file's name and size in the List Files menu (see Displaying System Files on page 158) before you make it the active boot configuration file.
AT-S62 User’s Guide c. Enter the directory path and file name of the system file on the TFTP server to be downloaded to the switch. You can specify only one system file. The following prompt is displayed: Local File Name: d. Enter a name for the system file. This is the name that the switch will store the file as in its file system. The following message is displayed: Getting the file from Remote TFTP Server - Please wait ... e. If you have not already, start the TFTP server software.
11. From the HyperTerminal main window, select the Transfer menu. Then select Send File from the pull-down menu, as shown in Figure 48. Figure 48 Local Management Window The Send File window is shown in Figure 49. Figure 49 Send File Window 12. Click the Browse button and specify the location and system file to be downloaded onto the switch. 13. Click on the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem. 14.
The software immediately begins to download onto the switch. The Xmodem File Send window in Figure 50 displays the current status of the download. The download process takes a couple of minutes to complete. Figure 50 XModem File Send Window The download is complete when the Downloads and Uploads menu is displayed.
Chapter 12: File Downloads and Uploads Note Options 3 and 4 in the menu are described in Uploading a System File on page 177. 5. Type 3 to select Download a File. The following prompt is displayed: Only TFTP downloads are available for a Telnet access TFTP Server IP address: 6. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name: 7. Enter the directory path and file name of the system file you want to download.
AT-S62 User’s Guide Uploading a System File The procedures in this section are used to upload a system file from a switch to a computer or TFTP server. A system file can be any of the following: ❑ Boot configuration file ❑ Public key ❑ PKI certificate ❑ Certificate enrollment request Note The certificate file, certificate enrollment request file, and key file are supported only on the version of AT-S62 management software that features SSL and PKI security.
Chapter 12: File Downloads and Uploads need to perform the upload from a local management session of the switch using Xmodem. Uploading a System File from a Local Management Session This procedure explains how to upload a system file from the switch to a workstation or TFTP server from a local management session using Xmodem or TFTP. To upload a system file, perform the following procedure: 1. Establish a local management session on the switch where you want to upload the system file. 2.
AT-S62 User’s Guide d. Enter the name of the system file on the switch that you want to upload to the TFTP server. You can specify only one file. You may not use wildcards. The following message is displayed: Sending the file to Remote TFTP Server - Please wait ... Once the switch has uploaded the system file, this message is displayed: File sent successfully! The file is now stored on the TFTP server. You can now download the file onto another AT-8524M switch in your network. 7.
Chapter 12: File Downloads and Uploads 11. From the HyperTerminal main window, select the Transfer menu. Then select Receive File from the pull-down menu, as shown in Figure 51. Figure 51 Local Management Window The Receive File window is shown in Figure 52. Figure 52 Receive File Window 12. Click the Browse button and specify the location on your computer where you want the system file stored. 13.
The System Utilities menu is shown in Figure 9 on page 64. 4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 44 on page 162. 5. Type 4 to select Upload a File. The following prompt is displayed: Only TFTP uploads are available for a Telnet access TFTP Server IP address: 6. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name: 7. Enter a name for the system file.
Chapter 13 Event Log This chapter describes the event log.
AT-S62 User’s Guide Event Log Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurs.
Enabling or Disabling the Event Log To enable or disable the event log, do the following: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 53.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Event Log
1 - Event Logging .............. Enabled
2 - Log Full Action ............ Wrap
3 - Display Output .............
AT-S62 User’s Guide Displaying Events To view the event log, do the following: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 53 on page 184. 3. Configure options 3 through 7 in the Event Log menu to specify the types of events you want to view. The options are described below: 3 - Display Output Selects an event log. This option has only the one selection Temporary.
Figure 54 shows an example of the event log in the Full display mode. The Normal display mode does not include the Filename, Line Number, and Event ID items.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Event Log
S Date    Time     EventID Source File:Line Number Event
-----------------------------------------------------------------
I 2/01/04 09:11:02 073001  garpmain.c:259          garp: GARP initialized
I 2/01/04 09:55:15 083001  portconfig.
AT-S62 User’s Guide ❑ Date/Time - The date and time the event occurred. ❑ Event - The module within the AT-S62 software that generated the event followed by a brief description of the event. For a list of the AT-S62 modules, see Modules on page 187. ❑ Event ID - A unique number that identifies the event. (Displayed only in the Full display mode.) ❑ Filename and Line Number - The subpart of the AT-S62 module and the line number that generated the event. (Displayed only in the Full display mode.
Table 7 AT-S62 Modules

Module Name   Description
PKI           Public Key Infrastructure
PMIRR         Port mirroring
PSEC          Port security (MAC address-based)
PTRUNK        Port trunking
QOS           Quality of Service
RADIUS        RADIUS authentication protocol
SNMP          SNMP
SSH           Secure Shell protocol
SSL           Secure Sockets Layer protocol
STP           Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree protocols
SYSTEM        Hardware status; Manager and Operator log in and log off events.
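Once the log has been saved to a file (see Saving the Event Log on page 189) and uploaded to a workstation, the Full display mode layout of Figure 54 is straightforward to parse. The Python script below is an added example, not code from the AT-S62 software or this guide; it reads lines in either the Full or the Normal layout and filters them by module (Table 7) and by the severity letter in the S column. Only the first sample event is taken from Figure 54; the remaining lines, the severity letter "W" and every message text are constructed for the example and are not real AT-S62 messages. The day/month/year reading of the date column is inferred from the banner date in the figure.

```python
import re
from collections import Counter
from datetime import datetime

# Full display mode:   S Date Time EventID SourceFile:Line Module: message
# Normal display mode: S Date Time Module: message   (no EventID or source)
_LINE = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<date>\d{1,2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<event_id>\d{6})\s+(?P<source>\S+:\d+)\s+)?"
    r"(?P<module>[A-Za-z0-9]+):\s+(?P<message>.*\S)\s*$"
)


def parse_line(line):
    """Return a dict for one event log line, or None if the line is not an event."""
    m = _LINE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    # The figure banner reads 02-Jan-2004 next to events dated 2/01/04, so the
    # date column is read as day/month/year (inferred from the figure, not a spec).
    e["when"] = datetime.strptime(f"{e['date']} {e['time']}", "%d/%m/%y %H:%M:%S")
    e["module"] = e["module"].upper()  # Table 7 lists module names in upper case
    return e


def parse_log(text):
    """Parse a saved event log; banner and column-header lines are skipped."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def select(events, modules=None, severities=None):
    """Filter events by module name (Table 7) and/or severity letter."""
    return [
        e for e in events
        if (modules is None or e["module"] in modules)
        and (severities is None or e["sev"] in severities)
    ]


def count_by_module(events):
    """How many events each AT-S62 module generated; a quick way to spot a noisy module."""
    return Counter(e["module"] for e in events)


# Constructed sample log in Full display mode. Only the first event line is from
# Figure 54; the other lines, the severity letter "W" and all message texts are
# made up for this example and are not real AT-S62 messages.
SAMPLE_LOG = """\
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
S Date     Time     EventID Source File:Line Number Event
-----------------------------------------------------------------
I 2/01/04 09:11:02 073001 garpmain.c:259 garp: GARP initialized
I 2/01/04 09:55:15 083001 portconfig.c:112 stp: Port 4 entering forwarding state
I 2/01/04 10:02:11 090001 login.c:88 system: Manager logged in
W 2/01/04 10:02:40 091002 login.c:95 system: Manager login failed
W 2/01/04 10:02:48 091002 login.c:95 system: Manager login failed
I 2/01/04 10:05:30 120003 psec.c:301 psec: Port 7 intrusion detected
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in select(events, modules={"SYSTEM", "PSEC"}):
        print(e["when"], e["sev"], e["module"], e["message"])
    print(count_by_module(events))
```

Because the switch wraps or stops logging when the log is full (Log Full Action in the Event Log menu), save and upload the log on a schedule rather than relying on what is still on the switch when an incident is noticed.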
AT-S62 User’s Guide Saving the Event Log The Event Log menu has the selection “S - Save Log to File” for saving the current contents of the log as a file in the file system. Once in the file system, you can either view it or download it to your management workstation. To use the option, first configure options 2 to 7 in the Event Log menu to specify which log entries you want to save. When you select the option, you are asked to specify a filename.
Clearing the Event Log To clear all events from the log, perform the following procedure. Clearing is permanent; if you need to retain the entries, for example as a record of a security event, save the log to a file first (see Saving the Event Log on page 189). 1. From the Main menu, type 5 to select System Administration. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 53 on page 184. 3. Type C to select Clear Log. A confirmation prompt is displayed. 4. Type Y to clear the log or N to cancel the procedure. The log, if enabled, immediately begins to record new events.
Chapter 14 Quality of Service This chapter contains the procedures for configuring Quality of Service (QoS).
Chapter 14: Quality of Service Quality of Service Overview When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets. This can result in the delay of packets reaching their destinations.
AT-S62 User’s Guide Each switch port has four egress queues. The queues are Q0, Q1, Q2, and Q3. Q0 is the lowest priority queue and Q3 is the highest. A packet in a high priority egress queue is typically transmitted out a port sooner than a packet in a low priority queue. Table 8 lists the mappings between the eight CoS priority levels and the four egress queues of a switch port. Table 8 Default Mappings of IEEE 802.1p Priority Levels to Priority Queues IEEE 802.
Chapter 14: Quality of Service You can configure a port to completely ignore the priority levels in its tagged packets and store all the packets in the same egress queue. For instance, perhaps you decide that all tagged packets received on port 4 should be stored in the egress port’s Q3 egress queue, regardless of the priority level in the packets themselves. The procedure for overriding priority levels is explained in Configuring CoS on page 196.
AT-S62 User’s Guide The problem with this method is that some low priority packets might never be transmitted out the port because a port might never get to the low priority queues. A port handling a large volume of high priority traffic may be so busy transmitting that traffic that it never has an opportunity to get to any packets that are stored in its low priority queues. Weighted Round Robin Priority Scheduling The weighted round robin scheduling method functions as its name implies.
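The starvation risk described above, and the way weighted round robin avoids it, can be seen in a small simulation. The Python script below is an added example and is not code from the AT-S62 software or this guide. It models the four egress queues of one port and drains them for a fixed number of transmit slots under each scheduling method. The queue weights and the traffic mix are assumptions chosen to make the contrast visible; this page does not give the weights the switch actually uses.

```python
from collections import Counter, deque

QUEUES = ("Q0", "Q1", "Q2", "Q3")   # Q0 is the lowest priority queue, Q3 the highest


def make_queues(backlog):
    """backlog maps queue name -> number of packets waiting in that egress queue."""
    return {q: deque(range(backlog.get(q, 0))) for q in QUEUES}


def strict_priority(queues, slots):
    """Each transmit slot takes one packet from the highest-priority non-empty queue."""
    sent = Counter()
    for _ in range(slots):
        for q in reversed(QUEUES):          # Q3 first, Q0 last
            if queues[q]:
                queues[q].popleft()
                sent[q] += 1
                break
    return sent


def weighted_round_robin(queues, weights, slots):
    """Visit Q3 down to Q0 in turn; each visit sends up to weights[q] packets.

    Every queue with a non-zero weight gets a turn in each round, so the low
    priority queues still make progress while the high priority queue is saturated.
    """
    sent = Counter()
    used = 0
    while used < slots and any(queues.values()):
        for q in reversed(QUEUES):
            for _ in range(weights[q]):
                if used >= slots or not queues[q]:
                    break
                queues[q].popleft()
                sent[q] += 1
                used += 1
    return sent


def compare(backlog, weights, slots):
    """Run both schedulers on identical backlogs; returns (strict, wrr) send counts."""
    return (strict_priority(make_queues(backlog), slots),
            weighted_round_robin(make_queues(backlog), weights, slots))


# Constructed scenario: Q3 holds more traffic than the port can drain in the
# window, while a handful of packets wait in Q0. The weights are assumptions
# for the example; the AT-S62 weights are not specified on this page.
BACKLOG = {"Q3": 200, "Q0": 10}
WEIGHTS = {"Q3": 8, "Q2": 4, "Q1": 2, "Q0": 1}

if __name__ == "__main__":
    strict, wrr = compare(BACKLOG, WEIGHTS, slots=100)
    print("strict priority:", dict(strict))        # Q0 never transmits
    print("weighted round robin:", dict(wrr))      # Q0 drains while Q3 still dominates
```

With 100 slots, strict priority spends all of them on Q3 and the ten Q0 packets never leave the port; weighted round robin sends 90 from Q3 and all 10 from Q0.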
Configuring CoS As explained in Quality of Service Overview on page 192, a tagged packet received on a port is placed into one of four priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 8 on page 193.
AT-S62 User’s Guide Note Options 4, 5, and 6 are not available in all versions of the AT-S62 management software. Contact your sales representative to determine if these features are available in your locale. 2. From the Security and Services menu, type 3 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 56.
Chapter 14: Quality of Service The Configure Port COS Priorities menu is shown in Figure 57. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Server User: Manager 11:20:02 02-Jan-2004 Configure Port COS Priorities 1 - Port Number ................... 1 2 - Priority (0-7) 0=Low 7=High ... 0 3 - Override Priority (Y/N) ....... N C - Configure COS Priorities R - Return to Previous Menu Enter your selection? Figure 57 Configure Port COS Priorities Menu Menu option 1 cannot be changed. 5.
AT-S62 User’s Guide Note The tagged information in a frame is not changed as the frame traverses the switch. A tagged frame leaves a switch with the same priority level that it had when it entered. The default for this parameter is No, meaning that the priority level of tagged frames is determined by the priority level specified in the frame itself. 8. Type C to select Configure Port COS Priorities. A change to a port CoS setting is immediately activated on the port. 9.
Mapping CoS Priorities to Egress Queues This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 8 on page 193. This is set at the switch level. You cannot set this at the per-port level. To change the mappings, perform the following procedure. 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196. 2.
AT-S62 User’s Guide Configuring Egress Scheduling This procedure explains how to select and configure a scheduling method for Class of Service. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to Scheduling on page 194. Scheduling is set at the switch level. You cannot set this on a per-port basis. 1. From the Main Menu, type 7 to select Security and Services.
Chapter 14: Quality of Service Displaying Port CoS Priorities The following procedure displays a menu that lists the current egress priority queue settings for each port. 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196. 2. From the Security and Services menu, type 3 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 56 on page 197. 3.
Chapter 15 IGMP Snooping This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
Chapter 15: IGMP Snooping IGMP Snooping Overview IGMP snooping is best explained by first defining IGMP. This protocol enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports.
AT-S62 User’s Guide Without IGMP snooping a switch would be obligated to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact switch and network performance. The AT-8524M switch maintains its list of multicast groups through an adjustable timeout value, which controls how frequently it expects to see reports from end nodes that want to remain members of multicast groups, and by processing leave requests.
Chapter 15: IGMP Snooping Activating IGMP Snooping To activate or deactivate IGMP snooping on the switch and to configure IGMP snooping parameters, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Multicast Configuration menu is shown in Figure 61.
AT-S62 User’s Guide The options in the menu are defined below: 1 - IGMP Snooping Status Enables and disables IGMP snooping on the switch. After selecting this option, type E to enable or D to disable this feature. 2 - Multicast Host Topology Defines whether there is only one host node per switch port or multiple host nodes per port. Possible settings are Single-Host/Port (Edge) and Multiple Host/Ports (Intermediate).
Chapter 15: IGMP Snooping When selecting a value for this parameter, it is important to note that the value you enter actually defines the approximate mid-point of a range within which a timeout can occur. Consequently, an actual timeout may occur earlier or later than the value that you enter. The range is from 0.7 to 1.4 of your value. For example, if you leave this parameter set to the default 260 seconds, a timeout can occur from 182 seconds to 364 seconds.
AT-S62 User’s Guide Displaying a List of Host Nodes You can use the AT-S62 software to display a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 61 on page 206. 2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 62 on page 206.
Chapter 15: IGMP Snooping HostIP - The IP address of the host node connected to the port. Status - The status of the host node. The options are: Active: The host node is an active member of the group. Left Group: The host node has recently left the group.
AT-S62 User’s Guide Displaying a List of Multicast Routers A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S62 software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration.
Chapter 16 Denial of Service Defense This chapter contains procedures on how to configure the switch to protect your network against Denial of Service (DoS) attacks.
AT-S62 User’s Guide Denial of Service Defense Overview The AT-S62 management software can help protect your network against the following types of Denial of Service attacks. ❑ SYN Flood Attack ❑ SMURF Attack ❑ Land Attack ❑ Teardrop Attack ❑ Ping of Death Attack ❑ IP Options Attack The following subsections briefly describe each type of attack and the mechanism employed by the AT-S62 management software to protect your network.
SMURF Attack This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request containing a broadcast address as the destination address and the address of the victim as the source address. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
Here is an overview of how the process takes place. This example assumes that you have activated the feature on port 4 and that you have specified port 1 as the uplink port. The steps below review what happens when an ingress IP packet arrives on port 4: 1. When port 4 receives an ingress IP packet with a destination MAC address learned on uplink port 1, it examines the packet’s destination IP address before forwarding the packet. 2.
If one is found, the following occurs: ❑ The switch sends an SNMP trap to the management workstations. ❑ The switch port discards the fragment with the invalid offset and, for a one minute period, discards all ingress fragmented IP traffic. Because the CPU only samples the ingress IP traffic, this defense mechanism may catch some, though not necessarily all, of this form of attack. Caution This defense is extremely CPU intensive; use with caution.
IP Options Attack In the basic scenario of an IP options attack, an attacker sends packets containing bad IP options. There are several different types of IP option attacks, and the AT-S62 management software does not distinguish between them. The defense mechanism counts the number of ingress IP packets containing IP options received on a port.
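The packet-level checks behind four of the defenses described above can be written down directly. The Python script below is an added example and not the AT-S62 implementation; it shows the signatures as the overview states them: a Land packet (source address equals destination address), a SMURF trigger (ICMP Echo request to a broadcast address), a Teardrop fragment (a byte range overlapping one already seen for the same datagram) and option-bearing packets, which the IP options defense counts per port. SYN flood is left out because it needs per-connection state rather than a per-packet check. All packets are constructed inside the script, the LAN broadcast address 192.0.2.255 is an assumption, and the one-minute discard window is not modelled.

```python
import struct
import ipaddress
from collections import defaultdict

ICMP = 1
ICMP_ECHO_REQUEST = 8
MORE_FRAGMENTS = 0x2000


def build_ipv4(src, dst, proto, payload=b"", ident=1, more=False, frag_off=0, options=b""):
    """Assemble a minimal IPv4 packet (no checksum) for the constructed samples below."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    flags_off = (MORE_FRAGMENTS if more else 0) | (frag_off & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident, flags_off,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def parse_ipv4(pkt):
    """Pull the fields the defenses look at out of an IPv4 header."""
    vihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    hlen = (vihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ident": ident,
        "more_frags": bool(flags_off & MORE_FRAGMENTS),
        "frag_off": (flags_off & 0x1FFF) * 8,   # the header field counts 8-byte units
        "has_options": hlen > 20,
        "payload": pkt[hlen:total_len],
    }


class DosInspector:
    """Per-port inspector applying the signatures described in the overview."""

    def __init__(self, broadcast_addrs):
        self.broadcast = set(broadcast_addrs)
        self.fragments = defaultdict(list)   # (src, dst, ident, proto) -> [(start, end)]
        self.option_packets = 0

    def inspect(self, pkt):
        p = parse_ipv4(pkt)
        findings = []
        # Land: source and destination addresses are the same host.
        if p["src"] == p["dst"]:
            findings.append("land")
        # SMURF: ICMP Echo request aimed at a broadcast address.
        if (p["proto"] == ICMP and p["dst"] in self.broadcast
                and p["frag_off"] == 0 and p["payload"][:1] == bytes([ICMP_ECHO_REQUEST])):
            findings.append("smurf")
        # IP options: the defense counts option-bearing packets per port.
        if p["has_options"]:
            self.option_packets += 1
            findings.append("ip-options")
        # Teardrop: a fragment whose byte range overlaps one already seen for the datagram.
        if p["more_frags"] or p["frag_off"]:
            start, end = p["frag_off"], p["frag_off"] + len(p["payload"])
            key = (p["src"], p["dst"], p["ident"], p["proto"])
            if any(start < e and s < end for s, e in self.fragments[key]):
                findings.append("teardrop")
            self.fragments[key].append((start, end))
        return findings


def run_samples():
    """Constructed traffic for one port; 192.0.2.255 is assumed to be the LAN broadcast."""
    insp = DosInspector(broadcast_addrs={"192.0.2.255"})
    echo = bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1]) + b"ping"
    samples = [
        ("normal_ping", build_ipv4("192.0.2.10", "192.0.2.20", ICMP, echo)),
        ("land", build_ipv4("192.0.2.20", "192.0.2.20", 6, b"\x00" * 20)),
        ("smurf", build_ipv4("192.0.2.20", "192.0.2.255", ICMP, echo)),
        ("ip_options", build_ipv4("192.0.2.10", "192.0.2.20", 6, b"\x00" * 20,
                                  options=b"\x83\x03\x04\x00")),   # LSRR option, padded
        ("frag_a", build_ipv4("192.0.2.10", "192.0.2.20", 17, b"A" * 24, ident=7, more=True)),
        ("frag_b_ok", build_ipv4("192.0.2.10", "192.0.2.20", 17, b"B" * 8, ident=7, frag_off=3)),
        ("tear_a", build_ipv4("192.0.2.10", "192.0.2.20", 17, b"C" * 24, ident=8, more=True)),
        ("tear_b", build_ipv4("192.0.2.10", "192.0.2.20", 17, b"D" * 24, ident=8, frag_off=1)),
    ]
    return {name: insp.inspect(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:12s} {findings or 'clean'}")
```

The fragment pair frag_a/frag_b_ok is a legitimate split (the second fragment starts exactly where the first ends) and is not flagged; tear_b starts 8 bytes into tear_a and is. As the Caution above says, the switch only samples fragments, so a detector of this kind on the switch sees a subset of what a capture on a monitoring port would.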
Chapter 16: Denial of Service Defense Enabling or Disabling Denial of Service Prevention To configure DoS defense, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196. 2. From the Security and Services menu, type 2 to select Denial of Service (DoS). The Denial of Service (DoS) Menu is shown in Figure 65.
AT-S62 User’s Guide The LAN IP Subnet menu is shown in Figure 66. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2004 Lan IP Subnet 1 - IP Address ................. 0.0.0.0 2 - Subnet Mask ................ 0.0.0.0 3 - Uplink Port ................ 26 R - Return to Previous Menu Enter your selection? Figure 66 LAN IP Subnet Menu b.
Chapter 16: Denial of Service Defense A menu is displayed containing either one or two options, depending on the DoS defense you selected. An example of the menu is shown in Figure 67. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2004 SYN Flood Configuration Configuring DoS for Port 2 1 - DoS Status ................. Disabled R - Return to Previous Menu Enter your selection? Figure 67 SYN Flood Configuration Menu 6.
Section III SNMPv3 Operations This section contains the following chapter: ❑ Chapter 17: SNMPv3 Configuration on page 222 221
Chapter 17 SNMPv3 Configuration This chapter provides a description of the AT-S62 implementation of the SNMPv3 protocol. In addition, it provides procedures that allow you to create and modify SNMPv3 users.
AT-S62 User’s Guide SNMPv3 Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 5: SNMPv1 and SNMPv2c Configuration on page 81. In the SNMPv3 protocol, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. The SNMP terminology changes in the SNMPv3 protocol.
Chapter 17: SNMPv3 Configuration With the SNMPv3 protocol, you create users, determine the protocol used for message authentication as well as determine if data transmitted between an SNMP agent and an NMS is encrypted. In addition, you have the ability to restrict user privileges by determining the user’s view of the Management Information Bases (MIBs). In this way, you restrict which MIBs the user can display and modify.
SNMPv3 Privacy Protocol After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S62 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported. The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA. Note that DES uses a 56-bit key and MD5 is no longer considered a strong hash function, so both are weak by current standards; where this software is used, select SHA for authentication, enable DES rather than sending management traffic unencrypted, and restrict SNMP access to a trusted management network.
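What the switch does with the authentication and privacy passwords is defined by the User-based Security Model (RFC 3414) and is worth seeing once, because it explains why the password itself is never the key. The Python script below is an added example, not code from the AT-S62 software: it derives the user key Ku from the password, localizes it with the SNMP engine ID (the SNMP Engine value shown in the Configure SNMPv3 Table menu), produces the 12-byte authentication parameter of a message, and splits a localized privacy key into the DES key and pre-IV. The password and engine ID are the RFC 3414 Appendix A.3 test vector; the second engine ID used at the end is made up to show that the localized key changes from one engine to the next.

```python
import hashlib
import hmac

ALGO = {"MD5": "md5", "SHA": "sha1"}      # the two authentication protocols the switch offers


def password_to_key(password: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically out to 1,048,576 bytes (Ku)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(ALGO[proto], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), specific to one SNMP engine."""
    return hashlib.new(ALGO[proto], ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, proto: str, whole_msg: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the 12-byte msgAuthenticationParameters of a message."""
    return hmac.new(kul, whole_msg, ALGO[proto]).digest()[:12]


def des_key_and_pre_iv(priv_kul: bytes):
    """RFC 3414 8.1.1.1: with DES the first 8 bytes of the localized privacy key are the
    DES key and the next 8 bytes the pre-IV (a 20-byte SHA key is truncated to 16 bytes)."""
    return priv_kul[:8], priv_kul[8:16]


def derive_user_keys(password: bytes, engine_id: bytes, proto: str) -> dict:
    """The two keys behind one User Table entry, as hex strings."""
    ku = password_to_key(password, proto)
    kul = localize_key(ku, engine_id, proto)
    return {"Ku": ku.hex(), "Kul": kul.hex()}


# RFC 3414 Appendix A.3 test vector: password "maplesyrup" with the engine ID
# 00 00 00 00 00 00 00 00 00 00 00 02. On a real switch the engine ID is the
# "SNMP Engine" value shown in the Configure SNMPv3 Table menu.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        print(proto, derive_user_keys(PASSWORD, ENGINE_ID, proto))
    # A made-up second engine ID: same password, different localized key, which is
    # why a localized key taken from one switch cannot be replayed against another.
    print("SHA, other engine", derive_user_keys(PASSWORD, bytes.fromhex("000000000000000000000003"), "SHA"))
```

Note that the localization does not rescue a weak password: Ku is a deterministic function of the password alone, so a short or guessable password can still be brute-forced from a captured authenticated message.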
Chapter 17: SNMPv3 Configuration The AT-S62 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. There are two ways to specify a MIB view. You can enter the OID number of the MIB view or its equivalent text name. For example, to specify MIBs in the Internet view, you can enter the OID format “1.3.6.1” or the text name “internet.” In addition, you can define a MIB view that the user can access or a MIB view that the user cannot access.
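The include/exclude view logic can be checked offline before it is typed into the View Table. The Python script below is an added example and not the switch's own code; it accepts the text names and dotted OIDs the way the guide describes and decides access by the longest matching subtree, which is the rule RFC 3415 gives for vacmViewTreeFamily entries. "internet" is the name the guide cites; the other names in the table are the standard SMI names for its children. The view itself and the enterprise OID it is tested against are constructed for the example, and subtree masks and the equal-length tie-break are omitted.

```python
# Standard SMI names. "internet" is the one the guide cites; the rest are the
# usual names of its children and are included only so the example reads naturally.
WELL_KNOWN = {
    "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "private": "1.3.6.1.4",
    "enterprises": "1.3.6.1.4.1",
    "snmpV2": "1.3.6.1.6",
}


def to_oid(name_or_oid):
    """Accept either a text name or a dotted OID, as the View Table menu does."""
    dotted = WELL_KNOWN.get(name_or_oid, name_or_oid)
    return tuple(int(x) for x in dotted.strip(".").split("."))


class MibView:
    """A MIB view: an ordered set of included/excluded subtrees (RFC 3415 vacmViewTreeFamily)."""

    def __init__(self):
        self.entries = []   # (subtree tuple, included: bool)

    def include(self, subtree):
        self.entries.append((to_oid(subtree), True))
        return self

    def exclude(self, subtree):
        self.entries.append((to_oid(subtree), False))
        return self

    def allows(self, oid):
        """The matching subtree with the most sub-identifiers decides; no match means no access.
        Subtree masks and the RFC's tie-break for equal-length matches are not modelled."""
        target = to_oid(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


def read_only_view():
    """Constructed view: the whole internet subtree minus the private (enterprise) branch."""
    return MibView().include("internet").exclude("private")


if __name__ == "__main__":
    view = read_only_view()
    for oid in ("1.3.6.1.2.1.1.5.0",      # sysName.0, under mib-2
                "1.3.6.1.4.1.99999.1",    # a made-up enterprise object, under private
                "system"):
        print(oid, "allowed" if view.allows(oid) else "denied")
```

The deciding detail is that "exclude private" wins over "include internet" for anything under 1.3.6.1.4 because it matches with more sub-identifiers, not because it was entered later; entering the two rows in the opposite order gives the same result.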
AT-S62 User’s Guide To determine the destination of the message, you configure the IP address of the host. This configuration is similar to the SNMPv1 and SNMPv2c configuration.
Chapter 17: SNMPv3 Configuration First, you create a user in the Configure SNMPv3 User Table. Then you define the MIB view this user has access to in the Configure SNMPv3 View Table. To configure a security group and associate a MIB view to a security group, you configure the Configure SNMPv3 Access Table. Finally, configure the Configure SNMPv3 SecurityToGroup Menu to associate a user to a security group. See Figure 69 for an illustration of how the user configuration tables are linked.
AT-S62 User’s Guide See Figure 70 for an illustration of how the message notification tables are linked.
Chapter 17: SNMPv3 Configuration SNMPv3 User Table The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With an authentication protocol configured, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
AT-S62 User’s Guide SNMPv3 SecurityToGroup Table The Configure SNMPv3 SecurityToGroup Table Menu allows you to associate a User Name with a security group called a Group Name. The User Name is previously configured with the Configure SNMPv3 User Table Menu. The security group is previously configured with the Configure SNMPv3 Access Table Menu. Lastly, you can configure a storage type for this table entry which allows you to save the entry to flash memory.
Chapter 17: SNMPv3 Configuration SNMPv3 Community Table The Configure SNMPv3 Community Table Menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table. See Configuring the SNMPv3 Community Table on page 309. Note Allied Telesyn recommends that you use the procedures described in Chapter 5: SNMPv1 and SNMPv2c Configuration on page 81 to configure the SNMPv1 and SNMPv2c protocols.
Configuring the SNMPv3 Protocol
This section describes how to configure the SNMPv3 protocol using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the SNMPv3 Overview on page 223. In order to allow an NMS to access the switch, you need to enable SNMP access.
Configuring the SNMPv3 User Table
This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in the SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table Menu is shown in Figure 71.
[Figure 71: Configure SNMPv3 Table Menu on the AT-8524M (User: Manager), menu options 1 to 9, the first being SNMP Engine]
5. To create a new user table entry, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:
Enter User (Security) Name:
6. Enter a descriptive name for the user. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed:
Enter Authentication Protocol [M-MD5, S-SHA, N-None]:
7. Enter one of the following:
M-MD5 This value represents the MD5 authentication protocol.
Note
If you have the non-encrypted version of the AT-S62 software, the Privacy Protocol field is read-only.
Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
9. Select one of the following options:
D-DES Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 User Table entry takes effect immediately.
12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 User Table Entry
You may want to delete an entry from the SNMPv3 User Table. When you delete an entry in the SNMPv3 User Table, there is no way to undelete or recover it.
Modifying the Authentication Protocol and Password
To modify the Authentication Protocol and Password in an SNMPv3 User Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71. 2. From the Configure SNMPv3 Table Menu, type 2 to select Configure SNMPv3 User Table.
6. Enter one of the following:
M-MD5 This value represents the MD5 authentication protocol. With this selection, users are authenticated with the MD5 authentication protocol after a message is received. This algorithm generates the message digest. The user is authenticated when the authentication protocol checks the message digest. With the MD5 selection, you can configure a Privacy Protocol.
S-SHA This value represents the SHA authentication protocol.
Modifying the Privacy Protocol and Password
To modify the Privacy Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.
Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71. 2.
7. Enter a privacy password of up to 32 alphanumeric characters. The following prompt is displayed:
Re-enter Authentication password:
8. Re-enter the password. 9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Storage Type
To modify the Storage Type in an SNMPv3 User Table entry, perform the following procedure. 1.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory. After making changes to an SNMPv3 User Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 View Table
This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters:
❑ Subtree OID
❑ Subtree Mask
❑ MIB OID Table View
To configure the SNMPv3 View Table, you need to be very familiar with the MIB tree. You can be very specific about the view a user can or cannot access—down to a column or row of the tree.
The Configure SNMPv3 View Table Menu is shown in Figure 74.
[Figure 74: Configure SNMPv3 View Table Menu; fields View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status; the sample row has View Name internet and Subtree OID 1.3.6.]
The following prompt is displayed:
Enter Subtree Mask (Hex format):
6. Enter a subtree mask. This is an optional parameter that further refines the value in the View Subtree parameter. The mask is a bit mask that you enter in hexadecimal format. The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subtree Mask parameter depends on the subtree you select.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 View Table Entry
You may want to delete an entry from the SNMPv3 View Table. After you delete an SNMPv3 View Table entry, there is no way to undelete or recover it. To delete an entry in the SNMPv3 View Table, perform the following procedure: 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234.
Modifying an SNMPv3 View Table Entry
This section describes how to modify parameters in an SNMPv3 View Table entry. See the following procedures:
❑ Modifying a Subtree Mask on page 248
❑ Modifying a View Type on page 250
❑ Modifying a Storage Type on page 251
Modifying a Subtree Mask
To modify the Subtree Mask parameter in an SNMPv3 View Table entry, perform the following procedure. 1.
The Modify SNMPv3 View Table Menu is shown in Figure 75.
[Figure 75: Modify SNMPv3 View Table Menu; fields View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status; the sample row has View Name tcp and Subtree OID 1.3.6.1.2.1.]
The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subtree Mask parameter depends on the subtree you select. See RFC 2575 for detailed information about defining a subtree mask. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
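How the Subtree OID, hex Subtree Mask and View Type of View Table entries combine to decide what a view can see is easiest to follow in code. The following is an added example, not code from this guide or from the switch; the view names, OIDs and masks in it are constructed for illustration, and it follows the RFC 2575 matching rule (longest matching subtree wins, ties go to the greatest mask), including a mask that limits a view to one row of ifTable.

```python
"""VACM view family matching, as used by the SNMPv3 View Table (RFC 2575).

Added example, not code from the AT-S62 guide or switch: shows how a View
Name's Subtree OID, hex Subtree Mask and View Type (Included/Excluded) decide
whether an OID is visible. All table entries below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(hex_text: str, subtree_len: int) -> Tuple[bool, ...]:
    """Expand a hex mask ('ff:b0', 'ffb0' or '') into one flag per sub-identifier.

    Flag i is True when sub-identifier i of the OID must equal the subtree and
    False when that position is a wildcard. Bits beyond the end of the mask
    count as 1 (exact match), so an empty mask means "the whole subtree".
    """
    bits: List[bool] = []
    for ch in hex_text.replace(":", "").replace(" ", ""):
        nibble = int(ch, 16)
        bits.extend(bool(nibble & (1 << (3 - k))) for k in range(4))
    bits = bits[:subtree_len]
    bits.extend([True] * (subtree_len - len(bits)))
    return tuple(bits)


@dataclass(frozen=True)
class ViewFamily:
    """One SNMPv3 View Table entry."""
    view_name: str
    subtree: OID
    mask_hex: str
    included: bool          # View Type: True = Included, False = Excluded

    @property
    def mask(self) -> Tuple[bool, ...]:
        return parse_mask(self.mask_hex, len(self.subtree))

    def matches(self, oid: OID) -> bool:
        """An OID matches when it is at least as long as the subtree and agrees
        with it at every position whose mask bit is 1."""
        if len(oid) < len(self.subtree):
            return False
        return all(not exact or oid[i] == self.subtree[i]
                   for i, exact in enumerate(self.mask))


def oid_in_view(view_name: str, oid: OID, table: List[ViewFamily]) -> bool:
    """RFC 2575 rule: of the entries of this view that match, the one with the
    longest subtree wins (ties: greatest mask); its View Type decides."""
    matching = [f for f in table if f.view_name == view_name and f.matches(oid)]
    if not matching:
        return False
    best = max(matching, key=lambda f: (len(f.subtree), f.mask))
    return best.included


# Constructed View Table: everything under internet except tcpConnTable, plus a
# view limited to the ifTable row with ifIndex 2. Mask ff:b0 = 1111 1111 1011
# wildcards the column sub-identifier (position 10) and pins the index (11).
VIEW_TABLE = [
    ViewFamily("internet", parse_oid("1.3.6.1"), "f0", True),
    ViewFamily("internet", parse_oid("1.3.6.1.2.1.6.13"), "ff", False),
    ViewFamily("if2", parse_oid("1.3.6.1.2.1.2.2.1.1.2"), "ff:b0", True),
]

if __name__ == "__main__":
    for view, oid in [("internet", "1.3.6.1.2.1.1.1.0"),            # sysDescr.0
                      ("internet", "1.3.6.1.2.1.6.13.1.1.10.0.0.1.80.10.0.0.2.1234"),
                      ("if2", "1.3.6.1.2.1.2.2.1.10.2"),            # ifInOctets.2
                      ("if2", "1.3.6.1.2.1.2.2.1.10.3")]:           # ifInOctets.3
        print(f"{view:8} {oid:48} {oid_in_view(view, parse_oid(oid), VIEW_TABLE)}")
```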
The following prompt is displayed:
Enter View Type [I-Included, E-Excluded]:
7. Choose one of the following view types:
I - Included Enter this value to permit the View Name to see the subtree specified above.
E - Excluded Enter this value to prevent the View Name from seeing the subtree specified above.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
7. Select one of the following storage types for this table entry:
V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 View Table to the configuration file. After making changes to an SNMPv3 View Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See Creating an SNMPv3 SecurityToGroup Table Entry on page 268.
The Configure SNMPv3 Access Table Menu is shown in Figure 76.
[Figure 76: Configure SNMPv3 Access Table Menu; fields Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status; the sample row has Group Name softwareengineering, Read View internet, Write View tcp and Notify View tcp]
Note
The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Select one of the following SNMP protocols as the Security Model for this Group Name.
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Enter Read View Name:
7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. A Read View Name allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Access Table entry will take effect immediately.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Access Table Entry
You may want to delete an entry from the SNMPv3 Access Table. After you delete an SNMPv3 Access Table entry, there is no way to undelete or recover it.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter the Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
6. Enter the Security Level of this Group Name. Select one of the following Security Levels:
N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
Modifying an SNMPv3 Access Table Entry
This section describes how to modify parameters in an SNMPv3 Access Table entry. For each entry in the SNMPv3 Access Table, you can modify the following parameters:
❑ Read View Name
❑ Write View Name
❑ Notify View Name
❑ Storage Type
Configure the values of the Read View Name, Write View Name, and Notify View Name parameters with values previously configured with the View Name parameter in the SNMPv3 View Table.
The Modify SNMPv3 Access Table is shown in Figure 77.
[Figure 77: Modify SNMPv3 Access Table Menu; fields Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status, with Set options 1 to 4; the sample row has Group Name sales, Read View systemmanagers, Write View salespeople and Notify View salespeople]
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Select one of the following security levels:
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Write View Name
To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Notify View Name
To modify the Notify View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table Menu while the Group Name is configured in the Configure SNMPv3 Access Table Menu.
The Configure SNMPv3 SecurityToGroup Table Menu is shown in Figure 78.
[Figure 78: Configure SNMPv3 SecurityToGroup Table Menu; fields Security Model, Security Name, Group Name, Storage Type, Row Status]
The following prompt is displayed:
Enter Group Name:
6. Enter a Group Name that you configured in the SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 253. There are four default values for this field:
❑ defaultV1GroupReadOnly
❑ defaultV1GroupReadWrite
❑ defaultV2cGroupReadOnly
❑ defaultV2cGroupReadWrite
These values are reserved for SNMPv1 and SNMPv2c implementations.
Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete or recover it. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure: 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
6. Enter Y to delete this SecurityToGroup entry or N to save it. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 SecurityToGroup Table Entry
This section describes how to modify parameters in an SNMPv3 SecurityToGroup Table entry.
The Modify SecurityToGroup Table is displayed as shown in Figure 78.
[Figure: Modify SNMPv3 SecurityToGroup Table Menu; fields Security Model, Security Name, Group Name, Storage Type, Row Status]
3-v3 Select this value to associate the User Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 253. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following SNMP protocols:
1-v1 Select this value if this User Name is configured with the SNMPv1 protocol.
2-v2c Select this value if this User Name is configured with the SNMPv2c protocol.
3-v3 Select this value if this User Name is configured with the SNMPv3 protocol.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7.
Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table Menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table Menu allows you to define a name for sending traps. In each Notify Table entry, you define if the switch sends a trap or an inform message. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table Menu is shown in Figure 80.
[Figure 80: Configure SNMPv3 Notify Table Menu; fields Notify Name, Notify Tag, Notify Type, Storage Type, Row Status]
I-Inform Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the authoritative entity.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7. Select one of the following storage types for this table entry:
V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
Note
To display a Notify Name and its associated parameters from the Configure SNMPv3 Notify Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Notify Name:
4. Enter a Notify Name. The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
5.
The Modify SNMPv3 Notify Table Menu is displayed as shown in Figure 81.
[Figure 81: Modify SNMPv3 Notify Table Menu; fields Notify Name, Notify Tag, Notify Type, Storage Type, Row Status]
Modifying a Notify Type
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Modifying a Storage Type
To modify the Storage Type parameter in an SNMPv3 Notify Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Configuring the SNMPv3 Target Address Table
This section contains a description of the SNMPv3 Target Address Table Menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table Menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table Menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.
Creating an SNMPv3 Target Address Table Entry
To create an entry in the Configure SNMPv3 Target Address Table Menu, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
Use the following format for an IP address: XXX.XXX.XXX.XXX
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. The following prompt is displayed:
Enter Timeout (10mS): [0 to 2147483647]-> 1500
7. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch.
This name can consist of up to 32 alphanumeric characters. The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table. The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
11.
The Configure SNMPv3 Target Address Table Menu is shown in Figure 84 on page 297.
Note
To display a Target Address Name and its associated parameters from the Configure SNMPv3 Target Address Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Target Address Name:
4. Enter a Target Address Name.
Modifying a Target IP Address
To modify the target IP address in an SNMPv3 Target Address Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
4. To change the Target IP Address, type 1 to select Set Target IP Address. The following prompt is displayed:
Enter Target Address Name:
5. Enter a previously configured Target Address Name. This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed:
Enter IP Address:
6. Enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the number of times the switch will retry, or resend, the Inform message. The range is 0 to 255 retries. The default is 3 retries. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Tag List
To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure. 1.
Modifying the Target Parameters Field
To modify the Target Parameters field in an SNMPv3 Target Address Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure. 1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235. 2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 Target Parameters Table
This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table Menu and Configure SNMPv3 Target Address Table Menu.
There are three functions you can perform with the Configure SNMPv3 Target Parameters Table Menu.
❑ Creating an SNMPv3 Target Parameters Table Entry on page 297
❑ Deleting an SNMPv3 Target Parameters Table Entry on page 300
❑ Modifying an SNMPv3 Target Parameters Table Entry on page 301
Creating an SNMPv3 Target Parameters Table Entry
To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure. 1.
3. To create an SNMPv3 Target Parameters Table entry, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:
Enter Target Parameters Name:
4. Enter a name for the Target Parameters entry. Enter a value of up to 32 alphanumeric characters.
Note
You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
7. Select one of the following Security Levels:
Note
The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 234.
N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Target Parameters Table entry will take effect immediately.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5. Enter Y to delete the SNMPv3 Target Parameters Table entry or N to save it. 6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 Target Parameters Table Entry
This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables.
Note
You cannot modify an entry in the SNMPv3 Target Parameter Table that contains a value of “default” in the Target Parameters Name field.
Modifying the Security Name (User Name)
In the AT-S62 implementation of the SNMPv3 protocol, the Security Name and the User Name parameters are equivalent. In the SNMPv3 Target Parameters Table Menu, the Security Name and the User Name parameters are used interchangeably.
The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 85.
[Figure 85: Modify SNMPv3 Target Parameters Table Menu; fields Target Parameters Name, Message Processing Model, Security Model, Security Name, Security Level, Storage Type, Row Status]
Modifying the Security Model
For the Security or User Name you have selected, the value of the Security Model parameter in an SNMPv3 Target Parameter Table entry must match the value of the Security Model parameter in the SNMPv3 Access Table entry.
Caution
If the values of the Security Model parameter in the SNMPv3 User Table and the SNMPv3 Target Parameter Table entry do not match, notification messages are not generated on behalf of this User (Security) Name.
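The Security Level note above and this Security Model caution are the two mismatches that silently stop notifications, and the User, SecurityToGroup, Access, View, Target Parameters, Target Address and Notify tables also have to reference each other by exact name. The script below is an added example, not code from this guide or from the switch: it models those tables as plain records and reports every dangling or mismatched reference before the configuration is saved. The user, group, view and target names in it are constructed.

```python
"""Cross-table consistency check for the AT-S62 SNMPv3 tables.

Added example, not code from the guide or the switch: reports dangling names
and Security Model / Security Level mismatches between the User,
SecurityToGroup, Access, View, Target Parameters, Target Address and Notify
tables. All entries in example_config() are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

V3 = 3                           # Security Model values: 1 = v1, 2 = v2c, 3 = v3


@dataclass
class User:                      # SNMPv3 User Table entry
    name: str
    auth: Optional[str] = None   # "MD5", "SHA" or None
    priv: Optional[str] = None   # "DES" or None; requires auth

    def level(self) -> str:
        """Security Level implied by the protocols configured for the user."""
        if self.auth is None:
            return "NoAuthNoPriv"
        return "AuthPriv" if self.priv else "AuthNoPriv"


@dataclass
class Access:                    # SNMPv3 Access Table entry (a security group)
    group: str
    model: int
    level: str
    read_view: str
    write_view: str
    notify_view: str


@dataclass
class SecurityToGroup:           # links a Security (User) Name to a Group Name
    model: int
    security_name: str
    group: str


@dataclass
class TargetParams:              # SNMPv3 Target Parameters Table entry
    name: str
    model: int
    security_name: str
    level: str


@dataclass
class TargetAddress:             # SNMPv3 Target Address Table entry
    name: str
    ip: str
    tag_list: List[str]
    target_params: str
    udp_port: int = 162
    timeout_ms: int = 1500
    retries: int = 3


def check(users: List[User], views: List[str], access: List[Access],
          s2g: List[SecurityToGroup], params: List[TargetParams],
          targets: List[TargetAddress], notify_tags: List[str]) -> List[str]:
    """Return one message per inconsistency; an empty list means the tables link up."""
    problems: List[str] = []
    by_user = {u.name: u for u in users}
    by_group = {a.group: a for a in access}
    link = {(s.model, s.security_name): s for s in s2g}
    by_params = {p.name: p for p in params}

    for u in users:
        if u.priv and not u.auth:
            problems.append(f"user {u.name}: privacy requires an authentication protocol")
        if (V3, u.name) not in link:
            problems.append(f"user {u.name}: no SecurityToGroup entry, belongs to no group")
    for s in s2g:
        if s.model == V3 and s.security_name not in by_user:
            problems.append(f"SecurityToGroup {s.security_name}: user not in User Table")
        if s.group not in by_group:
            problems.append(f"SecurityToGroup {s.security_name}: group {s.group} not in Access Table")
        elif by_group[s.group].model != s.model:
            problems.append(f"SecurityToGroup {s.security_name}: model differs from group {s.group}")
    for a in access:
        for kind, view in (("read", a.read_view), ("write", a.write_view), ("notify", a.notify_view)):
            if view and view not in views:
                problems.append(f"group {a.group}: {kind} view {view} not in View Table")
        if a.model != V3 and a.level != "NoAuthNoPriv":
            problems.append(f"group {a.group}: only v3 groups can require authentication or privacy")
    for p in params:
        u = by_user.get(p.security_name)
        if p.model == V3 and u is None:
            problems.append(f"target params {p.name}: user {p.security_name} not in User Table")
        elif p.model == V3 and p.level != u.level():
            problems.append(f"target params {p.name}: level {p.level}, user is {u.level()}")
        if (p.model, p.security_name) not in link:
            problems.append(f"target params {p.name}: model {p.model} does not match SecurityToGroup")
    for t in targets:
        if t.target_params not in by_params:
            problems.append(f"target {t.name}: target params {t.target_params} not found")
        if not set(t.tag_list) & set(notify_tags):
            problems.append(f"target {t.name}: no tag in tag list matches a Notify Table entry")
        if not (0 <= t.udp_port <= 65535 and 0 <= t.retries <= 255
                and 0 <= t.timeout_ms <= 2147483647):
            problems.append(f"target {t.name}: UDP port, retries or timeout out of range")
    return problems


def example_config():
    """Constructed, consistent set of tables: user 'monitor' (MD5 + DES) in v3 group
    'ops', with AuthPriv target parameters sending to one trap receiver."""
    users = [User("monitor", auth="MD5", priv="DES")]
    views = ["internet"]
    access = [Access("ops", V3, "AuthPriv", "internet", "", "internet")]
    s2g = [SecurityToGroup(V3, "monitor", "ops")]
    params = [TargetParams("nms-params", V3, "monitor", "AuthPriv")]
    targets = [TargetAddress("nms", "192.0.2.10", ["nmstag"], "nms-params")]
    return users, views, access, s2g, params, targets, ["nmstag"]


if __name__ == "__main__":
    print(check(*example_config()) or "tables are consistent")
```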
2-v2c Select this value if this User Name is associated with the SNMPv2c protocol.
3-v3 Select this value if this User Name is associated with the SNMPv3 protocol.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following Security Levels:

Note: The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 234.

N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
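The matching rules stated in the last three sections (Security Model against the Access Table and the User Table, Security Level against the User Table) are easy to get wrong across four menus, and the symptom is silent: no notifications for that user. The following added example, which is not part of the manual, checks a set of constructed table contents against those rules; the table layouts are simplified assumptions, not the switch's own data structures.

```python
# Added example (not from the AT-S62 manual): a consistency check for the
# cross-table rules stated for SNMPv3 Target Parameters Table entries.
# All table contents below are constructed sample data.

SECURITY_MODELS = {1: "v1", 2: "v2c", 3: "v3"}
SECURITY_LEVELS = {"N": "NoAuthNoPriv", "A": "AuthNoPriv", "P": "AuthPriv"}

# Constructed SNMPv3 User Table: user (security) name -> model and level.
USER_TABLE = {
    "ops_monitor": {"model": 3, "level": "P"},
    "legacy_ro":   {"model": 2, "level": "N"},
}
# Constructed Access Table, simplified to the (security name, model) pairs
# that have an access entry.
ACCESS_TABLE = {("ops_monitor", 3), ("legacy_ro", 2)}
# Constructed Target Parameters Table: entry name -> parameters.
TARGET_PARAMS = {
    "default":      {"security_name": "default", "model": 3, "level": "N"},
    "to_nms_ok":    {"security_name": "ops_monitor", "model": 3, "level": "P"},
    "to_nms_model": {"security_name": "ops_monitor", "model": 2, "level": "P"},
    "to_nms_level": {"security_name": "ops_monitor", "model": 3, "level": "A"},
    "to_nobody":    {"security_name": "ghost", "model": 3, "level": "N"},
}


def check_target_params(target_params, user_table, access_table):
    """Return (entry name, problem) pairs for entries whose values do not
    match the other tables and therefore will not produce notifications."""
    problems = []
    for name, tp in target_params.items():
        if name == "default":
            continue  # the switch's own entry; it cannot be modified
        user = user_table.get(tp["security_name"])
        if user is None:
            problems.append((name, "security name has no User Table entry"))
            continue
        if user["model"] != tp["model"]:
            problems.append((name, "security model differs from User Table"))
        if (tp["security_name"], tp["model"]) not in access_table:
            problems.append((name, "security model differs from Access Table"))
        if user["level"] != tp["level"]:
            problems.append((name, "security level differs from User Table"))
    return problems


if __name__ == "__main__":
    for entry, problem in check_target_params(TARGET_PARAMS, USER_TABLE, ACCESS_TABLE):
        print(f"{entry}: {problem}")
```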
The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235.

2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 84.

3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 85 on page 303.

4.
2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 84.

3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 85 on page 303.

4. To modify the Storage Type, type 5 to select Storage Type.
Configuring the SNMPv3 Community Table

This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities. Instead, use the procedures described in Chapter 5: SNMPv1 and SNMPv2c Configuration on page 81.
For each SNMPv3 Community Table entry, you can configure the following parameters:

❑ Community Index
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type

In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community Menu in the Configure SNMPv3 Community Table Menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table Menu.
The Configure SNMPv3 Community Table Menu is shown in Figure 86.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                         00:14:33 15-Jan-2004

    Configure SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................
The following prompt is displayed:

    Enter Security Name:

6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters.

Note: Do not use a value configured with the User Name parameter in the SNMPv3 User Table.

The following prompt is displayed:

    Enter Transport Tag:

7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 Community Table Entry

You may want to delete an entry from the SNMPv3 Community Table. When you delete an entry in the SNMPv3 Community Table, there is no way to undelete or recover it. To delete an entry in the SNMPv3 Community Table, perform the following procedure:

1.
Modifying an SNMPv3 Community Table Entry

For each entry in the SNMPv3 Community Table, you can modify the following parameters:

❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type

However, you cannot modify the Community Index parameter.
The Modify SNMPv3 Community Table Menu is shown in Figure 87.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                         00:14:33 15-Jan-2004

    Modify SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................
Modifying the Security Name

To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:

1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 234. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 71 on page 235.

2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table.
2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table Menu is shown in Figure 86 on page 311.

3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 87 on page 315.

4. To change the Transport Tag, type 3 to select Set Transport Tag. The following prompt is displayed:

    Enter Community Index:

5.
The following prompt is displayed:

    Enter Community Index:

5. Enter the Community Index of the entry whose Storage Type you want to change. The following prompt is displayed:

    Enter Storage type [V-volatile, N-NonVolatile]:

6. Select one of the following storage types for this table entry:

V - Volatile  Select this storage type if you do not want the ability to save an entry in the SNMPv3 Community Table to the configuration file.
Displaying SNMPv3 Table Menus

The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table Menu is shown in Figure 88.
Displaying the Display SNMPv3 View Table Menu

This section describes how to display the Display SNMPv3 View Table Menu. For information about the SNMPv3 View Table parameters, see Creating an SNMPv3 View Table Entry on page 244. To display the Display SNMPv3 View Table Menu, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 319. Or, from the Main Menu type 5->5->6.

2.
Displaying the Display SNMPv3 Access Table Menu

This section describes how to display the Display SNMPv3 Access Table Menu. For information about the SNMPv3 Access Table parameters, see Creating an SNMPv3 Access Table Entry on page 253. To display the Display SNMPv3 Access Table Menu, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 319. Or, from the Main Menu type 5->5->6.

2.
Displaying the Display SNMPv3 SecurityToGroup Table Menu

This section describes how to display the Display SNMPv3 SecurityToGroup Table Menu. For more information about the parameters in the SNMPv3 SecurityToGroup Table Menu, see Creating an SNMPv3 SecurityToGroup Table Entry on page 268. To display the Display SNMPv3 SecurityToGroup Table Menu, perform the following procedure.

1.
Displaying the Display SNMPv3 Notify Table Menu

This section describes how to display the Display SNMPv3 Notify Table Menu. For information about the SNMPv3 Notify Table parameters, see Creating an SNMPv3 Notify Table Entry on page 276. To display the Display SNMPv3 Notify Table Menu, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 319. Or, from the Main Menu type 5->5->6.

2.
Displaying the Display SNMPv3 Target Address Table Menu

This section describes how to display the Display SNMPv3 Target Address Table Menu. For information about the SNMPv3 Target Address Table parameters, see Creating an SNMPv3 Target Address Table Entry on page 284. To display the Display SNMPv3 Target Address Table Menu, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 319.
Displaying the Display SNMPv3 Target Parameters Table Menu

This section describes how to display the Display SNMPv3 Target Parameters Table Menu. For information about the SNMPv3 Target Parameters Table parameters, see Creating an SNMPv3 Target Parameters Table Entry on page 297. To display the Display SNMPv3 Target Parameters Table Menu, perform the following procedure.

1.
Displaying the Display SNMPv3 Community Table Menu

This section describes how to display the Display SNMPv3 Community Table Menu. For information about the SNMPv3 Community Table parameters, see Creating an SNMPv3 Community Table Entry on page 310. To display the Display SNMPv3 Community Table Menu, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 319. Or, from the Main Menu type 5->5->6.

2.
Section IV Spanning Tree Protocols

The chapters in this section explain the spanning tree protocols.
Chapter 18 Spanning Tree and Rapid Spanning Tree Protocols

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.
Chapter 18: STP and RSTP

STP and RSTP Overview

The performance of an Ethernet network can be severely impaired by the existence of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that data loops pose is that Ethernet packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and can significantly reduce network performance.
Bridge Priority and the Root Bridge

The first task that bridges running spanning tree perform is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network. A root bridge is selected by the bridge priority number, also referred to as the bridge identifier, and sometimes the bridge’s MAC address.
Path Costs and Port Costs

After the root bridge has been selected, the bridges must determine if the network contains redundant paths. If one is found, they must select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.
Table 14 lists the STP port costs with Auto-Detect when a port is part of a port trunk.

Table 14 STP Auto-Detect Port Trunk Costs

    Port Speed    Port Cost
    10 Mbps       4
    100 Mbps      4
    1000 Mbps     2

Table 15 lists the RSTP port costs with Auto-Detect.

Table 15 RSTP Auto-Detect Port Costs

    Port Speed    Port Cost
    10 Mbps       2,000,000
    100 Mbps      200,000
    1000 Mbps     20,000

Table 16 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
Port Priority

If two paths have the same cost, the bridges must choose between them to select a preferred path. In some instances this can involve the use of the port priority parameter. This parameter is used as a tie-breaker when two paths have the same cost. The lower the value, the higher the priority given to the port. The range for port priority is 0 to 240. As with bridge priority, this range is broken into increments, in this case multiples of 16.
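The root bridge election and root port selection described in the preceding sections can be written down as two ordering rules. The following is an added example, not code from the manual or the AT-S62 software; it uses the RSTP Auto-Detect costs of Table 15, assumes that a bridge learns each neighbour's advertised root path cost from the BPDU received on the port, and uses constructed bridge and port data.

```python
# Added example (not from the AT-S62 manual): root bridge election and root
# port selection as described in the text, with the Table 15 RSTP costs.

RSTP_AUTO_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}  # Table 15
STP_TRUNK_COST = {10: 4, 100: 4, 1000: 2}                    # Table 14


def bridge_id(priority, mac):
    """Bridge identifier as a comparable tuple: priority first (multiples of
    4096, 0 to 61,440), then the MAC address as the tie-breaker. Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be 0..61440 in steps of 4096")
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge:
    lowest priority, and among equal priorities the numerically lowest MAC."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def port_priority(increment):
    """Port priority is configured as an increment 0..15 and stored as a
    multiple of 16 (0 to 240); a lower value means a higher priority."""
    if not 0 <= increment <= 15:
        raise ValueError("port priority increment must be 0..15")
    return increment * 16


def select_root_port(ports):
    """ports: list of dicts with 'number', 'speed' (Mbps), 'priority_inc' and
    'root_path_cost' (the cost to the root advertised in the BPDU received on
    that port). The root path cost through a port is the advertised cost plus
    this port's own cost; ties go to the lower port priority, then to the
    lower port number. Returns the chosen port number."""
    def key(port):
        cost = port["root_path_cost"] + RSTP_AUTO_COST[port["speed"]]
        return (cost, port_priority(port["priority_inc"]), port["number"])
    return min(ports, key=key)["number"]


if __name__ == "__main__":
    # Constructed sample: A and B share the default priority, so B's lower
    # MAC wins; C has the lowest MAC but a worse priority.
    bridges = {"A": (32768, "00:11:22:33:44:55"),
               "B": (32768, "00:11:22:33:44:01"),
               "C": (36864, "00:00:00:00:00:01")}
    print("root bridge:", elect_root(bridges))
    ports = [{"number": 1, "speed": 100, "priority_inc": 8, "root_path_cost": 20_000},
             {"number": 2, "speed": 1000, "priority_inc": 8, "root_path_cost": 200_000},
             {"number": 3, "speed": 1000, "priority_inc": 4, "root_path_cost": 200_000}]
    print("root port:", select_root_port(ports))
```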
To forestall the formation of temporary data loops during topology changes, a port designated to change from blocking to forwarding passes through two additional states—listening and learning—before it begins to forward frames. The amount of time a port spends in these states is set by the forwarding delay value. This value states the amount of time that a port spends in the listening and learning states prior to changing to the forwarding state.
Point-to-Point Ports and Edge Ports

Note: This section applies only to RSTP and MSTP.

Part of the task of configuring RSTP is defining the port types on the bridge. This relates to the device(s) connected to the port. With the port types defined, RSTP can reconfigure a network much quicker than STP when a change in network topology is detected.
If a port is operating in half-duplex mode and is not connected to any further bridges participating in STP or RSTP, then the port is an edge port. Figure 98 illustrates an edge port on an AT-8524M switch. The port is connected to an Ethernet hub, which in turn is connected to a series of Ethernet workstations. This is an edge port because it is connected to a device operating at half-duplex mode and there are no participating STP or RSTP devices connected to it.
Mixed STP and RSTP Network

RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain. There is no reason not to activate RSTP on an AT-8524M switch even when all other switches are running STP. The switch can combine its RSTP with the STP of the other switches. The switch monitors the traffic on each port for BPDU packets.
You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports. (For information on tagged and untagged ports, refer to Chapter 20, Tagged and Port-based Virtual LANs on page 385.) Another approach is to use the Multiple Spanning Tree Protocol, explained in Chapter 19 on page 352, which allows you to create multiple spanning trees within a network.
Enabling or Disabling a Spanning Tree Protocol

The AT-S62 software supports STP, RSTP, and MSTP. (MSTP is explained in Chapter 19 on page 352.) Only one spanning tree protocol can be active on the switch at a time. Before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.
4. If you selected STP as the active spanning tree protocol, go to Configuring STP on page 342 for further instructions. If you selected RSTP, go to Configuring RSTP on page 347. If you selected MSTP, go to Chapter 19 on page 352.

Note: Once you have configured the spanning tree parameters, perform Steps 5 through 7 to enable spanning tree.

5. To enable or disable spanning tree, type 1 to select Spanning Tree Status.
Configuring STP

This section contains the following procedures:

❑ Configuring STP Bridge Settings, next
❑ Configuring STP Port Settings on page 344

Configuring STP Bridge Settings

This section contains the procedure for configuring a bridge’s STP settings.

Caution: The default STP parameters are adequate for most networks. Changing them without prior experience and an understanding of how STP works might have a negative effect on your network. You should consult the IEEE 802.
2. Adjust the bridge STP settings as needed. The parameters are described below.

1 - Bridge Priority  The priority number for the bridge. This number is used to determine the root bridge for RSTP. The bridge with the lowest priority number is selected as the root bridge. If two or more bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge.
3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

4. To change STP port settings, go to the next procedure.

Configuring STP Port Settings

To adjust STP port parameters, perform the following procedure:

1. From the Spanning Tree Configuration menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 102 on page 342.

2. From the STP Menu, type P to select STP Port Parameters.
The Configure STP Port Settings menu is shown in Figure 104.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                         11:20:02 02-Jan-2004

    Configure STP Port Settings

    Configuring Ports 4-4

    1 - Port Priority ..... 128
    2 - Port Cost ......... Automatic-Update

    R - Return to Previous Menu

    Enter your selection?

Figure 104 Configure STP Port Settings Menu

6. Adjust the settings as desired. The parameters are described below.
Displaying STP Port Settings

To display STP port settings, perform the following procedure:

1. From the Spanning Tree Configuration menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 102 on page 342.

2. From the STP Menu, type P to select STP Port Parameters. The STP Port Parameters menu is shown in Figure 103 on page 344.

3. From the STP Port Parameters menu, type 2 to select Display STP Port Configuration.
Configuring RSTP

This section contains the following procedures:

❑ Configuring RSTP Bridge Settings, next
❑ Configuring RSTP Port Settings on page 349

Configuring RSTP Bridge Settings

This section contains the procedure for configuring a bridge’s RSTP settings.

Caution: The default RSTP parameters are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network. You should consult the IEEE 802.
2. Adjust the parameters as needed. The parameters are defined below.

1 - Force Version  This selection determines whether the bridge will operate with RSTP or in an STP-compatible mode. If you select RSTP, the bridge will operate all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge will operate in RSTP, using the RSTP parameter settings, but it will send only STP BPDU packets out the ports.
6 - Bridge Identifier  The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed.

3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Configuring RSTP Port Settings

To adjust RSTP port parameters, perform the following procedure:

1.
The Configure RSTP Port Settings menu is shown in Figure 108.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                         11:20:02 02-Jan-2004

    Configure RSTP Port Settings

    Configuring Ports 4-4

    1 - Port Priority ...... 128
    2 - Port Cost .......... Automatic Update
    3 - Point-to-Point ..... Auto Detect
    4 - Edge Port .......... Yes

    R - Return to Previous Menu

    Enter your selection?

Figure 108 Configure RSTP Port Settings Menu

6. Adjust the settings as needed.
Displaying Port RSTP Status

The RSTP Port Parameters menu has two selections for displaying a variety of RSTP port information. The two menu selections are discussed below.

2 - Display RSTP Port Configuration  This selection displays a menu that contains the current port settings for the following RSTP parameters:

Port - The port number.

Edge-Port - Whether or not the port is operating as an edge port. The possible settings are Yes and No.
Chapter 19 Multiple Spanning Tree Protocol

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The chapter also explains how to adjust spanning tree bridge and port parameters.
MSTP Overview

As explained in the previous chapter, STP and RSTP are single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state. As explained in Spanning Tree and VLANs on page 338, activating STP or RSTP can result in VLAN fragmentation when VLANs that span multiple bridges are interconnected with untagged ports.
Chapter 19: Multiple Spanning Tree Protocol

Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of switches. An AT-8524M switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch comes with a default MSTI with an MSTI ID of 0.
If the switches were running STP or RSTP, one of the links would be blocked because the links constitute a physical loop. Which link would be blocked would depend on the STP or RSTP bridge settings. In the example, the link between the two parts of the Production VLAN is blocked, resulting in a loss of communications between the two parts of the Production VLAN.
Figure 110 illustrates the same two AT-8524M switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned to different spanning tree instances. Both links remain active now that they reside in different MSTIs, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 111 where there are two AT-8524M switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines

Here are several guidelines to keep in mind about MSTIs:

❑ An AT-8524M can support up to 16 spanning tree instances, including the CIST, at a time.
❑ An MSTI can contain any number of VLANs.
❑ A VLAN can belong to only one MSTI at a time.
❑ A switch port can belong to more than one spanning tree instance at a time. This allows you to assign a port as a tagged and untagged member of VLANs that belong to different MSTIs.
The revision level is an arbitrary number you assign to a region. You can use the number to keep track of the revision level of a region’s configuration. For example, you might use this value to maintain the number of times you revise a particular MSTP region. It is not important that you maintain this number, only that each bridge in a region has the same number. The bridges of a particular region must also have the same VLANs.
Figure 112 illustrates the concept of regions. It shows one MSTP region consisting of two AT-8524M switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The AT-8524M switch determines regional boundaries by examining the MSTP BPDUs received on the ports. A port that receives an MSTP BPDU from another bridge with regional information different from its own is considered to be a boundary port and the bridge connected to the port as belonging to another region. The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region.
❑ The regional root of an MSTI must be in the same region as the MSTI.

Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. First, you cannot delete this instance and you cannot change its MSTI ID.
MSTP with STP and RSTP

MSTP is fully compatible with STP and RSTP. If a port on an AT-8524M running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs since RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered a boundary port of the MSTP region and the bridge as belonging to a different region. An MSTP region can be considered as a virtual bridge.
❑ An MSTI cannot span multiple regions.
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address.
❑ The regional root of an MSTI must be in the same region as the MSTI.
❑ The CIST must have a regional root for communicating with other regions and single-instance spanning trees.
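The region rules (same configuration name, revision level and VLAN-to-MSTI associations), the MSTI guidelines, and the boundary port behaviour toward STP and RSTP neighbours described in the sections above can be checked before two switches are cabled together. The following is an added example and not code from the manual; the region identity tuple and the BPDU dictionaries are my own simplified representation, not the switch's or the 802.1s BPDU format.

```python
# Added example (not from the AT-S62 manual): MSTP region identity, MSTI
# guideline checks, and boundary port classification as described in the
# text. Region and BPDU data are constructed and simplified.

MAX_INSTANCES = 16   # spanning tree instances per switch, including the CIST
CIST = 0             # the default instance, MSTI ID 0


def validate_vlan_map(vlan_to_msti):
    """vlan_to_msti: {vid: msti_id}. Enforces the MSTI guidelines: IDs are
    0..15 and there are at most 16 instances including the CIST. A dict
    already guarantees that a VLAN belongs to only one MSTI."""
    instances = set(vlan_to_msti.values()) | {CIST}
    out_of_range = sorted(m for m in instances if not 0 <= m <= 15)
    if out_of_range:
        raise ValueError(f"MSTI IDs out of range: {out_of_range}")
    if len(instances) > MAX_INSTANCES:
        raise ValueError("more than 16 spanning tree instances")
    return True


def region_identity(name, revision, vlan_to_msti):
    """Two bridges are in the same region only if the configuration name
    (case-sensitive), the revision level and the VLAN-to-MSTI associations
    all match. Returns a comparable tuple capturing exactly those three."""
    if len(name) > 32:
        raise ValueError("configuration name is at most 32 characters")
    validate_vlan_map(vlan_to_msti)
    return (name, revision, tuple(sorted(vlan_to_msti.items())))


def classify_port(local_region, received_bpdu):
    """local_region: this bridge's region identity. received_bpdu: a dict
    with 'type' in {'stp', 'rstp', 'mstp'} and, for 'mstp', the sender's
    'region' identity. Returns (is_boundary_port, bpdu_type_to_send)."""
    kind = received_bpdu["type"]
    if kind == "stp":
        return True, "stp"     # STP neighbour: send only STP BPDUs
    if kind == "rstp":
        return True, "mstp"    # RSTP can process MSTP BPDUs
    if kind == "mstp":
        return received_bpdu["region"] != local_region, "mstp"
    raise ValueError(f"unknown BPDU type {kind!r}")


if __name__ == "__main__":
    # Constructed sample: two switches meant to share a region, one of which
    # was configured with a lower-case name.
    here = region_identity("Campus", 3, {10: 1, 20: 1, 30: 2})
    peer = region_identity("campus", 3, {10: 1, 20: 1, 30: 2})
    print(classify_port(here, {"type": "mstp", "region": peer}))
```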
This is illustrated in Figure 113. Port 8 in Switch A is a member of a VLAN assigned to MSTI ID 7 while Port 1 is a member of a VLAN assigned to MSTI ID 10. The BPDUs transmitted by port 8 to Switch B would indicate that the port is a member of both CIST and MSTI 7, while the BPDUs from Port 1 would indicate the port is a member of the CIST and MSTI 10.
A problem can arise if you assign some VLANs to MSTIs while leaving others just to CIST. The problem is illustrated in Figure 114. The network is the same as the previous example. The only difference is that the VLAN containing Port 8 on Switch A has not been assigned to an MSTI, and belongs only to CIST with its MSTI ID 0.
This is illustrated in Figure 115. The example shows two switches, each residing in a different region. Port 5 in Switch A is a boundary port. It is an untagged member of the Accounting VLAN, which has been associated with MSTI 4. Port 15 is a tagged and untagged member of three different VLANs, all associated to MSTI 12. If both switches were a part of the same region, there would be no problem since the ports reside in different spanning tree instances.
Here is an example. Let’s assume that you have two regions that contain the following VLANs:

Region 1 VLANs: Sales, Presales, Marketing, Advertising, Technical Support, Product Management, Project Management, Accounting

Region 2 VLANs: Hardware Engineering, Software Engineering, Technical Support, Product Management, CAD Development, Accounting

The two regions share three VLANs: Technical Support, Product Management, and Accounting.
Configuring MSTP Bridge Settings

This section contains the procedure for configuring a bridge’s MSTP settings.

Note: You cannot configure the MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 340.

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 101 on page 340.

2.
3. Adjust the MSTP settings as needed. Changes are immediately activated on the switch. The selections are described below.

1 - Force Version  This selection determines whether the bridge operates with MSTP or in an STP-compatible mode. If you select MSTP, the bridge operates all ports in MSTP, except for those ports that receive STP or RSTP BPDU packets.
5 - Max Hops  MSTP regions use this parameter to discard BPDUs. The Max Hop counter in a BPDU is decremented every time the BPDU crosses an MSTP region boundary. Once the counter reaches zero, the BPDU is deleted. The range is 1 to 40 hops. The default is 20.

6 - Configuration Name  The name of the MSTP region. The range is 0 (zero) to 32 alphanumeric characters in length. The name, which is case-sensitive, must be the same on all bridges in a region.
Configuring the CIST Priority

This procedure explains how to adjust the bridge’s CIST priority.

Note: You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 340.

This procedure starts from the MSTP Menu.
2. To change the CIST priority, type 1. The following prompt is displayed:

    Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->

3. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 12, Bridge Priority Value Increments on page 331.

4. After making changes, type R until you return to the Main Menu.
Creating, Deleting, and Modifying MSTI IDs

The following procedures explain how to create, delete, and modify MSTI IDs.

Note: You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 340.

This procedure starts from the MSTP Menu.
Regional Root ID  Identifies the regional root for the MSTI by its MAC address.

Path Cost  Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.

Associated VLANs  Specifies the VIDs of the VLANs that have been associated with the MSTI ID.

The table does not include the CIST. The table is empty if no MSTI IDs have been created.

Creating an MSTI ID

To create an MSTI ID, do the following:

1.
3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying an MSTI ID

To change the MSTI priority value for an MSTI, do the following:

1. From the MSTI Menu, type 3 to select MSTI Configuration Menu. The following prompt is displayed:

    Enter the MSTI ID to be modified: [1 to 15] ->

2. Enter the MSTI ID that you want to modify. The range is 1 to 15. You can specify only one MSTI ID at a time.
Associating VLANs to MSTI IDs

When you create a new MSTI ID, you are given the opportunity of associating VLANs to it. But, once an MSTI ID is created, there might come a time when you want to add more VLANs to it, or perhaps remove VLANs. This procedure explains how to associate VLANs on the switch to an existing MSTI ID and also how to remove VLANs. Before performing this procedure, note the following:

❑ You must create an MSTI ID before you can assign VLANs to it.
The VLAN-MSTI Association Menu is shown in Figure 119.
The MSTI ID retains any VLANs already associated with it when new VLANs are added.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Removing a VLAN from an MSTI ID

To remove a VLAN from an MSTI ID, do the following:

1. From the VLAN-MSTI Association Menu, type 2 to select Delete VLANs from MSTI. The following prompt is displayed:

    Enter the MSTI ID [0 to 15] ->

2.
Configuring MSTP Port Settings

To configure a port’s MSTP parameters, perform the following procedure:

1. From the MSTP Menu, type P to select MSTP Port Parameters. The MSTP Port Parameters menu is shown in Figure 120.
4. Adjust the port settings as needed. The selections are described below:

1 - Port Priority
This parameter is used as a tie breaker when two or more ports are determined to have equal costs to the regional root bridge. The range is 0 to 240 in increments of 16. The default value is 8 (priority value 128). For a list of the increments, refer to Table 17, Port Priority Value Increments on page 334.
5 - Edge Port
This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 336.

C - Check Migration To RSTP on Selected Ports (MCHECK)
The MCHECK parameter appears only when MSTP is enabled. This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs.
Displaying MSTP Port Settings and Status

The MSTP Port Parameters menu, shown in Figure 120 on page 380, has two selections for displaying a variety of MSTP port information. The two menu selections are described below. (To display the menu, from the MSTP Menu, type P to select MSTP Port Parameters.
Section V
Virtual LANs

The chapters in this section explain virtual LANs (VLANs).
Chapter 20
Tagged and Port-based Virtual LANs

This chapter contains background information on tagged and port-based virtual LANs (VLANs). It also contains the procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.
VLAN Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s management software and so be able to group nodes with related functions into their own separate, logical LAN segments.
But with VLANs, you can change the LAN segment assignment of an end node connected to the switch through the switch’s AT-S62 management software. VLAN memberships can be changed at any time through the management software without moving the workstations physically, or having to change group memberships by moving cables from one switch port to another. Additionally, a virtual LAN can span more than one switch.
Port-based VLAN Overview

As explained in the VLAN Overview on page 386, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
If a VLAN spans multiple switches, then the VID for the VLAN on the different switches should be the same. The switches are then able to recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches. For example, if you had a port-based VLAN titled Marketing that spanned three AT-8524M switches, you would assign the Marketing VLAN on each switch the same VID.
For example, if you were creating a port-based VLAN on a switch and you had assigned the VLAN the VID 5, the PVID for each port in the VLAN would need to be assigned the value 5. Some switches and switch management programs require that you assign the PVID value for each port manually. However, the AT-S62 management software performs this task automatically.
VLANs that span switches, many ports could end up being used ineffectively just to interconnect the various VLANs.

Port-based Example 1

Figure 122 illustrates an example of one AT-8524M Fast Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.
Each VLAN has been assigned a unique VID. You assign this number when you create a VLAN. The ports have been assigned PVID values. The management software automatically assigns the PVIDs when you create the VLAN. The PVID of a port is the same as the VID of the VLAN in which the port is an untagged member. In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.
Port-based Example 2

Figure 123 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two Ethernet switches.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:

Switch                    | Sales VLAN (VID 2)        | Engineering VLAN (VID 3)        | Production VLAN (VID 4)
AT-8524M Switch (top)     | Ports 1 - 6, 18 (PVID 2)  | Ports 9 - 11, 14, 20 (PVID 3)   | Ports 21 - 24 (PVID 4)
AT-8524M Switch (bottom)  | Ports 1 - 6 (PVID 2)      | Ports 13, 19 - 24 (PVID 3)      | none

❑ Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview

The second type of user-configured VLAN is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
❑ Tagged and Untagged Ports
❑ Port VLAN Identifier

Note
For an explanation of VLAN name and VLAN identifier, refer back to VLAN Name and VLAN Identifier on page 388.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, this will usually be a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
General Rules for Creating a Tagged VLAN

Below is a summary of the rules to observe when creating a tagged VLAN.

❑ Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches must be assigned the same VID.
❑ A tagged port can be a member of multiple VLANs.
❑ An untagged port can be an untagged member of only one VLAN at a time.
❑ The AT-8524M can support up to 255 tagged VLANs.
Tagged VLAN Example

Figure 124 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

[Figure 124: Tagged VLAN Example. Two AT-8524M Fast Ethernet Switches carrying the Sales VLAN (VID 2), Engineering VLAN (VID 3) and Production VLAN (VID 4), with a Legacy Server attached.]
The port assignments for the VLANs are as follows:

Switch                    | Sales VLAN (VID 2)   |              | Engineering VLAN (VID 3) |              | Production VLAN (VID 4) |
                          | Untagged Ports       | Tagged Ports | Untagged Ports           | Tagged Ports | Untagged Ports          | Tagged Ports
AT-8524M Switch (top)     | 1 to 5, 18 (PVID 2)  | 8, 16        | 9 to 11, 20 (PVID 3)     | 8, 16        | 21 to 24 (PVID 4)       | 8
AT-8524M Switch (bottom)  | 1 to 5 (PVID 2)      | 15           | 19 to 24 (PVID 3)        | 15           | none                    | none

This example is nearly identical to the Port-based Example 2 on page 393.
Creating a Port-based or Tagged VLAN

To create a new port-based or tagged VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                    11:20:02 02-Jan-2004

VLAN Configuration

1 - Ingress Filtering Status ........ Enabled
2 - VLANs Mode ......................
3 -
4 -
5 -
6 -
7 -
The Configure VLANs menu is shown in Figure 126.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                    11:20:02 02-Jan-2004

Configure VLANs

1 - Create VLAN
2 - Modify VLAN
3 - Delete VLAN
4 - Reset to Default VLAN

R - Return to Previous Menu

Enter your selection?

Figure 126 Configure VLANs Menu

3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 127.
Note
A VLAN must be assigned a name.

5. Type 2 to select VLAN ID (VID) and enter a VID value for the new VLAN. The permitted range of the VID value is 1 to 4094.

Note
A VLAN must have a VID. The management software will use the next available VID number on the switch as the default value. If this VLAN will be unique in your network, then its VID should also be unique.
9. Press any key. The VLAN Configuration menu in Figure 125 on page 400 is redisplayed.

10. To verify that the VLAN was created correctly, type 5 to select Show VLANs.

11. Check to see that the VLAN contains the appropriate ports.

12. Repeat this procedure to create additional VLANs.

13. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Example of Creating a Port-based VLAN

The following procedure creates the Sales VLAN illustrated in Port-based Example 1 on page 391. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, Ports 1 to 4. The VLAN will not contain any tagged ports.

To create the Sales VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2.
Example of Creating a Tagged VLAN

The following procedure creates the Engineering VLAN in the top switch illustrated in Tagged VLAN Example on page 398. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, Ports 9, 10, 11, and 20, and two tagged ports, Ports 8 and 16.

To create the example Engineering VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.
Modifying a VLAN

You can use this procedure to add or remove ports from a port-based or tagged VLAN. You can also use this procedure to change a VLAN’s name.

Note
To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to Displaying VLANs on page 410.

To modify a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2.
The following prompt is displayed:

Enter new value -> [1 to 4096] ->

5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 129.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Server
User: Manager                    11:20:02 02-Jan-2004

Modify VLAN

1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - Tagged Ports ...........
4 - Untagged Ports .........
3 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). When adding or removing tagged ports, observe the following guidelines:

❑ The new list of tagged ports will replace the existing tagged ports.
❑ If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.
If you added to or removed from the VLAN a port with one or more static MAC addresses assigned to it, you must update the static addresses by deleting their entries from the MAC address table and reentering them using the VID of the VLAN to which the port has been moved. For information on how to add static MAC addresses, refer to Adding Static Unicast and Multicast MAC Addresses on page 116.
Displaying VLANs

To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2. From the VLAN Configuration menu, type 5 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 130.
Deleting a VLAN

This procedure deletes port-based and tagged VLANs from the switch. All untagged ports in a deleted VLAN are returned to the Default_VLAN.

Note
To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to Displaying VLANs on page 410.

To delete a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2.
Note
You cannot delete the Default_VLAN, which has a VID of 1.

The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 132.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Server
User: Manager                    11:20:02 02-Jan-2004

Delete VLAN

1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - Tagged Ports ...........
4 - Untagged Ports .........
9. Repeat this procedure starting with Step 4 to delete other VLANs.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting All VLANs

This section contains the procedure for deleting all port-based and tagged VLANs, except the Default_VLAN, on a switch. To delete selected VLANs, perform the procedure Deleting a VLAN on page 411.

To delete all VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2.
Displaying PVIDs and Port Priorities

The following procedure displays a menu that lists the PVIDs for all the ports on the switch. The menu also contains the current priority queue settings for each port.

To display the PVID settings on the switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2. From the VLAN Configuration menu, type 6 to select Show PVIDs.
Enabling or Disabling Ingress Filtering

There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules. There are quite a few ingress and egress rules for Fast Ethernet switches.
Activating or deactivating ingress filtering has no effect on the switch’s handling of priority tags. A switch always examines a priority tag in a tagged frame, without regard to the status of ingress filtering. In most cases, you will probably want to leave ingress filtering activated on the switch, which is the default. You can enable or disable ingress filtering on a per-switch basis. You cannot set this per port.
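The following Python model, added here as an illustration and not code from the AT-S62 software, walks a broadcast frame through the ingress and egress rules above using the port assignments of the top switch in the Tagged VLAN Example on page 398. It assumes the standard IEEE 802.1Q rules (PVID classification for untagged and priority-tagged frames, membership check when ingress filtering is on, tagged or untagged egress according to port membership) and assumes the ports the guide does not list are untagged members of the Default_VLAN.

```python
"""Simplified model of the 802.1Q ingress and egress rules described above.

Added example, not AT-S62 code. Assumptions: the standard 802.1Q rules
(untagged and priority-tagged frames are classified by the receiving port's
PVID; with ingress filtering enabled a frame is discarded unless the receiving
port is a member of the frame's VLAN; a frame leaves tagged on tagged member
ports and untagged on untagged member ports; a frame for a VID that does not
exist on the switch is always discarded).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Vlan:
    name: str
    vid: int
    untagged: Set[int]
    tagged: Set[int] = field(default_factory=set)

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass
class Switch:
    vlans: Dict[int, Vlan]
    ingress_filtering: bool = True  # per-switch setting, as on the AT-8524M

    def pvid(self, port: int) -> int:
        """PVID: the VID of the VLAN in which the port is an untagged member."""
        for vlan in self.vlans.values():
            if port in vlan.untagged:
                return vlan.vid
        raise ValueError(f"port {port} is not an untagged member of any VLAN")

    def classify(self, in_port: int, tag_vid: Optional[int]) -> int:
        """Ingress rule: untagged (None) and priority-tagged (VID 0) frames
        take the port's PVID; otherwise the VID carried in the tag."""
        if tag_vid is None or tag_vid == 0:
            return self.pvid(in_port)
        return tag_vid

    def accept(self, in_port: int, vid: int) -> bool:
        """Ingress filtering check."""
        vlan = self.vlans.get(vid)
        if vlan is None:
            return False  # unknown VLAN on this switch: dropped either way
        if self.ingress_filtering and in_port not in vlan.members():
            return False
        return True

    def flood(self, in_port: int, tag_vid: Optional[int] = None) -> Dict[int, bool]:
        """Egress for a broadcast or unknown-unicast frame: returns
        {out_port: leaves_tagged}. An empty dict means the frame was discarded."""
        vid = self.classify(in_port, tag_vid)
        if not self.accept(in_port, vid):
            return {}
        vlan = self.vlans[vid]
        return {p: (p in vlan.tagged) for p in sorted(vlan.members()) if p != in_port}


def top_switch(ingress_filtering: bool = True) -> Switch:
    """The top AT-8524M of the Tagged VLAN Example (page 399). The Default_VLAN
    membership of the remaining ports is assumed; the guide does not show it."""
    vlans = {
        2: Vlan("Sales", 2, untagged={1, 2, 3, 4, 5, 18}, tagged={8, 16}),
        3: Vlan("Engineering", 3, untagged={9, 10, 11, 20}, tagged={8, 16}),
        4: Vlan("Production", 4, untagged={21, 22, 23, 24}, tagged={8}),
        1: Vlan("Default_VLAN", 1, untagged={6, 7, 12, 13, 14, 15, 17, 19}),
    }
    return Switch(vlans, ingress_filtering)


if __name__ == "__main__":
    sw = top_switch()
    # Untagged frame from a Sales workstation on port 1: PVID 2 applies.
    print("port 1, untagged ->", sw.flood(1))
    # Tagged VID 3 frame arriving on trunk port 8: accepted, goes to Engineering.
    print("port 8, VID 3 ->", sw.flood(8, 3))
    # Tagged VID 3 frame on port 1, which is not an Engineering member:
    # discarded with ingress filtering (the default), forwarded without it.
    print("port 1, VID 3, filtering on  ->", sw.flood(1, 3))
    print("port 1, VID 3, filtering off ->", top_switch(False).flood(1, 3))
```

The last two calls show why the default matters: with ingress filtering off, a host on an untagged Sales port that emits a VID 3 tag is flooded into Engineering.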
Specifying a Management VLAN

The management VLAN is the VLAN on which an AT-8524M switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely or using the enhanced stacking feature of the switch. Management packets are packets generated by a management workstation when you manage a switch using the Telnet application protocol or a web browser.
Now assume that you decide to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management. For this, you need to create the NMS VLAN on each AT-8524M switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. Then you need to be sure that the uplink and downlink ports connecting the switches together are either tagged or untagged members of the NMS VLAN.
Chapter 21
GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP).
Basic Overview of GARP VLAN Registration Protocol (GVRP)

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise have to be manually configured in each switch. This can be helpful in networks where VLANs span more than one switch.
Figure 134 provides an example of how GVRP works.

[Figure 134: GVRP Example. Switch #1 (AT-8524M, static VLAN Sales VID=11, Port 1); Switch #2 (AT-8524M, Port 4 and Port 15); Switch #3 (AT-8524M, static VLAN Sales VID=11, Port 17).]

Switches #1 and #3 contain the Sales VLAN, but Switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLANs are unable to communicate with each other.
3. Switch #2 sends a PDU out port 15 containing all of the VIDs of the VLANs on the switch, including the new GVRP_VLAN_11 VLAN with its VID of 11. (It should be noted that port 15 is not yet a member of the VLAN. Ports are added to VLANs when they receive, not send, a PDU.)

4. Switch #3 receives the PDU on port 17 and, after examining it, notes that one of the VLANs on Switch #2 has the VID 11, which matches the VID of an already existing VLAN on the switch.
❑ Resetting a switch erases all dynamic GVRP VLANs and dynamic GVRP port assignments. The switch relearns the dynamic assignments as it receives PDUs from the other switches.
❑ GVRP has three timers that you can set: join timer, leave timer, and leave all timer. The values for these timers must be set the same on all switches running GVRP. Timers with different values on different switches can result in GVRP compatibility problems.
GVRP-inactive Intermediate Switches

The presence of a GVRP-inactive switch between GVRP-active devices may impact the ability of GVRP to automatically configure the VLANs in your switches. You may need to take this into account when implementing GVRP in your network. One of the problems posed by the introduction of a GVRP-inactive device is that a GVRP-inactive device will probably not forward PDUs, thus preventing the GVRP-active switches from sharing VLAN information.
Technical Overview of Generic Attribute Registration Protocol (GARP)

The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example, end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.
The architecture of GARP is shown in Figure 135.

[Figure 135: GARP Architecture. A switch holds one GARP Participant per port (Port 1, Port 2); each Participant consists of a GARP Application and a GID, the Participants are linked by GIP, and GARP PDUs pass between the GID and the MAC layer of the port through LLC.]

The GARP Application component of the GARP Participant is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for transmission.
An instance of GID consists of the set of state machines that define the current registration and declaration state of all attribute values associated with the GARP Participant. Separate state machines exist for the Applicant and Registrar. This is shown in Figure 136.
The Applicant is therefore looking after the interests of all would-be Participants. This allows the Registrar to be very simple. The job of the Registrar is to record whether an attribute is registered, in the process of being de-registered, or is not registered for an instance of GID. To control the Applicant state machine, an Applicant Administrative Control parameter is provided.
Configuring GVRP

This section contains the procedure for configuring GVRP. The timers in the following menus are in increments of centiseconds, which are hundredths of a second.

To configure GVRP, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2. From the VLAN Configuration menu, type 8 to select Configure GARP-GVRP.
6. Choose one of the following:

E to enable GIP.
D to disable GIP.

Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.

Caution
The following steps change the three GVRP timers. The settings for these timers must be the same on all GVRP-active devices in your network.

7. Type 3 - GVRP Join Timer to change the value of the Join Timer.
Enabling or Disabling GVRP on a Port

This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.

Note
Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This will protect against unauthorized access to restricted areas of your network.
5. Enter a port. You can configure more than one port at a time. The Configure GVRP Port Settings Menu is shown in Figure 139.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                    11:20:02 02-Jan-2004

Configure GVRP Port Settings

Configuring Port 1-2

1 - Port Mode ............. Normal

R - Return to Previous Menu

Enter your selection?

Figure 139 Configure GVRP Port Settings Menu

6. Type 1 - Port Mode.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved.
Converting a Dynamic GVRP VLAN

This procedure converts a dynamic GVRP VLAN into a static VLAN. You can perform this procedure to permanently retain the VLANs the switch learned through GVRP.

Note
This procedure cannot convert a dynamic GVRP port in a static VLAN into a static port. For that you must manually modify the static VLAN, specifying the dynamic port as either a tagged or untagged member of the VLAN.
Displaying GVRP Parameters and Statistics

To display GVRP counters, database, state machine, and GIP connected ports ring, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2. From the VLAN Configuration menu, type 8 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 137 on page 430.

3.
GVRP Counters

Option 1 - Display GVRP Counters in the Other GARP Port Parameters displays the GVRP Counters Menu (page 1) as shown in Figure 142.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                    11:20:02 02-Jan-2004

GVRP Counters

Receive:
--------
GARP Messages:
--------------
LeaveAll ........ 7
JoinEmpty ....... 0
JoinIn .......... 68
LeaveEmpty ...... 0
LeaveIn ......... 0
Empty ........... 5
Bad Message ..... 0
Bad Attribute ... 0

Transmit:
---------
LeaveAll ........ 77
JoinEmpty ....... 58
JoinIn .......... 285
LeaveEmpty ...... 1
LeaveIn ......... 0
Empty ........... 21

P - Previous Page
U - Updated Display
R - Return to Previous Menu

Enter your selection?

Figure 143 GVRP Counters Menu (page 2)
Table 20 GVRP Counters

Parameter | Meaning
Receive Discarded: Port Not Listening | Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port.
Transmit Discarded: Port Not Sending | Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.
Table 20 GVRP Counters (continued)

Parameter | Meaning
Transmit GARP Messages: JoinIn | Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.
Receive GARP Messages: LeaveEmpty | Total number of GARP LeaveEmpty messages received for all attributes in the GARP application.
Transmit GARP Messages: LeaveEmpty | Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
GVRP Database

Option 2 - Display GVRP Database in the Other GARP Port Parameters displays the GVRP Database Menu as shown in Figure 144.
GIP Connected Ports Ring

Option 3 - Display GIP Connected Ports Ring in the Other GARP Port Parameters displays the GIP Connected Ports Ring Menu as shown in Figure 145.
GVRP State Machine

Option 4 - Display GVRP State Machine in the Other GARP Port Parameters displays the GVRP State Machine Menu (page 1) as shown in Figure 146.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                    11:20:02 02-Jan-2004

GVRP State Machine

Enter a VLAN ID for displaying the state machine: [1 to 4094] -> 1

Figure 146 GVRP State Machine Menu (page 1)

Entering a VLAN ID displays the GVRP State Machine Menu (page 2) as shown in Figure 147.
Table 23 GVRP State Machine Parameters

Parameter | Meaning
App | Applicant state machine for the GID index on that particular port.
Table 23 GVRP State Machine Parameters (continued)

Parameter | Meaning
App (Continued) | Non-Participant Management state:
  “Von” Very Anxious Observer
  “Aon” Anxious Observer
  “Qon” Quiet Observer
  “Lon” Leaving Observer
  “Vpn” Very Anxious Passive Member
  “Apn” Anxious Passive Member
  “Qpn” Quiet Passive Member
  “Van” Very Anxious Active Member
  “Aan” Anxious Active Member
  “Qan” Quiet Active Member
  “Lan” Leaving Active Member
The initialized state for the Applicant is Vo.
Chapter 22
Multiple VLAN Modes

This chapter describes the multiple VLAN modes and how to select a mode.
Multiple VLAN Mode Overview

The Multiple VLAN modes can simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing the ports with access to the uplink port.
A user-designated port on the switch functions as an uplink port, which can be connected to a shared device, such as a router for access to a WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port. The uplink port also has its own VLAN, where it is an untagged member. This VLAN is called Uplink_VLAN.

Note
In 802.
VLAN Name       | VID | Untagged Port | Tagged Port
Client_VLAN_16  | 16  | 16            | 25
Client_VLAN_17  | 17  | 17            | 25
Client_VLAN_18  | 18  | 18            | 25
Client_VLAN_19  | 19  | 19            | 25
Client_VLAN_20  | 20  | 20            | 25
Client_VLAN_21  | 21  | 21            | 25
Client_VLAN_22  | 22  | 22            | 25
Client_VLAN_23  | 23  | 23            | 25
Client_VLAN_24  | 24  | 24            | 25
Uplink_VLAN     | 25  | 25            |
Client_VLAN_26  | 26  | 26            | 25

This highly segmented configuration is useful in situations where traffic generated by each end node or network segment connected to a port on the
Another difference with this mode is that the uplink port is untagged. Consequently, you would want to use this mode when the device connected to the uplink port is not IEEE 802.1Q compatible, meaning that the device cannot handle tagged packets.

Note
When the uplink port receives a packet with a destination MAC address that is not in the MAC address table, the port will broadcast the packet to all switch ports.
Selecting a VLAN Mode

The following procedure explains how to select a VLAN mode. Available modes are:

❑ User configured VLAN mode (port-based and tagged VLANs)
❑ IEEE 802.1Q Compliant Multiple VLAN mode
❑ Non-IEEE 802.1Q Compliant Multiple VLAN mode

Note
Any port-based or tagged VLANs you created are not retained when you change the VLAN mode from the user configured mode to a multiple VLAN mode and, at some point, reset the switch.
Displaying VLAN Information

To view the VLANs on the switch while the unit is operating in Multiple VLAN mode, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 125 on page 400.

2. From the VLAN Configuration menu, type 6 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 148.
Section VI
Port Security

The chapters in this section explain the port security features of the AT-8524M switch. The chapters include:

❑ Chapter 23: MAC Address Security on page 454
❑ Chapter 24: 802.
Chapter 23
MAC Address Security

This chapter explains how you can use the dynamic or static MAC addresses learned or assigned on the ports of the switch to control which end nodes can forward packets through the device. The sections in this chapter include:

❑ MAC Address Security Overview on page 455
❑ Configuring MAC Address Port Security on page 458
❑ Displaying Port Security Levels on page 461

Note
This type of port security does not apply to ports located on optional GBIC modules.
MAC Address Security Overview

This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it. The source address is the MAC address of the end node that sent the frame.
Secured
The Secured security level instructs a port to forward frames using only static MAC addresses. The port will not learn any dynamic MAC addresses and will delete any dynamic addresses that it has already learned. Only those end nodes whose MAC addresses have been entered as static addresses will be able to forward frames through the port.
Intrusion action defines what a port will do when it receives an invalid frame. For a port operating under either the Secured or Locked security mode, the intrusion action is always the same. The port discards invalid frames. But with the Limited security mode you can specify an intrusion action. The options are:

❑ Discard the invalid frame.
❑ Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.
Configuring MAC Address Port Security

To set the port security level, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 149.
5. Press 1 to change the port security on your specified port list. The following prompt appears:

Enter new mode (A-Automatic, L-Limited, S-Secured, K-locKed):

6. Select the desired security level. For definitions of the security levels, refer to MAC Address Security Overview on page 455. If you select Automatic, which disables port security on the port, return to the Main Menu to save your change.
8. To set the intrusion action for a port in the limited security mode, do the following:

a. Type 3 to select Intruder Action. The following prompt is displayed:

Enter intruder action: (N-Discard, T-Trap, D-Disable):

b. Select the desired action:

N - Discard: The port discards invalid frames. This is the default.
T - Trap: The port discards invalid frames and sends an SNMP trap.
D - Disable: The port discards invalid frames, sends an SNMP trap, and disables the port.

9.
AT-S62 User’s Guide Displaying Port Security Levels To view the current security levels for the ports on the switch, do the following: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 149 on page 458. 3. From the Port Security menu, type 2 to select Display Port Security. The Display Port Security menu is shown in Figure 152.
Chapter 23: MAC Address Security Intruder Action The column specifies the action taken by a port if it receives an invalid frame. ❑ Discard: The port discards invalid frames. This is the default. ❑ Send Trap: The port discards invalid frames and sends a trap. This applies only to the Limited security mode. ❑ Disable Port: The port discards invalid frames, sends a trap, and disables the port. This applies only to the Limited security mode.
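The following Python model, added here as an illustration and not part of the AT-S62 software, works through the forwarding decision a port makes under the Secured and Limited levels and the three intruder actions described above. The `limit` parameter (how many dynamic addresses a Limited port may learn) and the assumption that a Locked port keeps what it learned earlier but learns nothing new are this model's own; the MAC addresses are constructed from the 00:00:5e:00:53:xx documentation range.

```python
from dataclasses import dataclass, field

# Security levels from the "Enter new mode" prompt and the intruder actions
# from the "Enter intruder action" prompt (N-Discard, T-Trap, D-Disable).
AUTOMATIC, LIMITED, SECURED, LOCKED = "Automatic", "Limited", "Secured", "Locked"
DISCARD, TRAP, DISABLE = "N", "T", "D"


@dataclass
class Port:
    number: int
    mode: str = AUTOMATIC
    intruder_action: str = DISCARD      # consulted only in Limited mode
    limit: int = 1                      # assumed: max dynamic addresses a Limited port learns
    static: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    enabled: bool = True
    traps: list = field(default_factory=list)

    def set_mode(self, mode):
        self.mode = mode
        if mode == SECURED:
            # Secured: dynamic entries are deleted; only static entries forward.
            self.learned.clear()
        # Assumption of this model: Locked keeps addresses learned so far
        # but learns nothing new.

    def _intrusion(self, mac):
        """Invalid frame.  Secured and Locked always discard; Limited applies
        the configured action (Discard, Trap, or Trap + disable the port)."""
        action = self.intruder_action if self.mode == LIMITED else DISCARD
        if action in (TRAP, DISABLE):
            self.traps.append(f"port {self.number}: intruder {mac}")
        if action == DISABLE:
            self.enabled = False
        return False

    def ingress(self, mac):
        """Return True if a frame with source `mac` is forwarded, False if discarded."""
        if not self.enabled:
            return False
        if mac in self.static or mac in self.learned:
            return True
        if self.mode == AUTOMATIC or (self.mode == LIMITED and len(self.learned) < self.limit):
            self.learned.add(mac)
            return True
        return self._intrusion(mac)


def run_scenario():
    """Constructed walk-through: a Limited port with the Trap action sees a second MAC."""
    port = Port(number=3, mode=LIMITED, intruder_action=TRAP, limit=1)
    first = port.ingress("00:00:5e:00:53:01")      # learned, forwarded
    second = port.ingress("00:00:5e:00:53:02")     # over the limit: discarded, trap sent
    return first, second, len(port.traps), port.enabled
```

The `traps` list stands in for the SNMP trap the switch would send; in a real deployment that trap is what a network management station should alert on, since a Disable action also takes the port out of service until an operator re-enables it.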
Chapter 24
802.1x Port-based Access Control
This chapter explains 802.1x Port-based Access Control and how you can use this feature to restrict access to the ports on the switch. Sections are as follows:
❑ 802.

802.1x Port-based Access Control Overview
The AT-S62 management software provides you with several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 23, MAC Address Security on page 454, explains how you can restrict network access based on the MAC addresses of the end nodes in your network. This chapter explains yet another way. This method is referred to as port-based access control (IEEE 802.1x).

❑ Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the usernames and passwords from the supplicants. The AT-8524M switch itself does not authenticate the usernames and passwords from the clients. Rather, it acts as an intermediary between the supplicants and the authentication server during the authentication process.

Port Roles
Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:
❑ None
❑ Authenticator
❑ Supplicant
None Role
A port in the none role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without having to provide a username and password. This is the default setting for a port.

Figure 153 Example of the Authenticator Role: an AT-8524M Fast Ethernet Switch with port 24 in the none role and port 2 in the authenticator role, a supplicant with 802.1x client software, and a RADIUS authentication server.
As mentioned earlier, the switch itself does not authenticate the usernames and passwords from the clients. That is the responsibility of the authentication server, which contains the RADIUS server software.

Figure 154 Example of the Supplicant Role: port 6 of Switch A in the authenticator role, port 11 of Switch B in the supplicant role, and a RADIUS authentication server.
Note
The use of this port role should be strictly limited. Otherwise, undesired switch operation may result. The port role should only be used when the link will carry traffic from just one client or only management traffic.

The information sent by the switch to the RADIUS server for an event includes:
❑ The port number where the event occurred.
❑ The date and time when the event occurred.
❑ The number of packets transmitted and received by the port during a supplicant’s session. (This information is sent when the client logs off.)
You can also configure the accounting feature to send interim updates so you can monitor which clients are still active.

3. You must configure the RADIUS client software in the AT-S62 management software. You will need to provide the following information:
❑ The IP addresses of up to three RADIUS servers.
❑ The encryption key used by the authentication servers.
The instructions for this step are in Configuring Authentication Protocol Settings on page 557.
4. You must configure the port access control settings on the switch. This involves the following:
❑ Specifying the port roles.

Note
Connecting multiple supplicants to a port set to the authenticator role does not conform to the IEEE 802.1x standard, can introduce security risks, and can result in undesirable switch behavior. To avoid this, Allied Telesyn recommends not using the authenticator role on a port that is connected to more than one end node, such as a port connected to another switch or a hub.
❑ A username and password combination is not tied to the MAC address of an end node.

❑ Ports used to interconnect switches should typically be set to the none role, as illustrated in Figure 155.
Figure 155: Switch A and Switch B interconnected through ports 6, 21 and 24 in the none role, ports in the authenticator role connected to supplicants with 802.1x client software, and a RADIUS authentication server.

Enabling and Disabling Port-based Access Control
This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to Setting Port Roles on page 474. To enable or disable Port-based Access Control, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.

Setting Port Roles
This procedure sets port roles. For an explanation of port roles, refer to Port Roles on page 466.
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196.
2. From the Security and Services menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 156 on page 473.
3. In the Port Access Control (802.

8. Once you have set port roles, you can go to the next procedure to configure port security parameters or, if you do not want to change the default values, go to Enabling and Disabling Port-based Access Control on page 473 and activate the feature.

Configuring Authenticator Port Parameters
Note
A port must be set to the authenticator role before you can configure its settings. For instructions on how to set a port’s role, refer to Setting Port Roles on page 474.
To configure authenticator port parameters, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196.
2.

The Configure Authenticator Port Access Parameters menu is shown in Figure 159.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                       11:20:02 02-Jan-2004
Configure Authenticator Port Access Parameters
Configuring Port 3
1 - Port Control .............
2 - Quiet Period .............
3 - TX Period ................
4 - Reauth Period ............
5 - Supplicant Timeout .......
6 - Server Timeout ...........
7 - Max Requests .............
8 - Control Direction ........

2 - Quiet Period
Sets the number of seconds that the port remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.
3 - TX Period
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The default value is 30 seconds. The range is 1 to 65,535 seconds.

The two selections are:
❑ Ingress - An authenticator port, when in the unauthorized state, discards all ingress broadcast and multicast packets from the client, while forwarding all egress broadcast and multicast traffic to the same client. This is the default.
❑ Both - An authenticator port, when in the unauthorized state, does not forward ingress or egress broadcast and multicast packets from or to the client until the client has logged on.
7.
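The Python simulation below is an added example, not Allied Telesyn code, showing how the Quiet Period, TX Period and Control Direction parameters above interact on an authenticator port. The event model (`link_up`, `tick`, `radius_result`) and the reading of Max Requests as the number of EAP-Request/Identity retransmissions before the port gives up are this example's assumptions; the values used are the menu defaults.

```python
from dataclasses import dataclass, field


@dataclass
class AuthenticatorPort:
    quiet_period: int = 60        # seconds held after a failed authentication (default 60)
    tx_period: int = 30           # seconds to wait for an EAP-Response/Identity (default 30)
    max_requests: int = 2         # assumed meaning: retransmissions before giving up
    control_direction: str = "Ingress"   # "Ingress" (default) or "Both"
    authorized: bool = False
    state: str = "idle"           # idle | connecting | held | authenticated
    requests_sent: int = 0
    timer: int = 0                # seconds left on the running timer; 0 = stopped
    log: list = field(default_factory=list)

    def link_up(self):
        """A client connects: start soliciting its identity."""
        self.state, self.requests_sent, self.authorized = "connecting", 0, False
        self._send_identity_request()

    def _send_identity_request(self):
        self.requests_sent += 1
        self.timer = self.tx_period
        self.log.append(f"EAP-Request/Identity #{self.requests_sent}")

    def tick(self, seconds):
        """Advance the clock.  On TX Period expiry retransmit (up to max_requests
        retransmissions) or fail; on Quiet Period expiry start over."""
        if self.timer == 0:
            return
        self.timer = max(0, self.timer - seconds)
        if self.timer > 0:
            return
        if self.state == "connecting":
            if self.requests_sent <= self.max_requests:
                self._send_identity_request()
            else:
                self.fail("client never answered")
        elif self.state == "held":
            self.log.append("quiet period over, retrying")
            self.link_up()

    def fail(self, reason):
        """Failed exchange: port stays unauthorized and is quiet for quiet_period seconds."""
        self.authorized, self.state, self.timer = False, "held", self.quiet_period
        self.log.append(f"authentication failed ({reason}); quiet for {self.quiet_period}s")

    def radius_result(self, accepted):
        """Outcome relayed from the RADIUS server for the supplicant's credentials."""
        if accepted:
            self.authorized, self.state, self.timer = True, "authenticated", 0
            self.log.append("Access-Accept: port authorized")
        else:
            self.fail("Access-Reject")

    def forwards_broadcast(self, direction):
        """Does the port pass a broadcast/multicast frame in `direction`
        ("ingress" = from the client, "egress" = to the client)?"""
        if self.authorized:
            return True
        if direction == "ingress":
            return False                  # blocked under both Ingress and Both
        return self.control_direction != "Both"


def timeout_scenario():
    """Constructed run: a silent client with the default timers."""
    port = AuthenticatorPort()
    port.link_up()
    for _ in range(3):
        port.tick(30)                     # two retransmissions, then failure
    sent, failed_state = port.requests_sent, port.state
    port.tick(60)                         # quiet period elapses, a fresh attempt starts
    return sent, failed_state, port.state
```

A long Quiet Period slows down an attacker guessing credentials on the port but also delays recovery for a legitimate user who mistyped a password; the `log` list is the kind of event trail worth exporting, since repeated "authentication failed" entries on one port are the signal to investigate.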
Configuring Supplicant Port Parameters
Note
A port must be set to the supplicant role before you can configure its settings. For instructions on how to set a port’s role, refer to Setting Port Roles on page 474.
To configure supplicant port parameters, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 55 on page 196.
2.

The Configure Supplicant Port Access Parameters menu is shown in Figure 159.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                       11:20:02 02-Jan-2004
Configure Supplicant Port Access Parameters
Configuring Port 5-8
1 - Auth Period...........
2 - Held Period...........
3 - Max Start.............
4 - Start Period..........
5 - User Name.............
6 - User Password.........

network. The username can be from 1 to 64 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points. The username is case-sensitive.
6 - User Password
Specifies the password for the port. The port sends the password to the authentication server for verification when the port logs on to the network. The password can contain alphanumeric characters (A to Z, a to z, 1 to 9).

Configuring RADIUS Accounting
The AT-S62 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a port during a client session. For background information on this feature, refer to RADIUS Accounting on page 468. This feature is disabled by default on the switch.

4. Configure the parameters as needed. Changes take effect immediately on the switch. The parameters are defined below.
1 - Status
Activates and deactivates RADIUS accounting on the switch. Select Enabled to activate the feature or Disabled to deactivate it. The default is Disabled.
2 - Port
Specifies the UDP port for RADIUS accounting. The default is port 1813.
3 - Type
Specifies the type of RADIUS accounting. The default is Network.
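To make concrete what the switch sends to the accounting server on UDP port 1813, here is an added Python example (not Allied Telesyn code) that builds and verifies a RADIUS Accounting-Request as defined in RFC 2866, carrying the items the guide lists: the port number, a timestamp and the packet counts. The attribute numbers are the standard RFC 2865/2866 values; the shared secret, username, session id and counters are constructed sample data, and the accounting server's Request Authenticator check is the verification a receiving server performs.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_PORT = 1813                  # default UDP port from the RADIUS Accounting menu
# Attribute types (RFC 2865 / RFC 2866)
USER_NAME, NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 5, 40, 44
ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, EVENT_TIMESTAMP = 46, 47, 48, 55
START, STOP, INTERIM_UPDATE = 1, 2, 3   # Acct-Status-Type values
INTEGER_ATTRS = {NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_TIME,
                 ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, EVENT_TIMESTAMP}


def attr(kind, value):
    """Encode one Type-Length-Value attribute; integers are 4 bytes big-endian."""
    data = struct.pack(">I", value) if isinstance(value, int) else value.encode()
    return struct.pack(">BB", kind, len(data) + 2) + data


def build_accounting_request(secret, ident, status, port, username, session_id,
                             timestamp, session_time=0, in_pkts=0, out_pkts=0):
    attrs = (attr(ACCT_STATUS_TYPE, status) + attr(USER_NAME, username)
             + attr(NAS_PORT, port) + attr(ACCT_SESSION_ID, session_id)
             + attr(EVENT_TIMESTAMP, timestamp))
    if status != START:                 # counters only make sense at Stop / Interim-Update
        attrs += (attr(ACCT_SESSION_TIME, session_time)
                  + attr(ACCT_INPUT_PACKETS, in_pkts)
                  + attr(ACCT_OUTPUT_PACKETS, out_pkts))
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with the 16-byte
    # authenticator field zeroed, followed by the shared secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """What the accounting server does: recompute the authenticator and reject
    packets that were not produced with the shared secret or were altered."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    length_ok = struct.unpack(">H", header[2:4])[0] == len(packet)
    return length_ok and hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Decode the attribute list into {type: value}."""
    out, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        data = packet[i + 2:i + length]
        out[kind] = struct.unpack(">I", data)[0] if kind in INTEGER_ATTRS else data.decode()
        i += length
    return out
```

Because the authenticator is an MD5 over the packet and the shared secret, the secret is what stops a host on the network from injecting bogus accounting records; choose it with the same care as a password and keep the accounting server on a management network.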
Section VII
Management Security
The chapters in this section explain the management security features of the AT-S62 software.

Chapter 25
Web Server
This chapter provides an overview of the web server feature and the procedure for configuring the server.

Web Server Overview
The AT-S62 management software comes with web server software so you can remotely manage a switch with a web browser from a management workstation on your network. (The instructions for managing a switch with a web browser are contained in the chapters in Section VII, Web Browser Management, of this manual.) The web server can operate in two modes. The first is referred to as non-secure HTTP mode.

General Steps to Configuring the Web Server for Encryption
There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section lists the general steps and the procedures for performing them. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.

6. Once you have received the appropriate certificates from the CA, download them into the AT-S62 file system from your management workstation or a TFTP server, as explained in Downloading a System File on page 171.
7. Add the certificates to the certificate database, as explained in Adding a Certificate to the Database on page 528.
8. Configure the web server on the switch by activating HTTPS and specifying the key pair used to create the enrollment request as the active key.

Configuring the Web Server
This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode. Before configuring the web server, please note the following:
❑ You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.

Menu option 4 is displayed only for HTTPS operation. The option is hidden for HTTP.
3. Type 1 to select Status to toggle the web server between enabled and disabled. To configure the web server, you must first disable it. Toggle between the following values:
Enabled - Enables the web server. This is the default setting.
Disabled - Disables the web server. (If you are making any changes to the web server settings, you must first disable it.)
4.

Chapter 26
Encryption Keys
This chapter describes how to improve the security of your switches with encryption keys. Because of the complexity of the feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the Technical Overview section.

Basic Overview
Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised should an intruder gain access to critical switch information, such as a manager’s login username and password, and use that information to alter a switch’s configuration settings.

SSH encryption requires two key pairs on the switch: a server key pair and a host key pair. You then configure the Secure Shell protocol server software on the switch, as explained in Chapter 28, Secure Shell (SSH) Protocol on page 543, by specifying the keys as the host and server SSH keys.
Encryption Key Length
To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits.

Technical Overview
The encryption feature provides the following data security services:
❑ data encryption
❑ data authentication
❑ key exchange algorithms
❑ key creation and storage
Data Encryption
Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).

❑ Electronic Code Book (ECB) is the fundamental DES function. Plaintext is divided into 64-bit blocks, which are encrypted with the DES algorithm and key. For a given input block of plaintext, ECB always produces the same block of ciphertext.
❑ Cipher Block Chaining (CBC) is the most popular form of DES encryption.
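The difference between the two modes is easiest to see by running them. The Python below is an added example, not Allied Telesyn code: since the standard library has no DES, a small keyed Feistel network built from SHA-256 stands in for the 64-bit block cipher (it is not DES and not a secure cipher), and the ECB and CBC mode logic around it is the same as for DES. The key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as DES uses


def _round(key, half, i):
    """Round function: a keyed hash of one 32-bit half, truncated to 32 bits."""
    return int.from_bytes(hashlib.sha256(key + bytes([i]) + half).digest()[:4], "big")


def encrypt_block(key, block):
    """Four-round Feistel network standing in for DES (NOT DES, not secure)."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(4):
        left, right = right, left ^ _round(key, right.to_bytes(4, "big"), i)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")   # undo the final swap


def decrypt_block(key, block):
    """Same network with the rounds applied in reverse order."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(4)):
        left, right = right, left ^ _round(key, right.to_bytes(4, "big"), i)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 64-bit blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, plaintext):
    """ECB: each block on its own, so equal plaintext blocks give equal ciphertext."""
    return b"".join(encrypt_block(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key, ciphertext):
    return b"".join(decrypt_block(key, b) for b in _blocks(ciphertext))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block (the IV for the
    first) before encryption, so repeated plaintext no longer repeats."""
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)


def repeated_blocks(ciphertext):
    """How many ciphertext blocks are duplicates: the pattern leak ECB exposes."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))
```

With a plaintext made of the same 8-byte block four times, `repeated_blocks` reports three duplicates for ECB and none for CBC; that leak is why ECB is a poor choice for anything with structure, such as management packets with fixed headers.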
Asymmetrical (Public Key) Encryption
Asymmetrical encryption algorithms use two keys: one for encryption and one for decryption. The encryption key is called the public key because it cannot be used to decrypt a message and therefore does not have to be kept secret. Only the decryption key, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together.

Typically a MAC is calculated using a keyed one-way hash algorithm. A keyed one-way hash function operates on an arbitrary-length message and a key. It returns a fixed-length hash.

The Diffie-Hellman algorithm, which is used by the AT-S62 management software, is one of the more commonly used key exchange algorithms. It is not an encryption algorithm because messages cannot be encrypted using Diffie-Hellman. Instead, it provides a method for two parties to generate the same shared secret with the knowledge that no other party can generate that same value. It uses public key cryptography and is commonly known as the first public key algorithm.
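The two services just described, a keyed one-way hash for data authentication and Diffie-Hellman for key exchange, fit together naturally: the shared secret agreed over the network becomes the MAC key. The following Python is an added example, not the AT-S62 implementation. It generates a safe prime at a toy size (64 bits; real groups are 1024 bits or more) so that g = 2 has a large order, runs the exchange for two parties, checks the peer's public value before using it, and then authenticates a constructed message with HMAC-SHA256.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return p = 2q + 1 with both p and q prime, so g = 2 generates a large subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def dh_keypair(p, g=2):
    private = secrets.randbelow(p - 2) + 1          # 1 <= private <= p - 2
    return private, pow(g, private, p)


def dh_shared_secret(p, my_private, their_public):
    """Reject degenerate public values (0, 1, p-1) before computing g^(ab) mod p."""
    if not 1 < their_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def derive_mac_key(shared):
    """Hash the shared integer into a fixed-length key rather than using it raw."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()


def mac(key, message):
    """Keyed one-way hash: arbitrary-length message + key -> fixed-length tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key, message, tag):
    """Constant-time comparison; a tampered message or wrong key yields False."""
    return hmac.compare_digest(mac(key, message), tag)


def demo():
    """Both parties derive the same key; a one-byte change to the message is caught."""
    p = safe_prime(64)                              # toy size, for illustration only
    a_priv, a_pub = dh_keypair(p)
    b_priv, b_pub = dh_keypair(p)
    k_a = derive_mac_key(dh_shared_secret(p, a_priv, b_pub))
    k_b = derive_mac_key(dh_shared_secret(p, b_priv, a_pub))
    msg = b"set port 3 security secured"            # constructed management message
    tag = mac(k_a, msg)
    return k_a == k_b, verify_mac(k_b, msg, tag), verify_mac(k_b, msg + b"!", tag)
```

Note what plain Diffie-Hellman does not give you: either party could be talking to an intermediary rather than the intended peer. That is why SSH and SSL bind the exchange to host keys or certificates, which the following chapters cover.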
Creating an Encryption Key
This section contains the procedure for creating an encryption key pair.
Caution
Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends performing it when the switch is not connected to a network or during periods of low network activity.
To create an encryption key pair, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2.

The Key Management menu is shown in Figure 165.

The Create Key menu is shown in Figure 166.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
Production Switch
User: Manager                       11:20:02 02-Jan-2004
Create Key
1 - Key ID ............. 0
2 - Key Type ........... RSA-Private
3 - Key Length ......... 512
4 - Key Description ....
5 - Generate Key
U - Update Display
R - Return to Previous Menu
Enter your selection?

Figure 166 Create Key Menu
5. Type 1 to select Key ID.

9. Type 4 to create a key description. The following prompt is displayed:
Enter new Description ->
10. Enter a description for the key. For instance, the description could reflect the key’s function (for example, Sales switch SSL key). You can enter up to 40 alphanumeric characters including spaces.
11. Type 5 to generate the key. The following message is displayed:
Key generation will take some time. Please wait...
The management software begins to create the key.

Deleting an Encryption Key
This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure.
❑ Deleting a key pair from the key management database also deletes the key’s corresponding “.UKF” file from the AT-S62 file system.
❑ You cannot delete a key pair if it is being used by SSL or SSH. You must first either disable the SSL or SSH server software or reconfigure the software by specifying another key.

Modifying an Encryption Key
The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key you can modify. This procedure starts from the Key Management menu. If you are unsure how to display the menu, perform steps 1 to 3 in Creating an Encryption Key on page 500. To change the description of a key, perform the following procedure:
1. From the Key Management menu, type 3 to select Modify Key.

Exporting an Encryption Key
The following procedure exports the public key of a key pair into the AT-S62 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following:
❑ The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not upload the key automatically when you start an SSH management session.

Note
Key Type is a read-only field. You cannot change this value.
3. Type 3 to toggle Key File Format to specify the format of the key. Possible settings are:
HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client.
SH2 - Indicates a format for an SSH2 environment.

Importing an Encryption Key
Use the following procedure to import a public key from the AT-S62 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored.
Note
It is very unlikely you will ever have reason to perform this procedure. The switch can use only those keys it has generated itself.
This procedure starts from the Key Management menu.

3. Type 3 to select Key File Format to choose the format of the key. Selections are:
HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client.
SH2 - Indicates a format for an SSH2 environment. This is the correct setting for a key intended for an SSH2 client.
4.

Chapter 27
Public Key Infrastructure Certificates
This chapter contains the procedures for creating Public Key Infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information, refer to the Technical Overview section.

Basic Overview
This chapter explains how to implement encryption for your web browser management sessions. Encryption can protect your managed switches from unauthorized access by making it impossible for an intruder monitoring network traffic to decipher the contents of the management packets exchanged between your workstation and a switch during a web browser management session. Web browser encryption involves an encryption key pair and a digital document called a certificate.

Public CAs issue certificates typically intended for use by the general public. Since a certificate for an AT-8524M switch is not intended for general use, but will only be used by you and other network managers, you might decide that the switch’s certificate need not be issued by this type of CA. Some large companies have private CAs.

A certificate name does not have to contain all of these parts. You can use as many or as few as you want. You separate the parts with a comma. You can use alphanumeric characters, as well as spaces, in the name strings. You cannot use quotation marks. To use any of the following special characters {=,+<>#;\}, type a “\” before the character. Here are a few examples.
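The escaping rule above is easy to get wrong by hand, particularly for a value that itself contains a comma. The Python below is an added example, not part of the AT-S62 software, that applies the rule in both directions: `build_dn` escapes the listed special characters and joins the parts with commas, and `split_dn` parses a name back into its parts while honouring the backslash escapes and rejecting quotation marks. The attribute names CN, O and C are the usual X.500 ones; the sample names are constructed.

```python
# Characters that must be preceded by a backslash inside a name string.
SPECIAL = set("=,+<>#;\\")


def escape_value(value):
    """Backslash-escape the special characters; quotation marks are not allowed at all."""
    if '"' in value:
        raise ValueError("quotation marks are not allowed in certificate names")
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def build_dn(parts):
    """[(attribute, value), ...] -> 'CN=value,O=value' with escaping applied."""
    return ",".join(f"{attribute}={escape_value(value)}" for attribute, value in parts)


def split_dn(name):
    """Split on unescaped commas, then on the first unescaped '=' of each part.
    Returns [(attribute, value), ...] with the escapes removed."""
    parts, key, buf, escaped, in_value = [], None, [], False, False
    for c in name:
        if escaped:                       # character after a backslash is literal
            buf.append(c)
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == '"':
            raise ValueError("quotation marks are not allowed in certificate names")
        elif c == "=" and not in_value:
            key, buf, in_value = "".join(buf).strip(), [], True
            if not key:
                raise ValueError("empty attribute name")
        elif c == ",":
            if not in_value:
                raise ValueError("part without '='")
            parts.append((key, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(c)
    if escaped:
        raise ValueError("trailing backslash")
    if not in_value:
        raise ValueError("part without '='")
    parts.append((key, "".join(buf)))
    return parts
```

A name that round-trips through `split_dn(build_dn(parts))` unchanged is one the switch will interpret the way you intended; a comma left unescaped in an organization name silently becomes an extra part instead.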
Chapter 27: Public Key Infrastructure Certificates SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. A web server can operate in one of two modes -- HTTP or HTTPS. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are sent encrypted.
AT-S62 User’s Guide Guidelines Here are guidelines for creating certificates: ❑ A certificate can have only one public key. ❑ A switch can use only those certificates that contain a key that it generated itself. ❑ You can create multiple certificates on a switch, but the device will only use the certificate whose key pair has been designated as the active key pair for the switch’s web server. ❑ Most web browsers support both unsecured (plaintext) and secured (encrypted) operation.
Chapter 27: Public Key Infrastructure Certificates Technical Overview The Secure Sockets Layer (SSL) feature is a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.
AT-S62 User’s Guide All application data messages are authenticated by SSL with a message authentication code (MAC). The MAC is a checksum that is created by the sender and is sent as part of the encrypted message. The recipient recalculates the MAC, and if the values match, the sender’s identity is verified. The MAC also ensures that the message has not been tampered with by a third party because any change to the message changes the MAC.
Chapter 27: Public Key Infrastructure Certificates The Application data message encapsulates the encrypted application data. Authentication Authentication is the process of ensuring both the web site and the end user are genuine. In other words, they are not imposters. Both the server and an individual users need to be authenticated. This is especially important when transmitting secure data over the Internet. To verify the authenticity of a server, the server has a public and private key.
AT-S62 User’s Guide Digital Signatures The second main service provided by public key encryption is digital signing. Digital signatures both confirm the identity of the message’s supposed sender and protect the message from tampering. Therefore they provide message authentication and non-repudiation. It is very difficult for the signer of a message to claim that the message was corrupted, or to deny that it was sent.
Chapter 27: Public Key Infrastructure Certificates ❑ The owner’s identity details, such as name, company and address. ❑ The owner’s public key, and information about the algorithm with which it was produced. ❑ The identity details of the organization which issued the certificate. ❑ The issuer’s digital signature and the algorithm used to produce it. ❑ The period for which the certificate is valid.
AT-S62 User’s Guide An organization may own a Certification Authority and issue certificates for use within its own networks. In addition, an organization’s certificates may be accepted by another network, after an exchange of certificates has validated a certificate for use by both parties. As an alternative, an outside CA may be used. The switch can interact with the CA, whether a CA is part of the organization or not, by sending the CA requests for certification.
Chapter 27: Public Key Infrastructure Certificates Out-of-band verification involves both the owner of a certificate and the user who wishes to verify that certificate generating a one-way hash (a fingerprint) of the certificate. These two hashes must then be compared using at least one non-network-based communication method. Examples of suitable communication methods are mail, telephone, fax, or transfer by hand from a storage device such as a smartcard or floppy disk.
AT-S62 User’s Guide Before the switch can use a certificate, it must be retrieved and manually added to the switch’s Certificate Database, which is stored in RAM memory. The switch attempts to validate the certificate, and if validation is successful the certificate’s public key is available for use.
Chapter 27: Public Key Infrastructure Certificates Creating a Self-signed Certificate This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure: ❑ For a general review of all the steps to configuring the switch for a self-signed certificate, refer to General Steps for a Self-signed Certificate on page 488.) ❑ The switch’s time and date must be set before you create a selfsigned certificate.
AT-S62 User’s Guide 3. From the Keys/Certificate menu, select 3 to select Public Key Infrastructure (PKI) Configuration. The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 169. Allied Telesyn Ethernet Switch AT-8524M - ATS62 Production Switch User: Manager 11:20:02 02-Jan-2004 Public Key Infrastructure (PKI) Configuration 1 - Maximum Number of Certificates.......
Chapter 27: Public Key Infrastructure Certificates The Certificate Database portion of the window lists the certificates currently in the database. These could be certificates that you created or had a CA create. The switch’s web server can only use a certificate if it is in the database. Note In the X509 Certificate Management Menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch. 5.
AT-S62 User’s Guide 9. Enter the ID number of the encryption key you want to use to create the certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535. 10. Type 3 to select Format to choose the encoding format for the certificate. Possible settings are: DER - Indicates the certificate contents are in a binary format. This is the default.
Chapter 27: Public Key Infrastructure Certificates Adding a Certificate to the Database Once you have created a certificate or received a certificate from a public or private CA, you need to add it into the certificate database to make it available for use by the switch’s web server. After you add a certificate to the certificate database, it appears in the X509 Certificate Management menu. During the procedure, you are asked to specify the certificate’s filename.
AT-S62 User’s Guide 6. Type 1 to select Certificate Name and enter a name for the certificate. This is the name for the certificate as it will appear in the certificate database list. You can enter up to 24 alphanumeric characters. Spaces are allowed. No extension is needed. You might want to include in the name the filename of the certificate in the file system. This will make it easier for you to match a certificate in the database with its corresponding file in the file system.
Chapter 27: Public Key Infrastructure Certificates 10. Type 5 to select Add Certificate to add the certificate to the certificate database. The management software adds the certificate to the database, a process that requires only a few seconds. 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S62 User’s Guide Modifying a Certificate The procedure in this section modifies a certificate. (The certificate to be modified must be in the certificate database.) Here are the certificate items you can modify: ❑ State - trusted or untrusted ❑ Type - EE, CA, or Self Note These parameters have no affect on the operation of a certificate. They are included only for informational purposes when the certificate is displayed in the certificate database.
Chapter 27: Public Key Infrastructure Certificates 3. Type 2 to select State and specify if a certificate is trusted or untrusted. Trusted - This value indicates you have verified that the certificate is from a trusted CA. This is the default. Untrusted - This value indicates the certificate is from an untrusted CA either because you have not verified the CA or you have verified the CA is untrusted. 4. Type 3 to specify the type assigned to the certificate.
AT-S62 User’s Guide Deleting a Certificate The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure: ❑ Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S62 file system. To completely remove a certificate from the switch, you must also delete it from the file system. For instructions, refer to Copying, Renaming, and Deleting System Files on page 156.
Chapter 27: Public Key Infrastructure Certificates Viewing a Certificate This procedure displays information about a certificate, such as its distinguished name and serial number. This procedure starts from the X509 Certificate Management menu. If you are unsure how to access the menu, perform steps 1 to 4 in the procedure Adding a Certificate to the Database on page 528. To view the details of a certificate, perform the following procedure: 1.
3. Type N to see the second page of certificate details. The View Certificate Details menu (page 2) is shown in Figure 175. Figure 175 View Certificate Details (page 2): Subject CN=149.44.44.44; Issuer CN=149.44.44.44; MD5 Fingerprint 4E:76:06:FA:F6:C1:DA:FF:4D:E9:76:02:1D:8F:DA:CB; SHA1 Fingerprint ...
MD5 Fingerprint - Indicates the MD5 algorithm. This value is a 16-byte sequence that is unique to each certificate. SHA1 Fingerprint - Indicates the Secure Hash Algorithm. This value is a 20-byte sequence that is unique to each certificate.
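Added example, not code from the AT-S62 guide: the switch displays a certificate's MD5 and SHA1 fingerprints as colon-separated hex, and an administrator verifying that the certificate in the database is the one they installed will want to compute the same values from the PEM file and compare. The code below decodes the PEM armor to the DER bytes that the digests actually cover, formats both fingerprints the way the View Certificate Details menu does, and compares against a displayed value; the embedded certificate body is constructed filler, not a real certificate, so the functions run offline.

```python
import base64
import hashlib
import re

# Constructed sample: arbitrary bytes wrapped in PEM armor so that pem_to_der()
# can be exercised offline. It is NOT a real X.509 certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-der-body-for-demonstration-only").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to the DER encoding.

    Fingerprints are digests of the DER bytes, not of the PEM text, so a
    digest computed over the ASCII file would never match the switch.
    """
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop the line breaks inside the armor
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("PEM body is not valid base64") from exc


def fingerprint(der: bytes, algorithm: str) -> str:
    """Return the digest of the DER bytes in the switch's display form: AA:BB:...

    Only the two algorithms shown by the AT-S62 menu are accepted.
    """
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    digest = hashlib.new(algorithm, der).digest()  # 16 bytes for MD5, 20 for SHA1
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints_from_pem(pem_text: str) -> dict:
    """Compute both fingerprints that the View Certificate Details menu displays."""
    der = pem_to_der(pem_text)
    return {"md5": fingerprint(der, "md5"), "sha1": fingerprint(der, "sha1")}


def normalize(displayed: str) -> str:
    """Canonicalise a fingerprint copied from the menu (case and separators)."""
    return re.sub(r"[^0-9A-Fa-f]", "", displayed).upper()


def matches_displayed(pem_text: str, displayed: str) -> bool:
    """True if the menu's fingerprint equals the one computed from the PEM file.

    The length of the displayed value identifies the algorithm the switch used:
    32 hex digits is MD5, 40 hex digits is SHA1.
    """
    canonical = normalize(displayed)
    algorithm = {32: "md5", 40: "sha1"}.get(len(canonical))
    if algorithm is None:
        return False
    return normalize(fingerprint(pem_to_der(pem_text), algorithm)) == canonical
```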
AT-S62 User’s Guide Generating an Enrollment Request To request a certificate from a public or private CA, you need to generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S62 file system, from where you can upload it onto your management workstation or FTP server for submission to the CA.
5. From the Public Key Infrastructure (PKI) Configuration Menu, type 3 to generate an enrollment request. The Generate Enrollment Request Menu is shown in Figure 176. Figure 176 Generate Enrollment Request Menu (options: 1 - Request Name, 2 - KeyPair ID (default 0), 3 - Format (default PEM), 4 - Type, 5 - Generate Enrollment Request)
AT-S62 User’s Guide PEM - Creates the certificate in the Privacy Enhanced Mail (PEM) format, which is an ASCII format. Note Option 4, Type, cannot be changed. The PKCS10 value indicates the internal format of an enrollment request. 11. Type 5 to select Generate Enrollment Request. Once the switch has finished generating the request, you will see a message similar to the following. Enrollment request is being generated. Please wait ...Done. Enrollment Request available in file [Switch 12.csr].
Installing CA Certificates onto a Switch This section lists the procedures for installing a certificate created by a public or private CA onto the switch. Note that a CA-generated certificate consists of several certificates, with a minimum of two. All the certificates from the CA must be installed on the switch. Note A certificate from a CA can only be used on the switch where you created the encryption key pair and enrollment request.
AT-S62 User’s Guide Configuring PKI Option 1 - Maximum Number of Certificates in the Public Key Infrastructure (PKI) Configuration menu controls the maximum number of certificates you can add to the certificate database. The range is 12 to 256. The default value is 256. There should be little cause or need for you to adjust this value. To display the Public Key Infrastructure (PKI) Configuration menu, perform steps 1 to 3 of the procedure Creating a Self-signed Certificate on page 524.
Configuring SSL To configure the SSL protocol, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. 2. From the Security and Services menu, type 6 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 177. Figure 177 Secure Socket Layer (SSL) menu (option 1 - Maximum Number of Sessions)
Chapter 28 Secure Shell (SSH) Protocol The chapter contains overview information about the Secure Shell (SSH) protocol and the procedure for configuring this protocol on a switch from a local or Telnet management session. It contains the following sections: ❑ SSH Overview on page 544 ❑ Configuring the SSH Server on page 548 ❑ Displaying SSH Information on page 550 Note The feature is not available in all versions of the AT-S62 management software.
SSH Overview Secure management is increasingly important in modern networks: the ability to manage switches easily and effectively and the requirement for security are both universal. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem: it is protected only by plaintext usernames and passwords, which are vulnerable to wiretapping and password guessing.
AT-S62 User’s Guide ❑ Tunnelling of TCP/IP traffic Note Non-encrypted Secure Shell sessions serve no purpose. SSH Server The AT-S62 management software includes SSH server software. When the SSH server is activated, your remote management sessions of the switch from a management station that has SSH client software will be encrypted. Note If your switch is in a network protected by a firewall, you may need to configure the firewall to permit SSH connections.
Chapter 28: Secure Shell (SSH) Protocol SSH and Enhanced Stacking The AT-S62 management software allows for encrypted SSH management sessions between a management workstation and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
AT-S62 User’s Guide Guidelines Below are the guidelines to observe when configuring SSH: ❑ SSH requires two encryption key pairs. One key pair will function as the host key and the other the server key. For instructions on creating keys, refer to Creating an Encryption Key on page 500. ❑ The two encryption key pairs must be of different lengths of at least one increment (256 bits) apart. The recommended bit size for a server key is 768 bits. The recommended size for the host key is 1024 bits.
Chapter 28: Secure Shell (SSH) Protocol Configuring the SSH Server This section describes how to configure the SSH server software on the switch. For a description of all the steps required to configure an SSH server, see General Steps to Configuring SSH on page 547. This procedure assumes that you have already created the two key pairs. If you have not created the keys, go to Creating an Encryption Key on page 500. While you are configuring the SSH feature, you must disable the SSH server.
3. Select 1 - SSH Server Status to enable or disable the SSH server. 4. Choose one of the following: Disabled - While you are configuring SSH, you must set this field to Disabled. This is the default. Enabled - Select this value to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server. Note You cannot disable the SSH server while there is an active SSH connection; if you try, you receive a warning message. 5.
Chapter 28: Secure Shell (SSH) Protocol Displaying SSH Information To display SSH server information, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. 2. From the Security and Services menu, type 5 to select Secure Shell (SSH). The Secure Shell (SSH) Menu is shown in Figure 179 on page 548. 3. From the Secure Shell (SSH) menu, select 6 - Show Server information to display the SSH Server data. The Show Server Information Menu is shown in Figure 180.
AT-S62 User’s Guide ❑ Host Key ID: Indicates the host key ID defined for SSH. ❑ Host Key Bits: Indicates the number of bits in the host key. ❑ Server Key ID: Indicates the server key ID defined for SSH. ❑ Server Key Bits: Indicates the number of bits in the server key. ❑ Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated. The default is 0 hours which means the server key is not regenerated.
Chapter 29 RADIUS and TACACS+ Authentication Protocols This chapter explains how to create new manager accounts on a switch using the two authentication protocols RADIUS and TACACS+.
AT-S62 User’s Guide TACACS+ and RADIUS Overview TACACS+ and RADIUS are authentication protocols for enhancing the security of your network. (TACACS+ is an acronym for Terminal Access Controller Access Control System. RADIUS is an acronym for Remote Authentication Dial In User Services.) In general terms, these authentication protocols are designed to transfer the task of authenticating network access from a network device to an authentication protocol server.
Chapter 29: RADIUS and TACACS+ Authentication Protocols When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid for that switch. This is referred to as authentication.
AT-S62 User’s Guide the Administration Menu so that the switch and server can communicate with each other. ❑ You need to configure the TACACS+ or RADIUS software on the authentication server. This involves the following: — Specifying the username and password combinations. — Assigning each combination an authorization level. How this is achieved differs depending on the server software you are using. TACACS+ controls this through the sixteen (0 to 15) different levels of the Privilege attribute.
Chapter 29: RADIUS and TACACS+ Authentication Protocols When a switch receives a username and password combination from a network manager, it sends the combination to the first authentication server in its list. If the server fails to respond, the switch sends the combination to the next server in the list, and so on.
AT-S62 User’s Guide Configuring Authentication Protocol Settings To configure the RADIUS or TACACS+ settings on the switch, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59. 2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Menu is shown in Figure 181.
5. To disable the server-based authentication feature on the switch, do the following: a. Type 1 to select Server-based Authentication. The following prompt is displayed: Server Based User Authentication (E-Enabled, D-Disabled) -> b. Type D to disable the feature. The default is disabled. c. Return to the Main Menu and type S to save your change.
Use per-server secret [Y/N] -> If you will be specifying more than one TACACS+ server and all of the servers use the same encryption secret, you can answer No to this prompt and enter the encryption secret using the TAC Global Secret parameter. However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, respond with Yes to this prompt.
Chapter 29: RADIUS and TACACS+ Authentication Protocols f. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. 7. To configure the RADIUS protocol, from the Authentication Menu in Figure 181 on page 557 do the following: a. Type 4 to select RADIUS Configuration. The RADIUS Client Configuration menu is shown in Figure 183.
3 - RADIUS Server 1 Configuration 4 - RADIUS Server 2 Configuration 5 - RADIUS Server 3 Configuration Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software. Selecting one of the options displays the RADIUS Server Configuration menu, shown in Figure 184. Figure 184 RADIUS Server 1 Configuration menu (option 1 - Server IP Address)
d. From the Authentication Menu, type 1 to select Server-based Authentication. The following prompt is displayed: Server Based User Authentication (E-Enabled, D-Disabled) -> e. Type E to enable server-based authentication on the switch. f. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 30 Management Access Control List This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Chapter 30: Management Access Control List Management Access Control List Overview The Management Access Control List (ACL) is a tool for restricting remote management access to a switch. You can use this feature to control which management workstations can remotely manage the device using the Telnet application protocol or a web browser. The Management ACL filters the remote management packets that a switch receives.
AT-S62 User’s Guide Mask You need to enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, the mask will depend on the subnet address. For example, to allow any management workstation in the subnet 149.11.11.
Chapter 30: Management Access Control List enter them. ❑ The protocol is always TCP. ❑ The Management ACL does not control local management or SNMP management. ❑ Activating this feature without specifying any ACEs will prohibit you from managing the switch remotely using a Telnet application or web browser because the switch will discard all Telnet and web browser management packets. ❑ You can apply Management ACLs to both Master and Slave switches in an enhanced stack.
Protocol Interface TCP Web A Management ACL can contain multiple ACEs. The two ACEs in this ACL allow all management packets from the subnets 149.11.11.0 and 149.22.22.0 to manage the switch using the Telnet application protocol, but not a web browser: ACE #1 - IP Address 149.11.11.0, Subnet Mask 255.255.255.0, Protocol TCP, Interface Telnet. ACE #2 - IP Address 149.22.22.0, Subnet Mask 255.255.255.
Chapter 30: Management Access Control List Creating the Management ACL To create a Management ACL, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 59. 2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 186.
on the address. For example, to allow all management workstations in the subnet 149.11.11.0 to manage the switch, you would enter the mask 255.255.255.0. This prompt is displayed: Enter the Protocol [TCP/UDP/ALL]: 6. Enter either TCP or ALL. The software allows you to select UDP, but since AT-S62 management packets from Telnet and web browser management sessions are TCP, you must specify TCP or ALL. This prompt is displayed: Enter the Interface [TELNET/WEB/ALL]: 7.
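Added example, not code from the AT-S62 guide: a model of how a Management ACL as described in this chapter is evaluated against an incoming Telnet or web management packet, covering the mask semantics (255.255.255.255 for a single workstation, 255.255.255.0 for a subnet), the rule that only a TCP or ALL entry can match management traffic, the interface restriction, and the fact that an activated ACL with no ACEs discards all remote management packets. The ACE addresses are the guide's own example subnets; the class and function names and the probe addresses are my own constructions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Only these protocol values can match AT-S62 management traffic: Telnet and
# web browser management sessions are TCP, so a UDP entry never permits anything.
MATCHING_PROTOCOLS = {"TCP", "ALL"}
INTERFACES = {"TELNET", "WEB", "ALL"}


@dataclass(frozen=True)
class ACE:
    """One access control entry, as entered at the Management ACL prompts."""
    ip_address: str      # e.g. "149.11.11.0"
    subnet_mask: str     # "255.255.255.255" for one host, "255.255.255.0" for a /24
    protocol: str        # "TCP", "UDP" or "ALL"
    interface: str       # "TELNET", "WEB" or "ALL"

    def __post_init__(self) -> None:
        if self.protocol not in ("TCP", "UDP", "ALL"):
            raise ValueError(f"bad protocol {self.protocol!r}")
        if self.interface not in INTERFACES:
            raise ValueError(f"bad interface {self.interface!r}")
        IPv4Address(self.ip_address)   # raises on malformed input
        IPv4Address(self.subnet_mask)

    def matches(self, source_ip: str, interface: str) -> bool:
        """A '1' bit in the mask means that bit of the source address must match."""
        if self.protocol not in MATCHING_PROTOCOLS:
            return False
        if self.interface != "ALL" and self.interface != interface:
            return False
        mask = int(IPv4Address(self.subnet_mask))
        wanted = int(IPv4Address(self.ip_address)) & mask
        return (int(IPv4Address(source_ip)) & mask) == wanted


def management_permitted(acl_enabled: bool, aces: list, source_ip: str,
                         interface: str) -> bool:
    """Decide whether a remote Telnet/web management packet is accepted.

    The Management ACL does not cover local (console) or SNMP management, so
    this function models only the remote Telnet and web browser paths.
    """
    if interface not in ("TELNET", "WEB"):
        raise ValueError("management packets arrive on TELNET or WEB")
    if not acl_enabled:
        return True
    # Activating the feature with no ACEs discards every remote management packet.
    if not aces:
        return False
    return any(ace.matches(source_ip, interface) for ace in aces)


# The guide's two-ACE example: both subnets may use Telnet, neither the web interface.
GUIDE_EXAMPLE_ACL = [
    ACE("149.11.11.0", "255.255.255.0", "TCP", "TELNET"),
    ACE("149.22.22.0", "255.255.255.0", "TCP", "TELNET"),
]

# A single-workstation ACE: all 32 mask bits must match (constructed host address).
SINGLE_HOST_ACL = [ACE("149.11.11.5", "255.255.255.255", "TCP", "ALL")]


def demo() -> dict:
    """Evaluate constructed source addresses against the sample ACLs."""
    return {
        "subnet_telnet": management_permitted(True, GUIDE_EXAMPLE_ACL, "149.11.11.77", "TELNET"),
        "subnet_web": management_permitted(True, GUIDE_EXAMPLE_ACL, "149.11.11.77", "WEB"),
        "second_subnet_telnet": management_permitted(True, GUIDE_EXAMPLE_ACL, "149.22.22.9", "TELNET"),
        "other_subnet": management_permitted(True, GUIDE_EXAMPLE_ACL, "149.33.33.1", "TELNET"),
        "single_host": management_permitted(True, SINGLE_HOST_ACL, "149.11.11.5", "WEB"),
        "single_host_neighbour": management_permitted(True, SINGLE_HOST_ACL, "149.11.11.6", "WEB"),
        "enabled_no_aces": management_permitted(True, [], "149.11.11.5", "TELNET"),
        "disabled": management_permitted(False, [], "10.0.0.1", "TELNET"),
        "udp_ace_never_matches": management_permitted(
            True, [ACE("0.0.0.0", "0.0.0.0", "UDP", "ALL")], "149.11.11.5", "TELNET"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'permitted' if allowed else 'discarded'}")
```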
Chapter 30: Management Access Control List Adding, Deleting, and Viewing ACEs You can add or delete an ACE from the Management ACL at any time. To add an ACE, simply repeat the procedure in Creating the Management ACL on page 568. The new ACEs that you enter are added to the ACEs that are already in the Management ACL.
Section VIII Web Browser Management The chapters in this section explain how to manage an AT-8524M switch using a web browser.
Section III: Web Browser Management ❑ Chapter 47, GARP VLAN Registration Protocol on page 775 ❑ Chapter 48, MAC Address Security on page 782 ❑ Chapter 49, 802.
Chapter 31 Starting a Web Browser Management Session This chapter contains the procedure for starting a web browser management session on an AT-8524M switch.
Chapter 31: Starting a Web Browser Management Session Starting a Web Browser Management Session To establish a web browser management session with an AT-8524M switch, there must be at least one switch in the subnet with an IP address and whose stacking status has been changed to master switch. Once you have started a web browser management session on the master switch, you can manage all the enhanced stacking switches that reside in the same enhanced stack.
The AT-S62 software displays the login page, as shown in Figure 188. Figure 188 AT-S62 Login Page 3. Enter a user name and password. For manager access, enter “manager” as the user name. The default password is “friend”. For operator access, enter “operator” as the user name. The default password is “operator”. Login names and passwords are case-sensitive. (For information on the two access levels, refer to Management Access Levels on page 38.) The user names cannot be changed.
Chapter 31: Starting a Web Browser Management Session The main menu is on the left side of the Home page. It consists of the following selections: ❑ Enhanced Stacking ❑ Configuration ❑ Monitoring ❑ Logout Note The Enhanced Stacking selection is included in the menu only on master switches. A web browser management session remains active even if you link to other sites. You can return to the management web pages anytime as long as you do not quit the browser.
AT-S62 User’s Guide Saving Your Parameter Changes When you make a change to a switch parameter, the change is, in most cases, immediately activated as soon as you click the Apply button. However, a change to a switch parameter is initially saved only to temporary memory. It is lost the next time you reset or power cycle the unit. To permanently save a change, you must click the Save Changes button. This button is located on the General tab. To locate the button, from the Home Page click Configuration.
Chapter 31: Starting a Web Browser Management Session Quitting a Web Browser Management Session To exit a web browser management session, select Logout from the main menu.
Chapter 32 Enhanced Stacking This chapter contains the following procedures: ❑ Setting a Switch’s Enhanced Stacking Status on page 580 ❑ Selecting a Switch in an Enhanced Stack on page 582 ❑ Displaying the Enhanced Stacking Status on page 584 Note For background information on enhanced stacking, refer to Enhanced Stacking Overview on page 49.
Chapter 32: Enhanced Stacking Setting a Switch’s Enhanced Stacking Status The enhanced stacking status of the switch can be master, slave, or unavailable. Each status is described below: ❑ Master - A master switch of a stack can be used to manage other switches in an enhanced stack. Once you have established a local or remote management session with a master switch, you can access and manage the other enhanced stacking switches. A master switch must have a unique IP address.
AT-S62 User’s Guide Note If the window does not have an Enhanced Stacking tab, you are attempting to change the stacking status of a switch accessed through enhanced stacking. This is not allowed. The only stacking status you can change remotely from a web browser management session is the switch on which you started the session. The Enhanced Stacking tab is shown in Figure 191. Figure 191 Enhanced Stacking Tab (Configuration) 4. Click the desired enhanced stacking status for the switch.
Chapter 32: Enhanced Stacking Selecting a Switch in an Enhanced Stack The first thing that you should do before you perform any procedure on a switch in an enhanced stack is check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, identifying your switches should be easy. The management software displays the name of the switch being managed at the top of every management menu.
AT-S62 User’s Guide Note The master switch on which you started the management session is not included in the list, nor are any switches with an enhanced stacking status of Unavailable. You can sort the switches in the list by switch name or MAC address by clicking on the column headers. By default, the list is sorted by MAC address. You can refresh the list by clicking Refresh. This instructs the master switch to again poll the subnet for all switches. 2.
Displaying the Enhanced Stacking Status To display the enhanced stacking status of a switch, do the following: 1. From the Home page, select Monitoring. 2. From the Monitoring page, select the Layer 2 menu option. 3. From the Layer 2 page, select the Enhanced Stacking tab. The tab is shown in Figure 193. Figure 193 Enhanced Stacking Tab (Monitoring) The information in the tab states the current enhanced stacking status of the switch as master, slave, or unavailable.
Chapter 33 Basic Switch Parameters This chapter contains the following sections: ❑ Configuring an IP Address and Switch Name on page 586 ❑ Activating the BOOTP and DHCP Client Software on page 589 ❑ Displaying System Information on page 590 ❑ Configuring the Manager and Operator Passwords on page 592 ❑ Rebooting a Switch on page 594 ❑ Pinging a Remote System on page 595 ❑ Returning the AT-S62 Software to the Factory Default Values on page 596
Chapter 33: Basic Switch Parameters Configuring an IP Address and Switch Name Note For guidelines on when to assign an IP address, subnet address, and gateway address to an AT-8524M switch, refer to When Does a Switch Need an IP Address? on page 57. To set basic switch parameters for an AT-8524M switch, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194.
AT-S62 User’s Guide Note This procedure describes the parameters in the Administration section of the tab. The Passwords section is described in Configuring the Manager and Operator Passwords on page 592. The DHCP/BOOTP option is described in Activating the BOOTP and DHCP Client Software on page 589. The maximum aging timer option is described in Changing the Aging Time on page 627. Note The Defaults button returns all parameters in this tab to their default settings.
Chapter 33: Basic Switch Parameters Comments This parameter specifies the location of the switch, (for example, 4th Floor - rm 402B). The location can be from 1 to 20 characters. The location can include spaces and special characters, such as dashes and asterisks. The default is no location. This parameter is optional. IP address This parameter specifies the IP address of the switch. You must specify an IP address if you want the switch to function as the Master switch of an enhanced stack.
AT-S62 User’s Guide Activating the BOOTP and DHCP Client Software For background information on BOOTP and DHCP, refer to the section Activating the BOOTP and DHCP Client Software on page 62. To activate or deactivate the BOOTP and DHCP client software on the switch from a web browser management session, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2.
Chapter 33: Basic Switch Parameters Displaying System Information To view basic information about the switch, perform the following procedure: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195. Figure 195 General Tab (Monitoring) This tab is for viewing purposes only. You cannot change any of the values from this tab. The information in the tab is defined below: System Name The name of the switch.
AT-S62 User’s Guide Comments The location of the switch, (for example, 4th Floor - rm 402B). DHCP/BOOTP The status of the DHCP and BOOTP client software. If enabled, the switch is obtaining its IP information from a DHCP and BOOTP server on the network. If disabled, the IP address must be manually entered. MAC Address Aging Timer The time interval an inactive dynamic MAC address can remain in the MAC address table before it is deleted. IP Address The switch’s IP address.
Chapter 33: Basic Switch Parameters Configuring the Manager and Operator Passwords There are two levels of management access on an AT-8524M switch: manager and operator. When you log in as a manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator by entering the appropriate username and password when you start an AT-S62 management session.
AT-S62 User’s Guide Caution You should not use spaces or special characters, such as asterisks (*) and exclamation points (!), in a password. Many web browsers cannot handle special characters in passwords. Note A change to a password is immediately activated on the switch. You will be prompted for the new password the next time you log on. 3. Click Apply to activate your change on the switch. 4. Click Save Changes to permanently save your change.
Rebooting a Switch Note Any parameter changes that have not been saved will be discarded when a system is reset. To save parameter changes, refer to Saving Your Parameter Changes on page 577. To reboot a switch, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Click Reset. A confirmation prompt is displayed. 3.
AT-S62 User’s Guide Pinging a Remote System You can instruct the switch to ping a node on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. To ping a network device, perform the following procedure: 1. From the Home Page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Select the Ping Client tab. The Ping Client tab is shown in Figure 196.
Chapter 33: Basic Switch Parameters Returning the AT-S62 Software to the Factory Default Values The procedure in this section returns all AT-S62 software parameters, including IP address and subnet mask, if assigned, to their default values. Please note the following before performing this procedure: ❑ Returning all parameter settings to their default values also deletes any port-based or tagged VLANs you created on the switch. ❑ This procedure does not delete files from the AT-S62 file system.
AT-S62 User’s Guide The System Utilities tab is shown in Figure 197. Figure 197 System Utilities Tab 3. Click the Reboot Switch After Resetting to Defaults checkbox. 4. Click Apply. 5. Follow the prompts. Note The bottom portion of the System Utilities tab is used to download and upload files from the switch. For instructions, refer to Chapter 39, File Downloads and Uploads on page 644.
Chapter 34 SNMPv1 and SNMPv2c Community Strings This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
AT-S62 User’s Guide Enabling or Disabling SNMP Management To enable or disable SNMP management on the switch, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP tab. The SNMP tab is shown in Figure 198. Figure 198 SNMP Tab (Configuration) 3. Click Enable SNMP Access to enable or disable SNMP management.
Chapter 34: SNMPv1 and SNMPv2 Community Strings 4. If you want the switch to send authentication failure traps, click Enable Authentication Failure Traps. A check in the box indicates that the switch will send the trap. 5. Click Apply. A change to SNMP access is immediately activated on the switch. 6. To permanently save the changes, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
AT-S62 User’s Guide Creating a New SNMPv1 or SNMPv2c Community String To create a new SNMPv1 or SNMPv2c community string, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP tab. The SNMP tab is shown in Figure 198 on page 599. 3. Click Configure in the SNMPv1/v2c section of the tab.
Chapter 34: SNMPv1 and SNMPv2 Community Strings Open Access Displays the opened or closed access status of the string: Yes - The string’s status is open, meaning any management workstation can use it. No - The string’s status is closed, meaning only those workstations whose IP addresses have been assigned to the string can use it. Status Displays whether the string is enabled or disabled. The possible settings are: Enabled - The string can be used to access the switch.
AT-S62 User’s Guide 5. In the Community Name field, enter the new community string. The name can be from one to fifteen alphanumeric characters. Spaces are allowed. 6. Use the Status option to either enable or disable the community string. A disabled community string cannot be used to access the switch. The default is enabled. 7. Use the Access Mode option to specify the access mode for the new SNMP community string.
Modifying a Community String To modify a community string, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP tab. The SNMP tab is shown in Figure 198 on page 599. 3. Click Configure in the SNMPv1/v2c section of the tab. The SNMP tab for SNMPv1 and SNMPv2c is shown in Figure 199 on page 601. 4.
AT-S62 User’s Guide Note You cannot change the name of a community string. 6. Use the Status option to either enable or disable the community string. A disabled community string cannot be used to access the switch. 7. Use the Access Mode option to change the access mode of the community string. If you specify Read Only, the community string will only allow you to view the MIB objects on the switch.
Chapter 34: SNMPv1 and SNMPv2 Community Strings Deleting a Community String To delete a community string, do the following: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP tab. The SNMP tab is shown in Figure 198 on page 599. 3. Click Configure in the SNMPv1/v2c section of the tab. The SNMP tab for SNMPv1 and SNMPv2c is shown in Figure 199 on page 601. 4.
AT-S62 User’s Guide Displaying the SNMP Status and Community Strings To display the SNMPv1 and SNMPv2c community strings on the switch, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP tab. The information in the tab includes: SNMP Access Whether SNMP access is enabled or disabled.
Chapter 34: SNMPv1 and SNMPv2 Community Strings Trap Receivers IP addresses of management stations to receive SNMP traps from the switch. Open Access Displays the opened or closed access status of the string: Yes - The string’s status is open, meaning that any workstation can use it. No - The string’s status is closed, meaning that only those workstations whose IP addresses have been assigned to the string can use it. Status Displays the status of the string.
Chapter 35 Port Parameters This chapter explains how to view and change the parameter settings for the individual ports on a switch. Examples of the parameters that you can adjust include port speed and duplex mode.
Chapter 35: Port Parameters Configuring Port Parameters To configure the parameter settings of a port on the switch, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select the Layer 1 option. 3. Select the Port Settings tab. The Port Settings tab is shown in Figure 203. Figure 203 Port Settings Tab (Configuration) 4.
AT-S62 User’s Guide The Port Configuration page is shown Figure 204. Figure 204 Port Configuration Page Note The Port Configuration page in the figure above is for a 10/100 Mbps twisted pair port. The page for a fiber optic port on an optional expansion module will contain a subset of the parameters. If you are configuring multiple ports and the ports have different settings, the Port Configuration menu displays the settings of the lowest numbered port.
Chapter 35: Port Parameters You should note the following concerning the operation of AutoNegotiation on the switch port: ❑ In order for a switch port to successfully Auto-Negotiate its duplex mode with an end-node, the end-node should also be using AutoNegotiation. Otherwise, a duplex mode mismatch can occur. A switch port using Auto-Negotiation will default to half-duplex if it detects that the end-node is not using Auto-Negotiation.
AT-S62 User’s Guide You might also want to disable a port that is not being used to secure it from unauthorized connections. Possible settings for this parameter are: Enabled The port will receive and forward packets. This is the default setting. Disabled The port will not receive or forward packets. Broadcast Filter Most frames on an Ethernet network are usually unicast frames. A unicast frame is a frame that is sent to a single destination.
Chapter 35: Port Parameters Back Pressure Sets backpressure on a port. This option only applies to ports operating in half-duplex mode. A switch port uses backpressure to control the flow of ingress packets. When a twisted pair port on the switch operating in half-duplex mode needs to stop an end node from transmitting data, it forces a collision. A collision on an Ethernet network occurs when two end nodes attempt to transmit data using the same data link at the same time.
AT-S62 User’s Guide MDI/MDIX Crossover Use this selection to set the wiring configuration of the port. The configuration can be Auto, MDI, or MDI-X. The default setting is Auto. The default Auto setting activates the auto-MDI/MDI-X feature on a port, which enables a port to configure itself automatically as MDI or MDI-X when connected to an end node. This allows you to use a straight-through twisted pair cable when connecting any type of network device to a port on the switch.
Chapter 35: Port Parameters Displaying Port Status and Statistics The procedure in this section displays the operating status of the ports on a switch and port statistics. You can view a port’s operating speed, duplex mode, MDI/MDI-X configuration, and more. You can also view the operating status of any GBIC modules installed in an AT-8550GB. To display the status or statistics of a switch port, perform the following procedure: 1. From the Home page, select Monitoring.
AT-S62 User’s Guide If you select port status, the Port Status page in Figure 206 is displayed. Figure 206 Port Status Page The information in this page is for viewing purposes only. To adjust port parameters, refer to Configuring Port Parameters on page 610. The columns in the page are described below: Port The port number. Name The name of the port. Link The status of the link between the port and the end node connected to the port.
Chapter 35: Port Parameters Speed The operating speed of the port. Possible values are: 0010 - 10 Mbps 0100 - 100 Mbps 1000 - 1000 Mbps (Optional expansion ports only.) Duplex The duplex mode of the port. Possible values are half-duplex and full-duplex. PVID The port VLAN identifier assigned to the port. Flow Control The port’s flow control setting. Possible values are: Enabled - Flow control is enabled on the port. Disabled - Flow control is disabled on the port.
AT-S62 User’s Guide The information in this page is for viewing purposes only. The statistics are defined below: Bytes Received Number of bytes received on the port. Bytes Sent Number of bytes transmitted from the port. Frames Received Number of frames received on the port. Frames Sent Number of frames transmitted from the port. Broadcast Frames Received Number of broadcast frames received on the port. Broadcast Frames Sent Number of broadcast frames transmitted from the port.
Chapter 35: Port Parameters Oversize Frames Number of frames exceeding the maximum specified by IEEE 802.3 (1518 bytes including the CRC) received on the port. Fragments Number of undersized frames, frames with alignment errors, and frames with frame check sequence (FCS) errors (CRC errors) received on the port. The Clear button at the bottom of the statistics page clears all the counters for the selected port. The Clear All button clears the counters for all of the ports on the switch.
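The statistics above are most useful as differences between two readings, not as absolute values. The following is an added example, not from the AT-S62 guide: it takes two snapshots of the counters listed on the statistics page and flags the ports worth a look. A rising Fragments count on a port running half-duplex is the classic symptom of the duplex mismatch described under Auto-Negotiation, and a counter that went backwards means somebody pressed Clear in between, so that interval is discarded. The thresholds and the sample snapshots are assumptions constructed for the example.

```python
"""Added example, not from the AT-S62 guide: turn two snapshots of the
per-port statistics into a simple health check.

Counter names follow the statistics page; thresholds and sample data are
assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortStats:
    port: int
    duplex: str              # "half" or "full", as shown on the Port Status page
    frames_received: int
    fragments: int           # undersized, alignment-error and FCS-error frames
    oversize_frames: int     # frames above 1518 bytes including the CRC


FRAGMENT_RATIO = 0.01    # assumption: flag when >1% of received frames are fragments
MIN_FRAMES = 1000        # assumption: ignore ports that were nearly idle


def deltas(before: Dict[int, PortStats], after: Dict[int, PortStats]) -> Dict[int, Tuple[int, int, int, str]]:
    """Per-port counter growth between two snapshots.

    The counters only grow until someone presses Clear / Clear All, so a
    negative difference means the counters were reset and the interval is
    discarded rather than misreported."""
    out: Dict[int, Tuple[int, int, int, str]] = {}
    for port, a in after.items():
        b = before.get(port)
        if b is None:
            continue
        fr = a.frames_received - b.frames_received
        fg = a.fragments - b.fragments
        ov = a.oversize_frames - b.oversize_frames
        if min(fr, fg, ov) < 0:
            continue
        out[port] = (fr, fg, ov, a.duplex)
    return out


def suspicious_ports(before: Dict[int, PortStats], after: Dict[int, PortStats]) -> List[Tuple[int, str, float, str]]:
    """Return (port, counter, value, likely cause) for ports worth a look."""
    findings: List[Tuple[int, str, float, str]] = []
    for port, (fr, fg, ov, duplex) in deltas(before, after).items():
        if fr < MIN_FRAMES:
            continue
        ratio = fg / fr
        if ratio > FRAGMENT_RATIO:
            cause = "duplex mismatch likely" if duplex == "half" else "bad cable or NIC"
            findings.append((port, "fragments", round(ratio, 4), cause))
        if ov > 0:
            findings.append((port, "oversize", float(ov), "frames above 1518 bytes (jumbo or framing error)"))
    return findings


# Constructed sample snapshots (not real switch output).
SNAPSHOT_T0 = {
    1: PortStats(1, "half", 100_000, 10, 0),
    2: PortStats(2, "full", 500_000, 2, 0),
    3: PortStats(3, "full", 50, 0, 0),
    4: PortStats(4, "full", 5_000, 50, 0),
}
SNAPSHOT_T1 = {
    1: PortStats(1, "half", 150_000, 1_200, 0),   # 2.4% fragments on a half-duplex port
    2: PortStats(2, "full", 800_000, 4, 3),       # a few oversize frames
    3: PortStats(3, "full", 90, 5, 0),            # too little traffic to judge
    4: PortStats(4, "full", 200, 0, 0),           # counters were cleared in between
}

if __name__ == "__main__":
    for finding in suspicious_ports(SNAPSHOT_T0, SNAPSHOT_T1):
        print(finding)
```

Run it against readings taken a few minutes apart; a port that is administratively disabled but still shows growth in any counter is another condition worth alerting on, since the page says a disabled port neither receives nor forwards packets.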
Chapter 36 MAC Address Table This chapter contains instructions on how to view the dynamic and static addresses in the MAC address table of the switch. This chapter contains the following procedure: ❑ Displaying the MAC Address Table on page 622 ❑ Adding Static Unicast and Multicast MAC Addresses on page 624 ❑ Deleting Unicast and Multicast MAC Addresses on page 626 ❑ Changing the Aging Time on page 627 Note For background information, refer to MAC Address Overview on page 110.
Displaying the MAC Address Table To view the MAC address table, perform the following procedure: 1. From the Home page, select either Configuration or Monitoring. 2. Select Layer 2. The Layer 2 page is displayed with the MAC Address tab shown by default. Figure 208 shows how this tab appears when you display it through the Configuration page. If displayed through the Monitoring page, the Add button is not included.
AT-S62 User’s Guide View All This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. View Static This selection displays just the static addresses assigned to the ports on the switch. View Dynamic This selection displays just the dynamic addresses learned on the ports on the switch. View MAC Addresses on Port Displays the dynamic and static MAC addresses of a particular port.
Chapter 36:MAC Address Table Adding Static Unicast and Multicast MAC Addresses This section contains the procedure for assigning a static unicast or multicast address to a port on the switch. You can assign up to 255 static MAC addresses per port. To add a static address to the MAC address table, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2.
AT-S62 User’s Guide the failure of the multicast packets to be properly forwarded to the host nodes. You can specify the ports individually (e.g., 1,4,5), as a range (e.g., 11-14) or both (e.g., 15-17,22,24). 6. In the VLAN ID field, enter the VLAN ID where the port is a member. 7. Click Apply. 8. Repeat this procedure to add other static addresses to the switch. 9. To permanently save the change, use the Save Changes button in the General tab.
Chapter 36:MAC Address Table Deleting Unicast and Multicast MAC Addresses To delete a static or dynamic unicast or multicast MAC address from the switch, perform the following procedure: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Layer 2. The Layer 2 page opens with the MAC Address tab selected by default, as shown in Figure 208 on page 622. 3.
AT-S62 User’s Guide Changing the Aging Time The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
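The following is an added example, not switch code, that models the MAC address table behaviour this chapter describes: dynamic entries are learned from the source address of ingress frames and removed after the aging time (default 300 seconds) with no traffic to or from the address, static entries never age, and a port holds at most 255 static addresses. The limit and the default come from the guide; how the switch treats a frame whose source address is pinned by a static entry to a different port is assumed (here it is not relearned and the call reports a mismatch, which is exactly the event you want logged when a static entry is used to anchor a server or gateway to its port).

```python
"""Added example, not switch code: a model of the MAC address table with
static entries, dynamic learning and aging as described in the guide."""
from typing import Dict, Optional, Tuple

AGING_TIME_DEFAULT = 300      # seconds, the switch default
MAX_STATIC_PER_PORT = 255     # per the guide


class MacTable:
    def __init__(self, aging_time: int = AGING_TIME_DEFAULT):
        self.aging_time = aging_time
        # key: (mac, vlan id) -> (port, static?, time of last activity)
        self.entries: Dict[Tuple[str, int], Tuple[int, bool, float]] = {}

    def _static_count(self, port: int) -> int:
        return sum(1 for p, s, _ in self.entries.values() if s and p == port)

    def add_static(self, mac: str, vid: int, port: int) -> None:
        if self._static_count(port) >= MAX_STATIC_PER_PORT:
            raise ValueError(f"port {port}: {MAX_STATIC_PER_PORT} static addresses already assigned")
        self.entries[(mac.lower(), vid)] = (port, True, 0.0)

    def learn(self, src_mac: str, vid: int, port: int, now: float) -> bool:
        """Called for every ingress frame. Returns False when the source
        address is pinned by a static entry to another port (assumption:
        the switch does not relearn it)."""
        key = (src_mac.lower(), vid)
        entry = self.entries.get(key)
        if entry is not None and entry[1]:
            return entry[0] == port
        self.entries[key] = (port, False, now)
        return True

    def lookup(self, dst_mac: str, vid: int, now: float) -> Optional[int]:
        """Egress port for a destination, or None to flood the VLAN.
        Traffic sent *to* an address also counts as activity for aging."""
        key = (dst_mac.lower(), vid)
        entry = self.entries.get(key)
        if entry is None:
            return None
        port, static, _ = entry
        if not static:
            self.entries[key] = (port, False, now)
        return port

    def age(self, now: float) -> int:
        """Remove dynamic entries idle for longer than the aging time."""
        expired = [k for k, (_, static, last) in self.entries.items()
                   if not static and now - last > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def dynamic_count_by_port(self) -> Dict[int, int]:
        """How many dynamic addresses each port has learned. A port that
        suddenly carries hundreds of new addresses deserves attention."""
        counts: Dict[int, int] = {}
        for port, static, _ in self.entries.values():
            if not static:
                counts[port] = counts.get(port, 0) + 1
        return counts
```

A shorter aging time empties the table of stale hosts faster but makes the switch flood more often after quiet periods; a longer one keeps forwarding precise but lets an address that moved ports stay wrong for longer.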
Chapter 37 Port Trunking This chapter contains the procedure for creating, modifying, or deleting a port trunk from a web browser management session. Sections in this chapter include: ❑ Creating a Port Trunk on page 629 ❑ Modifying a Port Trunk on page 632 ❑ Deleting a Port Trunk on page 634 ❑ Displaying the Port Trunks on page 635 Note For background information, refer to Port Trunking Overview on page 122.
AT-S62 User’s Guide Creating a Port Trunk This section contains the procedure for creating a port trunk on the switch. Be sure to review the guidelines in Port Trunking Overview on page 122 before performing the procedure. Caution Do not connect the cables to the trunk ports on the switches until after you have configured the trunk with the management software. Connecting the cables before configuring the software will create a loop in your network topology.
Chapter 37: Port Trunking The Port Trunking tab is shown in Figure 210. Figure 210 Port Trunking Tab This tab lists the existing trunks. Columns in the tab are defined below: ID The ID number of the trunk. Name The name of the trunk.
AT-S62 User’s Guide The Add New Trunk page is shown in Figure 211. Figure 211 Add New Trunk Page 5. In the Trunk Name field, enter a name for the port trunk. The name can be up to fifteen alphanumeric characters. No spaces or special characters, such as asterisks and exclamation points, are allowed. Each trunk must be given a unique name. 6. From the Trunk Method list, select a distribution method.
Modifying a Port Trunk This section contains the procedure for modifying a port trunk on the switch. You can change the name of a trunk and the ports that constitute the trunk. You cannot change the load distribution method. Be sure to review the guidelines in Port Trunking Overview on page 122 before performing the procedure.
AT-S62 User’s Guide An example of the Modify Trunk page is shown in Figure 212. Figure 212 Modify Trunk Page Note You cannot change the Trunk ID number or the load distribution method of a port trunk. 5. To change the name of the trunk, click the Trunk Name field and modify the name as needed. The name can be up to fifteen alphanumeric characters. No spaces or special characters, such as asterisks and exclamation points, are allowed. Each trunk must have a unique name. 6.
Chapter 37: Port Trunking Deleting a Port Trunk Caution Disconnect the cables from the port trunk on the switch before performing the following procedure. Deleting a port trunk without first disconnecting the cables can create loops in your network topology. Data loops can result in broadcast storms and poor network performance. To delete a port trunk from the switch, perform the following procedure: 1. From the Home Page, select Configuration.
AT-S62 User’s Guide Displaying the Port Trunks To display the port trunks, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590 2. From the Monitoring menu, select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab selected by default, as shown in Figure 205 on page 616. 3. Select the Port Trunking tab. The Port Trunking tab is shown in Figure 213.
Chapter 37: Port Trunking ❑ DI - Destination IP address (Layer 3) ❑ SI/DI - Source/destination IP address (Layer 3) Ports The ports of the trunk.
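The following is an added example, not switch code, showing how the load distribution methods listed in the Port Trunking tab choose a link. The hash the switch hardware actually uses is not documented on this page, so the function below (an XOR fold of the selected address fields, modulo the number of links) is an assumption. What it demonstrates is the property that matters when you pick a method: every frame of one conversation always takes the same link, so one flow never gets more than one link's bandwidth, and a method keyed on a field that is constant for most of your traffic (the source MAC of a trunk facing a router, for instance) collapses the whole trunk onto one link. The router MAC and the flows are constructed.

```python
"""Added example, not switch code: link selection for the trunk distribution
methods SA, DA, SA/DA, SI, DI and SI/DI. The hash itself is an assumption."""
import ipaddress
from typing import Dict, Iterable, List, Optional

METHODS = {"SA", "DA", "SA/DA", "SI", "DI", "SI/DI"}


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _ip(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


def _fold(data: bytes) -> int:
    """XOR all bytes together (assumed hash, not the switch's)."""
    h = 0
    for b in data:
        h ^= b
    return h


def select_link(method: str, trunk_ports: List[int], src_mac: str, dst_mac: str,
                src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> int:
    """Return the trunk port a frame is sent on under the given method."""
    if method not in METHODS:
        raise ValueError(f"unknown distribution method {method!r}")
    if not trunk_ports:
        raise ValueError("trunk has no ports")
    keyed = b""
    for part in method.split("/"):
        if part == "SA":
            keyed += _mac(src_mac)
        elif part == "DA":
            keyed += _mac(dst_mac)
        else:                                   # SI or DI
            ip = src_ip if part == "SI" else dst_ip
            if ip is None:
                # assumption: a non-IP frame cannot be hashed by a Layer 3 method
                raise ValueError(f"{method}: frame carries no IP header")
            keyed += _ip(ip)
    return sorted(trunk_ports)[_fold(keyed) % len(trunk_ports)]


def distribution(method: str, trunk_ports: List[int], flows: Iterable[dict]) -> Dict[int, int]:
    """Count how many flows land on each link; flows are dicts of select_link arguments."""
    counts = {p: 0 for p in trunk_ports}
    for flow in flows:
        counts[select_link(method, trunk_ports, **flow)] += 1
    return counts


# Constructed example: a four-link trunk facing a router, so every frame the
# router sends carries the router's own MAC as its source address.
ROUTER_MAC = "00:11:22:33:44:55"
ROUTER_SIDE_FLOWS = [
    {"src_mac": ROUTER_MAC, "dst_mac": f"66:77:88:99:aa:{i:02x}",
     "src_ip": "10.0.0.1", "dst_ip": f"192.168.1.{i}"}
    for i in range(1, 51)
]

if __name__ == "__main__":
    for method in ("SA", "DI", "SI/DI"):
        print(f"{method:6}", distribution(method, [1, 2, 3, 4], ROUTER_SIDE_FLOWS))
```

Because the method cannot be changed after the trunk is created (see Modifying a Port Trunk), run this kind of check against a sample of real traffic before choosing it.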
Chapter 38 Port Mirroring This chapter contains the procedure for creating or deleting a port mirror. Sections in the chapter include: ❑ Creating a Port Mirror on page 638 ❑ Modifying or Disabling a Port Mirror on page 641 ❑ Deleting a Port Mirror on page 642 ❑ Displaying the Port Mirror on page 643 Note For background information on port mirroring, refer to Port Mirroring Overview on page 137.
Chapter 38: Port Mirroring Creating a Port Mirror To create or delete a port mirror, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Layer 1. The Layer 1 page opens with the Port Settings tab displayed by default, as shown in Figure 203 on page 610. 3. Select the Port Mirroring tab. The Port Mirroring tab is shown in Figure 214.
AT-S62 User’s Guide Egress Port(s) This column lists the source ports whose egress traffic is mirrored to the destination port. Status This column contains the status of the mirroring feature. If enabled, traffic is being copied to the destination port. If disabled, no traffic is being mirrored. 4. Click Modify. The Modify Mirror page is shown in Figure 215. Figure 215 Modify Mirror Page 5. Click the ports of the port mirror.
Chapter 38: Port Mirroring Figure 216 shows an example of the Modify Mirror page configured for a port mirror. The egress traffic on Ports 11 and 12 is being mirrored to the destination Port 5. Figure 216 Example of a Modify Mirror Page 6. After selecting the destination and source ports, click the Enable Mirror check box. 7. Click Apply. The port mirror is now active on the switch. You can connect a data analyzer to the destination port to monitor the traffic on the source ports. 8.
AT-S62 User’s Guide Modifying or Disabling a Port Mirror To modify a port mirror, you perform the same procedure that you did to create it, as explained in Creating a Port Mirror on page 638. But before modifying it, you should first disable it using the Enable Mirror option in the Modify Mirror page. Once you have made the necessary modifications, enable the mirror again and click Apply. To permanently save the change, use the Save Changes button in the General tab.
Chapter 38: Port Mirroring Deleting a Port Mirror To delete a port mirror so that you can use the destination port for normal network operations, perform the procedure Creating a Port Mirror on page 638. Disable the port mirror using the Enable Mirror option and then click the destination port to change it from white to black. Once black, the port is available for normal network operations. Then click Apply. To permanently save the change, use the Save Changes button in the General tab.
AT-S62 User’s Guide Displaying the Port Mirror To display the port mirror, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590 2. From the Monitoring menu, select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab selected by default, as shown in Figure 205 on page 616. 3. Select the Port Mirroring tab. The Port Mirroring tab is shown in Figure 217.
Chapter 39 File Downloads and Uploads This chapter contains the procedure for downloading a new AT-S62 image file onto the switch from a web browser management session. This chapter also contains procedures for uploading and downloading system files, such as a boot configuration file, from the file system in the switch.
AT-S62 User’s Guide Downloading a File This procedure explains how to download a file from a TFTP server on your network to the switch using the web browser interface. You can download any of the following files: ❑ AT-S62 image file ❑ Boot configuration file ❑ Public key ❑ CA certificate Note The public key and CA certificate are only supported on the version of AT-S62 management software that features SSL, PKI, and SSH security. Caution Installing a new AT-S62 image file will invoke a switch reset.
Chapter 39: File Downloads and Uploads switch typically does not have an IP address. Rather, you would need to perform the download from a local management session of the switch using Xmodem or, alternatively, switch to switch. For instructions, refer to Chapter 12, File Downloads and Uploads on page 160. To download a file, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default. 2. Select the System Utilities tab.
AT-S62 User’s Guide 5. In the TFTP Remote Filename field, enter the filename of the file on the TFTP server to be downloaded to the switch. 6. In the TFTP Local Filename field, enter a name for the file. This is the name that the switch will store the file as in its file system. If you are downloading the AT-S62 image file, enter “ats62.img” as the filename. 7. In the TFTP File Type, select one of the following: ❑ Image - Select this option if you are downloading the AT-S62 image file.
Chapter 39: File Downloads and Uploads Uploading a File This procedure explains how to upload a file from the switch’s file system to a TFTP server on your network using the web browser interface. You can upload any of the following files: ❑ Boot configuration file ❑ Public encryption key ❑ CA certificate ❑ CA enrollment request Note The public key, CA certificate, and CA enrollment request are only supported on the version of AT-S62 management software that features SSL, PKI, and SSH security.
AT-S62 User’s Guide Note The top portion of the tab is used to return the switch to its factory default settings. For instructions, refer to Returning the AT-S62 Software to the Factory Default Values on page 596. 3. In the TFTP Server IP Address field, enter the IP address of the network node that contains the TFTP server software. 4. In the TFTP Operation field, click Upload. 5. In the TFTP Remote Filename field, enter a name for the file.
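Both the download and the upload procedures above ride on TFTP. The following is an added example, not part of the guide, that plays out the exchange for each operation with both the switch (client) side and the server side of every message, driven in memory so it runs offline. Packet layouts are from RFC 1350; the file names and contents are constructed. The point a practitioner should take from it is that there is no authentication or integrity check anywhere in the protocol: the switch accepts whatever the server hands it for "ats62.img", and a server directory that is writable from the network accepts whatever is uploaded under whatever name, so restrict who can reach the TFTP server and compare a downloaded image against a hash obtained some other way.

```python
"""Added example, not part of the guide: a TFTP read (download to the switch)
and write (upload from the switch) as the sequence of packets each side sends.
RFC 1350 layouts; file names and contents are constructed."""
import hashlib
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512                       # DATA payload size; a shorter block ends the transfer


def encode_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def encode_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(pkt: bytes) -> tuple:
    """Parse any TFTP packet into (opcode, ...) fields."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (RRQ, WRQ):
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return opcode, name.decode(), mode.decode()
    if opcode == DATA:
        return opcode, struct.unpack("!H", pkt[2:4])[0], pkt[4:]
    if opcode == ACK:
        return opcode, struct.unpack("!H", pkt[2:4])[0]
    if opcode == ERROR:
        return opcode, struct.unpack("!H", pkt[2:4])[0], pkt[4:].split(b"\0")[0].decode()
    raise ValueError(f"unknown TFTP opcode {opcode}")


Exchange = List[Tuple[str, bytes]]   # ("C->S" or "S->C", packet)


def tftp_download(server_files: Dict[str, bytes], filename: str) -> Tuple[bytes, Exchange]:
    """Switch reads a file (TFTP Operation: Download). Returns the bytes
    received and the full packet exchange. Nothing proves who the server is."""
    log: Exchange = [("C->S", encode_request(RRQ, filename))]
    if filename not in server_files:
        log.append(("S->C", encode_error(1, "File not found")))
        raise FileNotFoundError(filename)
    data, received, block = server_files[filename], b"", 1
    while True:
        pkt = encode_data(block, data[(block - 1) * BLOCK: block * BLOCK])
        log.append(("S->C", pkt))
        _, num, payload = decode(pkt)
        assert num == block          # a real client must also cope with retransmits
        received += payload
        log.append(("C->S", encode_ack(block)))
        if len(payload) < BLOCK:     # a file of exactly n*512 bytes ends with an empty DATA
            break
        block += 1
    return received, log


def tftp_upload(server_files: Dict[str, bytes], filename: str, data: bytes) -> Exchange:
    """Switch writes a file (TFTP Operation: Upload). The server stores it
    under whatever name the client supplied; nothing checks who sent it."""
    log: Exchange = [("C->S", encode_request(WRQ, filename)), ("S->C", encode_ack(0))]
    stored, block = b"", 1
    while True:
        pkt = encode_data(block, data[(block - 1) * BLOCK: block * BLOCK])
        log.append(("C->S", pkt))
        _, num, payload = decode(pkt)
        stored += payload
        log.append(("S->C", encode_ack(num)))
        if len(payload) < BLOCK:
            break
        block += 1
    server_files[filename] = stored
    return log


def sha256_hex(data: bytes) -> str:
    """Compare this against a hash published out of band before trusting an image."""
    return hashlib.sha256(data).hexdigest()
```

Note that an uploaded boot configuration file or CA enrollment request sits on the TFTP server in the clear, so treat the server directory with the same care as the switch itself.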
Chapter 40 Event Log This chapter describes the event log. Sections in the chapter include: ❑ Enabling or Disabling the Event Log on page 651 ❑ Displaying Events on page 653 ❑ Saving the Event Log on page 655 ❑ Clearing the Event Log on page 656 Note For background information on this feature, refer to Event Log Overview on page 183.
AT-S62 User’s Guide Enabling or Disabling the Event Log Allied Telesyn recommends setting the switch’s date and time if you intend to use the event log. Otherwise, the switch will not log the entries with the correct date and time. For instructions, refer to Setting the System Time on page 67. To enable or disable the event log, do the following: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2.
3. For Status in Log Settings, click either Disable or Enable. If you enable the log, the system immediately begins to add events to the log. The default is enabled. 4. For Log Full Action, click either Wrap or Halt. The Wrap option causes the log to delete old entries as it adds new entries once it reaches its maximum capacity of 4,000 events. The Halt option causes the log to stop adding new entries once it reaches maximum capacity. The default is Wrap. Note that with Wrap a burst of events pushes the oldest entries out of the log, so save the log to a file (see Saving the Event Log on page 655) if you need to keep the history; with Halt, nothing after the 4,000th event is recorded until the log is cleared. 5. Click Apply. 6.
AT-S62 User’s Guide Displaying Events To view the event log, do the following: 1. From the Home Page, click either Configuration or Monitoring. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the System page, select the Event Log tab. The Event Log tab is shown in Figure 219 on page 651. 3. Configure the following options: Severity Selections Displays events of a selected severity.
Chapter 40: Event Log Figure 220 shows an example of the event log in the Full display mode. The Normal display mode does not include the Filename, Line Number, and Event ID items. Figure 220 Event Log Example The columns in the log are described below: ❑ S (Severity) - The event’s severity. Table 6 on page 186 defines the different severity levels. ❑ Date/Time - The date and time the event occurred. ❑ Event ID - A unique number that identifies the event. (Displayed only in the Full display mode.
AT-S62 User’s Guide Saving the Event Log You can save the event log as a file in the file system, from where you can view it or download it to your management workstation. To save the event log, do the following: 1. Perform steps 1 to 3 in Displaying Events on page 653. (To save an event log, you must access the Event Log tab through Configuration and not Monitoring.) 2. In the Save Filename field, enter a name for the file.
Chapter 40: Event Log Clearing the Event Log To clear all events from the log, perform the following procedure: 1. From the Home Page, click Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the System page, select the Event Log tab. The Event Log tab is shown in Figure 219 on page 651. 3. In Log Settings, click Clear Log. 4. Click Apply. The log, if enabled, will immediately begin to learn new events.
Chapter 41 Quality of Service This chapter contains instructions on how to configure Quality of Service (QoS). This chapter contains the following procedure: ❑ Configuring CoS on page 658 ❑ Mapping CoS Priorities to Egress Queues on page 661 ❑ Configuring Egress Scheduling on page 663 ❑ Displaying the CoS Settings on page 664 ❑ Displaying QoS Scheduling on page 666 Note For background information on QoS, refer to Quality of Service Overview on page 192.
Chapter 41: Quality of Service Configuring CoS This procedure explains how to change the egress queue used to handle untagged ingress packets on a port. This procedure also overrides the priority levels in tagged ingress packets. To configure CoS, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select the QoS option.
The CoS Setting for Port page is shown in Figure 222. Figure 222 CoS Setting for Port Page 5. Use the Priority list to select a value from Level 0 to Level 7 that corresponds to the egress queue where you want all untagged ingress frames received on the port to be stored. For example, if you select Level 4, all untagged packets received on the port will be stored in egress queue Q2 of the egress port. The default is Level 0, which corresponds to Q0.
Chapter 41: Quality of Service Note The tagged information in a frame is not changed as the frame traverses the switch. A tagged frame exits the switch with the same priority level that it had when it entered. The default for this parameter is No, meaning that the priority level of tagged frames is determined by the priority level specified in the frame itself. 7. Click Apply. Configuration changes are immediately activated on the switch. 8.
AT-S62 User’s Guide Mapping CoS Priorities to Egress Queues This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 8, Default Mappings of IEEE 802.1p Priority Levels to Priority Queues on page 193. This is set at the switch level. To change the mappings, perform the following procedure. 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2.
Chapter 41: Quality of Service Note The Configure Egress Weights section in the tab is explained in the next procedure, Configuring Egress Scheduling on page 663. 4. In the Configure CoS Queues to Egress Queues section of the tab, click the list for a CoS priority whose queue assignment you want to change and select the new queue. For example, to direct all tagged packets with a CoS priority level of 5 to egress queue Q3, you would use the list in CoS 5 to PQ and select Q3 - QoS PriorityQ 3. 5.
AT-S62 User’s Guide Configuring Egress Scheduling This procedure explains how to select and configure a scheduling method for QoS. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to Scheduling on page 194. Scheduling is set at the switch level. You cannot set this at the port level. To change scheduling, perform the following procedure. 1. From the Home Page, select Configuration.
Chapter 41: Quality of Service Displaying the CoS Settings To display the CoS settings, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590 2. From the Monitoring menu, select the QoS option. The QoS page is displayed with the CoS tab selected by default, as shown in Figure 224. Figure 224 CoS Tab (Monitoring) 3. Click the port where you want to view the settings.
AT-S62 User’s Guide The page displays the following information: Port The port number. VLAN Id The VLAN of which the port is a member. Default Priority The default priority level for this port. Override Priority Whether or not the default priority should be overridden.
Chapter 41: Quality of Service Displaying QoS Scheduling To display QoS scheduling, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590 2. From the Monitoring menu, select the QoS option. The QoS page is displayed with the CoS tab selected by default, as shown in Figure 224 on page 664. 3. Select the Scheduling tab. The Scheduling tab is shown in Figure 226.
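The following is an added example, not switch code, that puts the pieces configured in this chapter together: a frame is first given a priority (the port's default priority if it is untagged, or the 802.1p value in its tag unless the port overrides it), the switch-wide map turns that priority into one of the four egress queues, and the scheduler decides which queue the egress port serves next. The default map below agrees with the two cases the text gives (Level 0 to Q0, Level 4 to Q2); the rest of the map, the weighted round robin weights and the sample backlog are assumptions, so check Table 8 and the Scheduling tab on your switch. The example also shows the failure mode of strict priority scheduling: a steady stream in the top queue starves everything below it.

```python
"""Added example, not switch code: CoS classification, priority-to-queue
mapping and the two egress scheduling methods. The default map, the WRR
weights and the backlog are assumptions."""
from collections import deque
from typing import Deque, Dict, List, Tuple

# priority level -> egress queue (assumption consistent with the two cases in the text)
DEFAULT_PRIORITY_TO_QUEUE: Dict[int, int] = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def classify(frame: dict, port_cfg: dict, prio_map: Dict[int, int] = DEFAULT_PRIORITY_TO_QUEUE) -> int:
    """Pick the egress queue for one ingress frame.

    frame:    {"tagged": bool, "priority": 0-7 (only meaningful when tagged)}
    port_cfg: {"default_priority": 0-7, "override": bool}
    The tag itself is never rewritten: an overridden frame leaves the switch
    with the same 802.1p value it arrived with; only its queue changes."""
    if not frame["tagged"] or port_cfg["override"]:
        priority = port_cfg["default_priority"]
    else:
        priority = frame["priority"]
    return prio_map[priority]


Queues = Dict[int, Deque[str]]


def schedule_strict(queues: Queues, slots: int) -> List[Tuple[int, str]]:
    """Strict priority: always serve the highest non-empty queue.
    Lower queues get nothing while a higher one has traffic."""
    served: List[Tuple[int, str]] = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                served.append((q, queues[q].popleft()))
                break
        else:
            break                      # every queue is empty
    return served


def schedule_wrr(queues: Queues, weights: Dict[int, int], slots: int) -> List[Tuple[int, str]]:
    """Weighted round robin: each cycle serves up to weights[q] frames from
    every queue, highest first, so no queue starves."""
    served: List[Tuple[int, str]] = []
    while len(served) < slots and any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if not queues[q] or len(served) >= slots:
                    break
                served.append((q, queues[q].popleft()))
    return served


def make_queues(per_queue: Dict[int, int]) -> Queues:
    """Constructed backlog: per_queue[q] frames waiting in queue q."""
    return {q: deque(f"q{q}-{i}" for i in range(n)) for q, n in per_queue.items()}


if __name__ == "__main__":
    backlog = {0: 5, 1: 0, 2: 0, 3: 20}
    print("strict:", [q for q, _ in schedule_strict(make_queues(backlog), 10)])
    print("wrr   :", [q for q, _ in schedule_wrr(make_queues(backlog), {0: 1, 1: 2, 2: 4, 3: 8}, 10)])
```

The override setting is worth a second look from a security angle: with override off, any end node that tags its own frames with priority 7 can put itself ahead of everything else on the egress port, so override untrusted ports and let only trusted uplinks carry their own priorities.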
Chapter 42 IGMP Snooping This chapter describes how to configure the IGMP snooping feature on the switch. Sections in the chapter include: ❑ Configuring IGMP Snooping on page 668 ❑ Displaying a List of Host Nodes and Multicast Routers on page 671 Note For background information, refer to IGMP Snooping Overview on page 204.
Chapter 42: IGMP Snooping Configuring IGMP Snooping To configure IGMP snooping from a web browser management session, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586 2. Select the IGMP tab. The IGMP tab is shown in Figure 227. Figure 227 IGMP Tab (Configuration) 3. Adjust the IGMP parameters as necessary.
AT-S62 User’s Guide host node stops sending reports and times-out. The switch forwards the leave request to the router and simultaneously ceases transmission of any further multicast packets out the port where the host node is connected. The Intermediate (Multi-Host) setting is appropriate if there is more than one host node connected to a switch port, such as when a port is connected to an Ethernet hub to which multiple host nodes are connected.
Chapter 42: IGMP Snooping This parameter is useful with networks that contain a large number of multicast groups. You can use the parameter to prevent the switch’s MAC address table from filling up with multicast addresses, leaving no room for dynamic or static MAC addresses. The range is 1 address to 2048 addresses. The default is 256 multicast addresses. 4. After setting the IGMP snooping parameters, click Apply. 5. To permanently save the change, use the Save Changes button in the General tab.
AT-S62 User’s Guide Displaying a List of Host Nodes and Multicast Routers You can use the AT-S62 software to display a list of the multicast groups on a switch, as well as the host nodes. You can also view the multicast routers. A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. To view host nodes and multicast routers, perform the following procedure: 1. From the Home page, select Monitoring.
Chapter 42: IGMP Snooping VLAN ID The VID of the VLAN in which the port is an untagged member. Member Port The port(s) on the switch to which one or more host nodes of the multicast group are connected. Host IP The IP address(es) of the host node(s) connected to the port. Status The status of the host node. Status can be: ❑ Active - The host node is an active member of the group. ❑ Left Group - The host node recently left the group.
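The following is an added example, not switch code, of the state IGMP snooping keeps behind the Host/Router lists shown above (which ports, and which host IPs behind them, belong to which multicast group), together with the two behaviours this chapter configures: the multicast group limit (1 to 2048, default 256) and how a leave message is handled when a port has one host versus several. The timer value and the exact single-host versus multi-host semantics are assumptions drawn from the descriptions in the text, not the switch's implementation.

```python
"""Added example, not switch code: an IGMP snooping membership table with the
group limit and the single-host / multi-host leave behaviour the chapter
describes. Timer and exact semantics are assumptions."""
from typing import Dict, Set

DEFAULT_MAX_GROUPS = 256
HOST_TIMEOUT = 260.0       # assumption: about two query intervals plus slack, in seconds


class IgmpSnooping:
    def __init__(self, host_mode: str = "single", max_groups: int = DEFAULT_MAX_GROUPS):
        if host_mode not in ("single", "multi"):
            raise ValueError("host_mode must be 'single' or 'multi'")
        if not 1 <= max_groups <= 2048:
            raise ValueError("max_groups must be between 1 and 2048")
        self.host_mode = host_mode
        self.max_groups = max_groups
        # group -> port -> host IP -> time of last membership report
        self.groups: Dict[str, Dict[int, Dict[str, float]]] = {}
        self.left: Set[str] = set()     # hosts whose last action was a leave ("Left Group")

    def report(self, group: str, port: int, host_ip: str, now: float) -> bool:
        """Membership report seen on a port. False if the group limit blocks it."""
        if group not in self.groups and len(self.groups) >= self.max_groups:
            return False
        self.groups.setdefault(group, {}).setdefault(port, {})[host_ip] = now
        self.left.discard(host_ip)
        return True

    def leave(self, group: str, port: int, host_ip: str) -> bool:
        """Leave message. Single-host mode stops forwarding to the port at
        once; multi-host mode only drops that host and keeps the port as a
        member while other hosts behind it are still known."""
        ports = self.groups.get(group)
        if ports is None or port not in ports:
            return False
        self.left.add(host_ip)
        if self.host_mode == "single":
            del ports[port]
        else:
            ports[port].pop(host_ip, None)
            if not ports[port]:
                del ports[port]
        if not ports:
            del self.groups[group]
        return True

    def expire(self, now: float) -> int:
        """Drop hosts that stopped reporting; returns how many were removed."""
        removed = 0
        for group in list(self.groups):
            for port in list(self.groups[group]):
                hosts = self.groups[group][port]
                for ip in [ip for ip, last in hosts.items() if now - last > HOST_TIMEOUT]:
                    del hosts[ip]
                    removed += 1
                if not hosts:
                    del self.groups[group][port]
            if not self.groups[group]:
                del self.groups[group]
        return removed

    def member_ports(self, group: str) -> Set[int]:
        """Ports that receive traffic for the group (the Member Port column)."""
        return set(self.groups.get(group, {}))

    def status(self, host_ip: str) -> str:
        """The Status column: Active, Left Group, or unknown to the switch."""
        if host_ip in self.left:
            return "Left Group"
        for ports in self.groups.values():
            for hosts in ports.values():
                if host_ip in hosts:
                    return "Active"
        return "Unknown"
```

The group limit is there to stop multicast addresses from crowding dynamic and static entries out of the MAC address table; a host that joins hundreds of groups in quick succession will hit this limit, and the False return from report() is the event to log when it does.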
Chapter 43 Denial of Service Defense This chapter contains instructions on how to configure the Denial of Service defense feature on the switch. The sections include: ❑ Configuring Denial of Service Attack Defense on page 674 ❑ Displaying the DoS Settings on page 677 Note For background information, refer to Denial of Service Defense Overview on page 213. Be sure to read the overview before implementing a DoS defense on a switch. Some defense mechanisms are CPU intensive and can impact switch behavior.
Chapter 43: Denial of Service Defense Configuring Denial of Service Attack Defense To configure the ports on the switch for a Denial of Service defense, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Security. The Security page is displayed with the 802.1x Port Access tab selected by default, as shown in Figure 283 on page 786. 3.
AT-S62 User’s Guide b. In the DoS Subnet Mask field, enter the LAN’s mask. A binary “1” indicates the switch should filter on the corresponding bit of the IP address, while a “0” indicates that it should not. As an example, assume that the devices connected to a switch are using the IP address range 149.11.11.1 to 149.11.11.50. The mask would be 0.0.0.63. c. If you are activating the Land defense, in the DoS Uplink Port field enter the number of the port connected to the device (e.g.
Chapter 43: Denial of Service Defense 8. Adjust the settings as needed. The parameters are described below. Status Enables or disables the DoS on the selected ports. Mirror Port This option applies to Land, Tear Drop, Ping of Death, and IP Options. You can use this option to copy invalid traffic to another port on the switch. You can specify only one mirror port. Specifying a mirror port is not required. 9. Click Apply. The defense is immediately activated or deactivated on the ports. 10.
AT-S62 User’s Guide Displaying the DoS Settings To display the DoS settings, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590 2. From the Monitoring menu, select the Security option. The Security page opens with the 802.1x Port Access tab selected by default, as shown in Figure 287 on page 795. 3. Select the DoS tab. The DoS tab is shown in Figure 231.
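The following is an added example, not the switch's implementation, of the four invalid-traffic conditions the Mirror Port option applies to (Land, Tear Drop, Ping of Death, IP Options), written as checks over raw IPv4 headers so that you can see what each one looks like in a capture taken from the mirror port. The definitions are the textbook ones, the packets are constructed, and the Land check here is the plain source-equals-destination test rather than the LAN address and mask matching the DoS tab configures.

```python
"""Added example, not the switch's implementation: textbook checks for the
Land, Tear Drop, Ping of Death and IP Options conditions over raw IPv4 headers.
All packets are constructed."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field


def build_ipv4(src: str, dst: str, payload: bytes = b"", ident: int = 1, more_fragments: bool = False,
               frag_offset: int = 0, proto: int = 1, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for testing."""
    if len(options) % 4 or frag_offset % 8:
        raise ValueError("options must be a multiple of 4 bytes, offset a multiple of 8")
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                         flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def parse_ipv4(pkt: bytes) -> dict:
    v_ihl, _, total, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident, "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
        "options": pkt[20:ihl], "payload_len": total - ihl,
    }


class DosDetector:
    """Stateless checks for Land and IP Options; fragment bookkeeping per
    (src, dst, id, proto) for Tear Drop (overlapping fragments) and Ping of
    Death (reassembled datagram larger than 65535 bytes)."""

    def __init__(self) -> None:
        self.fragments: Dict[Tuple[str, str, int, int], List[Tuple[int, int]]] = defaultdict(list)

    def inspect(self, pkt: bytes) -> List[str]:
        hdr = parse_ipv4(pkt)
        hits: List[str] = []
        if hdr["src"] == hdr["dst"]:
            hits.append("land")
        if hdr["options"]:
            hits.append("ip-options")
        if hdr["more_fragments"] or hdr["offset"]:
            start, end = hdr["offset"], hdr["offset"] + hdr["payload_len"]
            key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
            if any(start < e and s < end for s, e in self.fragments[key]):
                hits.append("teardrop")
            if end > MAX_DATAGRAM:
                hits.append("ping-of-death")
            self.fragments[key].append((start, end))
            if not hdr["more_fragments"]:
                del self.fragments[key]      # last fragment seen: forget the datagram
        return hits
```

A real detector also needs to expire fragment state that never completes, otherwise the bookkeeping itself becomes the resource an attacker exhausts; that is the same concern the chapter overview raises about the CPU cost of some defenses.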
Chapter 44 SNMPv3 Protocol This chapter provides the following procedures for configuring the SNMPv3 protocol from a web browser management session: ❑ Configuring the SNMPv3 Protocol on page 679 ❑ Enabling the SNMP Protocol on page 680 ❑ Configuring the SNMPv3 User Table on page 683 ❑ Configuring the SNMPv3 View Table on page 690 ❑ Configuring the SNMPv3 Access Table on page 696 ❑ Configuring the SNMPv3 SecurityToGroup Table on page 703 ❑ Configuring the SNMPv3 Notify Table on page 708 ❑ Configuring
AT-S62 User’s Guide Configuring the SNMPv3 Protocol To configure the SNMPv3 protocol, you need to configure the SNMPv3 tables. To enable a manager to access the SNMPv3 protocol on the switch, you need to enable the SNMP protocol.
Enabling the SNMP Protocol In order to allow an NMS (an SNMP manager) to access the switch, you need to enable SNMP access. In addition, to have the switch send a trap when it receives a request message that fails authentication (for example, one carrying an unknown community string), you need to enable authentication failure traps. This section provides a procedure to accomplish both of these tasks. To enable SNMP access and authentication failure traps, perform the following procedure. 1. From the Home Page, select Configuration.
The SNMP Tab is shown in Figure 232. Figure 232 Configuration System Page, SNMP Tab 3. To enable SNMP Access, click the box next to Enable SNMP Access. Use this parameter to enable the switch to be remotely managed with an SNMP application program. Note If the check box in the Enable SNMP Access box is empty, the switch cannot be managed through SNMP. This is the default. 4.
5. Click Apply to update the User Table. 6. To save your changes, return to the General Tab and click Save Changes.
Configuring the SNMPv3 User Table You can create, delete, and modify an SNMPv3 User Table entry. See the following procedures: ❑ Creating a User Table Entry on page 683 ❑ Deleting a User Table Entry on page 686 ❑ Modifying a User Table Entry on page 686 For reference information about the SNMPv3 User Table, see Configuring the SNMPv3 User Table on page 234. Creating a User Table Entry To create an entry in the SNMPv3 User Table, perform the following procedure. 1.
4. Click the Add button to add a new SNMPv3 User Table entry. The Add New SNMPv3 User Page is shown in Figure 234. Figure 234 Add New SNMPv3 User Page 5. In the User Name field, enter a name, or logon id, that consists of up to 32 alphanumeric characters. 6. In the Authentication Protocol field, enter an authentication protocol. This is an optional parameter; if you do not select one, the user can only be granted the No Authentication/Privacy security level. Select one of the following: MD5 This value represents the MD5 authentication protocol.
8. In the Confirm Authentication Password field, re-enter the authentication password. Note If you have the AT-S60 software version 2.1.0 that does not contain the encryption features, then the Privacy Protocol field is a read-only field and it is set to None. Note You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values. 9.
13. Click Apply to update the SNMPv3 User Table. 14. To save your changes, return to the General Tab and click Save Changes. Deleting a User Table Entry To delete an entry in the SNMPv3 User Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3.
The Modify SNMPv3 User Page is shown in Figure 235. Figure 235 Modify SNMPv3 User Page 5. In the Authentication Protocol field, enter an authentication protocol. This is an optional parameter. Select one of the following: MD5 This value represents the MD5 authentication protocol. With this selection, users are authenticated with the MD5 authentication protocol after a message is received. With this selection, you can configure a Privacy Protocol.
6. In the Authentication Password field, enter an authentication password of up to 32 alphanumeric characters. 7. In the Confirm Authentication Password field, re-enter the authentication password. Note If you have the AT-S60 software version 2.1.0 that does not contain the encryption features, then the Privacy Protocol field is a read-only field and it is set to None.
Note The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 User Table entry takes effect immediately. 12. Click Apply to update the SNMPv3 User Table. 13. To save your changes, return to the General Tab and click Save Changes.
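The following is an added example, not code from this guide or from Allied Telesyn. It shows what an SNMPv3 agent does with the Authentication Password entered in the User Table (RFC 3414, section 2.6 and appendix A.2): the password is expanded to one mebibyte and hashed into Ku, then localized with the agent's snmpEngineID into Kul, the key that is actually stored and used for HMAC. The engine ID and the password "maplesyrup" are the RFC 3414 appendix A.3 test vectors; the DES key split follows RFC 3414 section 8.1.1.1.

```python
"""USM password-to-key and key localization (RFC 3414 2.6, A.2).

Added example, not code from the AT-S62 guide or the switch firmware.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576
HASH_FOR_PROTOCOL = {"MD5": "md5", "SHA": "sha1"}

# snmpEngineID used by the RFC 3414 appendix A.3 test vectors
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated until 1,048,576 bytes have been hashed)."""
    if not password:
        raise ValueError("password must not be empty")
    reps = ONE_MEBIBYTE // len(password) + 1
    stream = (password * reps)[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores for this user."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 bytes (RFC 3411)")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, auth_protocol: str) -> dict:
    """Derive the localized authentication key for one switch.

    The same password yields a different Kul on every engine ID, so a key
    read out of one switch does not work on another, while the password
    itself does. The DES privacy key is derived the same way from the
    privacy password: its first 8 bytes are the DES key, the next 8 the pre-IV.
    """
    hash_name = HASH_FOR_PROTOCOL[auth_protocol]
    ku = password_to_ku(password.encode("utf-8"), hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "des_key": kul[:8].hex(),
        "des_pre_iv": kul[8:16].hex(),
    }


if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        print(proto, usm_keys("maplesyrup", RFC3414_ENGINE_ID, proto))
```

Because the 1 MiB expansion is the only work factor and the engine ID is sent in cleartext, a short or reused authentication password is recoverable from a captured authenticated message by offline guessing; choose the password as you would any 32-character secret, and give the privacy password a different value.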
Configuring the SNMPv3 View Table You can create, delete, and modify an SNMPv3 View Table entry. See the following procedures: ❑ Creating a View Table Entry on page 690 ❑ Deleting a View Table Entry on page 693 ❑ Modifying a View Table Entry on page 694 For reference information about the SNMPv3 View Table, see Configuring the SNMPv3 View Table on page 690. Creating a View Table Entry To create an entry in the SNMPv3 View Table, perform the following procedure. 1.
4. To create a new SNMPv3 View Table entry click Add. The Add New SNMPv3 View Page is shown in Figure 237. Figure 237 Add New SNMPv3 View Page 5. In the View Name field, enter a descriptive name of this view. Assign a name that reflects the subtree OID, for example, “internet.” Enter a unique name of up to 32 alphanumeric characters. Note The “defaultViewAll” value is the default entry for the SNMPv1 and SNMPv2c configuration.
The View Subtree parameter defines a MIB view and the Subtree Mask further restricts that view, for example, to a specific row of a MIB table. The value of the Subtree Mask parameter depends on the subtree you select: each mask bit corresponds to one sub-identifier of the subtree, a 1 bit means that position must match exactly and a 0 bit makes it a wildcard. See RFC 2575 (superseded by RFC 3415) for detailed information about defining a subtree mask. 8. In the View Type field, enter one of the following view types: Included Enter this value to permit the user to see the subtree specified above.
Deleting a View Table Entry To delete an entry in the SNMPv3 View Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure View Table. Then click Configure. 4.
Modifying a View Table Entry To modify an entry in the SNMPv3 View Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure View Table. Then click Configure at the bottom of the page.
6. In the View Type field, enter one of the following view types: Included Enter this value to permit the View Name to see the subtree specified above. Excluded Enter this value to not permit the View Name to see the subtree specified above. 7. In the Storage Type field, enter a storage type for this table entry: Volatile Select this storage type if you do not want the ability to save an entry in the View Table to the configuration file.
Configuring the SNMPv3 Access Table You can create, delete, and modify an SNMPv3 Access Table entry. See the following procedures: ❑ Creating an Access Table on page 696 ❑ Deleting an Access Table Entry on page 700 ❑ Modifying an Access Table Entry on page 701 For reference information about the SNMPv3 Access Table, see Configuring the SNMPv3 Access Table on page 696. Creating an Access Table To create an entry in the SNMPv3 Access Table, perform the following procedure. 1.
The SNMPv3 Access Table Page is shown in Figure 239. Figure 239 SNMPv3 Access Table Page 4. To create an SNMPv3 Access Table entry, click Add. The Add New SNMPv3 Access Page is shown in Figure 240.
5. In the Group Name field, enter a descriptive name of the group. The Group Name can consist of up to 32 alphanumeric characters. You are not required to enter a unique value here because the SNMPv3 Access Table entry is indexed with the Group Name, Security Model, and Security Level parameter values. However, a unique group name makes it easier for you to tell the groups apart.
v2c Select this value to associate the Group Name with the SNMPv2c protocol. v3 Select this value to associate the Group Name with the SNMPv3 protocol. 10. In the Security Level field, enter a security level. Select one of the following security levels: No Authentication/Privacy This option represents neither an authentication nor privacy protocol. Select this security level if you do not want to authenticate users and you do not want to encrypt messages using a privacy protocol. Requests at this level carry no proof of who sent them, so bind it only to groups with a narrow read-only view.
NonVolatile Select this storage type if you want the ability to save an entry in the Access Table to the configuration file. After making changes to an Access Table entry with a NonVolatile storage type, Save Changes appears on the General Tab. Note The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Access Table entry will take effect immediately. 12. Click Apply to update the SNMPv3 Access Table. 13.
Modifying an Access Table Entry To modify an entry in the SNMPv3 Access Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure Access Table. Then click Configure at the bottom of the page.
This parameter allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique. 7. In the Write View Name field, enter a value that you configured with the View Name parameter in the View Table. This parameter allows the users assigned to this Security Group to write, or modify, the objects in the specified view. This value does not need to be unique. Leave it empty for a read-only group. 8.
Configuring the SNMPv3 SecurityToGroup Table You can create, delete, and modify an SNMPv3 SecurityToGroup Table entry. See the following procedures: ❑ Creating a SecurityToGroup Table Entry on page 703 ❑ Deleting a SecurityToGroup Table Entry on page 705 ❑ Modifying a SecurityToGroup Table Entry on page 706 For reference information about the SNMPv3 SecurityToGroup Table, see Configuring the SNMPv3 SecurityToGroup Table on page 703.
4. To create an SNMPv3 SecurityToGroup Table entry, click Add. The Add New SNMPv3 SecurityToGroup Page is shown in Figure 243. Figure 243 Add New SNMPv3 SecurityToGroup Page 5. In the Security Model field, select the SNMP protocol that was configured for this User Name. Choose from the following: v1 Select this value to associate the User Name with the SNMPv1 protocol. v2c Select this value to associate the User Name with the SNMPv2c protocol.
There are four default values for this field that are reserved for SNMPv1 and SNMPv2c implementations: ❑ defaultV1GroupReadOnly ❑ defaultV1GroupReadWrite ❑ defaultV2cGroupReadOnly ❑ defaultV2cGroupReadWrite 8. In the Storage Type field, select one of the following storage types for this table entry: Volatile Select this storage type if you do not want the ability to save an entry in the SecurityToGroup Table to the configuration file.
The SNMPv3 SecurityToGroup Table Page is shown in Figure 242 on page 703. 4. Click the circle next to the SecurityToGroup Table entry that you want to delete. Then click Remove. A warning message is displayed. Click OK to remove the SNMPv3 SecurityToGroup Table entry. 5. To save your changes, return to the General Tab and click Save Changes. Modifying a SecurityToGroup Table Entry To modify an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure. 1.
5. In the Group Name field, enter a Group Name that you configured in the SNMPv3 Access Table. See Creating an Access Table on page 696. There are four default values for this field that are reserved for SNMPv1 and SNMPv2c implementations: ❑ defaultV1GroupReadOnly ❑ defaultV1GroupReadWrite ❑ defaultV2cGroupReadOnly ❑ defaultV2cGroupReadWrite 6.
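The View, Access and SecurityToGroup procedures above are three pieces of one access decision. The following added example (not code from this guide or from the switch) implements that decision as RFC 3415 defines it: the user and Security Model select a group, the group plus Security Model and Security Level select an Access Table row, the row names a view for the operation, and the View Table entries with their Subtree Masks decide whether the requested OID is in that view. The group names, user names, views and OIDs in SAMPLE_TABLES are constructed for illustration.

```python
"""View-based access control (VACM, RFC 3415) as the SNMPv3 tables encode it.

Added example, not code from the AT-S62 guide or the switch firmware.
All table rows below are constructed.
"""
from dataclasses import dataclass

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # Security Level values
ANY_MODEL, V1, V2C, V3 = 0, 1, 2, 3                   # Security Model values


@dataclass(frozen=True)
class ViewEntry:
    view_name: str
    subtree: tuple
    mask: bytes = b""        # empty mask: every sub-identifier of the subtree must match
    included: bool = True    # False = Excluded


@dataclass(frozen=True)
class AccessEntry:
    group_name: str
    security_model: int
    security_level: int
    read_view: str = ""
    write_view: str = ""
    notify_view: str = ""


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the Subtree Mask, MSB first; bits beyond the mask's length count as 1."""
    return i // 8 >= len(mask) or bool(mask[i // 8] & (0x80 >> (i % 8)))


def family_matches(entry: ViewEntry, oid: tuple) -> bool:
    """OID lies under the subtree; positions whose mask bit is 0 are wildcards."""
    return len(oid) >= len(entry.subtree) and all(
        not mask_bit(entry.mask, i) or oid[i] == entry.subtree[i]
        for i in range(len(entry.subtree)))


def oid_in_view(view_table, view_name: str, oid: tuple) -> bool:
    """RFC 3415 3.5: the longest matching subtree decides (the greater one on equal length)."""
    matches = [e for e in view_table if e.view_name == view_name and family_matches(e, oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.subtree), e.subtree)).included


def lookup_access(access_table, group: str, model: int, level: int):
    """RFC 3415 3.2 step 4: exact Security Model beats 'any'; then the highest
    Security Level that does not exceed the level the request arrived with."""
    rows = [a for a in access_table if a.group_name == group
            and a.security_model in (model, ANY_MODEL) and a.security_level <= level]
    return max(rows, key=lambda a: (a.security_model == model, a.security_level), default=None)


def is_access_allowed(tables, security_name, model, level, oid, operation) -> bool:
    """isAccessAllowed(): user -> group -> access row -> view for the operation -> OID."""
    group = tables["security_to_group"].get((model, security_name))
    if group is None:
        return False                     # noSuchGroupName
    access = lookup_access(tables["access"], group, model, level)
    if access is None:
        return False                     # noAccessEntry: level too low or model mismatch
    view_name = {"read": access.read_view, "write": access.write_view,
                 "notify": access.notify_view}[operation]
    return bool(view_name) and oid_in_view(tables["view"], view_name, oid)


# Constructed sample configuration
SYSTEM = (1, 3, 6, 1, 2, 1, 1)
INTERNET = (1, 3, 6, 1)
USM_MIB = (1, 3, 6, 1, 6, 3, 15)                    # snmpUsmMIB, which holds the user table
IF_ENTRY_ROW5 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 5)   # ifEntry.<any column>.5
SAMPLE_TABLES = {
    "security_to_group": {(V3, "noc"): "ops", (V3, "netadmin"): "admins",
                          (V2C, "public"): "defaultV2cGroupReadOnly"},
    "access": [
        AccessEntry("ops", V3, AUTH_NO_PRIV, read_view="ops-view"),
        AccessEntry("admins", V3, AUTH_PRIV, read_view="admin-view", write_view="admin-view"),
        AccessEntry("defaultV2cGroupReadOnly", V2C, NO_AUTH_NO_PRIV, read_view="defaultViewAll"),
    ],
    "view": [
        ViewEntry("defaultViewAll", (1,)),
        ViewEntry("ops-view", SYSTEM),
        # mask 0xFFBF clears bit 9: the column is a wildcard, the ifIndex must be 5
        ViewEntry("ops-view", IF_ENTRY_ROW5, mask=bytes.fromhex("ffbf")),
        ViewEntry("admin-view", INTERNET),
        ViewEntry("admin-view", USM_MIB, included=False),   # keep the user table out of view
    ],
}
```

Two consequences worth checking against your own tables: a request made at a higher Security Level than the Access Table row requires is still served (the row for authNoPriv also serves authPriv), but a request at a lower level finds no row at all; and an Excluded entry only hides what it names, so the longest-match rule is what lets "admin-view" expose the whole internet subtree while keeping the USM user table out of it.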
Configuring the SNMPv3 Notify Table You can create, delete, and modify an SNMPv3 Notify Table entry. See the following procedures: ❑ Creating a Notify Table Entry on page 708 ❑ Deleting a Notify Table Entry on page 710 ❑ Modifying a Notify Table Entry on page 711 For reference information about the SNMPv3 Notify Table, see Configuring the SNMPv3 Notify Table on page 708.
4. To create an SNMPv3 Notify Table entry, click Add. The Add New SNMPv3 Notify Page is shown in Figure 246. Figure 246 Add New SNMPv3 Notify Page 5. In the Notify Name field, enter the name associated with this trap message. Enter a descriptive name of up to 32 alphanumeric characters. For example, you might want to define a trap message for hardware engineering and enter a value of “hardwareengineeringtrap” for the Notify Name. 6.
NonVolatile Select this storage type if you want the ability to save an entry in the Notify Table to the configuration file. After making changes to a Notify Table entry with a NonVolatile storage type, Save Changes appears on the General Tab. Note The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Notify Table entry takes effect immediately. 9. Click Apply to update the SNMPv3 Notify Table. 10.
Modifying a Notify Table Entry To modify an entry in the SNMPv3 Notify Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure Notify Table. Then click Configure at the bottom of the page.
7. In the Storage Type field, select one of the following storage types for this table entry: Volatile Select this storage type if you do not want the ability to save an entry in the Notify Table to the configuration file. After making changes to a Notify Table entry with a Volatile storage type, Save Changes does not appear on the General Tab. NonVolatile Select this storage type if you want the ability to save an entry in the Notify Table to the configuration file.
Configuring the SNMPv3 Target Address Table You can create, delete, and modify an SNMPv3 Target Address Table entry. See the following procedures: ❑ Creating a Target Address Table Entry on page 713 ❑ Deleting a Target Address Table Entry on page 716 ❑ Modifying Target Address Table Entry on page 717 For reference information about the SNMPv3 Target Address Table, see Configuring the SNMPv3 Target Address Table on page 713.
The SNMPv3 Target Address Table Page is shown in Figure 248. Figure 248 SNMPv3 Target Address Table Page 4. To create an SNMPv3 Target Address Table entry, click Add. The Add New SNMPv3 Target Address Table Page is shown in Figure 249.
5. In the Target Address Name field, enter the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. 6. In the IP Address field, enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX 7. In the UDP Port Number field, enter a UDP port number. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. 8.
NonVolatile Select this storage type if you want the ability to save an entry in the Target Address Table to the configuration file. After making changes to a Target Address Table entry with a NonVolatile storage type, Save Changes appears on the General Tab. Note The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Target Address Table entry takes effect immediately. 13. Click Apply to update the SNMPv3 Target Address Table.
Modifying Target Address Table Entry To modify an entry in the SNMPv3 Target Address Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure Target Address Table.
7. In the UDP Port Number field, enter a UDP port number. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. 8. In the Timeout field, enter a timeout value in milliseconds. When an Inform message is generated, the switch expects an acknowledgement from the receiving SNMP manager. The timeout value determines how long the switch waits for that acknowledgement before it treats the Inform message as unanswered. This parameter applies to Inform messages only; traps are not acknowledged. The range is from 0 to 2,147,483,647 milliseconds.
14. To save your changes, return to the General Tab and click Save Changes.
Configuring the SNMPv3 Target Parameters Table You can create, delete, and modify an SNMPv3 Target Parameters Table entry. See the following procedures: ❑ Creating a Target Parameters Table Entry on page 720 ❑ Deleting a Target Parameters Table Entry ❑ Modifying a Target Parameters Table Entry on page 724 For reference information about the SNMPv3 Target Parameters Table, see Configuring the SNMPv3 Target Parameters Table on page 720.
4. To create an SNMPv3 Target Parameters Table entry, click Add. The Add New SNMPv3 Target Parameters Table Page is shown in Figure 252. Figure 252 Add New SNMPv3 Target Parameters Table Page 5. In the Target Parameters Name field, enter a name of the SNMP manager or host. Enter a value of up to 32 alphanumeric characters. Note Enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
7. In the Security Model field, select one of the following SNMP protocols as the Security Model for this Security Name, or User Name. v1 Select this value to associate the Security Name, or User Name, with the SNMPv1 protocol. v2c Select this value to associate the Security Name, or User Name, with the SNMPv2c protocol. v3 Select this value to associate the Security Name, or User Name, with the SNMPv3 protocol. 8.
This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol. 10. In the Storage Type parameter, select one of the following storage types for this table entry: Volatile Select this storage type if you do not want the ability to save an entry in the Target Parameters Table to the configuration file.
A warning message is displayed. Click OK to remove the Target Parameters Table entry. 5. To save your changes, return to the General Tab and click Save Changes. Modifying a Target Parameters Table Entry To modify an SNMPv3 Target Parameters Table entry, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab.
Note Enter a value for the Message Processing Model field only if you select SNMPv1 or SNMPv2c as the Security Model. If you select the SNMPv3 protocol as the Security Model, then the switch automatically assigns the Message Processing Model to SNMPv3. 5. In the Message Processing Model field, select the SNMP message format used to build the messages sent to this target. Select one of the following SNMP protocols: v1 Select this value to process messages with the SNMPv1 protocol.
Note If you have selected SNMPv1 or SNMPv2c as the Security Model, you must select No Authentication/Privacy as the Security Level. Authentication This option represents authentication, but no privacy protocol. Select this security level if you want to authenticate SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
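The Notify, Target Address and Target Parameters procedures above describe three tables that the switch chains together whenever it sends a notification. The following added example (not code from this guide or from the switch) resolves that chain the way SNMP-NOTIFICATION-MIB and SNMP-TARGET-MIB (RFC 3413) define it: the Notify entry's tag selects every Target Address whose tag list contains it, and each address's Target Parameters entry supplies the security model, name and level the message is sent with. The manager addresses, entry names and tags in the three sample tables are constructed.

```python
"""Resolving where a notification goes: Notify -> Target Address (by tag) -> Target Parameters.

Added example (RFC 3413 semantics), not code from the AT-S62 guide or the switch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NotifyEntry:
    name: str
    tag: str
    notify_type: str            # "trap" or "inform"


@dataclass(frozen=True)
class TargetAddress:
    name: str
    ip: str
    udp_port: int
    timeout: int                # as entered in the Timeout field (Inform only)
    retries: int                # Inform only
    tag_list: tuple             # tags this target subscribes to
    params: str                 # name of a Target Parameters entry


@dataclass(frozen=True)
class TargetParams:
    name: str
    security_model: str         # "v1", "v2c" or "v3"
    security_name: str          # User Name (v3) or Security Name (v1/v2c community)
    security_level: str         # "noAuthNoPriv", "authNoPriv" or "authPriv"


def resolve_notification(notify_name: str, notify_table, address_table, params_table) -> list:
    """One dispatch record per Target Address whose tag list carries the notification's tag."""
    notify = next((n for n in notify_table if n.name == notify_name), None)
    if notify is None:
        raise KeyError(f"no Notify Table entry named {notify_name!r}")
    params_by_name = {p.name: p for p in params_table}
    dispatch = []
    for addr in address_table:
        if notify.tag not in addr.tag_list:
            continue
        params = params_by_name.get(addr.params)
        if params is None:
            continue    # dangling Target Parameters reference: the target is silently skipped
        if notify.notify_type == "inform" and params.security_model == "v1":
            continue    # SNMPv1 has no InformRequest PDU, so nothing can be sent here
        dispatch.append({
            "target": addr.name,
            "address": f"{addr.ip}:{addr.udp_port}",
            "type": notify.notify_type,
            "timeout": addr.timeout if notify.notify_type == "inform" else None,
            "retries": addr.retries if notify.notify_type == "inform" else None,
            "security_model": params.security_model,
            "security_name": params.security_name,
            "security_level": params.security_level,
        })
    return dispatch


def unauthenticated_targets(dispatch) -> list:
    """Targets that would receive the notification without message authentication:
    v1/v2c (community name only) or v3 at No Authentication/Privacy."""
    return [d["address"] for d in dispatch
            if d["security_model"] != "v3" or d["security_level"] == "noAuthNoPriv"]


# Constructed sample tables
NOTIFY_TABLE = [
    NotifyEntry("hardwareengineeringtrap", "hw", "trap"),
    NotifyEntry("hardwareinform", "hw-inform", "inform"),
]
ADDRESS_TABLE = [
    TargetAddress("nms-primary", "10.0.0.5", 162, 1500, 3, ("hw",), "v3-priv"),
    TargetAddress("nms-legacy", "10.0.0.6", 162, 1500, 3, ("hw", "hw-inform"), "v2c-public"),
    TargetAddress("nms-secondary", "10.0.0.7", 1162, 3000, 5, ("hw-inform",), "v3-auth"),
    TargetAddress("nms-old", "10.0.0.8", 162, 1500, 3, ("hw-inform",), "v1-public"),
]
PARAMS_TABLE = [
    TargetParams("v3-priv", "v3", "nmsuser", "authPriv"),
    TargetParams("v3-auth", "v3", "nmsuser", "authNoPriv"),
    TargetParams("v2c-public", "v2c", "public", "noAuthNoPriv"),
    TargetParams("v1-public", "v1", "public", "noAuthNoPriv"),
]
```

The two silent cases are the ones to audit after editing these tables: a Target Address whose Target Parameters name has been deleted or mistyped, and an Inform target whose parameters select SNMPv1, both drop the notification without any indication in the web interface. The unauthenticated_targets() list is the set of managers to which anyone on the path could forge or replay notifications.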
Configuring the SNMPv3 Community Table You can create, delete, and modify an SNMPv3 Community Table entry. See the following procedures: ❑ Creating an SNMPv3 Community Table Entry on page 727 ❑ Deleting an SNMPv3 Community Table Entry on page 730 ❑ Modifying an SNMPv3 Community Table Entry on page 731 For reference information about the SNMPv3 Community Table, see Configuring the SNMPv3 Community Table on page 727.
Figure 254 SNMPv3 Community Table Page 4. To create an SNMPv3 Community Table entry, click Add. The Add New SNMPv3 Community Table Page is shown in Figure 255.
5. In the Community Index field, enter a value that identifies this community entry. This parameter is used to index the other parameters in an SNMPv3 Community Table entry. Enter a value of up to 32 alphanumeric characters. 6. In the Community Name field, enter a Community Name of up to 64 alphanumeric characters. The value of the Community Name parameter acts as a password for the SNMPv3 Community Table entry. This parameter is case sensitive. Note that SNMPv1 and SNMPv2c carry the community name in cleartext in every message, so it is only as secret as the network path between the manager and the switch; treat a community that maps to a read-write group with the same care as an administrator password.
making changes to an SNMPv3 Community Table entry with a NonVolatile storage type, Save Changes appears on the General Tab. Note The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Community Table entry takes effect immediately. 10. Click Apply to update the SNMPv3 Community Table. 11. To save your changes, return to the General Tab and click Save Changes.
Modifying an SNMPv3 Community Table Entry To modify an entry in the SNMPv3 Community Table, perform the following procedure. 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 586. 2. Select the SNMP Tab. The SNMP Tab is shown in Figure 198 on page 599. 3. In the SNMPv3 section of the page, click the circle next to Configure Community Table.
6. In the Security Name field, enter the name of an SNMPv1 or SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters. Note Do not use a value configured with the User Name parameter in the SNMPv3 User Table. 7. In the Transport Tag field, enter a name of up to 32 alphanumeric characters. The Transport Tag parameter links an SNMPv3 Community Table entry with an SNMPv3 Target Address Table entry. In the SNMP-COMMUNITY-MIB (RFC 3584) this tag restricts the community to requests from the managers listed in the Target Address Table entries that carry the same tag, so set it to limit which hosts may use the community rather than leaving the community usable from any source address.
Displaying SNMPv3 Tables This section contains procedures to display the SNMPv3 Tables.
Displaying User Table Entries To display entries in the SNMPv3 User Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to View User Table. 4. Click View at the bottom of the page. The Monitoring, SNMPv3 User Table Page is shown in Figure 257.
Displaying View Table Entries To display entries in the SNMPv3 View Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to View View Table. 4. Click View at the bottom of the page. The Monitoring, SNMPv3 View Table Page is shown in Figure 258.
Displaying Access Table Entries To display entries in the SNMPv3 Access Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to View Access Table. 4. Click View at the bottom of the page. The Monitoring, SNMPv3 Access Table Page is shown in Figure 259.
Displaying SecurityToGroup Table Entries To display entries in the SNMPv3 SecurityToGroup Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to the View SecurityToGroup Table. 4. Click View at the bottom of the page.
Displaying Notify Table Entries To display entries in the SNMPv3 Notify Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to View Notify Table. 4. Click View at the bottom of the page. The Monitoring, SNMPv3 Notify Table Page is shown in Figure 261.
Displaying Target Address Table Entries To display entries in the SNMPv3 Target Address Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to View Target Address Table. 4. Click View at the bottom of the page.
Displaying Target Parameters Table Entries To display entries in the SNMPv3 Target Parameters Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to the View Target Parameters Table. 4. Click View at the bottom of the page.
Displaying SNMPv3 Community Table Entries To display entries in the SNMPv3 Community Table, perform the following procedure. 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 195 on page 590. 2. Select the SNMP Tab. 3. From the SNMP Monitoring Tab, click the circle next to the View Community Table. 4. Click View at the bottom of the page.
Chapter 45 STP, RSTP, and MSTP This chapter explains how to configure the STP, RSTP and MSTP parameters on an AT-8524M switch from a web browser management session. Sections in the chapter include: ❑ Enabling or Disabling Spanning Tree on page 743 ❑ Configuring STP on page 745 ❑ Configuring RSTP on page 748 ❑ Configuring MSTP on page 752 ❑ Displaying Spanning Tree Settings on page 760 Note For background information on STP and RSTP, refer to STP and RSTP Overview on page 330.
Enabling or Disabling Spanning Tree To enable or disable spanning tree on the switch, do the following: 1. From the Home page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Layer 2. The Layer 2 page is displayed with the MAC Address tab shown by default, as shown in Figure 208 on page 622. 3. Select the Spanning Tree tab. The Spanning Tree tab is shown in Figure 265.
Chapter 45: STP, RSTP, and MSTP 7. Click Apply. 8. If you activated STP, go to Configuring STP on page 745. If you activated RSTP, go to Configuring RSTP on page 748. If you activated MSTP, go to Configuring MSTP on page 752.
Configuring STP Caution The bridge provides default STP parameters that are adequate for most networks. Changing them without prior experience and an understanding of how STP works might have a negative effect on your network. You should consult the IEEE 802.1D standard before changing any of the STP parameters. This procedure assumes that you have already designated STP as the active spanning tree on the switch.
2. Adjust the STP bridge settings as needed. The parameters are described below. Bridge Priority The priority number for the bridge. This number is used in determining the root bridge for STP. The bridge with the lowest priority number is selected as the root bridge. If two or more bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge.
Bridge Identifier The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed. 3. After you have made the desired changes, click Apply. 4. To adjust a port’s STP settings, click on the port in the switch image and click Modify. You can select more than one port at a time. The STP Port Settings window is shown in Figure 267.
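The root election rule described under Bridge Priority and Bridge Identifier, and the relationship the bridge timers must satisfy, are easy to get wrong when several bridges are edited by hand. The following added example (not code from this guide or from Allied Telesyn) builds the bridge identifier, elects the root and checks the timers. It assumes the IEEE 802.1t identifier layout used by RSTP and MSTP (a 4-bit priority in steps of 4096, a 12-bit system ID extension and the 48-bit MAC address) and the timer ranges and relationships of IEEE 802.1D-2004 clause 17.14; the bridge names and MAC addresses are constructed.

```python
"""Root bridge election and timer sanity for STP/RSTP.

Added example, not code from the AT-S62 guide. Assumes the IEEE 802.1t bridge
identifier layout; bridges and values below are constructed.
"""


def bridge_id(priority: int, mac: str, system_id_ext: int = 0) -> bytes:
    """8-byte bridge identifier: priority | system ID extension (2 bytes) + MAC (6 bytes).
    Comparing the bytes as an unsigned number compares the bridges."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= system_id_ext <= 4095:
        raise ValueError("system ID extension must fit in 12 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return (priority | system_id_ext).to_bytes(2, "big") + mac_bytes


def elect_root(bridges: dict) -> str:
    """bridges: name -> (priority, MAC). The numerically lowest bridge ID becomes root,
    so the MAC address only decides between bridges with equal priority."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def check_timers(hello_time: int, max_age: int, forward_delay: int) -> list:
    """Return the 802.1D timer constraints (seconds) that the given values violate."""
    problems = []
    if not 1 <= hello_time <= 10:
        problems.append("Hello Time must be 1..10 s")
    if not 6 <= max_age <= 40:
        problems.append("Max Age must be 6..40 s")
    if not 4 <= forward_delay <= 30:
        problems.append("Forwarding Delay must be 4..30 s")
    if max_age > 2 * (forward_delay - 1):
        problems.append("Max Age must not exceed 2 x (Forwarding Delay - 1)")
    if max_age < 2 * (hello_time + 1):
        problems.append("Max Age must be at least 2 x (Hello Time + 1)")
    return problems


if __name__ == "__main__":
    lan = {"sw-a": (32768, "00:00:5e:00:53:10"),
           "sw-b": (32768, "00:00:5e:00:53:01"),
           "sw-c": (36864, "00:00:5e:00:53:00")}
    print("root:", elect_root(lan))            # sw-b: equal priority, lowest MAC
    print("timer problems:", check_timers(2, 20, 10))
```

Because any bridge with a lower priority (or, at equal priority, a lower MAC) wins the election, a device plugged into an access port that sends BPDUs with priority 0 takes over as root; pin the intended root with a low priority and protect access ports with the BPDU-related port settings this switch offers rather than relying on the default 32768 everywhere.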
Configuring RSTP Caution The bridge provides default RSTP parameters that are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network. You should consult the IEEE 802.1w standard before changing any of the RSTP parameters. This procedure assumes that you have already designated RSTP as the active spanning tree on the switch.
2. Adjust the parameters as desired. The parameters are defined below. 1 - Force Version This selection determines whether the bridge will operate with RSTP or in an STP-compatible mode. If you select RSTP, the bridge operates all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge operates in RSTP, using the RSTP parameter settings, but it sends only STP BPDU packets out the ports.
6 - Bridge Identifier The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed. 3. After you have made your changes, click Apply. 4. To adjust RSTP port settings, click on the port in the switch image and click Modify. You can select more than one port at a time. The RSTP Port Settings window is shown in Figure 269.
4 - Edge Port This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 336. 6. Once you have configured the parameters, click Apply. 7. To permanently save the change, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
Configuring MSTP This section is divided into the following procedures: ❑ Configuring MSTP and CIST Parameters on page 752 ❑ Associating VLANs to MSTIs on page 755 ❑ Configuring MSTP Port Parameters on page 758 This procedure assumes that you have already designated MSTP as the active spanning tree on the switch. For instructions, refer to Enabling or Disabling Spanning Tree on page 743.
The MSTP Spanning Tree tab is shown in Figure 270. Figure 270 MSTP Spanning Tree Tab Note This procedure explains the Configure MSTP Parameters and Configure CIST Parameters sections of the web page. The CIST/MSTI Table is explained in Associating VLANs to MSTIs on page 755. The graphic image of the switch is described in Configuring MSTP Port Parameters on page 758.
5. Adjust the bridge MSTP settings as needed. The parameters are described below. Force Version This selection determines whether the bridge will operate with MSTP or in an STP-compatible mode. If you select MSTP, the bridge operates all ports in MSTP, except those ports that receive STP or RSTP BPDU packets. If you select Force STP Compatible, the bridge uses its MSTP parameter settings, but sends only STP BPDU packets from the ports. The default is MSTP.
❑ MaxAge must not exceed 2 x (ForwardingDelay - 1) Bridge Max Hops MSTP regions use this parameter to discard BPDUs. The Max Hop counter in a BPDU is decremented by each bridge that forwards the BPDU inside the region; once the counter reaches zero, the information in the BPDU is discarded. Revision Level The revision level of an MSTP region. This is an arbitrary number that you assign to a region. The revision level must be the same on all bridges in a region.
Chapter 45: STP, RSTP, and MSTP 2. To create or delete an MSTI ID and to associate VLANs to MSTIs, do the following: a. In the CIST/MSTI Table section of the menu, click Add. The Add New MSTI window is shown in Figure 271. Figure 271 Add New MSTI Window b. In the MSTI ID field, enter a new MSTI ID. The range is 1 to 15. c. In the Priority field, enter a MSTI Priority value. This parameter is used in selecting a regional root for the MSTI.
AT-S62 User’s Guide The Modify MSTI window is shown in Figure 272. Figure 272 Modify MSTI Window c. In the Priority field, enter a new MSTI Priority value. This parameter is used in selecting a regional root for the MSTI. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 12 on page 331. The default is 0. d. In the VLAN List field, modify the list of VIDs of the VLANs to be associated with this MSTI.
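The region parameters described above (a region name, the Revision Level, and the VLAN-to-MSTI associations) are what neighbouring bridges compare to decide whether they belong to the same MSTP region. IEEE 802.1s does not carry the VLAN table in BPDUs; each bridge advertises an HMAC-MD5 digest of a 4096-entry VID-to-MSTID table, computed with a key fixed by the standard, and two bridges join one region only when name, revision and digest all match. The following Python is an added example, not AT-S62 code, that computes that digest so you can predict from two switches' settings whether they will form one region before touching a production switch. The VLAN list syntax ("2-4,10"), the function names and the sample region configurations are assumptions; the MSTI range 1 to 15 is the one the web interface enforces, as stated above.

```python
import hashlib
import hmac
import struct

# HMAC-MD5 key fixed by IEEE 802.1s for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text):
    """Parse a VLAN list such as '2-4,10' (assumed syntax) into sorted VIDs."""
    vids = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VID range out of bounds: {part!r}")
        vids.update(range(lo, hi + 1))
    return sorted(vids)


def build_config_table(msti_vlans):
    """Build the 802.1s MST Configuration Table: 4096 big-endian 16-bit
    entries, entry i holding the MSTID of VID i (0 = the CIST)."""
    table = bytearray(4096 * 2)
    assigned = {}
    for msti, vlan_list in msti_vlans.items():
        if not 1 <= msti <= 15:  # AT-S62 web interface accepts MSTI IDs 1-15
            raise ValueError(f"MSTI ID {msti} outside the range 1-15")
        for vid in parse_vlan_list(vlan_list):
            if vid in assigned:  # a VLAN can belong to only one MSTI
                raise ValueError(f"VID {vid} in both MSTI {assigned[vid]} and {msti}")
            assigned[vid] = msti
            struct.pack_into("!H", table, vid * 2, msti)
    return bytes(table)


def mst_config_digest(msti_vlans):
    """Digest advertised in the MST configuration identifier (upper-case hex)."""
    table = build_config_table(msti_vlans)
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_id(name, revision, msti_vlans):
    """The three values a bridge compares with its neighbour's BPDU."""
    return (name, revision, mst_config_digest(msti_vlans))


def same_region(a, b):
    return a == b


if __name__ == "__main__":
    # Constructed sample: two switches meant to share a region, one with a typo
    # in its VLAN list for MSTI 2 (11 instead of 10-11).
    sw1 = region_id("campus", 1, {1: "2-4", 2: "10-11"})
    sw2 = region_id("campus", 1, {1: "2-4", 2: "11"})
    print("default digest:", mst_config_digest({}))
    print("sw1", sw1)
    print("sw2", sw2)
    print("same region:", same_region(sw1, sw2))
```

The digest for the factory state, every VLAN in the CIST, is the well-known AC36177F50283CD4B83821D8AB26DE62. A mismatch in the VLAN list on a single switch, even one VID, changes the digest and splits the region, which silently changes which links spanning tree blocks; compare the digests before changing the Revision Level on a live network.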
Chapter 45: STP, RSTP, and MSTP Configuring MSTP Port Parameters To configure MSTP port parameters, perform the following procedure: 1. Perform Steps 1 through 4 in the procedure Configuring MSTP and CIST Parameters on page 752 to display the Spanning Tree Expanded Web Page for MSTP. 2. In the diagram of the switch at the bottom of the MSTP Spanning Tree Expanded Web Page, click the port you want to configure. You can select more than one port at a time. A selected port turns white. 3. Click Configure.
AT-S62 User’s Guide Point-to-Point This parameter defines whether the port is functioning as a point-to-point port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 336. Port External Path Cost The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP. The range is 0 to 200,000,000. The default setting is 200,000. 5. After adjusting the parameters, click Apply. 6.
Chapter 45: STP, RSTP, and MSTP Displaying Spanning Tree Settings To display the parameter settings for the active spanning tree, perform the following procedure: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. From the Monitoring menu, select Layer 2. 3. Select the Spanning Tree tab. The Spanning Tree tab is shown in Figure 274.
Chapter 46 Virtual LANs This chapter explains how to create, modify, and delete port-based and tagged VLANs from a web browser management session. This chapter also explains how to select a multiple VLAN mode.
Chapter 46: Virtual LANs Creating a New Port-Based or Tagged VLAN To create a new port-based or tagged VLAN, perform the procedure below: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Layer 2. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 208 on page 622. 3. Select the VLAN tab. The VLAN tab is shown in Figure 275.
AT-S62 User’s Guide The VLAN Mode and Uplink Port options are explained in Selecting a VLAN Mode on page 771. The Mgmt. VLAN ID option is explained in Specifying a Management VLAN on page 773. The tab displays the VLANs on the switch. The columns in the tab are defined below: VLAN ID The VID number assigned to the VLAN. (Client) Name The name of the VLAN. Uplink Port This column is applicable only when the switch is operating in one of the two multiple VLAN modes.
Chapter 46: Virtual LANs If this VLAN will be unique in your network, then its VID should also be unique. If this VLAN will be part of a larger VLAN that spans multiple switches, then the VID value for the VLAN should be the same on each switch. For example, if you are creating a VLAN called Sales that will span three switches, you should assign the Sales VLAN on each switch the same VID value. Note A VLAN must have a VID.
AT-S62 User’s Guide 8. Click Apply. Note Any untagged ports that you assign to the new VLAN are automatically removed from their current untagged VLAN assignment. The new user-configured VLAN is now ready for network operations. 9. To permanently save the change, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
Chapter 46: Virtual LANs Modifying a Port-Based or Tagged VLAN This procedure explains how to add or remove ports from a VLAN. When modifying a VLAN, note the following: ❑ You cannot change the VID of a VLAN. ❑ You cannot change the name of a VLAN from a web browser management session; you can from a local or Telnet session. ❑ You cannot modify VLANs when the switch is operating in one of the multiple VLAN modes. To modify a VLAN, perform the following procedure: 1.
AT-S62 User’s Guide 7. After making the necessary changes, click Apply. Note Untagged ports that are added to a VLAN are automatically removed from their current untagged VLAN assignment. Untagged ports that are removed from a VLAN are returned to the Default_VLAN. Removing an untagged port from the Default_VLAN without assigning it to another VLAN will leave the port as an untagged member of no VLAN. The modified VLAN is now ready for network operations. 8.
Chapter 46: Virtual LANs Deleting a Port-Based or Tagged VLAN To delete a port-based or tagged VLAN from the switch, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select Layer 2. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 208 on page 622. 3. Select the VLAN tab.
AT-S62 User’s Guide Displaying VLANs To display the current VLANs on a switch, perform the following procedure: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. From the Monitoring menu, select Layer 2. The Layer 2 page is displayed with the MAC Address tab selected by default. 3. Select the VLAN tab. The VLAN tab is shown in Figure 277. The information in this tab is for viewing purposes only.
Chapter 46: Virtual LANs Uplink Port This column is applicable only when the switch is operating in one of the two multiple VLAN modes. The column lists the port that is functioning as the uplink port for all the other ports on the switch. Type - If this column contains Port Based, the VLAN is a port-based or tagged VLAN. If it contains GARP, the VLAN was created automatically by GVRP. Protocol - If this column is blank, the VLAN is a port-based or tagged VLAN.
AT-S62 User’s Guide Selecting a VLAN Mode The AT-S62 management software features three VLAN modes: ❑ Port-based and tagged VLAN Mode (default mode) ❑ IEEE 802.1Q-compliant Multiple VLAN Mode ❑ Non-IEEE 802.1Q compliant Multiple VLAN Mode For background information on port-based and tagged VLANs, refer to Chapter 20, Tagged and Port-based Virtual LANs on page 385. For information on the multiple VLAN modes, refer to Chapter 22, Multiple VLAN Modes on page 446.
Chapter 46: Virtual LANs 6. Click Apply. The new mode is automatically activated on the switch. 7. To permanently save the change, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
AT-S62 User’s Guide Specifying a Management VLAN The management VLAN is the VLAN through which an AT-8524M switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely or using the enhanced stacking feature of the switch. Management packets are packets generated by a management workstation when you remotely manage a switch using the Telnet application protocol or a web browser.
Chapter 46: Virtual LANs Now let’s assume that you decide to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management of your switches. For this, you would need to create the NMS VLAN on each AT-8524M switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. Then you would need to be sure that the uplink and downlink ports connecting the switches together are either tagged or untagged members of the NMS VLAN.
Chapter 47 GARP VLAN Registration Protocol This chapter explains how to configure GVRP from a web browser management session and contains the following procedures: ❑ Configuring GVRP on page 776 ❑ Enabling or Disabling GVRP on a Port on page 778 ❑ Displaying the GVRP Settings on page 780 Note For background information on GVRP, refer to Basic Overview of GARP VLAN Registration Protocol (GVRP) on page 421 or Technical Overview of Generic Attribute Registration Protocol (GARP) on page 426.
Chapter 47: GARP VLAN Registration Protocol Configuring GVRP To configure the GVRP parameters, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. From the Configuration menu, select the Layer 2 option. 3. Select the GVRP tab. The GVRP tab is shown in Figure 278. Figure 278 GVRP Tab (Configuring) The GVRP tab is not shown if MSTP is enabled on the switch.
AT-S62 User’s Guide Join Time Sets the duration of the Join Period timer. The range is from 10 to 60 centiseconds and the default is 20. If you change this timer, you must keep it in proportion to the GVRP Leave Timer: IEEE 802.1D requires the Leave Timer to be at least twice the Join Timer, that is, 2 x (Join Timer) <= GVRP Leave Timer. Enable GIP Enables the operation of GIP. If enabled, attribute registrations and de-registrations processed on a port are propagated to other ports in the GIP-connected ring. GIP must be enabled in order to use GVRP.
Chapter 47: GARP VLAN Registration Protocol Enabling or Disabling GVRP on a Port This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs. Note Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This will protect against unauthorized access to restricted areas of your network.
AT-S62 User’s Guide 8. To permanently save the change, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
Chapter 47: GARP VLAN Registration Protocol Displaying the GVRP Settings Use this procedure to view the GVRP settings: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. From the Monitoring menu, select the Layer 2 option. 3. Select the GVRP tab. The GVRP tab is shown in Figure 280.
AT-S62 User’s Guide View GVRP State Machine for VLAN Refer to Table 23 on page 443 for descriptions of the status information displayed by the selection. You must enter a VID number. View GVRP Counters Refer to Table 20 on page 438 for descriptions of the status information displayed by the selection. View GIP Connected Ports Ring Refer to Table 22 on page 442 for descriptions of the status information displayed by the selection.
Chapter 48 MAC Address Security This chapter explains how to display the MAC address security levels on the ports on the switch. It contains the following section: ❑ Displaying MAC Address Security Levels on page 783 Note For background information, refer to MAC Address Security Overview on page 455. Note You cannot configure the MAC address security feature from a web browser management session. This feature can only be configured from a local or Telnet management session.
AT-S62 User’s Guide Displaying MAC Address Security Levels To display the MAC address security level of a port, perform the following procedure: 1. From the Home page, select Monitoring. 2. Select Layer 2. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 208 on page 622. 3. Select the Port Security tab. The Port Security tab is shown in Figure 281. Figure 281 Port Security Tab (Monitoring) 4. Click the port whose port security level you want to view.
Chapter 48: MAC Address Security This page is for viewing purposes only. The columns in the page are defined below: Port The number of the port. Security Mode The active security mode on the port. Intruder Action The column specifies the action taken by a port when it receives an invalid frame. ❑ Discard: The port discards invalid frames. This is the default. ❑ Send Trap: The port discards invalid frames and sends a trap.
Chapter 49 802.1x Port-based Access Control This chapter contains instructions on how to configure the 802.1x port-based access control feature on the switch. ❑ Enabling and Disabling Port-based Access Control on page 786 ❑ Setting Port Roles on page 788 ❑ Configuring Authenticator Port Parameters on page 790 ❑ Configuring Supplicant Port Parameters on page 793 ❑ Displaying the Port-based Access Control Settings on page 795 Note For background information, refer to 802.
Chapter 49: 802.1x Port-based Access Control Enabling and Disabling Port-based Access Control This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to Setting Port Roles on page 788. To enable or disable port-based access control, perform the following procedure: 1. From the Home Page, select Configuration.
AT-S62 User’s Guide 3. To enable or disable the feature, do the following: a. Click the Enable Port Access check box. A check in the box means that the feature is activated on the switch. No check means that the feature is disabled. b. Click Apply. 4. If you want to use the RADIUS accounting feature, configure the parameters in the RADIUS Accounting section of the tab. For background information, refer to RADIUS Accounting on page 468.
Chapter 49: 802.1x Port-based Access Control Setting Port Roles To set port roles for port-based access control, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select Security. The Security page is displayed with the 802.1x Port Access tab selected by default, as shown in Figure 283 on page 786.
AT-S62 User’s Guide 7. To configure authenticator port settings, go to Configuring Authenticator Port Parameters on page 790. To configure supplicant port settings, go to Configuring Supplicant Port Parameters on page 793.
Chapter 49: 802.1x Port-based Access Control Configuring Authenticator Port Parameters To configure authenticator port parameters, perform the following procedure: 1. From the 802.1x Port Access tab shown in Figure 283 on page 786, click the authenticator port that you want to configure. You can select more than one authenticator port at a time. The selected port turns white. Note A port must already be configured as an authenticator before you can configure its settings.
AT-S62 User’s Guide authentication of the client. This is the default setting. ❑ Force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. ❑ Auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port.
Chapter 49: 802.1x Port-based Access Control 4. Click Apply. 5. To permanently save the changes, use the Save Changes button in the General tab. For directions, refer to Saving Your Parameter Changes on page 577.
AT-S62 User’s Guide Configuring Supplicant Port Parameters To configure supplicant port parameters, perform the following procedure: 1. From the 802.1x Port Access tab shown in Figure 283 on page 786, click the supplicant port that you want to configure. You can select more than one supplicant port at a time. The selected port turns white. Note A port must already be designated as a supplicant before you can configure its settings.
Chapter 49: 802.1x Port-based Access Control Held Period Specifies the amount of time in seconds the supplicant is to refrain from retrying to re-contact the authenticator in the event the end user provides an invalid username and/or password. Once the time period has expired, the supplicant can attempt to log on again. The range is 0 to 65,535 seconds. The default value is 60 seconds.
AT-S62 User’s Guide Displaying the Port-based Access Control Settings To display the port-based access control settings, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. From the Monitoring menu, select the Security option. The Security page opens with the 802.1x Port Access tab selected by default, as shown in Figure 287. Figure 287 802.
Chapter 49: 802.1x Port-based Access Control A port status page is displayed, as shown in Figure 288. Figure 288 Port Status Page 4. To review the port access settings, click the port and click Settings. You can Note To view the settings of multiple ports, you have to select ports that have the same port role (authenticator or supplicant). For authenticator port(s), the Authenticator Port Parameters page is displayed, as shown in Figure 289.
Chapter 50 Secure Shell Protocol This chapter contains the procedure for configuring the SSH protocol settings. Sections in this chapter include: ❑ Configuring the SSH Server on page 798 ❑ Displaying SSH Information on page 800 Note For background information, refer to SSH Overview on page 544.
Chapter 50: Secure Shell Protocol Configuring the SSH Server This section describes how to configure the SSH server software on the switch. For an overview of all the steps to configuring the SSH server, see General Steps to Configuring SSH on page 547. This procedure assumes that you have already created the two key pairs. If you have not created the keys, go to Creating an Encryption Key on page 500. You cannot create encryption keys from a web browser management session.
AT-S62 User’s Guide 4. Configure the parameters as needed. The parameters are described below: Status Enables and disables the feature. Choose from one of the following: Disabled - Disables the SSH server. While you are configuring SSH, you must set this field to Disabled. This is the default. Enabled - Enables the SSH server. Select this value after you have finished configuring SSH and want to log on to the server. Note You cannot disable the SSH server when there is an active SSH connection.
Chapter 50: Secure Shell Protocol Displaying SSH Information To display SSH information, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Click Security. 3. Select the Secure Shell tab. The Secure Shell tab is shown in Figure 292.
AT-S62 User’s Guide ❑ Server Key ID: Indicates the server key ID defined for SSH. ❑ Server Key Bits: Indicates the number of bits in the server key. ❑ Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated. The default is 0 hours, which means the server key is not regenerated. ❑ Login Timeout: Indicates the time, in seconds, until an SSH server is released from an incomplete connection with an SSH client.
Chapter 51 Encryption Keys, PKI, and SSL This chapter explains how to view the encryption keys, PKI certificates, and SSL settings and includes the following sections: ❑ Displaying Encryption Keys on page 803 ❑ Displaying PKI Settings and Certificates on page 804 ❑ Displaying the SSL Settings on page 807 Note For background information on encryption keys, refer to Basic Overview on page 493 or Technical Overview on page 495.
AT-S62 User’s Guide Displaying Encryption Keys To display the SSL and SSH encryption key pairs, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Click Security. 3. Select the Keys tab. The Keys tab is shown in Figure 293. Figure 293 Keys Tab (Monitoring) This tab lists the key pairs existing on the switch.
Chapter 51: Encryption Keys, SSL, and PKI Displaying PKI Settings and Certificates To display the self-signed and CA certificates stored in the certificate database and the PKI settings, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Click the Security option. 3. Select the PKI tab. The PKI tab is shown in Figure 294. Figure 294.
AT-S62 User’s Guide MTrust (Manually Trusted) The trust status of the certificate was set manually, after the administrator verified whether or not it comes from a trusted authority. Type The certificate type, one of the following: ❑ EE - The certificate was issued by a CA. ❑ CA - The certificate belongs to a CA. ❑ Self - A self-signed certificate. Source The certificate was created on the switch. 4. To view the details about a certificate, click the certificate and click View.
Chapter 51: Encryption Keys, SSL, and PKI Subject The Subject distinguished name. Issuer The certificate issuer’s distinguished name. MD5 Fingerprint The MD5 message digest of the certificate, a 16-byte value that identifies the certificate. SHA1 Fingerprint The SHA-1 message digest of the certificate, a 20-byte value that identifies the certificate. Use a fingerprint to confirm, out of band, that the certificate your browser presents when it warns about an unknown issuer is the one stored on the switch; compare the SHA1 fingerprint rather than the MD5 one, because MD5 is no longer collision-resistant. 5. Click Close to close the page.
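The fingerprints shown on this page are digests of the certificate's DER encoding. When the switch's self-signed certificate triggers a browser warning, the safe way to accept it is to compare the fingerprint the browser shows with the one on the PKI tab, reached over a channel you already trust (the console port, or an existing SSH session). The following Python is an added example, not AT-S62 code, that computes both fingerprints from a PEM certificate and compares a displayed fingerprint against them regardless of case or separator. The certificate bytes are a constructed placeholder, since no real certificate appears on this page; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate, wrapped in PEM armour
# purely so the example runs offline; it is not a real X.509 structure.
SAMPLE_DER = bytes(range(0x30, 0x70))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algorithm):
    """Colon-separated upper-case hex digest, as switches and browsers show it."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp):
    """Reduce any displayed form (lower case, spaces, colons) to bare hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify_fingerprint(pem, displayed, algorithm="sha1"):
    """True only if the displayed fingerprint matches the certificate's digest.
    Comparison is constant-time; the digest itself is public, but this keeps
    the helper safe to reuse on secret-bearing comparisons."""
    computed = fingerprint(pem_to_der(pem), algorithm)
    return hmac.compare_digest(normalize(computed), normalize(displayed))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("MD5  Fingerprint:", fingerprint(der, "md5"))
    print("SHA1 Fingerprint:", fingerprint(der, "sha1"))
    shown = fingerprint(der, "sha1").lower().replace(":", " ")
    print("browser value matches:", verify_fingerprint(SAMPLE_PEM, shown))
```

Feed the certificate exported from the browser (or fetched with a TLS client) to verify_fingerprint together with the SHA1 Fingerprint value read from the switch; a False result means you are talking to a different certificate, which is exactly the case a man-in-the-middle would produce.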
AT-S62 User’s Guide Displaying the SSL Settings To display the SSL settings, perform the following procedure: 1. From the Home page, select Monitoring. The System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. From the Monitoring menu, select the Security option. 3. Select the SSL tab. The SSL tab is shown in Figure 295.
Chapter 52 RADIUS and TACACS+ Authentication Protocols This chapter contains instructions on how to configure the authentication protocols. This chapter contains the following procedures: ❑ Configuring RADIUS and TACACS+ on page 809 ❑ Displaying the RADIUS or TACACS+ Settings on page 813 Note For background information on the authentication protocols, refer to 802.1x Port-based Access Control Overview on page 464 and TACACS+ and RADIUS Overview on page 553.
AT-S62 User’s Guide Configuring RADIUS and TACACS+ To configure the authentication protocols, perform the following procedure: 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Select the Server-based Authentication tab. The Server-based Authentication tab is shown in Figure 296.
Chapter 52: RADIUS and TACACS+ Authentication Protocols 4. Click Apply. Note To configure TACACS+, go to Step 5. To configure RADIUS, go to Step 6. 5. To configure TACACS+, do the following: a. In the lower section of the Server-based Authentication tab, click TACACS+ Configuration and click Configure. The TACACS+ Client Configuration page is shown in Figure 297. Figure 297 TACACS+ Configuration Page b. Configure the parameters as needed. They are described below.
AT-S62 User’s Guide IP Address and Encryption Key Use these fields to specify the IP addresses and encryption secrets of up to three network servers containing TACACS+ server software. You can leave an encryption field blank if you entered the server’s secret in the Global Secret field. c. After you have finished configuring the parameters, click Apply. d. To enable the authentication feature on the switch, click the Enable Server-based Authentication check box.
Chapter 52: RADIUS and TACACS+ Authentication Protocols Global Server Timeout This parameter specifies the maximum amount of time the switch will wait for a response from a TACACS+ server before assuming the server cannot respond. If the timeout expires and the server has not responded, the switch queries the next TACACS+ server in the list. If there are no more servers, then the switch falls back to the standard Manager and Operator accounts. Because this fallback occurs whenever every listed server fails to respond, keep the local Manager and Operator passwords strong: anyone who can block the switch’s path to the TACACS+ servers can force logins onto those local accounts. The default is 30 seconds. The range is 1 to 30 seconds.
AT-S62 User’s Guide Displaying the RADIUS or TACACS+ Settings To display the RADIUS or TACACS+ settings on the switch, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Select the Server-based Authentication tab. The Server-based Authentication tab is shown in Figure 299.
Chapter 52: RADIUS and TACACS+ Authentication Protocols The TACACS+ (Figure 300) or RADIUS (Figure 301) client configuration page is displayed.
Chapter 53 Management Access Control List This chapter explains how to create a Management Access Control List (ACL). You can use the ACL to restrict Telnet and web browser management access to the switch. Sections in this chapter include: ❑ Creating a Management ACL on page 816 ❑ Adding or Deleting an ACE on page 818 ❑ Displaying the Management ACL on page 819 Note For background information, refer to Management Access Control List Overview on page 564.
Chapter 53: Management Access Control List Creating a Management ACL To create a Management ACL, perform the following procedure: Note Activating this feature without specifying any ACEs will prohibit you from managing the device remotely. 1. From the Home Page, select Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 194 on page 586. 2. Click Security. 3. Select the Mgmt ACL tab. The Mgmt ACL tab is shown in Figure 302.
AT-S62 User’s Guide been permitted remote management access to the switch. If you enter a subnet, then any management node in the subnet will be permitted remote management access to the switch. 5. In the Mgmt. ACL IP Mask field, enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.
Chapter 53: Management Access Control List Adding or Deleting an ACE You can add or delete ACEs from the management ACL at any time. To add a new ACE, simply repeat the procedure in the previous section. New ACEs are immediately activated on the switch once added to the ACL. To remove an ACE, from the Mgmt ACL menu click the button next to the ACE you want to delete and click Delete.
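The matching rule described in the procedure above is a bitwise one: a source address matches an ACE when every bit the mask sets to 1 is identical in the ACE address and the source address, and a Telnet or web session is permitted when any ACE matches. The following Python is an added example, not AT-S62 code, that models that decision so you can check a planned ACL against a list of management stations before enabling it, including the lock-out case from the note above (feature enabled with no ACEs) and the general case of a non-contiguous mask, which the bitwise rule allows. The sample ACL and source addresses are constructed from RFC 5737 documentation ranges; the function names are assumptions.

```python
import ipaddress

# Constructed sample ACL (ACE address, ACE mask), not addresses from the guide.
SAMPLE_ACL = [
    ("192.0.2.10", "255.255.255.255"),  # one management workstation
    ("198.51.100.0", "255.255.255.0"),  # every node on the NMS subnet
]


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def ace_matches(ace_ip, ace_mask, source_ip):
    """True when the source equals the ACE address on every bit the mask sets to 1.
    Works for non-contiguous masks too, which is what the bitwise rule implies."""
    mask = _addr(ace_mask)
    return (_addr(ace_ip) & mask) == (_addr(source_ip) & mask)


def management_permitted(source_ip, acl, acl_enabled=True):
    """Decision for one Telnet or web session. With the feature enabled and an
    empty ACL, nothing matches, so every remote session is refused."""
    if not acl_enabled:
        return True
    return any(ace_matches(ip, mask, source_ip) for ip, mask in acl)


def filter_sessions(attempts, acl, acl_enabled=True):
    """Classify (source_ip, protocol) attempts as 'permit' or 'deny'."""
    return [
        (src, proto, "permit" if management_permitted(src, acl, acl_enabled) else "deny")
        for src, proto in attempts
    ]


if __name__ == "__main__":
    # Constructed session attempts, e.g. from a planned change review.
    attempts = [
        ("192.0.2.10", "telnet"),
        ("192.0.2.11", "http"),
        ("198.51.100.77", "http"),
        ("203.0.113.5", "telnet"),
    ]
    for src, proto, verdict in filter_sessions(attempts, SAMPLE_ACL):
        print(f"{src:>15} {proto:<6} {verdict}")
    print("empty ACL, feature enabled:",
          filter_sessions(attempts[:1], [], acl_enabled=True))
```

Always run your own workstation's address through the list before ticking the enable box; the empty-ACL case in the output is the lock-out the note warns about, and recovering from it needs the console port. The ACL filters on source IP only, so it narrows exposure but is not authentication: a host on the same segment can spoof a permitted address, and the account passwords and, where available, SSH and SSL remain the real protection.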
AT-S62 User’s Guide Displaying the Management ACL To display the ACEs in the Management ACL, do the following: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 195 on page 590. 2. Click Security. 3. Select the Mgmt ACL tab. The Mgmt ACL tab is shown in Figure 303. Figure 303 Mgmt ACL Tab (Monitoring) The information in the tab is described below: IP Address The IP address of a management workstation or subnet.
Appendix A AT-S62 Default Settings This appendix lists the AT-S62 factory default settings.
AT-S62 User’s Guide Basic Switch Default Settings This section lists the default settings for basic switch parameters.
Appendix A: AT-S62 Default Settings
Management Interface Setting            Default
Console Disconnect Timer Interval       10 minutes
Note Login names and passwords are case-sensitive.
RS-232 Port Default Settings
The following table lists the RS-232 Terminal Port default settings.
RS-232 Port Setting     Default
Data Bits               8
Stop Bits               1
Parity                  None
Flow Control            None
Baud Rate               9600 bps
SNTP Default Settings
The following table lists the SNTP default settings.
AT-S62 User’s Guide
Switch Administration Default Settings
The following table describes the switch administration default settings.
Administration Setting      Default
IP Address                  0.0.0.0
Subnet Mask                 0.0.0.0
Gateway Address             0.0.0.0
System Name                 None
Administrator               None
Comments                    None
BOOTP/DHCP                  Disabled
MAC Address Aging Time      300 seconds
System Software Default Settings
The following table lists the system software default settings.
Appendix A: AT-S62 Default Settings Enhanced Stacking Default Setting The following table lists the enhanced stacking default setting.
AT-S62 User’s Guide SNMP Default Settings The following table describes the SNMPv1 and SNMPv2c default settings.
Appendix A: AT-S62 Default Settings Port Configuration Default Settings The following table lists the port configuration default settings.
AT-S62 User’s Guide Event Log Default Settings The following table lists the event log default settings.
Appendix A: AT-S62 Default Settings Quality of Service The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues. IEEE 802.
AT-S62 User’s Guide IGMP Snooping Default Settings The following table lists the IGMP Snooping default settings.
Appendix A: AT-S62 Default Settings Denial of Service Prevention Default Settings The following table lists the default settings for the Denial of Service prevention feature. Denial of Service Prevention Setting Default IP Address 0.0.0.0 Subnet Mask 0.0.0.
AT-S62 User’s Guide
STP, RSTP, and MSTP Default Settings
This section provides the spanning tree (STP, RSTP, and MSTP) default settings.
Spanning Tree Switch Settings
The following table describes the Spanning Tree Protocol default settings for the switch.
STP Switch Setting          Default
Spanning Tree Status        Disabled
Active Protocol Version     RSTP
STP Default Settings
The following table describes the STP default settings.
RSTP Default Settings
Appendix A: AT-S62 Default Settings
RSTP Setting        Default
Port Priority       128
MSTP Default Settings
The following table lists the MSTP default settings.
AT-S62 User’s Guide VLAN Default Settings This section provides VLAN default settings.
Appendix A: AT-S62 Default Settings GVRP Default Settings This section provides the default settings for GVRP.
AT-S62 User’s Guide MAC Address Security Default Settings The following table lists the MAC address security default settings.
Appendix A: AT-S62 Default Settings
802.1x Port-Based Network Access Control Default Settings
The following table describes the 802.1x Port Access Control default settings.
802.1x Port Access Control Setting      Default
Port Access Control                     Disabled
Authentication Method                   RADIUS EAP
Port Role                               None
The following table lists the default settings for RADIUS accounting.
AT-S62 User’s Guide Web Server Default Settings The following table lists the web server default settings.
Appendix A: AT-S62 Default Settings SSL Default Settings The following table lists the SSL default settings.
AT-S62 User’s Guide PKI Default Settings The following table lists the PKI default settings, including the generate enrollment request settings.
Appendix A: AT-S62 Default Settings SSH Default Settings The following table lists the SSH default settings.
AT-S62 User’s Guide Server-Based Authentication Default Settings This section describes the server-based authentication, RADIUS, and TACACS+ client default settings. Server-Based Authentication Default Settings RADIUS Default Settings TACACS+ Client Default Settings The following table describes the server-based authentication default settings.
Appendix A: AT-S62 Default Settings Management Access Control List Default Setting The following table lists the default setting for the Management Access Control List.
Appendix B SNMPv3 Configuration Examples This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.
Appendix B: SNMPv3 Configuration Examples

SNMPv3 Configuration Examples
This appendix provides SNMPv3 configuration examples for the following types of users:
❑ a Manager
❑ an Operator
In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 17, SNMPv3 Configuration on page 222.

SNMPv3 Manager Configuration
This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet
This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

SNMPv3 Access Table Menu
  Group Name
  Security Model
  Security Level
  Read View Name
  Write View Name
  Notify View Name
  Storage Type

SNMPv3 SecurityToGroup Table
  User Name
  Security Model
  Group Name
  Storage Type

SNMPv3 Notify Table
  Notify Name
  Notify Tag
  Notify Type
  Storage Type

SNMPv3 Target Address Table
  Target Address Name
  Target IP Address
  UDP Port
  Timeout
  Retries
  Tag List
  Target Parms Name
SNMPv3 Parameters (Continued)
  Storage Type

SNMPv3 Target Parameters Table
  Target Parameters Name
  User (Security) Name
  Security Model
  Security Level
  Storage Type
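As an added illustration of how the Manager and Operator entries in this appendix fit together (example code, not from the AT-S62 guide or Allied Telesyn), the following Python model resolves a user through the SecurityToGroup, Access and View tables in the manner of the RFC 3415 VACM lookup. The Operators user "opuser" and the level ordering are assumptions, since this page lists no user for that group, and the Managers group has no Access Table row on this page, so its lookup must deny.

```python
# Added example, not from the AT-S62 guide: a small model of how the SNMPv3
# tables in this appendix chain together (user -> group -> access row ->
# view -> OID check), after the VACM lookup of RFC 3415. Table rows are the
# ones on this page; "opuser" is a constructed user placed in Operators.
LEVELS = ("NoAuthNoPriv", "Authentication", "Privacy")  # VACM ordering

# SecurityToGroup Table: (user name, security model) -> group name
SECURITY_TO_GROUP = {("systemadmin24", "v3"): "Managers",
                     ("opuser", "v3"): "Operators"}  # opuser is constructed

# Access Table: (group, model, level) -> view names; "" = blank view field.
# No Access Table row for Managers appears on this page, so systemadmin24's
# group mapping grants nothing until such a row is added (fail closed).
ACCESS = {("Operators", "v3", "Authentication"):
          {"read": "internet", "write": "", "notify": ""}}

# View Table: view name -> [(subtree OID, mask, "included"/"excluded")]
# An empty mask means every sub-identifier must match (RFC 3415 default).
VIEWS = {"internet": [((1, 3, 6, 1), (), "included")]}

def subtree_matches(subtree, mask, oid):
    """True if oid is under subtree; a 0 mask bit wildcards that position."""
    if len(oid) < len(subtree):
        return False
    return all((i < len(mask) and not mask[i]) or oid[i] == s
               for i, s in enumerate(subtree))

def oid_in_view(view_name, oid):
    """The longest matching view family decides; an excluded one blocks."""
    fams = [(st, vt) for st, m, vt in VIEWS.get(view_name, [])
            if subtree_matches(st, m, oid)]
    if not fams:
        return False
    return max(fams, key=lambda f: len(f[0]))[1] == "included"

def resolve_view(user, model, level, op):
    """Pick the access row with the highest level not above the request."""
    group = SECURITY_TO_GROUP.get((user, model))
    rows = [(LEVELS.index(lv), v) for (g, m, lv), v in ACCESS.items()
            if g == group and m == model
            and LEVELS.index(lv) <= LEVELS.index(level)]
    if not rows:
        return None  # no matching row: deny
    return max(rows, key=lambda r: r[0])[1].get(op) or None  # "" denies too

def is_allowed(user, model, level, op, oid):
    """End-to-end check: does this user get op access to oid?"""
    view = resolve_view(user, model, level, op)
    return view is not None and oid_in_view(view, oid)
```

A blank Write View Name, as in the Operators row above, therefore denies every SET, and a group that appears only in the SecurityToGroup Table grants nothing at all.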
Index

Numerics
802.
auto-negotiation
  configuring 100, 611, 612
  forced 105
  status 96
B
back pressure
  configuring 104, 614
  default setting 826
boot configuration file
  configuring parameters 151
  creating 149
  displaying 153
  editing 154
  overview 149
  selecting 152
  selecting active 152
Boot Protocol (BootP)
  activating 62, 589
  deactivating 62
  default setting 823
  defined 62
BPDU, see bridge protocol data unit
BPDU.
  database storage 522
  deleting 531, 533
  described 519
  displaying 534
  modifying 531, 533
  validating 521
certificates, SSL
  authentication 518
  described 518
certificates, X.509 519
certification authority (CA)
  described 520
  root 521
CFB. See Cipher Feedback (CFB)
Cipher Block Chaining (CBC), described 496
Cipher Feedback (CFB), described 496
ciphers available parameter 551, 801
CIST priority parameter 373
CIST.
E
ECB.
Generic Attribute Registration Protocol (GARP)
  Applicant state machine 428
  defined 426
  diagram 427
  overview 426
  Registrar state machine 429
GID index parameter 441
GID. See GARP Information Declaration (GID)
GIP connected ports ring 442
GIP.
IP Options attack 217
K
key exchange algorithms 498
key pair ID, configuring 538
L
Land attack 214
limited port security mode, described 455
link status 96
local management session
  defined 34
  quitting 44
  starting 41, 42
locked port security mode, described 456
login timeout parameter 549, 799
M
MAC address aging time
  changing 120, 627
  default setting 823
MAC address table
  defined 110
  displaying 112, 622
MAC addresses
  adding 116, 624
  defined 110
  deleting 118, 626
  displaying 112, 622
MAC limit, default
MSTI association to a VLAN
  creating 378
  removing 379
MSTI priority, defined 361
MSTI.
PEM certificate format 538
Ping of Death attack 216
pinging 75, 595
PKI certificates
  adding to database 528
  certificate database 522
  chains 521
  creating 524
  database storage 522
  deleting 531, 533
  described 519
  displaying 534
  maximum number of certificates, default setting 839
  modifying 531, 533
  validating 521
PKI.
port speed
  configuring 96, 611
  default setting 826
port state, displaying, Rapid Spanning Tree Protocol (RSTP) 351
port statistics, displaying 142
port trunk
  creating 129, 629
  deleting 135, 634
  modifying 132, 632
port trunking
  described 122
  example 122
  guidelines 122
port VLAN identifier (PVID)
  described 389
  displaying 202, 415
port-based access control. See 802.
  MCHECK 382
  parameters, displaying 760
  point-to-point port, configuring 350, 750
  port configuration, displaying 351
  port cost 350, 750
  port parameters, configuring 349, 749
  port priority 350, 750
  port settings, configuring 750
  port settings, displaying 760
  port state, displaying 351
rate limit, setting 107
reauth period, configuring 478, 791
reg (registrar state machine) parameter 445
regional root ID parameter 375
regional root path cost parameter 375
regional root, described 361
remote management ac
SNMP
  default setting for remote management 821
  default settings 825
SNMP community
  configuring 680
  enabling 680
SNMP community string
  access mode 83
  closed access status 83
  creating 87, 601
  default 84
  default name 825
  deleting 606
  disabling 85
  displaying 93
  enabling 85
  modifying 89, 604
  name 83
  open access status 83
  operating status 83
SNMP management
  default setting 825
  disabling 85, 599
  enabling 85, 599
SNMP management session 37
SNMPv3 Access Table entry
  creating 253
  deleting 257
  dis
  modifying
    storage type 294
    target address retries 291
    target address tag list 292
    target address timeout 290
    target address UDP port 289
    target IP address 288
    target parameters 293
SNMPv3 Target Address Table web entry
  displaying 739
SNMPv3 Target Address Table, described 231
SNMPv3 Target Parameters Table entry
  creating 297
  deleting 300
  displaying 326
  modifying
    message process model 306
    security level 305
    security model 304
    storage type 307
    user name 302
SNMPv3 Target Parameters Table web entry
  disp
  displaying 112, 622
STP ID parameter 442
strict priority scheduling 194
subnet mask 61, 588
  configuring 61, 588
  default setting 823
Subtree Mask 226
subtree mask, modifying 248
supplicant port
  described 464
  start period 481, 794
supplicant role 467
supplicant timeout 478, 791
switch
  hardware information 78, 590
  rebooting 64
  resetting 64
  software information 78, 590
switch name, configuring 59, 586
switch state, default setting 824
symmetrical encryption 495
SYN Flood attack 213
system d
  setting 69
V
versions supported (SSH) parameter 550, 800
VID. See VLAN ID
view type, modifying 250
virtual LAN (VLAN)
  creating 400, 404, 762
  default settings 833
  defined 386
  deleting 411, 414, 768
  displaying 410, 452, 769
  mode, selecting 771
  modifying 406, 766
  multiple 802.