AT-S62 Management Software Menus Interface User’s Guide, Version 1.3: AT-8516F/SC, AT-8524M, AT-8524POE, AT-8550GB and AT-8550SP Layer 2+ Fast Ethernet Switches.
Copyright © 2005 Allied Telesyn, Inc. 3200 North First Street, San Jose, CA 95134 USA All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation, Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners.
Preface
This guide contains instructions on how to configure an AT-8500 Series Layer 2+ Fast Ethernet Switch using the menu interface in the AT-S62 management software. For instructions on how to manage the switch from the web browser interface or the command line interface, refer to the AT-S62 Web Browser Interface User’s Guide and the AT-S62 Command Line Interface User’s Guide. These guides are available from the Allied Telesyn web site.
Section IV: Spanning Tree Protocols
The chapters in this section explain the Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree Protocols.
Section V: Virtual LANs
The chapters in this section explain port-based and tagged VLANs, GVRP, and the multiple VLAN modes.
Section VI: Port Security
The chapters in this section explain the MAC address security system and 802.1x port-based access control.
Document Conventions
This document uses the following conventions:
Note: Notes provide additional information.
Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides
The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents on-line or download them onto a local workstation or server.
Contacting Allied Telesyn
This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.
Online Support
You can request technical support online by accessing the Allied Telesyn Knowledge Base at www.alliedtelesyn.com/kb. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Chapter 1: Overview
This chapter reviews the functions of the AT-S62 management software, the types of sessions you can use to access the software, and the management access levels.
Management Overview
The AT-S62 management software allows you to monitor and adjust the operating parameters of an AT-8500 Series switch and includes the following features:
❑ Basic operations such as configuring port and switch parameters, enhanced stacking, SNMPv1 and v2c, trunking, and mirroring
❑ Advanced operations including file uploads and downloads, event logging, traffic classifiers, access control lists, denial of service defense, Quality of Service (QoS), Class of Service (Co
Port or remotely using the Telnet or SSH protocol. You use the web browser interface to manage the device with a web browser. The following sections in this chapter briefly describe the different types of management sessions.
Local Management Session
To establish a local management session with an AT-8500 Series switch, you connect a terminal or a PC with a terminal emulator program to the RS232 Terminal Port on the switch, using the straight-through RS-232 management cable included with the unit. The RS232 Terminal Port is located on the front panel of the AT-8516F/SC, AT-8524M, and AT-8524POE switches and on the back panel of the AT-8550GB and AT-8550SP switches.
Telnet Management Session
You can use any management workstation on your network that has the Telnet application protocol to manage an AT-8500 Series switch. This type of management session is referred to in this guide as a remote management session because you do not have to be in the wiring closet where the switch is located. To establish a Telnet management session with a switch, there must be at least one enhanced stacking switch in the subnet with an IP address.
Web Browser Management Session
You can also use a web browser from a management workstation on your network to manage a switch. This too is referred to as remote management because you can be anywhere on your network when managing the device. This method of management, as with Telnet management, requires that the switch have an IP address or be part of an enhanced stack.
SNMP Management Session
Another way to remotely manage the switch is with an SNMP management program. AT-S62 software supports SNMPv1, SNMPv2c, and SNMPv3. You need to be familiar with Management Information Base (MIB) objects to configure a switch using SNMP management.
Management Access Levels
There are two levels of management access in the AT-S62 management software: Manager and Operator. Manager access gives you the power to view and configure all of a switch’s operating parameters. Operator access only allows you to view the operating parameters; you cannot change any values. The switch has two default login accounts. For Manager access, the login name is “manager” and the default password is “friend”.
Section I: Basic Operations
The chapters in this section cover a variety of basic switch features and functions.
Chapter 2: Starting a Local or Telnet Management Session
This chapter contains the procedure for starting a local or Telnet management session on an AT-8500 Series switch.
Local Management Session
To establish a local management session, you connect a terminal or PC with a terminal emulator program to the RS-232 terminal port on the switch. The RS232 Terminal Port is located on the front panel of the AT-8516F/SC, AT-8524M, and AT-8524POE switches and on the back panel of the AT-8550GB and AT-8550SP switches.
Starting a Local Management Session
To start a local management session, perform the following procedure:
1. Connect one end of the straight-through RS232 management cable to the RS232 Terminal Port on the front panel of the switch.
[Figure 1: Connecting a Terminal or PC to the RS232 Terminal Port]
2.
4. When prompted, enter a username and password. To configure the switch settings, enter “manager” as the user name. The default password for manager access is “friend”. To just view the settings, enter “operator” as the user name. The default password for operator access is “operator”. Usernames and passwords are case-sensitive. For information on the two access levels, refer to Management Access Levels on page 34.
To select a menu item, type the corresponding letter or number. Pressing the Esc key or typing the letter R in a submenu returns you to the previous menu.
Enhanced Stacking
When you start a local management session on a switch configured as a Master switch, you can manage all the switches in the enhanced stack from the same management session.
Telnet Management Session
You can use the Telnet application protocol from a workstation on your network to manage an AT-8500 Series switch. This type of management is referred to as remote management because, unlike with a local management session, you do not have to be physically close to the switch to start the session. Any workstation on your network that has the application protocol can be used to manage the unit.
Note: You can run only one Telnet management session on a switch at a time. Additionally, you cannot run both a Telnet management session and a local management session on the same switch at the same time.
Quitting a Telnet Management Session
To end a Telnet management session, return to the Main Menu and type Q for Quit.
Saving Your Parameter Changes
When you make a change to a switch parameter, the change is, in most cases, activated on the switch as soon as you enter it. However, most parameter changes are initially saved only to temporary memory in the switch and will be lost the next time you reset or power cycle the unit. To permanently save your changes, you must select the S - Save Configuration Changes option from the Main Menu.
Chapter 3: Enhanced Stacking
This chapter explains the enhanced stacking feature.
Enhanced Stacking Overview
The enhanced stacking feature can make it easier for you to manage the AT-8500 Series switches in your network. It offers the following benefits:
❑ You can manage up to 24 switches from one local or remote management session. This eliminates the need to initiate a separate management session with each switch in your network.
❑ The switches can share the same IP address.
❑ The enhanced stacking feature uses the IP address 172.16.16.16. Do not assign this address to any device if you intend to use the enhanced stacking feature.
There are three basic steps to implementing this feature on your network:
1. You must select a switch to function as the master switch of the enhanced stack. The master switch can be any switch that supports enhanced stacking, such as an AT-8000 Series switch, an AT-8400 Series switch, or an AT-8500 Series switch.
3. Change the enhanced stacking status of the master switch to Master. This is explained in Setting a Switch’s Enhanced Stacking Status on page 48.
Figure 4 is an example of the enhanced stacking feature.
[Figure 4: Enhanced stacking example. Subnet A: Master 1, IP address 149.32.11.22; Master 2, IP address 149.32.11.16. A router connects Subnet A to Subnet B. Subnet B: Master 1, IP address 149.32.09.18; Master 2, IP address 149.32.09.]
Setting a Switch’s Enhanced Stacking Status
The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:
❑ Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. Once you establish a local or remote management session with the Master switch, you can access and manage all the switches in the stack. A master switch should have a unique IP address.
The Enhanced Stacking menu is shown in Figure 5.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004
Enhanced Stacking
1 - Switch State-(M)aster/(S)lave/(U)navailable.... Master
2 - Stacking Services
R - Return to Previous Menu
Enter your selection?
Figure 5: Enhanced Stacking Menu
The menu displays the current status of the switch at the end of selection “1 - Switch State”.
Selecting a Switch in an Enhanced Stack
Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
3. Type 1 to select Get/Refresh List of Switches. The Master switch polls the subnet for all slave and Master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu. The Master switch on which you started the management session is not included in the list, nor are any switches with an enhanced stacking status of Unavailable. By default, the switches are sorted in the menu by MAC address.
Chapter 4: Basic Switch Parameters
This chapter contains a variety of information and procedures. There is a discussion on when to assign an IP address to a switch and the different ways to do it. There are also procedures for resetting the switch, activating the switch default settings, and more.
When Does a Switch Need an IP Address?
One of the tasks in building or expanding a network is deciding which managed switches need to be assigned unique IP addresses. The rule used to be that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application protocol. However, if a network contained a lot of managed switches, having to assign each one an IP address was often cumbersome and time consuming.
How Do You Assign an IP Address?
After you have decided which, if any, switches on your network need an IP address, you must access the AT-S62 software on the switches and assign the addresses. There are two ways in which a switch can obtain an IP address. The first method is for you to assign the IP configuration information manually. The procedure for this is explained in Configuring an IP Address and Switch Name on page 55.
Configuring an IP Address and Switch Name
The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch from a local or Telnet management session. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure Activating the BOOTP or DHCP Client Software on page 59.)
2. From the System Administration menu, type 2 to select System Configuration. The System Configuration menu is shown in Figure 8.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004
System Configuration
1 - BOOTP/DHCP ..............
2 - IP Address ..............
3 - Subnet Mask .............
4 - Default Gateway .........
5 - System Name .............
6 - Location ................
7 - Administrator ...........
8 - Configure System Time
9 - Configure System Hardware
A -
activate the BOOTP or DHCP client software and have the switch obtain its IP configuration from a BOOTP or DHCP server on your network. For instructions, refer to Activating the BOOTP or DHCP Client Software on page 59.
3 - Subnet Mask
This parameter specifies the subnet mask for the switch. You must specify a subnet mask if you assigned an IP address to the switch. The subnet mask must be entered in the format xxx.xxx.xxx.xxx. The default value is 255.255.0.0.
Note: There are two other options on this menu. Option “8 - Configure System Time” is described in Setting the System Time on page 65. Option “9 - Configure System Hardware” is described in Setting the Switch’s Temperature Threshold on page 79.
4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
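The following Python script is an added example, not code from the guide or from Allied Telesyn: it parses a captured System Configuration screen and checks the manually assigned IP settings against the rules the guide states (dotted-quad format, a subnet mask whenever an IP address is set, a gateway inside the switch's subnet, and 172.16.16.16 kept free for enhanced stacking). The dotted-leader "N - Label .... value" layout and the use of 0.0.0.0 for an unset address are assumptions, and the sample screen is constructed.

```python
import ipaddress
import re

# Address the guide reserves for the enhanced stacking feature (Chapter 3).
ENHANCED_STACKING_ADDR = ipaddress.IPv4Address("172.16.16.16")
# Assumption: an unconfigured address shows as blank or 0.0.0.0 on the menu.
UNSET = ("", "0.0.0.0")

# Matches menu lines such as "2 - IP Address .............. 149.32.11.22".
MENU_LINE = re.compile(r"^\s*([0-9A-Z])\s*-\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")

# Constructed sample capture (not taken from the guide); the gateway is
# deliberately outside the switch's subnet so the check has something to report.
SAMPLE_SCREEN = """\
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
System Configuration
1 - BOOTP/DHCP .............. Disabled
2 - IP Address .............. 149.32.11.22
3 - Subnet Mask ............. 255.255.255.0
4 - Default Gateway ......... 149.32.12.1
5 - System Name ............. Production Switch
R - Return to Previous Menu
"""


def parse_menu(screen):
    """Return {label: value} for every dotted-leader line in the capture."""
    fields = {}
    for line in screen.splitlines():
        match = MENU_LINE.match(line)
        if match:
            fields[match.group(2)] = match.group(3)
    return fields


def mask_prefix_length(mask_s):
    """Prefix length of a contiguous dotted-quad mask, or None if it is not one."""
    try:
        mask = int(ipaddress.IPv4Address(mask_s))
    except ValueError:
        return None
    # A valid mask is a run of ones followed by zeros; 255.255.0.255 is not.
    if mask == 0 or (mask | (mask - 1)) != 0xFFFFFFFF:
        return None
    return bin(mask).count("1")


def check_ip_settings(fields):
    """Return problem codes for the manual IP settings; [] means they are consistent."""
    problems = []
    if fields.get("BOOTP/DHCP", "Disabled") != "Disabled":
        return problems  # the BOOTP/DHCP client supplies the addresses
    ip_s = fields.get("IP Address", "")
    if ip_s in UNSET:
        # Without an address the switch is reachable only locally or via a stack master.
        return ["no-ip-address"]
    try:
        ip = ipaddress.IPv4Address(ip_s)
    except ValueError:
        return ["ip-address-malformed"]
    if ip == ENHANCED_STACKING_ADDR:
        problems.append("ip-address-reserved-for-enhanced-stacking")
    prefix = mask_prefix_length(fields.get("Subnet Mask", ""))
    if prefix is None:
        problems.append("subnet-mask-missing-or-invalid")
        return problems
    network = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    gw_s = fields.get("Default Gateway", "")
    if gw_s not in UNSET:
        try:
            gateway = ipaddress.IPv4Address(gw_s)
        except ValueError:
            problems.append("gateway-malformed")
        else:
            if gateway == ip or gateway not in network:
                problems.append("gateway-outside-subnet")
    return problems


def audit_screen(screen):
    """Parse a captured System Configuration screen and check its IP settings."""
    return check_ip_settings(parse_menu(screen))


if __name__ == "__main__":
    for code in audit_screen(SAMPLE_SCREEN) or ["ok"]:
        print(code)
```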
Activating the BOOTP or DHCP Client Software
The BOOTP and DHCP application protocols were developed to simplify network management. They are used to automatically assign IP configuration information, such as IP addresses and subnet masks, to your network devices. An AT-8500 Series switch contains the client software for these protocols and can obtain its IP configuration information from a BOOTP or DHCP server on your network.
The following prompt is displayed:
DHCP/BOOTP/DISABLE (1-DHCP, 2-BOOTP, 3-DISABLE) :
4. Type 1 to activate DHCP, 2 to activate BOOTP, or 3 to disable both application protocols. The default is disabled.
Note: If you activate the BOOTP or DHCP client software, the switch immediately begins to query the network for the corresponding server. The switch continues to query the network for its IP configuration until it receives a response.
Rebooting a Switch
This procedure reboots the switch.
Note: Any configuration changes not saved will be lost once the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.
To reboot the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2.
Configuring the Manager and Operator Passwords
There are two levels of management access on an AT-8500 Series switch: manager and operator. When you log in as manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator by entering the appropriate username and password when you start an AT-S62 management session.
7. When prompted, re-enter the new password.
Note: A password can be from 0 to 16 alphanumeric characters. Passwords are case-sensitive. You should not use spaces or special characters, such as asterisks (*) or exclamation points (!), in a password if you will be managing the switch from a web browser. Many web browsers cannot handle special characters in passwords.
4. Type menu to display the Main Menu.
5. Follow the procedure in Changing the Manager or Operator Password on page 62 to reset the manager password.
This completes the procedure for resetting the manager password. You can continue to manage the switch or you can quit from the management session.
Setting the System Time
This procedure explains how to set the switch’s date and time. Setting this information is a good idea if you plan to monitor the switch by viewing the events in the event log or by having the events sent to a syslog server. This is also important if the management software will be sending traps to your management workstation. Events and traps contain the date and time of when they occurred.
The Configure System Time menu is shown in Figure 11.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004
Configure System Time
1 - System Time ................... 00:04:22 on 01-Jan-1980
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.
4 - UTC Offset ....................
5 - Daylight Savings Time (DST) ...
6 - Poll Interval .................
7 - Last Delta ....................
Note: If the switch is obtaining its IP address and subnet mask from a DHCP server, you can configure the DHCP server to provide the switch with the IP address of an NTP or SNTP server. If you configured the DHCP server to provide this address, then you do not need to enter it here, and you can skip ahead to step c.
The following prompt is displayed:
Enter SNTP server IP address ->
b. Enter the IP address of an SNTP or NTP server.
c.
g. Type 6 - Poll Interval to specify the time interval between queries to the SNTP server. The following prompt is displayed:
Enter interval to poll SNTP server [60 to 1200] -> 600
h. Enter the number of seconds the switch waits between polls of the SNTP or NTP server. The default is 600 seconds. The range is from 60 to 1200 seconds.
i. Type 2 to select SNTP Status to enable or disable the SNTP client.
Configuring the Console Startup Mode
You can configure the AT-S62 software to initially display either the Main Menu or the command line interface prompt when you start a local, Telnet, or SSH management session. The default is the command line interface. To change the console startup mode, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2.
Configuring the Console Timer
The AT-S62 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. The management software automatically ends a local or remote management session if it does not detect any activity from the management station before the console timer expires.
Enabling or Disabling the Telnet Server
This procedure explains how to enable or disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with the Telnet application protocol, or if you intend to use the Secure Shell (SSH) protocol instead.
Note: You cannot disable the Telnet server if there is an active Telnet management session on the switch.
To enable or disable the Telnet server, perform the following procedure:
1.
Setting the Baud Rate of the RS-232 Terminal Port
The default baud rate of the RS-232 Terminal Port on the switch is 9600 bps. To change the baud rate, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration. The Console (Serial/Telnet) Configuration menu is shown in Figure 12 on page 69.
3.
Pinging a Remote System
You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device.
Note: The switch must have an IP address to perform this procedure.
To instruct the switch to ping a network device, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
Returning the AT-S62 Software to the Factory Default Values

There are two procedures for returning the settings on a switch to the factory default values. The first returns the switch’s settings to the default values but retains all files in the switch’s file system (configuration files, SSL certificates, event logs, and so on). The second method deletes all the files in the file system, including all configuration files.
The following prompt is displayed:

This operation requires a switch reboot. Continue? [Yes/No] ->

4. Type Y for yes or N to cancel the procedure. If you respond with yes, the following prompt is displayed:

Do you want to reset serial baud rate to 9600 bps? [Yes/No] ->

5. Typing Y for yes will change the baud rate of the RS-232 Terminal Port to its default value of 9600 bps. Typing N leaves the baud rate at its current setting.
❑ The current speed setting of the RS-232 console port on the switch is retained.

Caution
This procedure results in a switch reset. The switch will not forward traffic while it initializes its operating software, a process that takes approximately 20 seconds to complete. Some network traffic may be lost.

To delete all files from the file system and return the switch’s operating parameters to the default settings, perform the following procedure. Because this method removes every file, including the SSL certificates and event logs, copy off any log records you still need before you start.

1.
Viewing System Hardware and Software Information

The procedure in this section displays hardware and software information about the switch. The information includes the switch’s serial number and MAC address, as well as the status of the power supply and fan. To display this information, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2.
The System Hardware Information menu is shown in Figure 14.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

System Hardware Status

System 1.8V Power ............... 1.79V
System 2.5V Power ............... 2.53V
System 3.3V Power ............... 3.
System 5V Power .................
System Temperature (Celsius) ....
System Fan Speed ................
Main Power Supply ...............
Redundant Power Supply ..........
Setting the Switch’s Temperature Threshold

The switch sends an SNMP trap to your management workstation when this adjustable temperature threshold is exceeded. The default threshold is 60° Celsius. To change the temperature threshold for the switch, do the following:

1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 2 to select System Configuration.
3.
Chapter 5
SNMPv1 and SNMPv2c Configuration

This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
SNMPv1 and SNMPv2c Overview

The Simple Network Management Protocol (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S62 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c. Both of these versions authenticate a request with nothing more than the community string, which travels in cleartext in every packet; SNMPv3 is the version that adds user authentication and encryption.
Chapter 5: SNMPv1 and SNMPv2 Community Strings

Community String Name
You must give the community string a name. The name can be from one to eight alphanumeric characters. Spaces are allowed.

Access Mode
This defines what the community string will allow a network manager to do. There are two access modes: Read and Read/Write. A community string with an access mode of Read can only be used to view but not change the MIB objects on a switch.
Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers to. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of only Read. If you are not interested in receiving traps, then you do not need to enter any IP addresses of trap receivers.
Enabling or Disabling SNMP Management

To enable or disable SNMP management for the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16.
Setting the Authentication Failure Trap

As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to the other traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management: it is the trap the switch sends when it receives an SNMP request carrying a community string it does not recognize, which makes it an early indicator of a misconfigured manager or of someone guessing community strings.
Creating an SNMP Community String

To create a new SNMP community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 84.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
5. Enter the new SNMP community string. The name can be from one to fifteen alphanumeric characters. Spaces are allowed. This prompt is displayed:

Enter Access Mode [R-Read Only, W-Read/Write]:

6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch.
Modifying a Community String

To modify a community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 84.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
The menu options are described below:

1 - Add Attributes to Community
If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following:

1. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
3. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:

Enter Trap Receiver IP Addr:

4. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return.
5. After making changes, type R until you return to the Main Menu.
Do you want to change Community Status? (Y/N): [Yes/No] ->

4. Type Y to change the string’s status or N to cancel the change.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

5 - Set Community Open Status
Use this selection to change a string’s open status. A string with an open status can be used from any management station, whatever its IP address; a string with a closed status can be used only from the management workstation IP addresses that have been added to it. Be careful with open status on a Read/Write string: any host that learns the string can then change the switch’s MIB objects.
Displaying the SNMP Community Strings

To display the attributes of all the SNMP community strings on the switch, use the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 84.
3.
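The community-string rules in this chapter (Read versus Read/Write access, open versus closed status with a list of allowed management IP addresses, up to eight trap receivers per string, and traps going to every receiver on every string) are easy to get wrong in combination. The following is an added example, not code from the AT-S62 software or from this guide: a small Python model of those rules plus an audit pass over a constructed set of strings. The `Community` dataclass, the function names and the sample strings are assumptions made for illustration; the switch itself exposes these settings only through its menus.

```python
"""Model of the SNMPv1/v2c community-string rules described in this chapter.

Added example, not part of the AT-S62 software or this guide: the dataclass,
function names and sample strings are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Set

MAX_TRAP_RECEIVERS = 8                        # per community string, per the guide
WELL_KNOWN_DEFAULTS = {"public", "private"}   # conventional SNMP defaults, not AT-S62 specific


@dataclass
class Community:
    name: str
    access: str                               # "R" = Read only, "W" = Read/Write (menu prompt labels)
    open: bool = True                         # open status: usable from any management station
    managers: List[str] = field(default_factory=list)       # IPs allowed when status is closed
    trap_receivers: List[str] = field(default_factory=list)


def is_authorized(c: Community, src_ip: str, write: bool) -> bool:
    """Would the switch honour a request carrying this string from src_ip?

    A write needs Read/Write access; a closed string is usable only from the
    management IPs added to it; an open string is usable from anywhere.
    """
    if write and c.access != "W":
        return False
    if c.open:
        return True
    return ip_address(src_ip) in {ip_address(m) for m in c.managers}


def all_trap_receivers(strings: List[Community]) -> Set[str]:
    """Every trap goes to every receiver on every string, Read-only strings included."""
    return {r for c in strings for r in c.trap_receivers}


def audit(strings: List[Community]) -> List[str]:
    """Flag the combinations an attacker would look for first."""
    findings = []
    for c in strings:
        if c.name.lower() in WELL_KNOWN_DEFAULTS:
            findings.append(f"{c.name}: well-known default community name")
        if c.access == "W" and c.open:
            findings.append(f"{c.name}: Read/Write with open status; any host that "
                            "learns the string can change MIB objects")
        if not c.open and not c.managers:
            findings.append(f"{c.name}: closed status with no management IPs; "
                            "no station can use it under the closed rule")
        if len(c.trap_receivers) > MAX_TRAP_RECEIVERS:
            findings.append(f"{c.name}: more than {MAX_TRAP_RECEIVERS} trap receivers")
    return findings


# Constructed sample strings (not taken from any real switch).
SAMPLE = [
    Community("public", "R", open=True, trap_receivers=["192.0.2.50"]),
    Community("private", "W", open=True),
    Community("nms-rw", "W", open=False, managers=["192.0.2.10"],
              trap_receivers=["192.0.2.50", "192.0.2.51"]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
    print("trap receivers:", sorted(all_trap_receivers(SAMPLE)))
```

Running the audit on the constructed sample reports the two default names and the open Read/Write string, while the closed string restricted to one management IP passes; the trap-receiver union shows that the Read-only string’s receiver still gets every trap.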
Chapter 6
Port Parameters

This chapter contains the procedures for viewing and adjusting the parameter settings for the individual ports on a switch.
Chapter 6: Port Parameters

Displaying Port Status

To display the current status and settings of the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20.
Note
The speed, duplex mode, and flow control settings will be blank for ports that have not established a link with their end node. To view the settings of a GBIC or SFP module in Port 49 or 50 of an AT-8550GB or AT-8550SP switch, there must be a valid connection between the module’s port and the end node. Otherwise, Ports 49 and 50 in the menu represent the twisted pair ports 49R and 50R.

The information in this menu is for viewing purposes only.
PVID
The port’s VLAN identifier (PVID). This number corresponds to the VID of the VLAN in which the port is an untagged member. This column will not include the VIDs of the VLANs where the port is a tagged member.

Flow Ctl
The flow control setting for the port. Possible values are:
Disabled - No flow control on the port.
Enabled - Flow control is activated.
Configuring Port Parameters

To configure the parameter settings of a port, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 94.
2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:

Enter port-list ->

3. Enter the number of the port you want to configure. You can specify more than one port at a time.
Selections 3, 5, and 6 appear in the menu only when selection 4 Negotiation is set to Manual. When selection 4 is set to Auto, these options are hidden.

Note
The Port Configuration menu in the figure above is for a 10/100 Mbps twisted pair port. The menu for a fiber optic port will contain a subset of the parameters.

If you are configuring multiple ports and the ports have different settings, the Port Configuration menu displays the settings of the lowest numbered port.
2 - Broadcast Filter
Most frames on an Ethernet network are unicast frames. A unicast frame is a frame that is sent to a single destination. A node sending a unicast frame intends the frame for a particular node on the network. Broadcast frames are different. Broadcast frames are directed to all nodes on the network or all nodes within a particular virtual LAN. Broadcast packets can perform a variety of functions.
If you set option 4 - Negotiation to Manual, which disables Auto-Negotiation on a port, the auto-MDI/MDI-X feature is disabled as well and this menu option appears with the two possible settings of MDI and MDI-X. The default is MDI-X.

4 - Negotiation
You use this selection to activate or deactivate Auto-Negotiation on a twisted pair port. This parameter has the two settings Auto and Manual.
Note
Ports 49R and 50R on an AT-8550GB Series switch must be set to Auto-Negotiation in order to operate at 1000 Mbps. You cannot manually configure these ports to 1000 Mbps.

6 - Duplex
This selection is used to set the duplex mode of a port. The option only appears when option 4 - Negotiation is set to Manual. The possible settings are:
Full - Full-duplex
Half - Half-duplex
Figure 23 Head of Line Blocking (diagram showing ports A, B, C and D with their ingress and egress queues, and queue utilizations of 50% and 100%)

The HOL Limit parameter can help prevent this problem from occurring. This parameter sets a threshold on the utilization of a port’s egress queue. When the threshold for a port is exceeded, the switch signals other ports to discard packets to the oversubscribed port.
The default setting for flow control on a switch port is disabled. Selecting this option displays the Flow Control menu, shown in Figure 24.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Flow Control
Configuring Port 11

1 - Flow Control ................. Disabled
2 - Flow Control (Cell Limit) ....
When a switch port needs to stop a half-duplex end node from transmitting data, it forces a collision on the data link, which stops the end node. Once the port is ready to receive data again, it stops forcing collisions.

The default setting for backpressure on a switch port is disabled. Selecting this option displays the Back Pressure menu shown in Figure 25.
operating at the same speed and duplex mode. If the port’s speed and duplex mode have been set manually, this option returns the port to Auto-Negotiation.

X - Reset Port
Resets the speed and duplex mode of the selected port to the default value of Auto-Negotiation. Also returns the MDI/MDIX setting to the default value of Auto-Detect.

5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Setting the Rate Limit

This feature allows you to set the maximum number of ingress packets the switch ports accept each second. Packets exceeding the threshold are discarded. You can enable the rate limiting threshold independently for multicast, broadcast, and unknown unicast packets. However, the same threshold applies to all packet types. To configure this feature, you must enter a rate limit.
The Rate Limiting menu is shown in Figure 26.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Rate Limiting
Configuring Port 1

1 - Broadcast Rate Limiting Status ...........
2 - Multicast Rate Limiting Status ...........
3 - Unknown Unicast Rate Limiting Status .....
4 - Rate Limit ...............................
Chapter 7
MAC Address Table

This chapter contains the procedures for viewing the static and dynamic MAC address table.
MAC Address Overview

The AT-8500 Series switch contains a MAC address table with a storage capacity of 8,000 entries. The switch uses the table to store the MAC addresses of the network nodes connected to its ports, along with the port number on which each address was learned. The switch learns the MAC addresses of the end nodes by examining the source address of each packet received on a port.
Chapter 7: MAC Address Table

prevents the MAC address table from becoming filled with addresses of nodes that are no longer active. The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-8500 Series switch. The default value is 300 seconds (5 minutes). For instructions on changing the aging timer, refer to Changing the Aging Time on page 119.

The MAC address table can also store static MAC addresses.
Displaying MAC Addresses

The management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses.

To display the MAC address tables, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 27.
3. Select the desired option. The options are explained below:

1 - Display All
This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. An example of a unicast MAC address table is shown in Figure 29.
An example of a multicast MAC address table is shown in Figure 30.
5 - Display Specified MAC
Displays the port number on which a MAC address was assigned or learned. In some situations, you might want to know on which port a particular MAC address was learned. You could display the MAC address table and scroll through the list looking for the MAC address. But if the switch is part of a large network, finding the address could prove difficult. This menu option offers an easier way.
Adding Static Unicast and Multicast MAC Addresses

This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-8500 Series switch.

To add a static MAC address, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 27 on page 111.
2.
to the port where the multicast application is located will result in the failure of the multicast packets to be properly forwarded to the host nodes.

You can specify the ports individually (e.g., 1,4,5), as a range (e.g., 11-14) or both (e.g., 15-17,22,24). The following prompt is displayed:

Please enter VLAN ID: [1 to 4094] -> 1

7. Enter the VLAN ID where the port is a member.
8.
Deleting Unicast and Multicast MAC Addresses

To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 27 on page 111.
2. From the MAC Address Tables menu, type 2 to select Configure MAC Addresses. The Configure MAC Addresses menu is shown in Figure 31 on page 115.
3.
Deleting All Dynamic MAC Addresses

To delete all dynamic unicast and multicast MAC addresses from the MAC address table, do the following:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 27 on page 111.
2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 31 on page 115.
3.
Changing the Aging Time

The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
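To make the table behaviour in this chapter concrete (learning from source addresses, refreshing an entry on traffic to or from it, aging dynamic entries after the aging time, static entries that never age, 255 static entries per port, 8,000 entries in total), here is an added Python simulation. It is example code written for this guide, not the AT-S62 implementation. The guide does not say what the switch does when the table is full or when a static address is seen arriving on another port; the model refuses the new learn in the first case and leaves the static entry untouched in the second, and both are assumptions.

```python
"""Simulation of the MAC address table rules described in this chapter.

Added example, not AT-S62 code.  Capacities and the 300 s default come from
the guide; the full-table and static-versus-learned behaviours are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TABLE_CAPACITY = 8000        # entries in the AT-8500 Series table, per the guide
STATIC_PER_PORT = 255        # static addresses per port, per the guide
DEFAULT_AGING_TIME = 300     # seconds


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float         # time of the last packet sent to or received from the address


class MacTable:
    def __init__(self, aging_time: int = DEFAULT_AGING_TIME):
        self.aging_time = aging_time
        self.entries: Dict[str, Entry] = {}

    def learn(self, src_mac: str, port: int, now: float) -> bool:
        """Learn (or refresh) the source address of a packet received on port."""
        e = self.entries.get(src_mac)
        if e is not None:
            if not e.static:         # assumption: a static entry is never moved by learning
                e.port = port
                e.last_seen = now
            return True
        if len(self.entries) >= TABLE_CAPACITY:
            return False             # assumption: nothing learned while the table is full
        self.entries[src_mac] = Entry(port, False, now)
        return True

    def lookup(self, dst_mac: str, now: float) -> Optional[int]:
        """Egress port for a destination, or None when the switch must flood.

        A hit counts as a packet sent to the address, so it refreshes the timer.
        """
        e = self.entries.get(dst_mac)
        if e is None:
            return None
        e.last_seen = now
        return e.port

    def add_static(self, mac: str, port: int) -> bool:
        """Assign a static address to a port; refused beyond the per-port limit."""
        on_port = sum(1 for e in self.entries.values() if e.static and e.port == port)
        if on_port >= STATIC_PER_PORT:
            return False
        self.entries[mac] = Entry(port, True, 0.0)
        return True

    def age(self, now: float) -> List[str]:
        """Purge dynamic entries idle for longer than the aging time."""
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired

    def delete_all_dynamic(self) -> int:
        """The 'Deleting All Dynamic MAC Addresses' operation; static entries stay."""
        dynamic = [m for m, e in self.entries.items() if not e.static]
        for m in dynamic:
            del self.entries[m]
        return len(dynamic)


if __name__ == "__main__":
    # Constructed walk-through: one learned host, one static host, then aging.
    t = MacTable()
    t.learn("00:00:5e:00:53:01", port=3, now=0.0)
    t.add_static("00:00:5e:00:53:aa", port=5)
    print("after 600 s, purged:", t.age(600.0))
    print("static still known on port", t.lookup("00:00:5e:00:53:aa", 600.0))
```

The point a practitioner should take from the simulation is that a host that only receives traffic is kept alive by lookups as well as by learning, and that a static entry for a critical host (a server, a management station) survives both the aging timer and the delete-all-dynamic operation.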
Chapter 8
Static and LACP Port Trunks

This chapter contains the procedures for creating, modifying, and deleting static and LACP port trunks.
Port Trunk Overview

A port trunk is an economical way for you to increase the bandwidth between the Ethernet switch and another networking device, such as a network server, router, workstation, or another Ethernet switch. A port trunk is a group of ports that have been grouped together to function as one logical path.
Chapter 8: Port Trunking

say that an Allied Telesyn layer 2 managed switch cannot form a static trunk with a device from another manufacturer; but there is the possibility that the implementations of static trunking on the two devices might not be compatible.

It should also be noted that this type of trunk does not provide for redundancy or link backup. If a port in a static trunk loses its link, the trunk’s total bandwidth is reduced.
❑ The switch can support up to six static trunks when LACP is disabled and three static trunks when LACP is enabled.
❑ The ports of a static trunk must be untagged members of the same VLAN. A trunk cannot consist of untagged ports from different VLANs.
❑ The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown destination. For example, a trunk of ports 11 to 15 would use port 11 for broadcast packets.
An aggregate trunk can consist of any number of ports on a switch, but only a maximum of eight ports can be active at a time. If an aggregate trunk contains more ports than can be active at one time, the extra ports are placed in a stand-by mode. Ports in the standby mode do not pass network traffic, but they do transmit and accept LACP data unit (LACPDU) packets, which the switch uses to search for LACP-compliant devices.
Figure 33 Example of Multiple Aggregators for Multiple Aggregate Trunks (diagram: Ports 1-3 in Aggregator 1 and Ports 12-14 in Aggregator 2 on the AT-8500 Series switch, forming aggregate trunks in separate aggregators to an 802.3ad-compliant device and to an Ethernet switch)

Here is how the example might look in table format for the ports on the AT-8500 Series switch.
If the aggregate trunks go to different devices, you can create one aggregator and let the AT-8500 Series switch form the trunks for you automatically. This is illustrated in Figure 34. The ports of the two aggregate trunks on the AT-8500 Series switch are members of the same aggregator. It is the switch that determines that there are actually two separate aggregate trunks.

Figure 34 (diagram: Ports 1-3 and 12-14 in Aggregator 1 on the AT-8500 Series switch, aggregate trunks in the same aggregator; remainder of the caption is cut off: "802.")
LACP System Priority

It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when forming a trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby. If a conflict occurs, the devices need a mechanism for resolving the problem, a means by which they can decide whose LACP settings are to take precedence.
LACP Port Priority Parameter

The switch uses this parameter to determine which ports are to be active and which are to be in the standby mode in situations where the number of ports in an aggregate trunk exceeds the highest allowed number of active ports. This parameter can be adjusted on each port and is a hexadecimal value in a range of 1 to FFFF. The lower the number, the higher the priority.
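The two priorities just described, system priority for deciding whose settings win and port priority for choosing active versus standby ports, are simple ordering rules, and an added Python example makes them checkable. This is example code written for this guide, not the AT-S62 implementation. The guide supplies the rules (lower value means higher priority, hexadecimal range 1 to FFFF, at most eight active ports); the tie-breaks on system MAC address and on port number follow the IEEE 802.3ad definition of the System Identifier and Port Identifier and are assumptions as far as this guide is concerned.

```python
"""LACP system-priority and port-priority ordering as described above.

Added example, not AT-S62 code.  Range, direction (lower wins) and the
eight-port limit come from the guide; the MAC and port-number tie-breaks
follow IEEE 802.3ad and are assumptions with respect to this guide.
"""
from typing import Dict, List, Tuple

MAX_ACTIVE_PORTS = 8
PRIORITY_RANGE = range(0x1, 0x10000)      # 1 to FFFF hexadecimal, as the menus accept it


def check_priority(value: int) -> int:
    """Reject values outside the range the menus accept."""
    if value not in PRIORITY_RANGE:
        raise ValueError(f"priority {value:#x} outside 0x1-0xFFFF")
    return value


def deciding_system(local: Tuple[int, str], remote: Tuple[int, str]) -> str:
    """Return 'local' or 'remote': whose LACP settings take precedence.

    Each side is (system priority, system MAC address).  The lower priority
    value wins; on equal priority the numerically lower MAC address wins,
    which is the 802.3ad System Identifier ordering (assumption here).
    """
    def key(system: Tuple[int, str]) -> Tuple[int, int]:
        prio, mac = system
        return (check_priority(prio), int(mac.replace(":", ""), 16))
    return "local" if key(local) <= key(remote) else "remote"


def select_active_ports(port_priorities: Dict[int, int],
                        max_active: int = MAX_ACTIVE_PORTS) -> Tuple[List[int], List[int]]:
    """Split an aggregate trunk's ports into (active, standby) lists.

    Lower priority value = higher priority; equal priorities are ordered by
    port number (assumption).  Ports beyond max_active go to standby, where
    they still exchange LACPDUs but carry no traffic.
    """
    ordered = sorted(port_priorities,
                     key=lambda p: (check_priority(port_priorities[p]), p))
    return ordered[:max_active], ordered[max_active:]


if __name__ == "__main__":
    # Constructed example: ten ports offered to one trunk, so two must stand by.
    prios = {p: 0x0080 for p in range(1, 11)}
    prios[9] = 0x0010            # prefer port 9 over the lower-numbered ports
    active, standby = select_active_ports(prios)
    print("active:", active, "standby:", standby)
    print("decider:", deciding_system((0x8000, "00:00:5e:00:53:01"),
                                      (0x8000, "00:00:5e:00:53:02")))
```

With every port left at the same priority the eight lowest-numbered ports go active, so if you need a particular uplink to stay active you must lower its priority value rather than rely on the default; the example also shows that a system priority tie is resolved on MAC address, which is why two switches with factory defaults still converge on one decider.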
Load Distribution Methods

The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different load distribution methods to different aggregate trunks, you must create a separate aggregator for each trunk. For further information, refer to Load Distribution Methods on page 130.
❑ Only those ports that are members of an aggregator transmit LACPDU packets.
❑ The load distribution method is applied at the aggregator level. If you want aggregate trunks to have different load distribution methods, you must create a separate aggregator for each trunk. For further information, refer to Load Distribution Methods on page 130.
❑ Source IP Address / Destination IP Address (Layer 3)

The load distribution methods examine the last three bits of a packet’s MAC or IP address and compare the bits against mappings assigned to the ports in the trunk. The port mapped to the matching bits is selected as the transmission port for the packet.
The binary values would be:

9 = 1001
3 = 0011

Applying the XOR rules above on the last three bits would result in 010. An examination of the table above shows that the packet would be transmitted from port 9.

Port trunk mappings on an AT-8500 Series switch can consist of up to eight ports. This corresponds to the maximum number of ports allowed in a static trunk and the maximum number of active ports in an LACP trunk.
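The distribution rule above (take the last three bits of the source and/or destination address, XOR them when both are used, look the 3-bit result up in a port mapping) is worth running against some traffic, because it explains why a trunk can look idle on most links while one link is saturated. The following is an added Python example, not AT-S62 code. The guide does not reproduce the mapping table, so `select_port()` assumes the simplest mapping, the 3-bit value modulo the number of trunk ports; a real switch’s table may assign the eight values differently. How the single-address methods (SRC MAC, DST MAC, SRC IP, DST IP) use the address is likewise assumed: the low three bits of that one address.

```python
"""Trunk load distribution as described above: low three bits of the source
and/or destination address, XORed when both are used, mapped to a trunk port.

Added example, not AT-S62 code.  The port mapping (value modulo the number of
trunk ports) and the single-address behaviour are assumptions.
"""
from collections import Counter
from typing import Dict, List

MAX_TRUNK_PORTS = 8          # a mapping covers at most eight ports, per the guide
METHODS = ("SRC MAC", "DST MAC", "SRC/DST MAC", "SRC IP", "DST IP", "SRC/DST IP")


def low3(address: str) -> int:
    """Last three bits of a colon-separated MAC or a dotted IPv4 address."""
    if ":" in address:
        return int(address.split(":")[-1], 16) & 0b111
    return int(address.split(".")[-1]) & 0b111


def distribution_value(method: str, frame: Dict[str, str]) -> int:
    """3-bit value for one of the six methods; frame holds src_mac/dst_mac/src_ip/dst_ip."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    layer = "ip" if method.endswith("IP") else "mac"
    value = 0
    if method.startswith("SRC"):
        value ^= low3(frame["src_" + layer])
    if "DST" in method:
        value ^= low3(frame["dst_" + layer])
    return value


def select_port(method: str, frame: Dict[str, str], trunk_ports: List[int]) -> int:
    """Transmission port for the frame (mapping assumed: value mod port count)."""
    if not 1 <= len(trunk_ports) <= MAX_TRUNK_PORTS:
        raise ValueError("a trunk mapping covers 1 to 8 ports")
    return trunk_ports[distribution_value(method, frame) % len(trunk_ports)]


def port_usage(method: str, frames: List[Dict[str, str]], trunk_ports: List[int]) -> Counter:
    """How many of the frames each trunk port would carry."""
    return Counter(select_port(method, f, trunk_ports) for f in frames)


# Constructed sample: one server (MAC ending :10) talking to four clients whose
# MACs end in :00, :08, :10 and :18.  They differ only above the low three bits.
SERVER = "00:00:5e:00:53:10"
CLIENTS = ["00:00:5e:00:53:00", "00:00:5e:00:53:08",
           "00:00:5e:00:53:10", "00:00:5e:00:53:18"]
SAMPLE_FRAMES = [{"src_mac": SERVER, "dst_mac": c,
                  "src_ip": "192.0.2.16", "dst_ip": f"192.0.2.{i}"}
                 for i, c in enumerate(CLIENTS, start=1)]
TRUNK = [9, 10, 11, 12]

if __name__ == "__main__":
    for m in ("SRC/DST MAC", "SRC/DST IP"):
        print(m, dict(port_usage(m, SAMPLE_FRAMES, TRUNK)))
```

With the MAC-based method every sample frame hashes to value 0 and lands on the first trunk port, because the addresses differ only in bits the hash never looks at; switching the aggregator to the IP-based method spreads the same four conversations over four ports. The inverse also holds: a single large flow always stays on one link, so a trunk never gives one conversation more than one port’s bandwidth.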
Managing Static Port Trunks

The following procedures explain how to create, modify, and delete static port trunks:

❑ Creating a Static Port Trunk on page 133
❑ Modifying a Static Port Trunk on page 136
❑ Deleting a Static Port Trunk on page 138

For background information, refer to Static Port Trunk Overview on page 121.

Creating a Static Port Trunk

This section contains the procedure for creating a static port trunk on a switch.
The Port Trunking and LACP menu is shown in Figure 35.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Port Trunking and LACP

1 - Static Port Trunking
2 - LACP Configuration

R - Return to Previous Menu

Enter your selection?

Figure 35 Port Trunking and LACP Menu

3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 36.
The Create Trunk menu is shown in Figure 37.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Create Trunk

1 - Trunk ID ......... 1
2 - Trunk Name .......
3 - Trunk Method ..... SRC/DST MAC
4 - Trunk Ports ......

C - Create Trunk
R - Return to Previous Menu

Enter your selection?

Figure 37 Create Trunk Menu

5. Type 1 to select Trunk ID and, when prompted, enter an ID number for the trunk of from 1 to 6.
10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
11. Configure the ports on the remote switch for port trunking.
12. Connect the cables to the ports of the trunk on the switch.

The port trunk is ready for network operations.

Modifying a Static Port Trunk

This section contains the procedure for modifying a static port trunk on the switch.
The following prompt is displayed:

Enter Trunk ID: [1 to 6] ->

5. Enter the ID number of the trunk you want to modify. The Modify Trunk menu is displayed. The menu displays the operating specifications of the selected trunk. An example is shown in Figure 38.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Modify Trunk

1 - Trunk ID .........
2 - Trunk Name .......
3 - Trunk Method .....
4 - Trunk Ports ......
8. To change the ports of a trunk, type 4 to select Trunk Ports and, when prompted, enter the new ports of the trunk. A trunk can contain up to eight ports. You can identify the ports individually (for example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14). The new list of ports replaces the existing ports of the trunk.
9. Type M to select Modify Trunk. The modifications to the port trunk are activated on the switch.
10.
Managing LACP Trunks

The following procedures explain how to create and manage LACP trunks:

❑ Enabling or Disabling LACP on page 139
❑ Setting a LACP System Priority on page 140
❑ Creating an Aggregator on page 141
❑ Modifying an Aggregator on page 143
❑ Deleting an Aggregator on page 145
❑ Configuring LACP Port Parameters on page 146
❑ Displaying LACP Port or Aggregator Status on page 148

For background information, refer to LACP Trunk Overview on page 123.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 39.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

LACP (IEEE 802.3ad) Configuration

1 - LACP Status ....................... Disabled
2 - Priority ..........................
Enter Priority [0x1 - 0xFFFF]: [0x1 to 0xffff] -> 0x

5. Enter the new value in hexadecimal. The range is 1 to FFFF. The lower the value, the higher the priority. The prefix “0x” indicates that the number is hexadecimal. The new priority value takes effect immediately on the switch.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The Create LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 39 on page 140.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

Create LACP (IEEE 802.3ad) Aggregator

1 - Aggregator ..................
2 - Adminkey .................... 0x0000
3 - Distribution Mode ........... SRC/DST MAC
4 - Port Range ..................

C - Create Aggregator
4 - Port Range
Specifies the aggregator ports. An aggregator can contain any number of ports on the switch. You can identify the ports individually (for example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14).

6. After you configure the parameters, type C to select Create Aggregator. The aggregator is created on the switch.
7.
To modify an aggregator, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 36 on page 134.
3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 39 on page 140.
4. Type 4 to select Modify Aggregator.
2 - Adminkey
Specifies a unique adminkey value for the aggregator. The value is entered in hexadecimal. The range is 1 to FFFF. For background information, refer to Adminkey Parameter on page 127.

3 - Distribution Mode
Sets the load distribution method.
To delete an aggregator, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 36 on page 134.
3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 39 on page 140.
4. Type 6 to select Delete Aggregator.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 39 on page 140.

4. Type 4 to select Modify Aggregator. The Modify LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 41.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

LACP (IEEE 802.3ad) Port Configuration

1 - Port Number ................. 0
2 - Adminkey .................... 0x0000
3 - Priority .................... 0x0000
4 - Aggregator ................

M -
Displaying LACP Port or Aggregator Status

To display LACP port or aggregator status, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 36 on page 134.
3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 39 on page 140.
4.
Figure 44 is an example of the LACP (IEEE 802.3ad) Aggregator Status menu. The information is for viewing purposes only. An aggregator appears in the menu only if there is at least one active aggregate trunk between the switch and another network device.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                   11:20:02 02-Jan-2004

LACP (IEEE 802.3ad) Aggregator Status

Aggregator #1 .................
Adminkey ......................
Oper Key......
Chapter 9 Port Mirroring This chapter contains the procedures for creating and deleting a port mirror.
AT-S62 Menus Interface User’s Guide Port Mirroring Overview The port mirroring feature allows you to unobtrusively monitor the traffic being received and transmitted on one or more ports on a switch by having the traffic copied to another switch port. You can connect a network analyzer to the port where the traffic is being copied and monitor the traffic on the other ports without impacting network performance or speed. The port(s) whose traffic you want to mirror is called the source port(s).
Chapter 9: Port Mirroring Creating a Port Mirror To create a port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 94. 2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 45. Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2004 Port Mirroring 1 - Enable/Disable ....................
5. Type 2 to select Mirror-To Port and, when prompted, enter the number of the port to function as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port. Treat the destination port as a sensitive port: any device connected to it receives a copy of all traffic mirrored from the source ports. 6. If you want to mirror the ingress (received) traffic on one or more ports, type 3 to select Ingress Mirror Port and, when prompted, enter the ports.
Chapter 9: Port Mirroring Deleting a Port Mirror To delete a port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 20 on page 94. 2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 46 on page 152. 3. Type 1 to select Enable/Disable. The following prompt is displayed. Enter Enable(E)/Disable(D): 4. Type D to disable the feature.
Chapter 10 Ethernet Statistics This chapter contains the procedures for displaying data traffic statistics.
Chapter 10: Ethernet Statistics Displaying Port Statistics To display Ethernet port statistics, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 47.
AT-S62 Menus Interface User’s Guide Multicast Frames Received Number of multicast frames received on the port. Multicast Frames Sent Number of multicast frames transmitted from the port. Frames 64 Bytes Frames 65 - 127 Bytes Frames 128 - 255 Bytes Frames 256 - 511 Bytes Frames 512 - 1023 Bytes Frames 1024 - 1518 Bytes Number of frames transmitted from the port, grouped by size.
Clearing Port Counters To return the statistics counters of a port to zero, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 47 on page 156. 3. From the Port Statistics menu, type 2 to select Clear Port Statistics. This prompt is displayed: Enter port-list: 4.
Section II Advanced Operations The chapters in this section explain some of the more advanced features of an AT-8500 Series switch.
Chapter 11 File System This chapter describes the AT-S62 file system, and how you can use the file system to copy, rename, and delete system files. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
AT-S62 Menus Interface User’s Guide File System Overview The AT-S62 management software has a file system of 2 megabytes for storing system files. You can view the file system, as well as copy, rename, and delete files. The following file types are supported by the AT-S62 file system: ❑ Boot configuration files ❑ Encryption keys ❑ Public certificates ❑ Certificate enrollment requests For an explanation of a boot configuration file, refer to Working with Boot Configuration Files on page 163.
Chapter 11: File System File Naming Conventions The file system is a flat file system which means directories are not supported. Files are uniquely identified by a file name in the following format: filename.ext where: ❑ filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }+.
AT-S62 Menus Interface User’s Guide Working with Boot Configuration Files A boot configuration file contains the commands that configure the switch’s parameter settings whenever you power cycle or reset the device. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so on. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.
Chapter 11: File System Phase 1: Creating a Configuration File Before you begin to configure the switch with the parameter settings that you want to save in a new configuration file, you should first create the file. Configuring the parameters first and then creating the new configuration file might cause you to inadvertently change a configuration file you might not want to change. To perform this phase, do the following: 1. From the Main Menu, type 5 to select System Administration. 2.
AT-S62 Menus Interface User’s Guide Caution Option 9 - Format Flash Drive should be used with care. It deletes all files in the file system, including configuration files, encryption keys, event logs, etc. For instructions, refer to Deleting the System Files on page 75. 4. Type 3 to select Create Configuration File. The following prompt is displayed: Enter the file name (or None): 5. Enter a file name for the new configuration file. The file name can be up to 16 alphanumeric characters.
Chapter 11: File System Phase 2: Configuring the Switch’s Parameter Settings Now that you have created a configuration file and designated it as the active boot configuration file on the switch, you can now configure the switch’s parameter settings by making those changes that you want the new configuration file to contain. Once you have done that, be sure to save your changes to the configuration file by returning to the Main Menu and typing S to select Save Configuration Changes.
AT-S62 Menus Interface User’s Guide To select the active boot configuration file for the switch, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 9 to select System Utilities. 3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 48 on page 164. 4. Type 1 to select Boot Configuration File. The following prompt is displayed: Enter the file name: 5.
Chapter 11: File System To view the contents of a configuration file, perform the following procedure: 1. From the File Operations menu, type 7 to select View File. The following prompt is displayed: Enter file name: 2. Enter the name of the configuration file you want to view. The contents of the configuration file are displayed in the View File menu. An example is shown in Figure 49.
AT-S62 Menus Interface User’s Guide For instructions on how to upload a configuration file from a switch to your management workstation, refer to Uploading a System File on page 195. For instructions on how to download a configuration file from your workstation back to the switch, refer to Downloading a System File on page 188. For instructions on how to designate an active boot configuration file, refer to Setting the Active Boot Configuration File on page 166.
Chapter 11: File System Copying, Renaming, and Deleting System Files Use this procedure to copy, rename, and delete system files. To view a list of system file names, see Displaying System Files on page 172. Note Files with the extension UKF are encryption key pairs. These files cannot be copied, renamed, or deleted from the file system. To delete a key pair from the switch, refer to Deleting an Encryption Key on page 648.
AT-S62 Menus Interface User’s Guide 5. To rename a system file, do the following: a. From the File Operations menu, type 5 to select Rename File. The following prompt is displayed: Enter the source file name: b. Enter the name of the file you want to rename. The following prompt is displayed: Enter the destination file name: c. Enter the new name for the file. You can enter a file name of up to 16 alphanumeric characters, followed by a 3 letter extension. You must keep the same extension.
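The following Python example is added here and is not part of the AT-S62 software or of this guide. It encodes the rules from File Naming Conventions and from the rename procedure above (a 1 to 16 character name from the listed character set, a three-letter extension that a rename must keep, and UKF key pairs that cannot be copied, renamed, or deleted) so that a file name or a rename request can be checked before it is typed into the File Operations menu. Two assumptions are made: the period at the end of the guide's character list is read as sentence punctuation rather than an allowed character, because the period separates name and extension, and the typographic apostrophe printed in that list is accepted alongside the plain one.

```python
"""Validation of AT-S62 file names and rename requests.

Added example, not Allied Telesyn code. Rules: flat file system (no
directories), name of 1 to 16 characters from the guide's character set,
three-letter extension, extension kept on rename, UKF key pairs immutable.
Assumed: the trailing period in the guide's character list is punctuation,
and both the plain and the typographic apostrophe are accepted.
"""
import re

# Name: 1-16 chars from the guide's set (period excluded, it is the separator).
# Extension: exactly three letters, as the rename procedure requires.
NAME_RE = re.compile(r"^[A-Za-z0-9~'’@#$%^&()_\-{}+]{1,16}\.[A-Za-z]{3}$")


def parse_name(name):
    """Split 'boot.cfg' into ('boot', 'cfg').

    Rejects anything the flat file system would not accept, including path
    separators ('../boot.cfg') and names longer than 16 characters.
    """
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid AT-S62 file name: {name!r}")
    base, ext = name.rsplit(".", 1)
    return base, ext.lower()


def rename_allowed(src, dst):
    """Return (ok, reason) for a Rename File request from src to dst."""
    try:
        _, src_ext = parse_name(src)
        _, dst_ext = parse_name(dst)
    except ValueError as exc:
        return False, str(exc)
    if src_ext == "ukf":
        # UKF files are encryption key pairs; they cannot be copied, renamed
        # or deleted through File Operations (see the note above).
        return False, "UKF key pairs cannot be renamed; delete the key instead"
    if src_ext != dst_ext:
        return False, f"extension must stay .{src_ext}"
    return True, "ok"
```

Run rename_allowed("boot.cfg", "boot_old.cfg") to see an accepted request, and rename_allowed("boot.cfg", "boot.txt") or rename_allowed("switchkey.ukf", "key2.ukf") to see the two rejections the menu would also refuse.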
Chapter 11: File System Displaying System Files Use this procedure to display a list of the system files currently stored on the switch. For information about shortcuts for specifying file names, see File Naming Conventions on page 162. To display a list of current system file names, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 9 to select System Utilities. 3.
AT-S62 Menus Interface User’s Guide The List Files menu is displayed. An example of the menu is shown in Figure 50. Allied Telesyn Ethernet Switch - AT-8524M - AT-S62 Production Switch User: Manager 11:20:02 02-Jan-2004 List Files File Name Device Size (Bytes) Last Modified ------------------------------------------------------------------default.cfg boot.cfg newcfg.cg serverkey150.key ProdSw.cer ProdSw2.
Chapter 12 File Downloads and Uploads This chapter contains procedures for downloading a new AT-S62 image file onto the switch. This chapter also contains procedures for uploading and downloading system files, such as boot configuration files, from the file system in a switch.
AT-S62 Menus Interface User’s Guide Downloading a New AT-S62 Image File onto a Switch The procedures in this section explain how to download a new AT-S62 image file onto the switch. These procedures can be used to update the AT-S62 image file on a switch with a new version of the file.
Chapter 12: File Downloads and Uploads to its default configuration values, refer to Returning the AT-S62 Software to the Factory Default Values on page 74. ❑ The AT-S62 image file contains the bootloader for the switch. You cannot load the image file and bootloader separately. The following guidelines apply to an Xmodem download: ❑ Xmodem can only download the image file onto the switch where you started the local management session.
AT-S62 Menus Interface User’s Guide Downloading an AT-S62 Image from a Local Management Session Review the Guidelines on page 175 before performing the following download procedure. To download a new software image onto a switch from a local management session using Xmodem or TFTP, perform the following procedure: 1. Establish a local management session on the switch where you want to download the new management software. 2. From the Main Menu, type 5 to select System Administration.
Chapter 12: File Downloads and Uploads 6. To download the AT-S62 image file using Xmodem, go to Step 7. To download the file using TFTP, do the following: a. Type T. The following prompt is displayed: TFTP Server IP address: b. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name: c. Enter the file name of the AT-S62 image file stored on the TFTP server. (Be sure to include the “.img” extension.
AT-S62 Menus Interface User’s Guide The following prompt is displayed: You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No] Note: Please select 1K Xmodem protocol for faster download. 8. Type Y for Yes. The prompt “Downloading” is displayed. 9. Begin the file transfer. Note The transfer protocol must be Xmodem or 1K Xmodem. As an example, steps 10 through 13 illustrate how to download a file using the Hilgraeve HyperTerminal program. 10.
Chapter 12: File Downloads and Uploads 11. Click Browse and specify the location and file to be downloaded onto the switch. 12. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem. 13. Click Send. The software immediately begins downloading the file onto the switch. The Xmodem File Send window in Figure 54 displays the status of the software download. The download process takes several minutes to complete.
AT-S62 Menus Interface User’s Guide Downloading an AT-S62 Image from a Telnet Management Session Review the Guidelines on page 175 before performing the following download procedure. To download a new AT-S62 image onto the application block portion of the switch’s flash memory, making it the active image file on the switch, from a Telnet management session using TFTP, perform the following procedure: 1.
Chapter 12: File Downloads and Uploads After receiving the file, the switch compares the version numbers of the new and existing image files. If the new image file has the same or an earlier version number as the file in the application block, the switch cancels the update process. If the new image file has a newer version number, the switch writes the file to the application block portion of flash memory and then resets.
AT-S62 Menus Interface User’s Guide Uploading an AT-S62 Image File Switch to Switch This procedure explains how to upload an AT-S62 software image from a master AT-8500 Series switch to other AT-8500 Series switches in an enhanced stack. Commonly referred to as a switch to switch transfer, this transfer method can simplify the task of updating the AT-S62 image file in the AT-8500 Series switches in an enhanced stack.
Chapter 12: File Downloads and Uploads The following prompt is displayed: Do you want to show remote switch burning flash -> [Yes/No] 6. You can respond with Yes or No to this prompt. It does not affect the upload. The following prompt is displayed: Do you want confirmation before downloading each switch -> [Yes/No] 7. If you answer Yes to this prompt, the management software displays a confirmation message before uploading the image file to a switch.
AT-S62 Menus Interface User’s Guide Uploading an AT-S62 Configuration File Switch to Switch This procedure uploads a boot configuration file from a master AT-8500 Series switch to another AT-8500 Series switch in an enhanced stack. This procedure provides you with an easy way of distributing a configuration file to different switches that are to share a similar configuration. For background information on configuration files, refer to Working with Boot Configuration Files on page 163.
Chapter 12: File Downloads and Uploads To upload a boot configuration file from the master switch to another switch in an enhanced stack, perform the following procedure: 1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 5 on page 49. 2. From the Enhanced Stacking menu, type 2 to select Stacking Services. Note The “2 - Stacking Services” selection is only available on master switches. The Stacking Services menu is shown in Figure 6 on page 50. 3.
AT-S62 Menus Interface User’s Guide The following prompt is displayed: Do you want confirmation before downloading each switch -> [Yes/No] 8. If you answer Yes to this prompt, the management software prompts you with a confirmation message before uploading the file to a switch. If you answer No, the management software does not display a confirmation prompt before uploading the file. The management software begins the upload.
Chapter 12: File Downloads and Uploads Downloading a System File This section contains procedures for downloading files into a switch’s file system using Xmodem or TFTP. There are several situations where you might want to download a file into a switch’s file system. For example, you might have edited a boot configuration file at your management workstation and want to download it onto a switch prior to designating it as the active boot file on the unit.
AT-S62 Menus Interface User’s Guide These guidelines apply to a TFTP download: ❑ Your network must have a node with TFTP server software. ❑ The file to be downloaded must be stored on the TFTP server. ❑ You should start the TFTP server software before you begin the download procedure. ❑ The switch where you are downloading the file must have an IP address and subnet mask, such as a master switch of an enhanced stack.
Chapter 12: File Downloads and Uploads The following prompt is displayed: Remote File Name: c. Enter the file name of the file on the TFTP server to download to the switch. You can specify only one file. The following prompt is displayed: Local File Name: d. Enter a name for the file. The file is given this name when it is stored in the switch’s file system. When naming a file, be sure to give it an extension that corresponds to its file type. The extensions and file types are listed in Table 2.
AT-S62 Menus Interface User’s Guide 8. Enter a name for the file. The file is given this name when stored in the switch’s file system. When naming a file, be sure to give it an extension that corresponds to its file type. The extensions and file types are listed in Table 2 on page 190. The following prompt is displayed: You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No] Note: Please select 1K Xmodem protocol for faster download. 9. Type Y for Yes.
Chapter 12: File Downloads and Uploads 12. Click Browse and specify the location and system file to be downloaded onto the switch. 13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem. 14. Click Send. The file immediately begins downloading onto the switch. The Xmodem File Send window in Figure 54 displays the status of the download. Figure 57 XModem File Send Window The download is complete when the Downloads and Uploads menu is displayed.
AT-S62 Menus Interface User’s Guide Downloading a File from a Telnet Management Session Review Guidelines on page 188 before performing this procedure. To download a file onto a switch from a Telnet management session using TFTP, perform the following procedure: 1. Establish a Telnet management session on the switch where you want to download the file. 2. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55. 3.
Chapter 12: File Downloads and Uploads After downloading the system file, the switch displays the following message: File received successfully! 10. If you downloaded a new configuration file and you want to make it the switch’s active boot file, go to Setting the Active Boot Configuration File on page 166. If you downloaded a CA certificate and need to add it to the certificate database, refer to Adding a Certificate to the Database on page 672.
AT-S62 Menus Interface User’s Guide Uploading a System File The procedures in this section upload a system file from a switch to a management workstation or TFTP server. You might perform one of these procedures to upload a configuration file from a switch so that you can modify it with a text editor at your management workstation. Or, you might have created a CA certificate enrollment request on the switch and need to upload it to your workstation prior to submitting it to a CA.
Chapter 12: File Downloads and Uploads Uploading a File from a Local Management Session Review Guidelines on page 195 before performing this procedure. To upload a system file from a switch to a workstation or TFTP server from a local management session using Xmodem or TFTP, perform the following procedure: 1. Establish a local management session on the switch where you want to upload the system file. 2. From the Main Menu, type 5 to select System Administration.
AT-S62 Menus Interface User’s Guide d. Enter the name of the file in the switch’s file system you want to upload to the TFTP server. You can specify only one file. You may not use wildcards in the filename. The following message is displayed: Sending the file to Remote TFTP Server - Please wait ... Once the file is uploaded, the following message is displayed: File sent successfully! The file is now stored on the TFTP server.
Chapter 12: File Downloads and Uploads 11. From the HyperTerminal main window, select Receive File from the Transfer pull-down menu, as shown in Figure 58. Figure 58 Local Management Window The Receive File window is shown in Figure 59. Figure 59 Receive File Window 12. Click Browse and specify the location on your computer where you want the system file stored. 13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem. 14. Click Receive. 15.
Uploading a File from a Telnet Management Session Review Guidelines on page 195 before performing this procedure. To upload a system file from the switch using a Telnet management session and TFTP, perform the following procedure: 1. Establish a Telnet management session on the switch containing the system file you want to upload to the TFTP server. 2. From the Main Menu, type 5 to select System Administration.
Chapter 12: File Downloads and Uploads After the switch has uploaded the system file, the following message is displayed: File sent successfully! The file is now stored on the TFTP server. This completes the procedure for uploading a file from a Telnet management session using TFTP.
Chapter 13 Event Log and Syslog Servers This chapter describes how to view the event messages in the event log and how to configure the switch to send its event messages to a syslog server.
Chapter 13: Event Log Event Log and Syslog Server Overview A managed switch is a complex piece of computer equipment that includes both hardware and software components. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurs.
Managing the Event Log The following procedures explain how to view the events in the event log as well as how to enable or disable the log.
The Event Log menu is shown in Figure 60.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Event Log
1 - Event Logging .............. Enabled
2 - Display Output ............. Temporary (Memory)
3 - Display Order .............. Chronological
4 - Display Mode ............... Normal
5 - Display Severity ........... E,W,I
6 - Display Module .............
AT-S62 Menus Interface User’s Guide 3- Display Order Controls the order of the events in the log. Choices are Chronological, which displays the events in the order oldest to newest, and Reverse Chronological, which displays the events newest to oldest. The default is Chronological. 4 - Display Mode Controls the format of the event log.
Chapter 13: Event Log instruct the switch to display only those events that apply to selected modules. The default is ALL, which displays the events for all modules. The modules are defined in Table 4.
Table 4 AT-S62 Modules
Module Name   Description
PTRUNK        Port trunking
QOS           Quality of Service
RADIUS        RADIUS authentication protocol
SNMP          SNMP
SSH           Secure Shell protocol
SSL           Secure Sockets Layer protocol
STP           Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree protocols
SYSTEM        Hardware status; Manager and Operator log in and log off events.
Figure 61 shows an example of the event log in the Full display mode. The Normal display mode does not include the Filename, Line Number, and Event ID items.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager 11:20:02 02-Jan-2004
Event Log
S Date    Time     EventID Source File:Line Number Event
------------------------------------------------------------------
I 2/01/04 09:11:02 073001  garpmain.c:259          garp: GARP initialized
I 2/01/04 09:55:15 083001  portconfig.
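The following Python example is added here and is not part of the AT-S62 software or of this guide. It parses event log lines in the layout shown in Figure 61 (severity letter, date, time, six-digit event ID, source file and line, then the event text prefixed with its module name) and in the Normal layout, which drops the event ID and source columns, so that a log copied from a management session can be filtered offline the way the Display Severity and Display Module options filter it on the switch. Only the first sample line is the one printed in Figure 61; the other sample lines, the wording of the login messages, and the set of severity letters beyond E, W, and I are constructed for the example.

```python
"""Parser for AT-S62 event log lines (Full and Normal display modes).

Added example, not Allied Telesyn code. Column order for Full mode is taken
from Figure 61; Normal mode omits the event ID and source columns. The
sample log is constructed: only its first line appears in the guide.
"""
import re

FULL_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+"
    r"(?P<date>\d{1,2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event_id>\d{6})\s+"
    r"(?P<source>\S+:\d+)\s+"
    r"(?P<module>[A-Za-z0-9]+):\s+"
    r"(?P<msg>.*)$"
)
NORMAL_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+"
    r"(?P<date>\d{1,2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>[A-Za-z0-9]+):\s+"
    r"(?P<msg>.*)$"
)

# Constructed sample. Line 1 is from Figure 61; the rest are invented, and
# the login message wording is an assumption.
SAMPLE_LOG = """\
I 2/01/04 09:11:02 073001 garpmain.c:259 garp: GARP initialized
I 2/01/04 09:55:15 083002 pmirror.c:120 pmirr: Port mirroring enabled, mirror-to port 24
W 2/01/04 10:02:44 201003 radius.c:88 radius: No response from server 10.0.0.5
I 2/01/04 10:03:01 100014 login.c:51 system: Manager login from 10.0.0.77 (Telnet)
E 2/01/04 10:03:09 100017 login.c:77 system: Manager login failed from 10.0.0.77 (Telnet)
"""


def parse_event(line):
    """Return a dict for one event line, or None for banner, header and
    separator lines. Full mode is tried first; a Normal line cannot match
    it because the event ID column is missing."""
    m = FULL_RE.match(line) or NORMAL_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.setdefault("event_id", None)   # absent in Normal mode
    ev.setdefault("source", None)
    ev["module"] = ev["module"].upper()   # Table 4 names modules in upper case
    return ev


def parse_log(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def select(events, severities=None, modules=None):
    """Offline equivalent of the Display Severity and Display Module options."""
    return [ev for ev in events
            if (severities is None or ev["sev"] in severities)
            and (modules is None or ev["module"] in modules)]


def manager_logins(events):
    """SYSTEM carries Manager and Operator log in and log off events (Table 4).
    Pull them out for forwarding or alerting; message wording is assumed."""
    return [ev for ev in select(events, modules={"SYSTEM"})
            if "login" in ev["msg"].lower() or "log in" in ev["msg"].lower()]
```

Running parse_log(SAMPLE_LOG) and then select(events, severities={"E", "W"}) yields the RADIUS timeout and the failed Manager login, the two lines an operator would want forwarded even if the log is set to Halt on Full and stops recording.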
AT-S62 Menus Interface User’s Guide Modifying the Event Log Full Action This procedure explains how to control what the log will do once it reaches its maximum capacity of 4,000 events. You have two options. The first is to have the switch delete the oldest entries as it adds new entries to the log. The second is to have the switch stop adding entries, so as to preserve the existing log contents. This procedure is only relevant when viewing the event log through a local or remote management session.
Chapter 13: Event Log Enter new log full action (1-Wrap on Full, 2-Halt on Full) -> 6. Type 1 if you want the switch to delete the oldest entries as it adds new entries, or 2 if the switch is to stop adding entries when the log reaches maximum capacity. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S62 Menus Interface User’s Guide Managing Syslog Server Definitions As explained at the start of this chapter, there are two ways that you can view the events generated by a switch. One way is to view the switch’s event log through a local or remote management session. The drawbacks to this approach are that you have to establish a management session with the switch before you can view the log and you can view the log of only one switch at a time.
Chapter 13: Event Log Creating a Syslog Server Definition To create a syslog server definition, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 60 on page 204. 3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu is shown in Figure 62 on page 209. 4. Type 1 to select Create Log Output.
3 - Message Generation Enables or disables the syslog server definition. When disabled, which is the default, the switch does not send events to the syslog server; when enabled, it does. 4 - Message Format The information sent with each event. Choices are: ❑ Normal - sends the severity, module, and description. ❑ Extended - sends the same as Normal, plus the date, time, and switch’s IP address. This is the default.
Table 5 Applicable RFC 3164 Numerical Code and AT-S62 Module Mappings
Numerical Code   RFC 3164 Facility   AT-S62 Module
9                Clock daemon        Time-based modules: TIME (system time and SNTP), RTC
22               Local use 6         Physical interface and data link modules: PCFG, PMIRR, PTRUNK, STP, VLAN
23               Local use 7         SYSTEM events related to major exceptions.
16               Local use 0         All other modules and events.
Table 6 Numerical Code and Facility Level Mappings
Numerical Code   Facility Level Setting
18               LOCAL2
19               LOCAL3
20               LOCAL4
21               LOCAL5
22               LOCAL6
23               LOCAL7
For example, selecting LOCAL2 as the facility level assigns the numerical code of 18 to all events sent to the syslog server by the switch. 6 - Event Severity The severity of events to be sent by the switch to the syslog server.
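The following Python example is added here and is not part of the AT-S62 software or of this guide. It implements the RFC 3164 priority arithmetic (PRI = facility × 8 + severity) together with the facility mappings of Table 5 and Table 6, so that the collector side can recover which module group an event came from: local6 for the port, mirroring, trunk, STP, and VLAN modules, local7 for SYSTEM exceptions, local0 for everything else, or a single fixed code when a facility level such as LOCAL2 is selected. Two things are assumptions rather than statements of the guide: the mapping of the E, W, and I severity letters (and an assumed D) to RFC 3164 severity numbers, and the byte layout of the Normal and Extended message bodies, for which the guide lists the fields but not their encoding. LOCAL0 and LOCAL1 (codes 16 and 17) are taken from RFC 3164 to complete Table 6.

```python
"""RFC 3164 priority arithmetic and the AT-S62 facility mappings.

Added example, not Allied Telesyn code. Table 5 and Table 6 are carried
verbatim; the severity-letter mapping and the body layout are assumptions.
"""
import re

# Table 5: module -> numerical facility code. Everything else is local0 (16).
MODULE_FACILITY = {
    "TIME": 9, "RTC": 9,                                            # clock daemon
    "PCFG": 22, "PMIRR": 22, "PTRUNK": 22, "STP": 22, "VLAN": 22,    # local use 6
    "SYSTEM": 23,                                                   # local use 7
}
DEFAULT_FACILITY = 16

# Table 6, completed with LOCAL0/LOCAL1 from RFC 3164. A fixed facility level
# stamps every event with that one code regardless of module.
FACILITY_LEVEL = {f"LOCAL{i}": 16 + i for i in range(8)}
FACILITY_LABEL = {code: name for name, code in FACILITY_LEVEL.items()}
FACILITY_LABEL[9] = "CLOCK"

# Assumed: E, W, I, D -> RFC 3164 error(3), warning(4), informational(6), debug(7).
SEVERITY_CODE = {"E": 3, "W": 4, "I": 6, "D": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)            # (facility, severity)


def facility_for(module, facility_level=None):
    """Fixed level if one is configured (Table 6), else per-module code (Table 5)."""
    if facility_level is not None:
        return FACILITY_LEVEL[facility_level.upper()]
    return MODULE_FACILITY.get(module.upper(), DEFAULT_FACILITY)


def format_syslog(event, facility_level=None, extended=True, switch_ip=None):
    """Datagram payload for one event. Normal carries severity, module and
    description; Extended prepends date, time and the switch's IP address.
    The field order and separators are assumed."""
    pri = encode_pri(facility_for(event["module"], facility_level),
                     SEVERITY_CODE[event["sev"]])
    body = f"{event['sev']} {event['module']}: {event['msg']}"
    if extended:
        body = f"{event['date']} {event['time']} {switch_ip} {body}"
    return f"<{pri}>{body}"


def parse_syslog(payload):
    """Collector side: recover facility and severity from the PRI so that
    local6 (ports, mirroring, trunks, STP, VLAN) and local7 (SYSTEM
    exceptions) events can be routed to the right alert rules."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("payload has no <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "facility_label": FACILITY_LABEL.get(facility, str(facility)),
            "body": m.group(2)}
```

With the default (per-module) facilities, an STP warning arrives as PRI 180 (22 × 8 + 4) and a collector can route everything in local6 to the network-change rules; with LOCAL2 selected, the same event arrives as PRI 148 and the module name in the body is the only clue to its origin.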
Chapter 13: Event Log The switch immediately begins to send events to the server, if you enabled the definition when you created it, and adds the new syslog server definition to the Configure Log Outputs menu. An example of the menu with a syslog server definition is shown in Figure 64.
AT-S62 Menus Interface User’s Guide The Syslog Server Configuration menu is shown in Figure 63 on page 212. The menu contains the specifications of the selected definition. 6. Modify the settings as needed. For definitions of the parameters, refer to Creating a Syslog Server Definition on page 212. You cannot change a definition’s output ID number. 7. When you are finished modifying the settings, type M to select Modify Log Output. The Configure Log Outputs menu is displayed again. 8.
Chapter 13: Event Log Displaying a Syslog Server Definition To display the details of an existing syslog server definition, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 60 on page 204. 3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu is shown in Figure 62 on page 209. 4.
Chapter 14 Classifiers This chapter explains classifiers and how you can create classifiers to define traffic flows.
Chapter 14: Classifiers Classifier Overview A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter could be packets with specific source and destination MAC addresses. A classifier consists of a set of criteria. You configure the criteria to match the traffic flow you want the classifier to define.
AT-S62 Menus Interface User’s Guide As with an ACL, you specify the traffic flow of interest by creating one or more classifiers and applying them to a QoS policy. The action to be taken by a port when it receives a packet that corresponds to the prescribed flow is dictated by the QoS policy, as explained in Chapter 16 on page 253. In summary, a classifier is a list of variables that define a traffic flow.
Chapter 14: Classifiers 802.1p Priority Level (Layer 2) A tagged Ethernet frame, as explained in Tagged VLAN Overview on page 523, contains within it a field that specifies its VLAN membership. Such frames also contain a user priority level used by the switch to determine the Quality of Service to apply to the frame and which egress queue on the egress port a packet should be stored in. The three bit binary number represents eight priority levels, 0 to 7, with 0 the lowest priority and 7 the highest.
Protocol (Layer 2) Traffic flows can be identified by any of the following Layer 2 protocols: ❑ IP ❑ ARP ❑ RARP ❑ Protocol Number Observe the following guidelines when using this variable: ❑ This variable must be left blank or set to IP when setting a Layer 3 or Layer 4 variable. ❑ To specify a protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose hexadecimal, precede the number with the prefix “0x”.
Chapter 14: Classifiers Observe these guidelines when using this criterion: ❑ The Protocol variable must be left blank or set to IP. ❑ You cannot specify both an IP ToS value and an IP DSCP value in the same classifier. IP DSCP (DiffServ Code Point) (ToS) (Layer 3) The Differentiated Services Code Point (DSCP) tag indicates the class of service to which packets belong. The DSCP value is written into the TOS field of the IP header, as shown in Figure 66 on page 223.
AT-S62 Menus Interface User’s Guide You do not need to enter a source IP mask if you are filtering on the IP address of a specific end node. A mask is required, however, when filtering on a subnet. A binary “1” indicates the switch should filter on the corresponding bit of the IP address, while a “0” indicates that it should not. For example, the Class C subnet address 149.11.11.0 would have the mask “255.255.255.0”.
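The following Python example is added here and is not part of the AT-S62 software or of this guide. It reproduces the mask semantics just described (a 1 bit in the mask means the corresponding bit of the address is compared, a 0 bit means it is ignored) so that a classifier's IP address and mask can be checked against sample addresses before the classifier is attached to an ACL or QoS policy. Treating a missing mask as 255.255.255.255 is an inference from the guide's statement that no mask is needed when filtering on a single end node. The contiguity check catches the common slip of entering a wildcard mask (0.0.0.255) where the switch expects a subnet mask: under these semantics such a mask compares only the last octet, so the classifier matches hosts on every network.

```python
"""Classifier IP address/mask matching with the AT-S62 mask semantics.

Added example, not Allied Telesyn code. 1 bits in the mask select address
bits to compare; a missing mask is taken as 255.255.255.255 (exact host),
an inference from the guide.
"""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def classifier_matches(address, classifier_ip, classifier_mask=None):
    """True if address falls within the flow defined by classifier_ip/mask."""
    mask = _to_int(classifier_mask) if classifier_mask else 0xFFFFFFFF
    return (_to_int(address) & mask) == (_to_int(classifier_ip) & mask)


def is_contiguous_mask(mask):
    """True for a subnet mask whose 1 bits are all at the top (255.255.255.0).
    A wildcard-style mask such as 0.0.0.255 is not contiguous and almost
    certainly not what was intended on this switch."""
    inverted = (~_to_int(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def prefix_to_mask(prefix_len):
    """/24 -> '255.255.255.0', for turning CIDR notation into what the menu expects."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def evaluate(classifier_ip, classifier_mask, samples):
    """Return (matching_samples, warnings) for a proposed classifier."""
    warnings = []
    if classifier_mask and not is_contiguous_mask(classifier_mask):
        warnings.append(f"mask {classifier_mask} is not contiguous; "
                        "did you enter a wildcard mask instead of a subnet mask?")
    matching = [a for a in samples
                if classifier_matches(a, classifier_ip, classifier_mask)]
    return matching, warnings
```

evaluate("149.11.11.0", "255.255.255.0", [...]) matches only the Class C subnet from the example above, whereas evaluate("149.11.11.0", "0.0.0.255", [...]) matches 1.2.3.0 as readily as 149.11.11.0 and returns a warning.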
Chapter 14: Classifiers ❑ The Protocol variable must be left blank or set to IP. ❑ The IP Protocol variable must be left blank or set to UDP. ❑ A classifier cannot contain criteria for both TCP and UDP ports. You may specify only one in a classifier.
AT-S62 Menus Interface User’s Guide ❑ You cannot create two classifiers that have the same settings. There can be only one classifier for any given type of traffic flow. ❑ The switch can store up to 256 classifiers. However, the maximum number of classifiers that you can assign to access control lists and QoS policies at any one time will be from 14 to 127.
Creating a Classifier
This section contains the procedure for creating a classifier. As explained in Classifier Overview on page 220, a classifier is a series of variables that you set to define a traffic flow. To create a classifier, do the following:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 1 to select Classifier Configuration. The Classifier Configuration menu is shown in Figure 67.

The Create Classifier menu (page 1) is shown in Figure 68.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Create Classifier

01 - Classifier ID: . 2
02 - Description: ...
03 - Dst MAC: .......
04 - Src MAC: .......
05 - Eth Format .....
06 - Priority: ......
07 - VLAN ID: .......
08 - Protocol: ......
09 - IP ToS: ........
10 - IP DSCP: .......

E - Edit Parameters
C, N, U - (option labels not legible in the source)
R - Return to Previous Menu

4. To set a variable, type E to select Edit Parameters. The following prompt is displayed:
Enter parameter ID to edit: [1 to 19] ->1
5. Enter the number of the variable you want to configure. You can configure only one parameter at a time.
6. Enter the new value for the variable. Refer to Classifier Overview on page 220 for definitions of the variables.
Note
Option 1 is used to assign the classifier an ID number. Each classifier must have a unique number. The range is 1 to 9999.

Modifying a Classifier
In order to modify a classifier, you need to know its ID number. To view classifier ID numbers, refer to Displaying Classifiers on page 235. You cannot modify a classifier if it belongs to an ACL or QoS policy that is assigned to a port. You must first remove the port assignments from the ACL or policy before you can modify the classifier. To modify a classifier, do the following:
1. From the Main Menu, type 7 to select Security and Services.
2.

9. To add the modified classifier to an ACL, refer to Creating an ACL on page 245 or Modifying an ACL on page 247. To add it to a QoS policy, refer to Managing Flow Groups on page 269.

Deleting a Classifier
This procedure deletes a classifier from the switch. To delete a classifier, you need to know its ID number. To view classifier ID numbers, refer to Displaying Classifiers on page 235. You cannot delete a classifier if it belongs to an ACL or QoS policy. You must first remove the classifier from its ACL and QoS policy assignments before you can delete it. To delete a classifier, do the following:
1.

Deleting All Classifiers
This procedure deletes all classifiers from the switch. To delete individual classifiers, perform Deleting a Classifier on page 233. You cannot delete the classifiers if any of them belong to an ACL or QoS policy. All classifiers must be removed from their ACL and QoS policy assignments before you can delete them. To delete all classifiers, do the following:
1. From the Main Menu, type 7 to select Security and Services.
2.

Displaying Classifiers
To display the classifiers on a switch, do the following:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 1 to select Classifier Configuration. The Classifier Configuration menu is shown in Figure 67 on page 228.
3. From the Classifier Configuration menu, type 4 to select Show Classifiers. An example of the Show Classifiers window is illustrated in Figure 70.

❑ Number of Active Associations - The number of current assignments of the classifier to active ACLs and QoS policies only.
4. To view the details of a classifier, type D to select Detail Classifier Display. The following prompt is displayed:
Enter Classifier ID : [1 to 9999] -> 1
5. Enter the ID number of the classifier you want to display. The details of the specified classifier are displayed. For examples of the windows, refer to Figure 68 on page 229 and Figure 69 on page 229.
Chapter 15 Access Control Lists This chapter explains access control lists (ACL) and how you can use this feature to improve network security and performance.
Access Control List (ACL) Overview
An ACL is a filter that controls the ingress packets on a port. You can use this feature to control which ingress packets a port accepts and which it rejects. Packets are filtered based on the criteria defined in the classifiers assigned to an ACL. This feature has several benefits. One is that it can add to your network security.

Here is an overview of how the process works.
1. When an ingress packet arrives on a port, the switch checks it against the criteria in the classifiers of all the ACLs, both permit and deny, assigned to that port.
2. If the packet matches the criteria of a permit ACL, the port immediately accepts it. Because a permit ACL overrides a deny ACL, the packet is accepted even if it also matches a deny ACL assigned to the same port.
3.

❑ The order in which you add ACLs to a port does not matter. An ingress packet is compared against all the ACLs assigned to a port.
❑ A classifier can be assigned to multiple ACLs. However, a classifier cannot be assigned more than once to a port. Put another way, ACLs that share the same classifier cannot be assigned to the same port.
❑ The switch can store up to 64 ACLs.

Examples
This section contains several examples of ACLs.

To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL. This example denies traffic on port 4 from three subnets using three classifiers, one for each subnet, assigned to the same ACL.

Create Classifier
01 - Classifier ID: ..... 22
02 - Description: ...... 149.11.11 flow
.
.
12 - Src IP Addr: ..... 149.11.11.0
13 - Src IP Mask: .... 255.255.255.0

Create Access Control Lists (ACL)
1 - ACL ID .............

You can achieve the same result by assigning each classifier to a different ACL and assigning the ACLs to the same port, as in this example, again for port 4.

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... 149.11.11-deny
3 - Action .................. Deny
4 - Classifier List ...... 22
5 - Port List .............. 4

Create Access Control Lists (ACL)
1 - ACL ID ................. 22
2 - Description .......... 149.22.22.

In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ID 17 specifies all IP traffic and is assigned to an ACL whose action is deny. Since a permit ACL overrides a deny ACL, the port will accept the traffic from the 149.44.44.

The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 with a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited.

Create Classifier

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... ToS 6 traffic - permit
3 - Action .................. Permit
4 - Classifier List ...... 6
5 - Port List ..............
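The matching rules above (mask bits, every ACL on the port is checked, permit overrides deny) as a small model, added here and not Allied Telesyn code. It reproduces the port 14/15 and port 17 examples; the packet dicts, the ACL IDs other than ACL 4, and classifier IDs 901 and 902 for the two deny classifiers are constructed. It also assumes a packet that matches no ACL on its port is accepted, which the chapter implies by denying ARP explicitly.

```python
"""Model of ingress ACL filtering as described in the AT-S62 ACL overview.

Added example, not Allied Telesyn code. Classifier fields, the permit-overrides-
deny rule and the two worked examples follow the chapter; packet dicts and the
deny classifier IDs (901, 902) are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_matches(addr: str, filter_addr: str, mask: str) -> bool:
    """Mask semantics from the chapter: a '1' bit means compare that bit of the
    address, a '0' bit means ignore it. No mask means match the exact end node."""
    a = int(ipaddress.IPv4Address(addr))
    f = int(ipaddress.IPv4Address(filter_addr))
    m = int(ipaddress.IPv4Address(mask)) if mask else 0xFFFFFFFF
    return (a & m) == (f & m)


@dataclass
class Classifier:
    cid: int
    protocol: str = ""            # "" (blank) matches any Layer 2 protocol
    src_ip: str = ""
    src_mask: str = ""
    dst_ip: str = ""
    dst_mask: str = ""
    tos: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.src_ip and ("src" not in pkt or not ip_matches(pkt["src"], self.src_ip, self.src_mask)):
            return False
        if self.dst_ip and ("dst" not in pkt or not ip_matches(pkt["dst"], self.dst_ip, self.dst_mask)):
            return False
        if self.tos is not None and pkt.get("tos") != self.tos:
            return False
        return True


@dataclass
class ACL:
    acl_id: int
    action: str                   # "permit" or "deny"
    classifiers: list[Classifier]
    ports: list[int]


def port_accepts(acls: list[ACL], port: int, pkt: dict) -> bool:
    """Check every ACL on the port (order is irrelevant). A permit match wins even
    if a deny ACL also matches; a deny match with no permit match rejects.
    Assumption (not stated on this page): no match at all means accept."""
    deny_hit = False
    for acl in acls:
        if port not in acl.ports:
            continue
        if any(c.matches(pkt) for c in acl.classifiers):
            if acl.action == "permit":
                return True
            deny_hit = True
    return not deny_hit


def check_unique_per_port(acls: list[ACL]) -> list[tuple[int, int]]:
    """Guideline from the chapter: a classifier may not be assigned to the same
    port more than once, even through different ACLs. Returns (port, cid) repeats."""
    seen: set[tuple[int, int]] = set()
    repeats = []
    for acl in acls:
        for port in acl.ports:
            for c in acl.classifiers:
                if (port, c.cid) in seen:
                    repeats.append((port, c.cid))
                seen.add((port, c.cid))
    return repeats


# Chapter example: ports 14 and 15 accept only IP from 149.44.44.0/24.
C11 = Classifier(11, protocol="IP", src_ip="149.44.44.0", src_mask="255.255.255.0")
C17 = Classifier(17, protocol="IP")                          # all IP traffic
# Chapter example: port 17 accepts only ToS 6 IP from 149.22.11.0/24 to
# 149.22.22.22; all other IP and all ARP is denied (901/902 are constructed IDs).
C6 = Classifier(6, protocol="IP", src_ip="149.22.11.0", src_mask="255.255.255.0",
                dst_ip="149.22.22.22", tos=6)
C901 = Classifier(901, protocol="IP")
C902 = Classifier(902, protocol="ARP")

ACLS = [
    ACL(1, "permit", [C11], [14, 15]),   # ACL IDs 1, 2 and 5 are constructed
    ACL(2, "deny", [C17], [14, 15]),
    ACL(4, "permit", [C6], [17]),
    ACL(5, "deny", [C901, C902], [17]),
]
```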
Creating an ACL
This procedure explains how to create an ACL. In order to perform this procedure, you need to know the ID numbers of the classifiers you want to assign to the ACL. To view classifier ID numbers, refer to Displaying Classifiers on page 235. To create an ACL, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists.

4. Type 1 to select ACL ID and, when prompted, enter an ID number for the ACL. Every ACL on the switch must have a unique ID number. The range is 0 to 255. The default is the lowest unused number. This parameter is required.
5. Type 2 to select Description and enter a description for the ACL. A description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended.

Modifying an ACL
This procedure explains how to modify an ACL. In order to perform this procedure, you need to know the ID number of the ACL you want to modify. To display ACL ID numbers, refer to Displaying ACLs on page 252. If you plan to add classifiers to the ACL, you also need to know the ID numbers of the classifiers. To view classifier ID numbers, refer to Displaying Classifiers on page 235. To modify an ACL, perform the following procedure:
1.

5. To change the description of the ACL, type 2 to select Description and enter a new description for the ACL. The description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended. Assigning each ACL a name will make it easier for you to identify them.
6. To change the ACL’s action, type 3 to select Action. The following prompt is displayed:
Enter Value [0 - Deny, 1 - Permit] : [0 to 1] -> 0
7.

Deleting an ACL
This procedure deletes an ACL from the switch. In order to perform this procedure, you need to know the ID number of the ACL you want to delete. To display ACL ID numbers, refer to Displaying ACLs on page 252. To delete an ACL, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists.

A deleted ACL is immediately removed from the switch.
6. To delete additional ACLs, repeat this procedure starting with step 3.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting All ACLs
This procedure deletes all ACLs from the switch. To delete all ACLs, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 77 on page 245.
3. From the Access Control Lists (ACL) menu, type P to select Purge ACLs.
Caution
No confirmation prompt is displayed.

Displaying ACLs
To display the ACLs on a switch, perform this procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 77 on page 245.
3. From the Access Control Lists (ACL) menu, type 4 to select Show ACLs. An example of the Show ACLs window is illustrated in Figure 81.
Chapter 16 Quality of Service This chapter describes Quality of Service (QoS).
Quality of Service Overview
Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN the same. Without QoS, every traffic type is equally likely to be dropped if a link becomes oversubscribed.

Note
QoS is only performed on packets which are switched at wirespeed. This includes IP, IP multicast, IPX, and Layer 2 traffic within VLANs.
The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to the bandwidth or priority settings in the policy.

Classifiers
Classifiers are used to identify a particular traffic flow, and range from general to specific. (See Chapter 14, Classifiers on page 219 for more information.) Note that a single classifier should not be used in different flows that will end up, via traffic classes, assigned to the same policy. A classifier should only be used once per policy. Traffic is matched in the order of classifiers.

Note that the switch can only perform error checking of parameters and parameter values for the policy and its traffic classes and flow groups when the policy is set on a port.

QoS Policy Guidelines
❑ A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results. A classifier may be used successfully in many different policies.

Bandwidth Allocation
Bandwidth limiting is configured at the level of traffic classes, and encompasses the flow groups contained in the traffic class. Traffic classes can be assigned maximum bandwidths, specified in kbps, Mbps or Gbps.

Packet Prioritization
The switch has four Class of Service (CoS) egress queues, numbered from 0 to 3. Queue 3 has the highest priority. When the switch becomes congested, it gives high-priority queues precedence over lower-priority queues.

DiffServ domains.
❑ The DSCP value of the IP header’s ToS byte (Figure 66 on page 223). Replacing this field may be required as part of the configuration of a DiffServ domain. See DiffServ Domains on page 259 for information on using the QoS policy model and the DSCP value to configure a DiffServ domain.

A simple example of this process is shown in Figure 82, for limiting the amount of bandwidth used by traffic from a particular IP address. In the domain shown, this bandwidth limit is supplied by the class of service represented by a DSCP value of 40. In the next DiffServ domain, this traffic is assigned to the class of service represented by a DSCP value of 3.

2. On switches and routers within the DiffServ domain, classify packets according to the DSCP values that were assigned to traffic classes on the edge switches. Assign the classifiers to flow groups and the flow groups to traffic classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain.

Examples

Voice Applications
Voice applications typically require a small but consistent bandwidth. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority. This example creates two policies that ensure low latency for all traffic sent by and destined to a voice application located on a node with the IP address 149.44.44.44.

The parts of the policies are:
❑ Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address since this classifier is part of a policy for packets coming from the application. The classifier for Policy 11 specifies the address as a destination address since this classifier is part of a policy for packets going to the application.

Video Applications
Video applications typically require a larger bandwidth than voice applications. Video applications can be set up to have a high priority and buffering, depending on the application. This example creates policies with low latency and jitter for video streams (for example, net conference calls). The policies in Figure 84 assign the packets a priority level of 4 and limit the bandwidth to 5 Mbps. The node containing the application has the IP address 149.44.

The parts of the policies are:
❑ Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning packets coming from the application. The classifier for Policy 32 specifies the address as a destination address since this classifier is part of a policy concerning packets going to the application.

Critical Database
Critical databases typically require a high bandwidth. They also typically require less priority than either voice or video. The policies in Figure 85 assign 50 Mbps bandwidth, with no change to priority, to traffic going to and from a database. The database is located on a node with the IP address 149.44.44.44 on port 1 of the switch.

Policy 15
Create Classifier
01 - Classifier ID: ..... 42
02 - Description ....... Database
.

Policy 17
Create Classifier

Policy Component Hierarchy
The purpose of this example is to illustrate the hierarchy that exists among the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels: flow group, traffic class and policy.

Create Classifier
01 - Classifier ID: ..... 1
.
14 - Dst IP Addr ..... 149.11.11.0
15 - Dst IP Mask ..... 255.255.255.0

Create Classifier
01 - Classifier ID: ..... 2
.
14 - Dst IP Addr ..... 149.22.22.0
15 - Dst IP Mask ..... 255.255.255.0

Create Flow Group
1 - Flow Group ID ......... 1
.
3 - DSCP Value ............. 10
.
6 - Classifier List ............ 1,2

Create Traffic Class
1 - Traffic Class ID: ........ 1
.
5 - DSCP value ............. 30
.
A - Flow Group List .....
Managing Flow Groups
This section contains the following procedures:
❑ Creating a Flow Group on page 269
❑ Modifying a Flow Group on page 271
❑ Deleting a Flow Group on page 272
❑ Displaying Flow Groups on page 273

Creating a Flow Group
To create a flow group, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.

The Flow Group Configuration menu is shown in Figure 88.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Flow Group Configuration

1 - Create Flow Group
2 - Modify Flow Group
3 - Destroy Flow Group
4 - Show Flow Groups

R - Return to Previous Menu

Enter your selection?

Figure 88 Flow Group Configuration Menu

4. Type 1 to select Create Flow Group. The Create Flow Group menu is shown in Figure 89.

2 - Description
Specifies a description for the flow group. The description can be from 1 to 15 alphanumeric characters. Spaces are allowed. This parameter is optional, but recommended. Names can help you identify the groups on the switch.
3 - DSCP value
Specifies a replacement value to write into the DSCP (ToS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy.

The Flow Group Configuration menu is shown in Figure 88 on page 270.
4. Type 2 to select Modify Flow Group. The following prompt is displayed:
Available Flow Group(s): 0-10
Enter Flow Group ID : [0 to 1023] -> 0
5. Enter the ID number of the flow group you want to modify. You can modify only one flow group at a time. The Modify Flow Group menu is displayed. The menu contains the specifications of the selected flow group.
6. Modify the settings as needed.

4. Type 3 to select Destroy Flow Group. The following prompt is displayed:
Available Flow Group(s): 0-10
Enter Flow Group ID : [0 to 1023] -> 0
5. Enter the ID number of the flow group you want to delete. You can delete only one flow group at a time. The Destroy Flow Group menu is displayed. The menu contains the specifications of the selected flow group. Use this menu to confirm that you are deleting the correct flow group.
6. Type D to delete the flow group.

The Show Flow Groups menu is shown in Figure 90.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Show Flow Groups

Number of Flow Groups: 5

ID   Description
------------------------------------------------
0    Dev database
1    Inv database
2    Video1
3    Video2
4    Demo dev

D - Detail Flow Group Display
U - Update Display
R - Return to Previous Menu

Enter your selection?

Figure 90 Show Flow Groups Menu

5.

Managing Traffic Classes
This section contains the following procedures:
❑ Creating a Traffic Class on page 275
❑ Modifying a Traffic Class on page 279
❑ Deleting a Traffic Class on page 280
❑ Displaying Traffic Classes on page 280

Creating a Traffic Class
To create a traffic class, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.

The Create Traffic Class menu is shown in Figure 92.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Create Traffic Class

1 - Traffic Class ID .......... 0
2 - Description ...............
3 - Exceed Action ............. Drop
4 - Exceed Remark Value ....... 0
5 - DSCP value ................
6 - Max bandwidth .............
7 - Burst Size ................
8 - Priority ..................
9 - Remark Priority ..........
A -

5 - DSCP value
Specifies a replacement value to write into the DSCP (ToS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy. A DSCP value specified in a flow group overrides a DSCP value specified at the traffic class or policy level. A DSCP value specified at the traffic class level is used only if no value has been specified at the flow group level.

If the amount of traffic flow matches the maximum bandwidth, no traffic is dropped because the number of tokens added to the bucket matches the number being used by the traffic. However, no unused tokens will accumulate in the bucket. If the traffic increases, the excess traffic will be discarded since no tokens are available for handling the increase.
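A simulation of the token-bucket behaviour just described, together with the DSCP precedence rule from the DSCP value parameter above, added here as an example and not Allied Telesyn code. The bandwidth, burst size and packet streams are constructed values; the DSCP values 10 and 30 mirror the Policy Component Hierarchy example.

```python
"""Added example (not Allied Telesyn code): token-bucket bandwidth limiting
for a QoS traffic class and DSCP precedence among flow group, traffic class
and policy. All rates, burst sizes and packet streams are constructed."""
from typing import Optional, Tuple


def resolve_dscp(flow_group: Optional[int], traffic_class: Optional[int],
                 policy: Optional[int]) -> Optional[int]:
    """Flow group value wins; the traffic class value applies only if the flow
    group sets none; the policy value only if neither does. None = unchanged."""
    for value in (flow_group, traffic_class, policy):
        if value is not None:
            if not 0 <= value <= 63:
                raise ValueError("DSCP value must be 0 to 63")
            return value
    return None


class TokenBucket:
    """Tokens (bytes) are added at the class's maximum bandwidth; the bucket
    never holds more than the burst size, so unused tokens beyond that are lost.
    A packet is forwarded only if enough tokens are present, otherwise it is
    discarded (an Exceed Action of Drop)."""

    def __init__(self, max_kbps: int, burst_bytes: int) -> None:
        self.rate = max_kbps * 1000 / 8      # bytes per second
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)     # assumption: the bucket starts full
        self.last = 0.0
        self.forwarded = 0
        self.dropped = 0

    def offer(self, now: float, size: int) -> bool:
        # refill for the time elapsed since the previous packet, capped at burst
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.forwarded += 1
            return True
        self.dropped += 1
        return False


def run_stream(max_kbps: int, burst_bytes: int, pkt_bytes: int,
               pkts_per_sec: int, seconds: int) -> Tuple[int, int]:
    """Offer an evenly spaced packet stream; return (forwarded, dropped)."""
    bucket = TokenBucket(max_kbps, burst_bytes)
    for i in range(pkts_per_sec * seconds):
        bucket.offer(i / pkts_per_sec, pkt_bytes)
    return bucket.forwarded, bucket.dropped


if __name__ == "__main__":
    # 1250-byte packets at 100/s is exactly 1 Mbps: the limit, nothing dropped
    print(run_stream(1000, 1500, 1250, 100, 1))
    # doubled to 200/s: tokens run short every other packet, half are dropped
    print(run_stream(1000, 1500, 1250, 200, 1))
    print(resolve_dscp(10, 30, None))   # flow group value wins
```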
7. To create another traffic class, repeat this procedure starting with step 3. To assign the traffic class to a policy, go to Managing Policies on page 282.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying a Traffic Class
To modify a traffic class, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting a Traffic Class
To delete a traffic class, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 269.
3.

The Traffic Class Configuration menu is shown in Figure 91 on page 275.
4. Type 4 to select Show Traffic Classes. The Show Traffic Classes menu is shown in Figure 93.

Managing Policies
This section contains the following procedures:
❑ Creating a Policy on page 282
❑ Modifying a Policy on page 284
❑ Deleting a Policy on page 285
❑ Displaying Policies on page 286

Creating a Policy
To create a policy, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 87 on page 269.
3.

The Create Policy menu is shown in Figure 95.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Create Policy

1 - Policy ID ............ 0
2 - Description ..........
3 - Remark DSCP .......... None
4 - DSCP value ...........
5 - Traffic Class List ...
6 - Redirect Port ........
7 - Ingress Port List ....
8 - Egress Port ..........

5 - Traffic Class List
Specifies the traffic classes to be assigned to the policy. The specified traffic classes must already exist. Separate multiple IDs with commas (e.g., 4,11,13).
6 - Redirect Port
Specifies a port to which the traffic is to be redirected. Traffic that matches the defined traffic flow is redirected to the specified port. You can specify only one port.
7 - Ingress Port List
Specifies the ingress ports to which the policy is to be assigned.

4. From the Policy Configuration menu, type 2 to select Modify Policy. The following prompt is displayed:
Available Policy(ies): 0-4
Enter Policy ID : [0 to 255] -> 0
5. Enter the ID number of the policy you want to modify. You can modify only one policy at a time. The Modify Policy menu is displayed. The menu contains the specifications of the selected policy.
6. Modify the settings as needed. For parameter definitions, refer to Creating a Policy on page 282.

Available Policy(ies): 0-4
Enter Policy ID : [0 to 255] -> 0
5. Enter the ID number of the policy you want to delete. You can delete only one policy at a time. The Destroy Policy menu is displayed. The menu contains the specifications of the selected policy. Use this menu to confirm that you are deleting the correct policy.
6. Type D to delete the policy. The policy is deleted from the switch.
7. To delete another policy, repeat this procedure starting with step 4.
8.

5. To display the specifics of a policy, type D to select Detail Policy Display.
6. When prompted, enter the ID number of the policy you want to view. You can display only one policy at a time. The specifics of the policy are displayed in the Detail Policy Display. For definitions of the parameters, refer to Creating a Policy on page 282.
Chapter 17 Class of Service This chapter contains the procedures for configuring Class of Service (CoS).
Class of Service Overview
When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations.

Table 7 lists the mappings between the eight CoS priority levels and the four egress queues of a switch port.

Table 7 Default Mappings of IEEE 802.1p Priority Levels to Priority Queues
IEEE 802.1p Priority Level   Port Priority Queue
0                            Q1
1                            Q0
2                            Q0
3                            Q1
4                            Q2
5                            Q2
6                            Q3
7                            Q3

For example, if a tagged packet with a priority level of 3 entered a port on the switch, the switch would store the packet in queue Q1 on the egress port.

Table 8 Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues
IEEE 802.1p Priority Level   Port Priority Queue
3                            Q1
4                            Q2
5                            Q3
6                            Q3
7                            Q3

The procedure for changing the default mappings is found in Mapping CoS Priorities to Egress Queues on page 297. Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.

❑ Strict priority
❑ Weighted round robin priority
Note
Scheduling is set at the switch level. You cannot set this on a per-port basis.

Strict Priority Scheduling
With this type of scheduling, a port transmits all packets out of higher priority queues before transmitting any from the lower priority queues. For instance, as long as there are packets in Q3 it does not handle any packets in Q2.

Table 9 Example of Weighted Round Robin Priority
Port Egress Queue   Maximum Number of Packets
Q3                  15
Q2                  10
Q1                  5
Q0                  1

In this example, the port transmits a maximum of 15 packets from Q3 before moving to Q2, from which it transmits up to 10 packets, and so forth.
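The Table 7 mapping and the two scheduling methods as a runnable model, added here as an example and not Allied Telesyn code. The queue contents, packet labels and the scheduling budget are constructed; the Q3 weight of 15 comes from the text of the Table 9 example.

```python
"""Added example (not Allied Telesyn code): 802.1p-to-egress-queue mapping
(Table 7) and strict versus weighted round robin scheduling (Table 9).
Queue contents and packet labels are constructed sample data."""
from collections import deque
from typing import Deque, Dict, List, Tuple

# Table 7: IEEE 802.1p priority level -> port priority queue (Q0 lowest, Q3 highest)
DEFAULT_QUEUE_MAP: Dict[int, int] = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}

# Table 9: maximum packets taken from each queue in one weighted round robin pass
TABLE9_WEIGHTS: Dict[int, int] = {3: 15, 2: 10, 1: 5, 0: 1}

QUEUE_ORDER = (3, 2, 1, 0)   # Q3 is served first


def egress_queue(priority: int, queue_map: Dict[int, int] = DEFAULT_QUEUE_MAP) -> int:
    """Return the egress queue a tagged frame with this 802.1p priority goes to."""
    if priority not in range(8):
        raise ValueError("802.1p priority must be 0 to 7")
    return queue_map[priority]


def validate_queue_map(queue_map: Dict[int, int]) -> bool:
    """A customised mapping (Table 8) is switch-wide: every priority 0-7 must map
    to exactly one of the four queues Q0-Q3."""
    return sorted(queue_map) == list(range(8)) and all(q in range(4) for q in queue_map.values())


def enqueue(frames: List[Tuple[str, int]],
            queue_map: Dict[int, int] = DEFAULT_QUEUE_MAP) -> Dict[int, Deque[str]]:
    """Place tagged frames (label, 802.1p priority) into the egress queues."""
    queues: Dict[int, Deque[str]] = {q: deque() for q in QUEUE_ORDER}
    for label, prio in frames:
        queues[egress_queue(prio, queue_map)].append(label)
    return queues


def build_queues(counts: Dict[int, int]) -> Dict[int, Deque[str]]:
    """Constructed egress queues with counts[q] packets labelled 'Qq#n'."""
    return {q: deque(f"Q{q}#{n}" for n in range(counts.get(q, 0))) for q in QUEUE_ORDER}


def strict_schedule(queues: Dict[int, Deque[str]], budget: int) -> List[str]:
    """Strict priority: empty the highest queue before touching a lower one.
    'budget' is the number of transmit slots simulated."""
    sent: List[str] = []
    for q in QUEUE_ORDER:
        while queues[q] and len(sent) < budget:
            sent.append(queues[q].popleft())
    return sent


def wrr_schedule(queues: Dict[int, Deque[str]], weights: Dict[int, int],
                 rounds: int) -> List[str]:
    """Weighted round robin: each pass takes up to weights[q] packets from Q3,
    then Q2, Q1 and Q0, so a busy Q3 cannot starve the lower queues."""
    sent: List[str] = []
    for _ in range(rounds):
        for q in QUEUE_ORDER:
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                sent.append(queues[q].popleft())
    return sent


if __name__ == "__main__":
    backlog = {3: 20, 2: 12, 1: 6, 0: 3}
    print(strict_schedule(build_queues(backlog), budget=25))
    print(wrr_schedule(build_queues(backlog), TABLE9_WEIGHTS, rounds=1))
```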
Configuring CoS
As explained in Class of Service Overview on page 289, a tagged packet received on a port is placed into one of four priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 7 on page 290.

Note
Options 7, 8, and 9 are not available in all versions of the AT-S62 management software. Contact your sales representative to determine if these features are available for your locale.
2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 98.

The Configure Port COS Priorities menu is shown in Figure 99.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                       11:20:02 02-Jan-2004

Configure Port COS Priorities

1 - Port Number ................... 1
2 - Priority (0-7) 0=Low 7=High ... 0
3 - Override Priority (Y/N) ....... N

C - Configure Port COS Priorities
R - Return to Previous Menu

Enter your selection?

Figure 99 Configure Port COS Priorities Menu

Menu option 1 cannot be changed.
5.

Mapping CoS Priorities to Egress Queues
This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 7 on page 290. This is set at the switch level. You cannot set this at the per-port level. To change the mappings, perform the following procedure.
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294.
2.

Configuring Egress Scheduling
This procedure explains how to select and configure a scheduling method for Class of Service. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to Scheduling on page 291. Scheduling is set at the switch level. You cannot set this on a per-port basis.
1. From the Main Menu, type 7 to select Security and Services.

Displaying Port CoS Priorities
The following procedure displays a menu that lists the current egress priority queue settings for each port.
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294.
2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 98 on page 295.
3.
Chapter 18 IGMP Snooping This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
AT-S62 Menus Interface User’s Guide IGMP Snooping Overview IGMP enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a particular multicast group responds to a query by sending a report.
network security by restricting the flow of multicast packets only to those switch ports connected to host nodes. Without IGMP snooping, a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact switch and network performance.
Activating IGMP Snooping

To activate or deactivate IGMP snooping on the switch and to configure IGMP snooping parameters, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Multicast Configuration menu is shown in Figure 103.
The options in the menu are defined below:

1 - IGMP Snooping Status
Enables and disables IGMP snooping on the switch. After selecting this option, type E to enable or D to disable this feature.

2 - Multicast Host Topology
Defines whether there is only one host node per switch port or multiple host nodes per port. Possible settings are Single-Host/Port (Edge) and Multiple Host/Ports (Intermediate).
When selecting a value for this parameter, it is important to note that the value you enter actually defines the approximate mid-point of a range within which a timeout can occur. The actual timeout may occur earlier or later than the value you enter. The range is from 0.7 to 1.4 times your value. For example, if you leave this parameter set to the default 260 seconds, a timeout can occur from 182 seconds to 364 seconds.
Displaying a List of Host Nodes

To view a list of the multicast groups and host nodes on a switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 103 on page 303.
2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 104 on page 303.
3.
Port/TrunkID - The port on the switch where a host node of the multicast group is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
HostIP - The IP address of the host node connected to the port.
IGMP Ver. - The version of IGMP being used by the host.
Exp. Time - The number of seconds remaining before the host is timed out if no further IGMP reports are received from it.
Displaying a List of Multicast Routers

A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S62 software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration.
Chapter 19
Denial of Service Defense

This chapter contains procedures on how to configure the switch to protect your network against Denial of Service (DoS) attacks.
Denial of Service Defense Overview

The AT-S62 management software can help protect your network against the following types of Denial of Service attacks.

❑ SYN Flood Attack
❑ SMURF Attack
❑ Land Attack
❑ Teardrop Attack
❑ Ping of Death Attack
❑ IP Options Attack

The following subsections briefly describe each type of attack and the mechanism employed by the AT-S62 management software to protect your network.
SMURF Attack

This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request containing a broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
Note
This defense mechanism should only be used if there is a port on the switch that is connected to a device that leads outside your network.

Here is an overview of how the process takes place. This example assumes that you have activated the feature on port 4 and that you have specified port 1 as the uplink port. The steps below review what happens when an ingress IP packet arrives on port 4:

1.
The defense mechanism for this type of attack has all ingress IP traffic received on a port sent to the switch’s CPU. The CPU samples related, consecutive fragments, checking for fragments with invalid offset values. If one is found, the following occurs:

❑ The switch sends an SNMP trap to the management workstations.
❑ The switch port discards the fragment with the invalid offset and, for a one minute period, discards all ingress fragmented IP traffic.
Also note that an attacker can circumvent the defense by sending a stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits. A large number of requests could overwhelm the switch’s CPU.

IP Options Attack

In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several different types of IP option attacks and the AT-S62 management software does not distinguish between them.
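The packet properties that the Land, SMURF, Teardrop and Ping of Death defenses above key on (identical source and destination address, an ICMP Echo request aimed at the LAN broadcast address, overlapping fragment offsets, and a reassembled Echo request larger than an IP datagram may be) can be expressed as detection checks. The following Python is an added example written for this guide, not AT-S62 code; the packet records, the LAN subnet 149.22.22.0/24 and the field names are constructed for the example.

```python
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

IPV4_MAX_LEN = 65535  # largest IPv4 datagram, in bytes


def lan_broadcast(lan_ip: str, subnet_mask: str) -> IPv4Address:
    """Directed-broadcast address derived from the LAN IP Subnet menu values."""
    return IPv4Network(f"{lan_ip}/{subnet_mask}", strict=False).broadcast_address


def is_land(p: dict) -> bool:
    """Land: source and destination IP address are identical."""
    return p["src"] == p["dst"]


def is_smurf(p: dict, bcast: IPv4Address) -> bool:
    """SMURF: ICMP Echo request (type 8) addressed to a broadcast address."""
    if p["proto"] != "icmp" or p.get("icmp_type") != 8:
        return False
    dst = IPv4Address(p["dst"])
    return dst == bcast or dst == IPv4Address("255.255.255.255")


def is_teardrop(frags: list) -> bool:
    """Teardrop: fragments of one datagram whose offsets overlap."""
    covered_to = 0
    for f in sorted(frags, key=lambda f: f["frag_offset"]):
        start = f["frag_offset"] * 8  # the offset field counts 8-byte units
        if start < covered_to:        # this fragment re-covers earlier bytes
            return True
        covered_to = start + f["payload_len"]
    return False


def is_ping_of_death(frags: list) -> bool:
    """Ping of Death: reassembled ICMP Echo request exceeding 65,535 bytes."""
    if not any(f["proto"] == "icmp" and f.get("icmp_type") == 8 for f in frags):
        return False
    last = max(frags, key=lambda f: f["frag_offset"])
    total = 20 + last["frag_offset"] * 8 + last["payload_len"]  # 20-byte IP header
    return total > IPV4_MAX_LEN


def classify(packets: list, lan_ip: str, subnet_mask: str) -> list:
    """Run all four checks; returns (attack, src, dst) tuples in detection order."""
    bcast = lan_broadcast(lan_ip, subnet_mask)
    alerts = []
    groups = defaultdict(list)  # fragments grouped by (src, dst, IP identification)
    for p in packets:
        if is_land(p):
            alerts.append(("land", p["src"], p["dst"]))
        if is_smurf(p, bcast):
            alerts.append(("smurf", p["src"], p["dst"]))
        if p["more_frags"] or p["frag_offset"] > 0:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    for (src, dst, _), frags in groups.items():
        if is_teardrop(frags):
            alerts.append(("teardrop", src, dst))
        if is_ping_of_death(frags):
            alerts.append(("ping_of_death", src, dst))
    return alerts


def pkt(src, dst, proto="tcp", icmp_type=None, ip_id=0,
        frag_offset=0, more_frags=False, payload_len=100) -> dict:
    """Constructed packet record used as sample input for this example."""
    return dict(src=src, dst=dst, proto=proto, icmp_type=icmp_type, ip_id=ip_id,
                frag_offset=frag_offset, more_frags=more_frags, payload_len=payload_len)


# Constructed sample traffic; the LAN is 149.22.22.0/24.
SAMPLE = [
    pkt("149.22.22.101", "149.22.22.22"),                                   # benign
    pkt("149.22.22.22", "149.22.22.22"),                                    # land
    pkt("149.22.22.22", "149.22.22.255", proto="icmp", icmp_type=8),        # smurf
    pkt("10.0.0.5", "149.22.22.22", "udp", ip_id=7, frag_offset=0, more_frags=True, payload_len=24),
    pkt("10.0.0.5", "149.22.22.22", "udp", ip_id=7, frag_offset=2, payload_len=24),  # starts at byte 16, inside the first fragment
    pkt("10.0.0.6", "149.22.22.22", "icmp", 8, ip_id=9, frag_offset=0, more_frags=True, payload_len=1480),
    pkt("10.0.0.6", "149.22.22.22", "icmp", ip_id=9, frag_offset=8185, payload_len=100),  # ends past 65,535 bytes
]

if __name__ == "__main__":
    for alert in classify(SAMPLE, "149.22.22.22", "255.255.255.0"):
        print(alert)
```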
Enabling or Disabling Denial of Service Prevention

To configure DoS defense, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294.
2. From the Security and Services menu, type 3 to select Denial of Service (DoS). The Denial of Service (DoS) Menu is shown in Figure 107.
The LAN IP Subnet menu is shown in Figure 108.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    Lan IP Subnet

    1 - IP Address ................. 0.0.0.0
    2 - Subnet Mask ................ 0.0.0.0
    3 - Uplink Port ................ 26

    R - Return to Previous Menu

    Enter your selection?

Figure 108 LAN IP Subnet Menu

b.
A menu is displayed containing either one or two options, depending on the DoS defense you selected. An example of the menu is shown in Figure 109.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    SYN Flood Configuration
    Configuring DoS for Port 2

    1 - DoS Status ................. Disabled

    R - Return to Previous Menu

    Enter your selection?

Figure 109 SYN Flood Configuration Menu

6.
Chapter 20
Power Over Ethernet

This chapter contains the procedures for configuring Power over Ethernet (PoE) for the AT-8524POE switch. Sections in the chapter include:

❑ Power Over Ethernet Overview on page 319
❑ Setting the PoE Threshold on page 323
❑ Configuring PoE Port Settings on page 325
❑ Displaying PoE Status and Settings on page 327

Note
This chapter applies only to the AT-8524POE switch.
Power Over Ethernet Overview

The twisted pair ports on the AT-8524POE switch offer the same features as the twisted pair ports on the other switches in the series. As such, they can operate at 10 or 100 Mbps, feature Auto-Negotiation and AutoMDI/MDI-X, and so forth. These ports, however, also offer Power over Ethernet (PoE). PoE is a mechanism for supplying power to network devices over the same twisted pair cables used to carry network traffic.
PoE Implementation on the AT-8524POE Switch

A standard Ethernet twisted pair cable contains four pairs of strands for a total of eight strands. 10/100 Mbps network traffic requires only four strands, leaving four strands in the cable unused. The strands that carry the network traffic are 1, 2, 3, and 6, and the spare strands are 4, 5, 7, and 8. The IEEE 802.
connected to it is PoE-compliant or not and, if it is, how much power is required. The default setting for PoE on the switch is enabled on all ports.

Port Prioritization

This section explains port prioritization, a mechanism by which the switch determines which ports are to receive PoE in the event the needs of the powered devices exceed the available power resources of the switch.
Power allocation is dynamic. Ports supplying power to powered devices may cease power transmission if the switch’s power budget has reached maximum usage and new powered devices, connected to ports with a higher priority, become active.

PoE Device Classes

The IEEE 802.3af standard specifies four levels of classes for powered devices. The classes are defined by power usage. The classes are:

❑ 0 - 0.44 W to 12.95 W
❑ 1 - 0.44 W to 3.84 W
❑ 2 - 3.84 W to 6.49 W
❑ 3 - 6.
Setting the PoE Threshold

The PoE threshold is a percentage of the total maximum PoE power on the switch, which for the AT-8524POE switch is 400 W. If the total power requirements of the powered devices exceed this threshold, the switch sends an SNMP trap to your management workstation and enters an event in the event log. At the default setting of 95%, the threshold is exceeded when the PoE devices require more than 380 W, which is 95% of 400 W.
The PoE Global Configuration menu is shown in Figure 111.

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    PoE Global Configuration

    1 - Power Threshold ................ 95 percent
    2 - Maximum Available Power ........ 400W

    R - Return to Previous Menu

    Enter your selection?

Figure 111 PoE Global Configuration Menu

Option 2, Maximum Available Power, displays the maximum amount of PoE power for the switch.
Configuring PoE Port Settings

This procedure enables and disables PoE on a port. This procedure also sets a port’s priority level and its maximum power usage. To configure PoE port settings, do the following:

1. From the Main Menu, type 6 to select Advanced Configuration.
2. From the Advanced Configuration menu, type 2 to select Power Over Ethernet Configuration. The Power Over Ethernet Configuration menu is shown in Figure 110 on page 323.
3.
6. To change the port’s priority, type 2 to select Power Priority and, when prompted, type C for Critical, H for High, or L for Low. A port can belong to only one priority level at a time. The default is Low. For an explanation of this parameter, refer to Port Prioritization on page 321.
7. To change the maximum amount of power the port can supply to the device, type 3 to select Power Limit and enter a new value in milliwatts. The default value is 15,400 mW.
Displaying PoE Status and Settings

Use this procedure to display PoE status and settings at the switch or port level. To display PoE information, do the following:

1. From the Main Menu, type 6 to select Advanced Configuration.
2. From the Advanced Configuration menu, type 2 to select Power Over Ethernet Configuration. The Power Over Ethernet Configuration menu is shown in Figure 110 on page 323.
3.
1 - PoE Global Status Menu

This selection displays the following window:

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    PoE Global Status

    Max Available Power ...... 400 W
    Consumed Power ........... 25 W
    Available Power .......... 375W
    Power Usage .............. 6.25 percent
    Min Shutdown Voltage ..... 44.0 V
    Max Shutdown Voltage ..... 57.
Max Shutdown Voltage
The maximum threshold voltage at which the switch shuts down PoE. If the power supply in the switch experiences a problem and the output voltage exceeds this value, the switch shuts down PoE on all ports. This value is not adjustable.

2 - Summary All Ports Status Menu

This selection displays an abbreviated status report of PoE on the individual switch ports. For more detailed information, refer to selection 3.
Power Status
Whether power is being supplied to the device. ON means that the port is providing power to a powered device. OFF means the device is not a powered device or PoE has been disabled on the port.

3 - Detailed Ports Status Menu

When you select this option, you are prompted to enter the port(s) you want to view. You can specify more than one port at a time.
Power Status
Whether power is being supplied to the device. ON means that the port is providing power to a powered device. OFF means the device is not a powered device, PoE has been disabled on the port, or no device is connected to the port.

Power Consumed
The amount of power in milliwatts currently consumed by the powered device connected to the port. If the port is not connected to a powered device, this value will be 0 (zero).
4 - PoE Device Information

This selection displays the hardware and firmware version numbers of the PoE chipset used in the switch. This selection is intended for troubleshooting purposes and displays the following window:

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    PoE Device Information

    MCU Device Info:
    Hardware Version .........
    Firmware Version .........
    Build Number .............
    Serial Number ............
Chapter 21
Networking Stack

The AT-S62 management software allows you to perform a few basic functions on the switch’s TCP/IP stack. The functions include viewing the switch’s Address Resolution Protocol (ARP) table and routing table. The switch uses these tables when you instruct it to perform a management function that requires it to interact with another network device.
Managing the Address Resolution Protocol Table

The switch has an Address Resolution Protocol (ARP) table for storing IP addresses of network devices and their corresponding MAC addresses. The switch uses the table whenever you issue a management command that requires the switch’s AT-S62 management software to interact with another device on the network.
Note
The switch does not use the ARP table to move packets through its switching matrix. The switch refers to the table only when performing a management function that involves interaction with another network node.

Displaying the ARP Table

To view the switch’s ARP table, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2.
The Display ARP Table menu is shown in Figure 119.

    Allied Telesyn Ethernet Switch AT-8524POE - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    Display ARP Table

    Interface  IP Address      MAC Address         Type
    --------------------------------------------------------
    loopback   127.0.0.1       00:00:00:00:00:00   PERMANENT
    eth0       149.22.22.22    00:30:84:32:8A:5B   TEMPORARY
    eth0       149.22.22.1     00:30:84:32:12:42   TEMPORARY
    eth0       149.22.22.101   00:30:84:32:8A:1B   TEMPORARY
    eth0       149.22.22.
Deleting an ARP Entry

To delete an entry from the ARP table, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 9 on page 61.
3. From the System Utilities menu, type 6 to select Networking Stack.
Note
No confirmation prompt is displayed. All entries in the ARP table are immediately deleted, with the exception of the “loopback” entry, which cannot be deleted. The switch begins to add new entries to the table as it performs new management functions in conjunction with other network devices.

Configuring the ARP Table Timeout Value

Inactive temporary entries in the ARP table are timed out according to the ARP cache timeout value.
Displaying the Routing Table

The routing table is used by the switch when the IP address of a remote node specified in a management command is not on the same physical network as the switch. The table contains the IP address of the next hop for reaching the remote network or device. For example, the switch might refer to the table if you instructed it to download a new AT-S62 image file from a network server that was on a different physical network.
Destination
The IP address of a destination network, subnetwork, or end node.

Mask
A filter used to designate the active part of the destination IP address. A binary 1 in the mask indicates an active bit in the address, while a binary 0 indicates that the corresponding bit in the address is not active.

Next Hop
The IP address of the next intermediary device for reaching the destination network, subnetwork, or end node.

Interface
The interface on the switch where the next hop is located.
Displaying the TCP Connections Table

The TCP connections table lists the active Telnet, SSH, and web browser management sessions on a switch and includes the IP addresses of the management stations. You can use the table to determine the number of active, remote active management sessions open on a switch, as well as identify the management stations. To view the TCP Connections Table, perform the following procedure:

1.
This table is for viewing purposes only. The columns in the table are defined here.

Total Number of TCP Listening sockets
The number of active listening sockets. There can be a maximum of three listening sockets. One is for the Telnet server, another for SSH, and the last for the web browser server. If a server is disabled, its listening socket does not appear in the table.
The example in Figure 121 on page 341 shows that the Telnet and web browser servers are active on the switch. The table also includes two active TCP connections. Entry 4 is for a Telnet connection and entry 24 is for a web browser HTTP connection. A web browser management session can have more than one TCP connection open at a time. The different connections carry different packets of the management session. You cannot change any of the information in this table.
Deleting a TCP Connection

This procedure explains how you can use the TCP connections table to end a remote Telnet or web browser management session on a switch. This procedure is useful if a manager forgot to log out after ending a session or if you suspect that an unauthorized person is accessing the switch’s management software.
Displaying the TCP Global Information Table

The TCP Global Information table displays TCP status and statistics. To view the table, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 9 on page 61.
3.
Max connections
The maximum number of TCP connections allowed.

Active Opens
The number of active TCP opens. Active opens initiate connections.

Passive Opens
The number of TCP passive opens. Passive opens are issued to wait for a connection from another host.

Attempt Fails
The number of failed connection attempts.

Established Resets
The number of connections that were established but have not been reset.

Current Established
The number of current connections.
Section III
SNMPv3 Operations

This section contains the following chapter:

❑ Chapter 22: SNMPv3 Configuration on page 348
Chapter 22
SNMPv3 Configuration

This chapter provides a description of the AT-S62 implementation of the SNMPv3 protocol. In addition, it provides procedures that allow you to create and modify SNMPv3 users.
SNMPv3 Overview

The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation, which is described in Chapter 5: SNMPv1 and SNMPv2c Configuration on page 80. In the SNMPv3 protocol, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. The SNMP terminology changes in the SNMPv3 protocol.
With the SNMPv3 protocol, you create users, determine the protocol used for message authentication, and determine whether data transmitted between an SNMP agent and an NMS is encrypted. In addition, you have the ability to restrict user privileges by determining the user’s view of the Management Information Bases (MIBs). In this way, you restrict which MIBs the user can display and modify.
SNMPv3 Privacy Protocol

After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S62 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported. The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA.
The AT-S62 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. There are two ways to specify a MIB view. You can enter the OID number of the MIB view or its equivalent text name. For example, to specify MIBs in the Internet view, you can enter the OID format “1.3.6.1” or the text name “internet.” In addition, you can define a MIB view that the user can access or a MIB view that the user cannot access.
To determine the destination of the message, you configure the IP address of the host. This configuration is similar to the SNMPv1 and SNMPv2c configuration.
First, you create a user in the Configure SNMPv3 User Table. Then you define the MIB view this user has access to in the Configure SNMPv3 View Table. To configure a security group and associate a MIB view to a security group, you configure the Configure SNMPv3 Access Table. Finally, configure the Configure SNMPv3 SecurityToGroup Menu to associate a user to a security group. See Figure 125 for an illustration of how the user configuration tables are linked.
See Figure 126 for an illustration of how the message notification tables are linked.
SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With an authentication protocol configured, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 SecurityToGroup Table

The Configure SNMPv3 SecurityToGroup Table Menu allows you to associate a User Name with a security group called a Group Name. The User Name is previously configured with the Configure SNMPv3 User Table Menu. The security group is previously configured with the Configure SNMPv3 Access Table Menu. Lastly, you can configure a storage type for this table entry, which allows you to save the entry to flash memory.
SNMPv3 Community Table

The Configure SNMPv3 Community Table Menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table. See Configuring the SNMPv3 Community Table on page 435.

Note
Allied Telesyn recommends that you use the procedures described in Chapter 5: SNMPv1 and SNMPv2c Configuration on page 80 to configure the SNMPv1 and SNMPv2c protocols.
Configuring the SNMPv3 Protocol

This section describes how to configure the SNMPv3 protocol using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the SNMPv3 Overview on page 349. In order to allow an NMS to access the switch, you need to enable SNMP access.
Configuring the SNMPv3 User Table

This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in an SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table Menu is shown in Figure 127.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    Configure SNMPv3 Table

    1 - SNMP Engine...............
    2 -
    3 -
    4 -
    5 -
    6 -
    7 -
    8 -
    9 -
5. To create a new user table, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:

    Enter User (Security) Name:

6. Enter a descriptive name of the user. You can enter a name that consists of up to 32 alphanumeric characters. The following prompt is displayed:

    Enter Authentication Protocol [M-MD5, S-SHA, N-None]:

7. Enter one of the following:

M-MD5
This value represents the MD5 authentication protocol.
Note
If you have the non-encrypted version of the AT-S62 software, then the Privacy Protocol field is read-only.

Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.

9. Select one of the following options:

D - DES
Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 User Table entry takes effect immediately.

12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 User Table Entry

You may want to delete an entry from the SNMPv3 User Table. When you delete an entry in the SNMPv3 User Table, there is no way to undelete, or recover it.
Modifying the Authentication Protocol and Password

To modify the Authentication Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.

1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127.
2. From the Configure SNMPv3 Table Menu, type 2 to select Configure SNMPv3 User Table.
6. Enter one of the following:

M-MD5
This value represents the MD5 authentication protocol. With this selection, users are authenticated with the MD5 authentication protocol after a message is received. This algorithm generates the message digest. The user is authenticated when the authentication protocol checks the message digest. With the MD5 selection, you can configure a Privacy Protocol.

S-SHA
This value represents the SHA authentication protocol.
Modifying the Privacy Protocol and Password

To modify the Privacy Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.

Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.

1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5.
7. Enter a privacy password of up to 32 alphanumeric characters. The following prompt is displayed:

    Re-enter Authentication password:

8. Re-enter the password.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Storage Type

To modify the Storage Type in an SNMPv3 User Table entry, perform the following procedure.

1.
N-NonVolatile
Select this storage type if you want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory. After making changes to an SNMPv3 User Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 View Table

This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters:

❑ Subtree OID
❑ Subtree Mask
❑ MIB OID Table View

To configure the SNMPv3 View Table, you need to be very familiar with the MIB tree. You can be very specific about the view a user can or cannot access, down to a column or row of the tree.
The Configure SNMPv3 View Table Menu is shown in Figure 130.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
    User: Manager                                  00:14:33 15-Jan-2004

    Configure SNMPv3 View Table

    View Name ................. internet
    Subtree OID ............... 1.3.6.
    Subtree Mask ..............
    View Type .................
    Storage Type ..............
    Row Status ................
The following prompt is displayed:

    Enter Subtree Mask (Hex format):

6. Enter a subtree mask. This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subtree Mask parameter is dependent on the subtree you select.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 View Table Entry

You may want to delete an entry from the SNMPv3 View Table. After you delete an SNMPv3 View Table entry, there is no way to undelete, or recover it. To delete an entry in the SNMPv3 View Table, perform the following procedure:

1.
Modifying an SNMPv3 View Table Entry

This section describes how to modify parameters in an SNMPv3 View Table entry. See the following procedures:

❑ Modifying a Subtree Mask on page 374
❑ Modifying a View Type on page 376
❑ Modifying a Storage Type on page 377

Modifying a Subtree Mask

To modify the Subtree Mask parameter in an SNMPv3 View Table entry, perform the following procedure.

1.
The Modify SNMPv3 View Table Menu is shown in Figure 131.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
    User: Manager                                  11:20:02 02-Jan-2004

    Modify SNMPv3 View Table

    View Name ................. tcp
    Subtree OID ............... 1.3.6.1.2.1.
    Subtree Mask ..............
    View Type .................
    Storage Type ..............
    Row Status ................
The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subtree Mask parameter is dependent on the subtree you select. See RFC 2575 for detailed information about defining a subtree mask.

8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
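How the Subtree OID, the hex Subtree Mask and the View Type (Included or Excluded) combine to decide whether a given OID is visible, as an added Python example that follows the view-family matching rules of RFC 2575 (this is not AT-S62 code, and the view entries and OIDs below are constructed samples). It covers both the mask entered at step 6 above and the Subtree Mask modified in this procedure: a 0 bit in the mask makes that sub-identifier a wildcard, so one entry can expose a single row across every column of a table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    """One row of the SNMPv3 View Table (constructed for this example)."""
    subtree: tuple    # Subtree OID as a tuple of sub-identifiers
    mask_hex: str     # Subtree Mask as typed at "Enter Subtree Mask (Hex format)"
    included: bool    # View Type: True = Included, False = Excluded


def parse_oid(text: str) -> tuple:
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> list:
    """Expand the hex mask to one flag per subtree sub-identifier.

    Bit 1 = the sub-identifier must match, bit 0 = wildcard. Bits are taken
    from the most significant bit of the first octet onward; a mask shorter
    than the subtree (including an empty mask) is padded with 1s, as RFC 2575
    specifies.
    """
    bits = []
    for octet in bytes.fromhex(mask_hex or ""):
        bits.extend(bool(octet & (0x80 >> i)) for i in range(8))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def family_matches(entry: ViewEntry, oid: tuple) -> bool:
    """An OID belongs to a view family when it is at least as long as the
    subtree and equals it in every position whose mask bit is 1."""
    if len(oid) < len(entry.subtree):
        return False
    bits = mask_bits(entry.mask_hex, len(entry.subtree))
    return all(not must or o == s for must, o, s in zip(bits, oid, entry.subtree))


def oid_in_view(view: list, oid: tuple) -> bool:
    """Decide visibility: among matching families the longest subtree wins
    (ties broken by the lexicographically greatest subtree), and that entry's
    View Type decides Included or Excluded. No match means not visible."""
    matches = [e for e in view if family_matches(e, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed view: everything under "internet" (1.3.6.1) is Included, but
# the tcp subtree (1.3.6.1.2.1.6) is Excluded. The empty mask means "all 1s".
VIEW_INTERNET_NO_TCP = [
    ViewEntry(parse_oid("1.3.6.1"), "f0", True),
    ViewEntry(parse_oid("1.3.6.1.2.1.6"), "", False),
]

# Constructed view exposing only row 2 of ifTable (ifEntry.<column>.2).
# Subtree has 11 sub-identifiers; mask ff a0 = 1111 1111 1010 0000, so
# position 10 (the column) is a wildcard and position 11 (the row) must be 2.
VIEW_IF_ROW_2 = [
    ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.1.2"), "ffa0", True),
]

if __name__ == "__main__":
    for name, view, oid in [
        ("sysDescr.0", VIEW_INTERNET_NO_TCP, "1.3.6.1.2.1.1.1.0"),
        ("tcp object", VIEW_INTERNET_NO_TCP, "1.3.6.1.2.1.6.5.0"),
        ("ifSpeed.2", VIEW_IF_ROW_2, "1.3.6.1.2.1.2.2.1.5.2"),
        ("ifSpeed.3", VIEW_IF_ROW_2, "1.3.6.1.2.1.2.2.1.5.3"),
    ]:
        print(name, "visible" if oid_in_view(view, parse_oid(oid)) else "hidden")
```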
The following prompt is displayed:
Enter View Type [I-Included, E-Excluded]:
7. Choose one of the following view types:
I - Included  Enter this value to permit the View Name to see the subtree specified above.
E - Excluded  Enter this value to not permit the View Name to see the subtree specified above.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
7. Select one of the following storage types for this table entry:
V - Volatile  Select this storage type if you do not want the ability to save an entry in the SNMPv3 View Table to the configuration file. After making changes to an SNMPv3 View Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See Creating an SNMPv3 SecurityToGroup Table Entry on page 394.
The Configure SNMPv3 Access Table Menu is shown in Figure 132.
Figure 132. Configure SNMPv3 Access Table Menu (screen fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status; sample values shown: softwareengineering, internet, tcp, tcp)
Note
The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Select one of the following SNMP protocols as the Security Model for this Group Name.
1-v1  Select this value to associate the Group Name with the SNMPv1 protocol.
greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Enter Read View Name:
7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. A Read View Name allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Access Table entry will take effect immediately.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Access Table Entry
You may want to delete an entry from the SNMPv3 Access Table.
2-v2c  Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3  Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter the Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
6. Enter the Security Level of this Group Name. Select one of the following Security Levels:
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol.
Modifying an SNMPv3 Access Table Entry
This section describes how to modify parameters in an SNMPv3 Access Table entry. For each entry in the SNMPv3 Access Table, you can modify the following parameters:
❑ Read View Name
❑ Write View Name
❑ Notify View Name
❑ Storage Type
Configure the values of the Read View Name, Write View Name, and Notify View Name parameters with values previously configured with the View Name parameter in the SNMPv3 View Table.
The Modify SNMPv3 Access Table is shown in Figure 133.
Figure 133. Modify SNMPv3 Access Table Menu (screen fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status; menu options 1 to 4 are Set options; sample values shown: sales, systemmanagers, salespeople, salespeople)
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Select one of the following security levels:
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Write View Name
To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Notify View Name
To modify the Notify View Name parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table Menu while the Group Name is configured in the Configure SNMPv3 Access Table Menu.
The Configure SNMPv3 SecurityToGroup Table Menu is shown in Figure 134.
Figure 134. Configure SNMPv3 SecurityToGroup Table Menu (screen fields: Security Model, Security Name, Group Name, Storage Type, Row Status)
The following prompt is displayed:
Enter Group Name:
6. Enter a Group Name that you configured in the SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 379. There are four default values for this field:
❑ defaultV1GroupReadOnly
❑ defaultV1GroupReadWrite
❑ defaultV2cGroupReadOnly
❑ defaultV2cGroupReadWrite
These values are reserved for SNMPv1 and SNMPv2c implementations.
Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, it. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure:
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
6. Enter Y to delete this SecurityToGroup entry or N to save it.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 SecurityToGroup Table Entry
This section describes how to modify parameters in an SNMPv3 SecurityToGroup Table entry.
The Modify SecurityToGroup Table is displayed as shown in Figure 134.
Figure 134. Modify SNMPv3 SecurityToGroup Table Menu (screen fields: Security Model, Security Name, Group Name, Storage Type, Row Status)
3-v3  Select this value to associate the User Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 379.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following SNMP protocols:
1-v1  Select this value if this User Name is configured with the SNMPv1 protocol.
2-v2c  Select this value if this User Name is configured with the SNMPv2c protocol.
3-v3  Select this value if this User Name is configured with the SNMPv3 protocol.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7.
Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table Menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table Menu allows you to define a name for sending traps. In each Notify Table entry, you define if the switch sends a trap or an inform message. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table Menu is shown in Figure 136.
Figure 136. Configure SNMPv3 Notify Table Menu (screen fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status)
I-Inform  Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the authoritative entity.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7. Select one of the following storage types for this table entry:
V - Volatile  Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
Note
To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry.
The following prompt is displayed:
Enter Notify Name:
4. Enter a Notify Name.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
5.
The Modify SNMPv3 Notify Table Menu is displayed as shown in Figure 137.
Figure 137. Modify SNMPv3 Notify Table Menu (screen fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status)
Modifying a Notify Type
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Modifying a Storage Type
To modify the Storage Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.
Configuring the SNMPv3 Target Address Table
This section contains a description of the SNMPv3 Target Address Table Menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table Menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table Menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.
Creating an SNMPv3 Target Address Table Entry
To create an entry in the Configure SNMPv3 Target Address Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
Use the following format for an IP address: XXX.XXX.XXX.XXX
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
The following prompt is displayed:
Enter Timeout (10mS): [0 to 2147483647]-> 1500
7. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch.
This name can consist of up to 32 alphanumeric characters. The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
11.
The Configure SNMPv3 Target Address Table Menu is shown in Figure 140 on page 423.
Note
To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry.
The following prompt is displayed:
Enter Target Address Name:
4. Enter a Target Address Name.
Modifying a Target IP Address
To modify the target IP address in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
4. To change the Target IP Address, type 1 to select Set Target IP Address.
The following prompt is displayed:
Enter Target Address Name:
5. Enter a previously configured Target Address Name. This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters.
The following prompt is displayed:
Enter IP Address:
6. Enter the IP address of the host.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters.
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the number of times the switch will retry, or resend, the Inform message. The range is 0 to 255 retries. The default is 3 retries.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Tag List
To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1.
Modifying the Target Parameters Field
To modify the Target Parameters field in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 Target Parameters Table
This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table Menu and Configure SNMPv3 Target Address Table Menu.
There are three functions you can perform with the Configure SNMPv3 Target Parameters Table Menu.
❑ Creating an SNMPv3 Target Parameters Table Entry on page 423
❑ Deleting an SNMPv3 Target Parameters Table Entry on page 426
❑ Modifying an SNMPv3 Target Parameters Table Entry on page 427
Creating an SNMPv3 Target Parameters Table Entry
To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure.
1.
3. To create an SNMPv3 Target Parameters Table entry, type 1 to select Create SNMPv3 Table Entry.
The following prompt is displayed:
Enter Target Parameters Name:
4. Enter a name of the Target Parameters. Enter a value of up to 32 alphanumeric characters.
Note
You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
7. Select one of the following Security Levels:
Note
The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 360.
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.
Note
The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Target Parameters Table entry will take effect immediately.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5. Enter Y to delete the SNMPv3 Target Address Table entry or N to save it.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 Target Parameters Table Entry
This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables.
Note
You cannot modify an entry in the SNMPv3 Target Parameter Table that contains a value of “default” in the Target Parameters Name field.
Modifying the Security Name (User Name)
In the AT-S62 implementation of the SNMPv3 protocol, the Security Name and the User Name parameters are equivalent. In the SNMPv3 Target Parameters Table Menu, the Security Name and the User Name parameters are used interchangeably.
The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 141.
Figure 141. Modify SNMPv3 Target Parameters Table Menu (screen fields: Target Parameters Name, Message Processing Model, Security Model, Security Name, Security Level, Storage Type, Row Status)
Modifying the Security Model
For the Security or User Name you have selected, the value of the Security Model parameter in an SNMPv3 Target Parameter Table entry must match the value of the Security Model parameter in the SNMPv3 Access Table entry.
Caution
If the values of the Security Model parameter in the SNMPv3 User Table and the SNMPv3 Target Parameter Table entry do not match, notification messages are not generated on behalf of this User (Security) Name.
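The Notify Tag to Tag List linkage between the Notify and Target Address tables, and the Security Model caution above, worked as an added Python example (not AT-S62 code; the table rows, host names and the USER_DIRECTORY lookup standing in for the User and SecurityToGroup tables are constructed):

```python
"""Notification target resolution modelled on the AT-S62 SNMPv3 Notify, Target
Address and Target Parameters tables. Added example, not Allied Telesyn code;
every table row below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NotifyEntry:          # SNMPv3 Notify Table
    notify_name: str
    notify_tag: str
    notify_type: str        # "T" = trap, "I" = inform


@dataclass(frozen=True)
class TargetAddress:        # SNMPv3 Target Address Table
    name: str
    ip: str
    udp_port: int           # default 162
    timeout_ms: int         # Inform only, default 1500
    retries: int            # Inform only, default 3
    tag_list: Tuple[str, ...]
    target_params: str      # must name a Target Parameters Table entry


@dataclass(frozen=True)
class TargetParams:         # SNMPv3 Target Parameters Table
    name: str
    security_model: str
    security_name: str      # equals the User Name on the AT-S62
    security_level: str


# Constructed tables.
NOTIFY_TABLE = [NotifyEntry("linkevents", "lan1", "I")]
TARGET_ADDRESSES = [
    TargetAddress("nms1", "192.0.2.10", 162, 1500, 3, ("lan1",), "params-v3"),
    TargetAddress("nms2", "192.0.2.11", 1162, 2000, 5, ("lan1", "lan2"), "params-stale"),
    TargetAddress("nms3", "192.0.2.12", 162, 1500, 3, ("lan2",), "params-v3"),
]
TARGET_PARAMS = {
    "params-v3": TargetParams("params-v3", "v3", "alice", "AuthPriv"),
    # Security Model here no longer matches the user's own entry below.
    "params-stale": TargetParams("params-stale", "v2c", "alice", "NoAuthNoPriv"),
}
# (Security Model, Security Level) per User Name, standing in for what the
# User and SecurityToGroup tables hold.
USER_DIRECTORY: Dict[str, Tuple[str, str]] = {"alice": ("v3", "AuthPriv")}


def resolve_targets(notify_name: str) -> Tuple[List[dict], List[str]]:
    """Walk Notify -> Target Address (via the tag) -> Target Parameters and
    return the deliveries that would be generated plus reasons for skips."""
    deliveries, skipped = [], []
    notifies = [n for n in NOTIFY_TABLE if n.notify_name == notify_name]
    if not notifies:
        return deliveries, [f"no Notify Table entry named {notify_name}"]
    for notify in notifies:
        for addr in TARGET_ADDRESSES:
            if notify.notify_tag not in addr.tag_list:
                continue                      # Tag List does not select this host
            params = TARGET_PARAMS.get(addr.target_params)
            if params is None:
                skipped.append(f"{addr.name}: unknown Target Parameters {addr.target_params}")
                continue
            user = USER_DIRECTORY.get(params.security_name)
            if user is None or user[0] != params.security_model:
                # The manual's caution: a Security Model mismatch means no
                # notification is generated on behalf of this Security Name.
                skipped.append(f"{addr.name}: Security Model mismatch for {params.security_name}")
                continue
            delivery = {"target": addr.name, "ip": addr.ip, "udp_port": addr.udp_port,
                        "type": "inform" if notify.notify_type == "I" else "trap",
                        "security_name": params.security_name,
                        "security_level": params.security_level}
            if notify.notify_type == "I":     # only informs wait for a response
                delivery["timeout_ms"] = addr.timeout_ms
                delivery["retries"] = addr.retries
            deliveries.append(delivery)
    return deliveries, skipped
```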
2-v2c  Select this value if this User Name is associated with the SNMPv2c protocol.
3-v3  Select this value if this User Name is associated with the SNMPv3 protocol.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following Security Levels:
Note
The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 360.
N-NoAuthNoPriv  This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 140.
3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 141 on page 429.
4.
2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 140.
3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 141 on page 429.
4. To modify the Storage Type, type 5 to select Storage Type.
Configuring the SNMPv3 Community Table
This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities.
For each SNMPv3 Community Table entry, you can configure the following parameters:
❑ Community Index
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type
In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community Menu in the Configure SNMPv3 Community Table Menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table Menu.
The Configure SNMPv3 Community Table Menu is shown in Figure 142.
Figure 142. Configure SNMPv3 Community Table Menu (screen fields: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status)
The following prompt is displayed:
Enter Security Name:
6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters.
Note
Do not use a value configured with the User Name parameter in the SNMPv3 User Table.
The following prompt is displayed:
Enter Transport Tag:
7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Community Table Entry
You may want to delete an entry from the SNMPv3 Community Table. When you delete an entry in the SNMPv3 Community Table, there is no way to undelete or recover it. To delete an entry in the SNMPv3 Community Table, perform the following procedure:
1.
Modifying an SNMPv3 Community Table Entry
For each entry in the SNMPv3 Community Table, you can modify the following parameters:
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type
However, you cannot modify the Community Index parameter.
The Modify SNMPv3 Community Table Menu is shown in Figure 143.
Figure 143. Modify SNMPv3 Community Table Menu (screen fields: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status)
Modifying the Security Name
To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:
1. Follow steps 1 through 3 in the procedure described in Creating an SNMPv3 User Table Entry on page 360. Or, from the Main Menu type 5->5->5. The Configure SNMPv3 Table Menu is shown in Figure 127 on page 361.
2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table.
2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table Menu is shown in Figure 142 on page 437.
3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 143 on page 441.
4. To change the Transport Tag, type 3 to select Set Transport Tag.
The following prompt is displayed:
Enter Community Index:
5.
The following prompt is displayed:
Enter Community Index:
5. Enter the Community Index of the Storage Type you want to change.
The following prompt is displayed:
Enter Storage type [V-volatile, N-NonVolatile]:
6. Select one of the following storage types for this table entry:
V - Volatile  Select this storage type if you do not want the ability to save an entry in the SNMPv3 Community Table to the configuration file.
Displaying SNMPv3 Table Menus
The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table Menu is shown in Figure 144.
Displaying the Display SNMPv3 View Table Menu
This section describes how to display the Display SNMPv3 View Table Menu. For information about the SNMPv3 View Table parameters, see Creating an SNMPv3 View Table Entry on page 370. To display the Display SNMPv3 View Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 445. Or, from the Main Menu type 5->5->6.
2.
Displaying the Display SNMPv3 Access Table Menu
This section describes how to display the Display SNMPv3 Access Table Menu. For information about the SNMPv3 Access Table parameters, see Creating an SNMPv3 Access Table Entry on page 379. To display the Display SNMPv3 Access Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 445. Or, from the Main Menu type 5->5->6.
2.
Displaying the Display SNMPv3 SecurityToGroup Table Menu
This section describes how to display the Display SNMPv3 SecurityToGroup Table Menu. For more information about the parameters in the SNMPv3 SecurityToGroup Table Menu, see Creating an SNMPv3 SecurityToGroup Table Entry on page 394. To display the Display SNMPv3 SecurityToGroup Table Menu, perform the following procedure.
1.
Displaying the Display SNMPv3 Notify Table Menu
This section describes how to display the Display SNMPv3 Notify Table Menu. For information about the SNMPv3 Notify Table parameters, see Creating an SNMPv3 Notify Table Entry on page 402. To display the Display SNMPv3 Notify Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 445. Or, from the Main Menu type 5->5->6.
2.
Displaying the Display SNMPv3 Target Address Table Menu
This section describes how to display the Display SNMPv3 Target Address Table Menu. For information about the SNMPv3 Target Address Table parameters, see Creating an SNMPv3 Target Address Table Entry on page 410. To display the Display SNMPv3 Target Address Table Menu, perform the following procedure.
1.
Displaying the Display SNMPv3 Target Parameters Table Menu
This section describes how to display the Display SNMPv3 Target Parameters Table Menu. For information about the SNMPv3 Target Parameters Table parameters, see Creating an SNMPv3 Target Parameters Table Entry on page 423. To display the Display SNMPv3 Target Parameters Table Menu, perform the following procedure.
1.
Displaying the Display SNMPv3 Community Table Menu
This section describes how to display the Display SNMPv3 Community Table Menu. For information about the SNMPv3 Community Table parameters, see Creating an SNMPv3 Community Table Entry on page 436. To display the Display SNMPv3 Community Table Menu, perform the following procedure.
1. Follow steps 1 through 3 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 445.
Section IV Spanning Tree Protocols The chapters in this section explain the spanning tree protocols.
Chapter 23 Spanning Tree and Rapid Spanning Tree Protocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.
Chapter 23: STP and RSTP
STP and RSTP Overview The performance of an Ethernet network can be severely impaired by the existence of a physical loop in the network topology. A loop exists when two or more nodes on a network can transmit data to each other over more than one traffic path. The problem that loops pose is that Ethernet packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and can significantly reduce network performance.
Bridge Priority and the Root Bridge The first task that bridges running spanning tree perform is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network. A root bridge is selected by the bridge priority number, also referred to as the bridge identifier, and sometimes the bridge’s MAC address.
Path Costs and Port Costs After the root bridge has been selected, the bridges must determine if the network contains redundant paths. If one is found, they must select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.
Table 12 lists the STP port costs with Auto-Detect when a port is part of a port trunk.
Table 12 STP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       4
100 Mbps      4
1000 Mbps     2
Table 13 lists the RSTP port costs with Auto-Detect.
Table 13 RSTP Auto-Detect Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000
Table 14 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
Port Priority If two paths have the same cost, the bridges must choose between them to select a preferred path. In some instances this can involve the use of the port priority parameter. This parameter is used as a tie-breaker when two paths have the same cost. The lower the value, the higher the priority given to the port. The range for port priority is 0 to 240. As with bridge priority, this range is broken into increments, in this case multiples of 16.
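The root bridge election and root port selection described in the preceding sections, as an added example (not AT-S62 code): bridge priority is a multiple of 4096 with the numerically lowest MAC address as tie-breaker, port costs come from the RSTP Auto-Detect values in Table 13, and port priority (a multiple of 16) breaks a cost tie. The bridge names, MAC addresses and path costs are constructed sample data; the final port-number tie-break is the IEEE 802.1D port identifier rule, assumed here because the page does not state it.

```python
from dataclasses import dataclass

# RSTP Auto-Detect port costs from Table 13, keyed by port speed in Mbps.
RSTP_AUTO_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}


def check_bridge_priority(value: int) -> int:
    """Bridge priority: 0 to 61,440 in increments of 4,096 (0 is the highest)."""
    if not 0 <= value <= 61_440 or value % 4096:
        raise ValueError(f"bridge priority {value} is not a multiple of 4096 in 0..61440")
    return value


def check_port_priority(value: int) -> int:
    """Port priority: 0 to 240 in increments of 16 (lower value, higher priority)."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError(f"port priority {value} is not a multiple of 16 in 0..240")
    return value


def mac_to_int(mac: str) -> int:
    """'00:30:84:00:00:01' -> integer, so MAC addresses compare numerically."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str

    def bridge_id(self) -> tuple:
        # Sort key: the lowest priority wins; the numerically lowest MAC breaks a tie.
        return (check_bridge_priority(self.priority), mac_to_int(self.mac))


def elect_root(bridges) -> Bridge:
    """Return the bridge every participant would agree is the root bridge."""
    return min(bridges, key=Bridge.bridge_id)


@dataclass(frozen=True)
class Path:
    """One candidate path from this bridge toward the root, via a local port."""
    port: int
    speed_mbps: int        # link speed; Auto-Detect maps it to a port cost (Table 13)
    upstream_cost: int     # root path cost the neighbour advertises on that link
    port_priority: int = 128

    def root_path_cost(self) -> int:
        return self.upstream_cost + RSTP_AUTO_COST[self.speed_mbps]


def select_root_port(paths) -> tuple:
    """Choose the root port: lowest root path cost, then lowest port priority.
    If both still tie, the lower port number wins (IEEE 802.1D port identifier
    rule, assumed here; the page describes only the priority tie-breaker)."""
    best = min(paths, key=lambda p: (p.root_path_cost(),
                                     check_port_priority(p.port_priority),
                                     p.port))
    return best.port, best.root_path_cost()


if __name__ == "__main__":
    # Constructed sample: A and B share the default priority, so the MAC decides.
    bridges = [Bridge("A", 32768, "00:30:84:00:00:10"),
               Bridge("B", 32768, "00:30:84:00:00:05"),
               Bridge("C", 36864, "00:30:84:00:00:01")]
    print("root bridge:", elect_root(bridges).name)        # B
    # Ports 1 and 3 have the same cost; port 3's lower priority value wins.
    paths = [Path(1, 100, 0), Path(2, 1000, 200_000), Path(3, 100, 0, port_priority=64)]
    print("root port, cost:", select_root_port(paths))     # (3, 200000)
```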
To forestall the formation of temporary data loops during topology changes, a port designated to change from blocking to forwarding passes through two additional states—listening and learning—before it begins to forward frames. The amount of time a port spends in these states is set by the forwarding delay value. This value states the amount of time that a port spends in the listening and learning states prior to changing to the forwarding state.
Point-to-Point Ports and Edge Ports Note This section applies only to RSTP and MSTP. Part of the task of configuring RSTP is defining the port types on the bridge. This relates to the device(s) connected to the port. With the port types defined, RSTP can reconfigure a network much quicker than STP when a change in network topology is detected.
If a port is operating in half-duplex mode and is not connected to any further bridges participating in STP or RSTP, then the port is an edge port. Figure 154 illustrates an edge port on an AT-8524M switch. The port is connected to an Ethernet hub, which in turn is connected to a series of Ethernet workstations. This is an edge port because it is connected to a device operating at half-duplex mode and there are no participating STP or RSTP devices connected to it.
Mixed STP and RSTP Network RSTP IEEE 802.1w is compliant with STP IEEE 802.1d. Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain. There is no reason not to activate RSTP on an AT-8500 Series switch even when all other switches are running STP. The switch can combine its RSTP with the STP of the other switches. The switch monitors the traffic on each port for BPDU packets.
You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports. (For information on tagged and untagged ports, refer to Chapter 25, Tagged and Port-based Virtual LANs on page 513.) Another approach is to use the Multiple Spanning Tree Protocol, explained in Chapter 24 on page 478, which allows you to create multiple spanning trees within a network.
Enabling or Disabling a Spanning Tree Protocol The AT-S62 software supports STP, RSTP, and MSTP. (MSTP is explained in Chapter 24 on page 478.) Only one spanning tree protocol can be active on the switch at a time. Before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.
4. If you selected STP as the active spanning tree protocol, go to Configuring STP on page 468 for further instructions. If you selected RSTP, go to Configuring RSTP on page 473. If you selected MSTP, go to Chapter 24 on page 478. Note Once you have configured the spanning tree parameters, perform Steps 5 through 7 to enable spanning tree. 5. To enable or disable spanning tree, type 1 to select Spanning Tree Status.
Configuring STP This section contains the following procedures: ❑ Configuring STP Bridge Settings, next ❑ Configuring STP Port Settings on page 470 Configuring STP Bridge Settings This section contains the procedure for configuring a bridge’s STP settings. Caution The default STP parameters are adequate for most networks. Changing them without prior experience and an understanding of how STP works might have a negative effect on your network. You should consult the IEEE 802.
2. Adjust the bridge STP settings as needed. The parameters are described below. 1 - Bridge Priority The priority number for the bridge. This number is used to determine the root bridge for RSTP. The bridge with the lowest priority number is selected as the root bridge. If two or more bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge.
3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. 4. To change STP port settings, go to the next procedure. Configuring STP Port Settings To adjust STP port parameters, perform the following procedure: 1. From the Spanning Tree Configuration menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 158 on page 468. 2. From the STP Menu, type P to select STP Port Parameters.
The Configure STP Port Settings menu is shown in Figure 160.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                          11:20:02 02-Jan-2004
Configure STP Port Settings
Configuring Ports 4-4
1 - Port Priority ..... 128
2 - Port Cost ......... Automatic-Update
R - Return to Previous Menu
Enter your selection?
Figure 160 Configure STP Port Settings Menu
6. Adjust the settings as desired. The parameters are described below.
Displaying STP Port Settings To display STP port settings, perform the following procedure: 1. From the Spanning Tree Configuration menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 158 on page 468. 2. From the STP Menu, type P to select STP Port Parameters. The STP Port Parameters menu is shown in Figure 159 on page 470. 3. From the STP Port Parameters menu, type 2 to select Display STP Port Configuration.
Configuring RSTP This section contains the following procedures: ❑ Configuring RSTP Bridge Settings, next ❑ Configuring RSTP Port Settings on page 475 Configuring RSTP Bridge Settings This section contains the procedure for configuring a bridge’s RSTP settings. Caution The default RSTP parameters are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network.
2. Adjust the parameters as needed. The parameters are defined below. 1 - Force Version This selection determines whether the bridge will operate with RSTP or in an STP-compatible mode. If you select RSTP, the bridge will operate all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge will operate in RSTP, using the RSTP parameter settings, but it will send only STP BPDU packets out the ports.
6 - Bridge Identifier The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed. 3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Configuring RSTP Port Settings To adjust RSTP port parameters, perform the following procedure: 1.
The Configure RSTP Port Settings menu is shown in Figure 164.
Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager                          11:20:02 02-Jan-2004
Configure RSTP Port Settings
Configuring Ports 4-4
1 - Port Priority ...... 128
2 - Port Cost .......... Automatic Update
3 - Point-to-Point ..... Auto Detect
4 - Edge Port .......... Yes
R - Return to Previous Menu
Enter your selection?
Figure 164 Configure RSTP Port Settings Menu
6. Adjust the settings as needed.
Displaying Port RSTP Status The RSTP Port Parameters menu has two selections for displaying a variety of RSTP port information. The two menu selections are discussed below. 2 - Display RSTP Port Configuration This selection displays a menu that contains the current port settings for the following RSTP parameters: Port - The port number. Edge-Port - Whether or not the port is operating as an edge port. The possible settings are Yes and No.
Chapter 24 Multiple Spanning Tree Protocol This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The chapter also explains how to adjust multiple spanning tree bridge and port parameters.
MSTP Overview As explained in the previous chapter, STP and RSTP are single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state. As explained in Spanning Tree and VLANs on page 464, activating STP or RSTP can result in VLAN fragmentation when VLANs that span multiple bridges are interconnected with untagged ports.
Chapter 24: Multiple Spanning Tree Protocol
Multiple Spanning Tree Instance (MSTI) The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of switches. An AT-8500 Series switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch comes with a default MSTI with an MSTI ID of 0.
If the switches were running STP or RSTP, one of the links would be blocked because the links constitute a physical loop. Which link would be blocked would depend on the STP or RSTP bridge settings. In the example, the link between the two parts of the Production VLAN is blocked, resulting in a loss of communications between the two parts of the Production VLAN.
Figure 166 illustrates the same two AT-8524M switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned to different spanning tree instances. Both links remain active now that they reside in different MSTIs, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 167 where there are two AT-8524M switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines Here are several guidelines to keep in mind about MSTIs: ❑ An AT-8500 Series switch can support up to 16 spanning tree instances, including the CIST, at a time. ❑ An MSTI can contain any number of VLANs. ❑ A VLAN can belong to only one MSTI at a time. ❑ A switch port can belong to more than one spanning tree instance at a time. This allows you to assign a port as an untagged and tagged member of VLANs that belong to different MSTIs.
The second group can be applied independently on a port for each MSTI where the port is a member. One of the parameters is the internal path cost. This parameter specifies the port’s operating cost if it is connected to a bridge that is a part of the same MSTP region. You can give a port a different internal path cost for each MSTI where it is a member.
Figure 168 illustrates the concept of regions. It shows one MSTP region consisting of two AT-8524M switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The AT-8500 Series switch determines regional boundaries by examining the MSTP BPDUs received on the ports. A port that receives an MSTP BPDU from another bridge with regional information different from its own is considered to be a boundary port and the bridge connected to the port as belonging to another region. The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP.
❑ The regional root of an MSTI must be in the same region as the MSTI. Common and Internal Spanning Tree (CIST) MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. First, you cannot delete this instance and you cannot change its MSTI ID.
MSTP with STP and RSTP MSTP is fully compatible with STP and RSTP. If a port on an AT-8500 Series switch running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs because RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered a boundary port of the MSTP region and the bridge as belonging to a different region. An MSTP region can be considered as a virtual bridge.
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address. ❑ The regional root of an MSTI must be in the same region as the MSTI. ❑ The CIST must have a regional root for communicating with other regions and single-instance spanning trees. ❑ MSTP is compatible with STP and RSTP.
[Figure 169 CIST and VLAN Guideline - Example 1: two AT-8524M switches, Switch A and Switch B, linked through Port 1 and Port 8; the BPDU packets on the link carry the instances CIST 0 and MSTI 10 from one side and CIST 0 and MSTI 7 from the other.] At first glance, it might appear that since both ports belong to CIST, a loop would exist between the switches and that MSTP would block a port to stop the loop. However, within a region, MSTI takes precedence over CIST.
When port 3 on Switch B receives a BPDU, the switch notes the port sending the packet belongs only to CIST. Consequently, Switch B uses CIST in determining whether a loop exists. The result would be that the switch would determine that a loop exists because the other port is also receiving BPDU packets from CIST 0. Switch B would block a port to cancel the loop. To avoid this issue, always assign all VLANs on a switch, including the Default_VLAN, to an MSTI.
[Figure 171 Spanning Regions - Example 1: Switch A (AT-8524M) in Region 1, Port 5, MSTI 4, VLAN (untagged port): Accounting; Switch B (AT-8524M) in Region 2, Port 15, MSTI 12, VLAN (untagged port): Sales, VLAN (tagged port): Presales, VLAN (tagged port): Marketing.] There are several ways to address this issue. One is to have only one MSTP region for each subnet in your network. Another approach is to group those VLANs that need to span regions into the same MSTI.
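A configuration check for the region and MSTI rules above, as an added example (not AT-S62 code): two bridges share a region only when their configuration name (case-sensitive), revision level and VLAN-to-MSTI associations match, a port facing a bridge in another region or running STP/RSTP is a boundary port, and any VLAN left in the CIST is flagged because of the loop-detection problem described with Figure 169. The switch objects are constructed sample data, and comparing the VLAN table directly (rather than the digest real MSTP BPDUs carry) is a simplification.

```python
from dataclasses import dataclass

CIST = 0             # default instance; cannot be deleted or renumbered
MAX_MSTI_ID = 15     # user-created MSTIs are numbered 1 to 15
MAX_INSTANCES = 16   # spanning tree instances per switch, including the CIST


@dataclass
class MstpSwitch:
    name: str
    config_name: str        # region name: case-sensitive, 0 to 32 alphanumeric characters
    revision: int           # region revision level
    vlan_to_msti: dict      # VID -> MSTI ID for every VLAN on the switch (0 = left in CIST)
    protocol: str = "MSTP"  # "MSTP", "RSTP" or "STP"

    def region_key(self) -> tuple:
        """The regional information another bridge compares with its own: the
        configuration name, the revision level and the VLAN-to-MSTI table."""
        return (self.config_name, self.revision, frozenset(self.vlan_to_msti.items()))


def validate(sw: MstpSwitch) -> list:
    """Return human-readable findings for settings that break the MSTI guidelines."""
    findings = []
    if len(sw.config_name) > 32 or (sw.config_name and not sw.config_name.isalnum()):
        findings.append(f"{sw.name}: configuration name must be 0 to 32 alphanumeric characters")
    instances = set(sw.vlan_to_msti.values()) | {CIST}
    if len(instances) > MAX_INSTANCES:
        findings.append(f"{sw.name}: {len(instances)} instances exceed the limit of {MAX_INSTANCES}")
    for vid, msti in sorted(sw.vlan_to_msti.items()):
        if msti == CIST:
            findings.append(f"{sw.name}: VLAN {vid} is still in the CIST; assign every VLAN, "
                            "including the Default_VLAN, to an MSTI")
        elif not 1 <= msti <= MAX_MSTI_ID:
            findings.append(f"{sw.name}: VLAN {vid} uses MSTI ID {msti}, outside 1 to {MAX_MSTI_ID}")
    return findings


def same_region(a: MstpSwitch, b: MstpSwitch) -> bool:
    """Two bridges share a region only if both run MSTP with identical regional information."""
    return a.protocol == "MSTP" and b.protocol == "MSTP" and a.region_key() == b.region_key()


def is_boundary_port(local: MstpSwitch, neighbour: MstpSwitch) -> bool:
    """A port is a boundary port when the bridge behind it belongs to another region
    or runs the single-instance STP or RSTP."""
    return not same_region(local, neighbour)


def vlans_spanning_regions(a: MstpSwitch, b: MstpSwitch) -> list:
    """VIDs configured on both switches although the switches are in different
    regions (the situation of Figure 171). Returned for review: either use one
    region per subnet or group these VLANs into the same MSTI."""
    if same_region(a, b):
        return []
    return sorted(set(a.vlan_to_msti) & set(b.vlan_to_msti))


if __name__ == "__main__":
    # Constructed sample: C differs from A only in the case of the configuration name,
    # D leaves the Default_VLAN (VID 1) in the CIST, R is an RSTP bridge.
    a = MstpSwitch("A", "Production", 1, {1: 1, 2: 1, 3: 2})
    c = MstpSwitch("C", "production", 1, {1: 1, 2: 1, 3: 2})
    d = MstpSwitch("D", "Production", 1, {1: 0, 2: 1, 3: 2})
    r = MstpSwitch("R", "", 0, {}, protocol="RSTP")
    print("A/C same region:", same_region(a, c))                 # False
    print("A port to R is boundary:", is_boundary_port(a, r))    # True
    print("VLANs spanning A and C:", vlans_spanning_regions(a, c))
    for finding in validate(d):
        print(finding)
```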
Configuring MSTP Bridge Settings This section contains the procedure for configuring a bridge’s MSTP settings. Note You cannot configure the MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 466. 1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 157 on page 466. 2.
3. Adjust the MSTP settings as needed. Changes are immediately activated on the switch. The selections are described below. 1 - Force Version This selection determines whether the bridge operates with MSTP or in an STP-compatible mode. If you select MSTP, the bridge operates all ports in MSTP, except for those ports that receive STP or RSTP BPDU packets.
5 - Max Hops MSTP regions use this parameter to discard BPDUs. The Max Hop counter in a BPDU is decremented every time the BPDU crosses an MSTP region boundary. Once the counter reaches zero, the BPDU is deleted. The range is 1 to 40 hops. The default is 20. 6 - Configuration Name The name of the MSTP region. The range is 0 (zero) to 32 alphanumeric characters in length. The name, which is case-sensitive, must be the same on all bridges in a region.
Configuring the CIST Priority This procedure explains how to adjust the bridge’s CIST priority. Note You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 466. This procedure starts from the MSTP Menu. If you do not know how to access the menu, perform steps 1 and 2 in Configuring MSTP Bridge Settings on page 494.
2. To change the CIST priority, type 1. The following prompt is displayed: Enter new priority [the value will be multiplied by 4096]: [0 to 15] -> 3. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 10, Bridge Priority Value Increments on page 457. The change is immediately implemented on the switch. 4.
Creating, Deleting, and Modifying MSTIs The following procedures explain how to create, delete, and modify spanning tree instances. Note You cannot configure MSTP parameters until you have selected the protocol as the active spanning tree protocol on the switch. For instructions, refer to Enabling or Disabling a Spanning Tree Protocol on page 466. This procedure starts from the MSTP Menu.
Regional Root ID Identifies the regional root for the MSTI by its MAC address. Path Cost Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0. Associated VLANs Specifies the VIDs of the VLANs that have been associated with the MSTI ID. The table does not include the CIST. The table is empty if no MSTI IDs have been created. Creating an MSTI To create an MSTI, do the following: 1.
2. Enter the ID number of the MSTI you want to delete. The range is 1 to 15. (You cannot delete CIST, which has a value of 0.) You can delete only one MSTI at a time. The selected MSTI is deleted from the switch. All associated VLANs are returned to CIST. 3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Associating VLANs to MSTI IDs When you create a new MSTI, you are given the opportunity to associate VLANs to it. But once an MSTI is created, there might come a time when you want to add more VLANs, or perhaps remove VLANs from it. This procedure explains how to associate VLANs on the switch to an existing MSTI and also how to remove VLANs. Before performing this procedure, note the following: ❑ You must create an MSTI before you can assign VLANs to it.
The VLAN-MSTI Association Menu is shown in Figure 175.
A prompt similar to the following is displayed: Enter the list of VLANs: 3. Enter the VLAN ID of the virtual LAN you want to associate with the MSTI. You can enter more than one VLAN at a time (for example, 2,4,7). The new VLAN associations are added to the existing associations in the MSTI. To view VIDs, refer to Displaying VLANs on page 538. New VLAN associations are immediately implemented on the switch. 4.
3. A prompt similar to the following is displayed: Enter the list of VLANs: 4. Enter the VLAN ID of the virtual LAN that you want to associate with the MSTI. You can enter more than one VLAN at a time (for example, 2,4,7). (To view VIDs, refer to Displaying VLANs on page 538.) The existing VLAN associations are removed from the MSTI when the new VLANs are added. The removed VLANs are returned to CIST. 5. After making changes, type R until you return to the Main Menu.
Configuring MSTP Port Settings As explained in Ports in Multiple MSTIs on page 484, MSTP port settings are divided into two groups. The parameters in the first group are set just once on a port. The setting for a generic port parameter applies to all MSTIs in which the port is a member.
2. Type 1 to select Configure Generic Port Settings. The following prompt is displayed: Start port to configure: [1 to 26] -> 3. Enter the number of the port you want to configure. To configure a range of ports, enter the first port of the range. The following prompt is displayed: End port to configure: [1 to 26] -> 4 4. Enter the last port of the range. To configure just one port, enter the same port here as in Step 3.
Table 17 lists the MSTP port costs with the Auto setting when the port is part of a port trunk.
Table 17 Auto External Path Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
2 - Point-to-Point This parameter defines whether the port is functioning as a point-to-point port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 462.
The following prompt is displayed: Start port to configure: [1 to 26] -> 1 4. Enter the number of the port you want to configure. To configure a range of ports, enter the first port of the range. The following prompt is displayed: End port to configure: [1 to 26] -> 1 5. Enter the last port of the range. To configure just one port, enter the same port here as in Step 3. Configure Per Spanning Tree Port Settings Menu is shown in Figure 178.
Table 18 MSTP Auto Update Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000
Table 19 lists the MSTP port costs with Auto Update when the port is part of a port trunk.
Table 19 MSTP Auto Update Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
Parameter changes are immediately activated on the port. 7. After making changes, type R until you return to the Main Menu.
Displaying MSTP Port Settings and Status The MSTP Port Parameters menu, shown in Figure 176 on page 506, has two selections for displaying a variety of MSTP port information. The two menu selections are described below. (To display the menu, from the MSTP Menu, type P to select MSTP Port Parameters.
Section V Virtual LANs The chapters in this section explain virtual LANs (VLANs).
Chapter 25 Tagged and Port-based Virtual LANs This chapter contains background information on tagged and port-based virtual LANs (VLANs). It also contains the procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.
Chapter 25: Tagged and Port-based Virtual LANs VLAN Overview A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s management software and so be able to group nodes with related functions into their own separate, logical LAN segments.
AT-S62 Menus Interface User’s Guide But with VLANS, you can change the LAN segment assignment of an end node connected to the switch through the switch’s AT-S62 management software. VLAN memberships can be changed any time through the management software without moving the workstations physically, or having to change group memberships by moving cables from one switch port to another. Additionally, a virtual LAN can span more than one switch.
Chapter 25: Tagged and Port-based Virtual LANs Port-based VLAN Overview As explained in the VLAN Overview on page 514, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
AT-S62 Menus Interface User’s Guide If a VLAN spans multiple switches, then the VID for the VLAN on the different switches should be the same. The switches are then able to recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches. For example, if you had a port-based VLAN titled Marketing that spanned three AT-8500 Series switches, you would assign the Marketing VLAN on each switch the same VID.
Chapter 25: Tagged and Port-based Virtual LANs For example, if you were creating a port-based VLAN on a switch and you had assigned the VLAN the VID 5, the PVID for each port in the VLAN would need to be assigned the value 5. Some switches and switch management programs require that you assign the PVID value for each port manually. However, the AT-S62 management software performs this task automatically.
AT-S62 Menus Interface User’s Guide VLANs that span switches, many ports could end up being used ineffectively just to interconnect the various VLANs. Port-based Example 1 Figure 179 illustrates an example of one AT-8524M Fast Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.
Chapter 25: Tagged and Port-based Virtual LANs Each VLAN has been assigned a unique VID. You assign this number when you create a VLAN. The ports have been assigned PVID values. The management software automatically assigns the PVIDs when you create the VLAN. The PVID of a port is the same as the VID to which the port is an untagged member. In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.
AT-S62 Menus Interface User’s Guide Port-based Example 2 Figure 180 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two Ethernet switches.
Chapter 25: Tagged and Port-based Virtual LANs The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches: Sales VLAN (VID 2) Engineering VLAN (VID 3) Production VLAN (VID 4) AT-8524M Switch (top) Ports 1 - 6, 18 (PVID 2) Ports 9 - 11, 14, 20 (PVID 3) Ports 21 - 24 (PVID 4) AT-8524M Switch (bottom) Ports 1 - 6 (PVID 2) none Ports 13, 19-24 (PVID 3) ❑ Sales VLAN - This VLAN spans both switches.
AT-S62 Menus Interface User’s Guide Tagged VLAN Overview The second type of user-configured VLAN is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
Chapter 25: Tagged and Port-based Virtual LANs ❑ Tagged and Untagged Ports ❑ Port VLAN Identifier Note For an explanation of VLAN name and VLAN identifier, refer back to VLAN Name and VLAN Identifier on page 516. Tagged and Untagged Ports You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, this will usually be a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
General Rules for Creating a Tagged VLAN

Below is a summary of the rules to observe when creating a tagged VLAN.

❑ Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches must be assigned the same VID.
❑ A tagged port can be a member of multiple VLANs.
❑ An untagged port can be an untagged member of only one VLAN at a time.
Tagged VLAN Example

Figure 181 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

Figure 181 (diagram): Sales VLAN (VID 2), Engineering VLAN (VID 3), Production VLAN (VID 4), Legacy Server, two AT-8524M Fast Ethernet Switches, IEEE 802.
The port assignments for the VLANs are as follows:

AT-8524M Switch (top):
    Sales VLAN (VID 2): untagged ports 1 to 5, 18 (PVID 2); tagged ports 8, 16
    Engineering VLAN (VID 3): untagged ports 9 to 11, 20 (PVID 3); tagged ports 8, 16
    Production VLAN (VID 4): untagged ports 21 to 24 (PVID 4); tagged port 8

AT-8524M Switch (bottom):
    Sales VLAN (VID 2): untagged ports 1 to 5 (PVID 2); tagged port 15
    Engineering VLAN (VID 3): untagged ports 19 to 24 (PVID 3); tagged port 15
    Production VLAN (VID 4): none

This example is nearly identical to the Port-based Example 2 on page 521.
Creating a Port-based or Tagged VLAN

To create a new port-based or tagged VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    VLAN Configuration

    1 - Ingress Filtering Status ........ Enabled
    2 - VLANs Mode ......................
The Configure VLANs menu is shown in Figure 183.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    Configure VLANs

    1 - Create VLAN
    2 - Modify VLAN
    3 - Delete VLAN
    4 - Reset to Default VLAN

    R - Return to Previous Menu

    Enter your selection?

Figure 183 Configure VLANs Menu

3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 184.
If the VLAN will be unique in your network, then the name should be unique as well. If the VLAN will be part of a larger VLAN that spans multiple switches, then the name for the VLAN should be the same on each switch where nodes of the VLAN are connected.

Note
A VLAN must be assigned a name.

5. Type 2 to select VLAN ID (VID) and enter a VID value for the new VLAN. The permitted range of the VID value is 1 to 4094.

Note
A VLAN must have a VID.
Note
Option 5, Protected Ports, in the Create VLAN menu is not used to create port-based and tagged VLANs. It should be left in the “No” default setting. This option is used to create protected ports VLANs, as explained in Chapter 28, Protected Ports VLANs on page 581.

8. Type C to select Create VLAN. The following message is displayed:

    SUCCESS - Press any key to continue.

The AT-S62 software creates the new VLAN. The new VLAN is now ready for network use.

9.
Example of Creating a Port-based VLAN

The following procedure creates the Sales VLAN illustrated in Port-based Example 1 on page 519. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, Ports 1 to 4. The VLAN will not contain any tagged ports.

To create the Sales VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2.
Example of Creating a Tagged VLAN

The following procedure creates the Engineering VLAN in the top switch illustrated in Tagged VLAN Example on page 526. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, Ports 9, 10, 11, and 20, and two tagged ports, Ports 8 and 16.

To create the example Engineering VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.
Modifying a VLAN

You can use this procedure to add or remove ports from a port-based or tagged VLAN. You can also use this procedure to change a VLAN’s name.

Note
To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to Displaying VLANs on page 538.

To modify a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2.
The following prompt is displayed:

    Enter new value -> [1 to 4096] ->

5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 186.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    Modify VLAN

    1 - VLAN Name ..............
    2 - VLAN ID (VID) ..........
    3 - Tagged Ports ...........
    4 - Untagged Ports .........
    5 - Protected Ports .....
3 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). When adding or removing tagged ports, observe the following guidelines:

❑ The new list of tagged ports will replace the existing tagged ports.
❑ If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.
Any untagged ports removed from a VLAN are automatically returned to the Default_VLAN as untagged ports.

If you added to or removed from the VLAN a port with one or more static MAC addresses assigned to it, you must update the static addresses by deleting their entries from the MAC address table and reentering them using the VID of the VLAN to which the port has been moved.
Displaying VLANs

To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 5 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 187.
Deleting a VLAN

This procedure deletes port-based and tagged VLANs from the switch. All untagged ports in a deleted VLAN are returned to the Default_VLAN.

Note
To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to Displaying VLANs on page 538.

To delete a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2.
Note
You cannot delete the Default_VLAN, which has a VID of 1.

The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 189.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    Delete VLAN

    1 - VLAN Name ..............
    2 - VLAN ID (VID) ..........
    3 - Tagged Ports ...........
    4 - Untagged Ports .........
    5 - Protected Ports ........
9. Repeat this procedure starting with Step 4 to delete other VLANs.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting All VLANs

This section contains the procedure for deleting all port-based and tagged VLANs, except the Default_VLAN, on a switch. To delete selected VLANs, perform the procedure Deleting a VLAN on page 539.

To delete all VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2.
Displaying PVIDs and Port Priorities

The following procedure displays a menu that lists the PVIDs for all the ports on the switch. The menu also contains the current priority queue settings for each port.

To display the PVID settings on the switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 6 to select Show PVIDs.
Enabling or Disabling Ingress Filtering

There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules.

There are quite a few ingress and egress rules for Fast Ethernet switches.
Activating or deactivating ingress filtering has no effect on the switch’s handling of priority tags. A switch always examines a priority tag in a tagged frame, without regard to the status of ingress filtering.

You can enable or disable ingress filtering on a per-switch basis. You cannot set this per port. The default setting for ingress filtering is disabled.

To enable or disable ingress filtering, perform the following procedure:

1.
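The ingress and egress rules described here and in the Tagged VLAN Overview can be checked against a small model. The following Python program is an added illustration and not part of the AT-S62 software; it reproduces the port table of the top switch in the Tagged VLAN Example and assumes that a port which is not an untagged member of any user VLAN stays in the Default_VLAN (VID 1) and that a priority-tagged frame (VID 0) is classified by the port's PVID, as IEEE 802.1Q specifies.

```python
"""VLAN ingress/egress model for the rules described in this chapter.

Added illustration only; this is not code from Allied Telesyn or the AT-S62
software. Assumptions not stated in the chapter: ports that are untagged in
no user VLAN remain untagged members of Default_VLAN (VID 1), and a
priority-tagged frame (VID 0) is classified like an untagged frame.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DEFAULT_VID = 1  # Default_VLAN, to which every port belongs until moved


@dataclass
class Vlan:
    name: str
    vid: int
    untagged: Set[int]  # ports that send and receive this VLAN's frames untagged
    tagged: Set[int]    # ports that carry this VLAN with an 802.1Q tag


class Switch:
    def __init__(self, vlans: List[Vlan], num_ports: int = 24,
                 ingress_filtering: bool = False):
        # Ingress filtering is set per switch; the AT-S62 default is disabled.
        self.ingress_filtering = ingress_filtering
        self.vlans: Dict[int, Vlan] = {v.vid: v for v in vlans}
        # Assumption: ports untagged in no user VLAN stay in Default_VLAN.
        claimed = set().union(*(v.untagged for v in vlans))
        rest = {p for p in range(1, num_ports + 1) if p not in claimed}
        self.vlans[DEFAULT_VID] = Vlan("Default_VLAN", DEFAULT_VID, rest, set())

    def pvid(self, port: int) -> int:
        """PVID of a port = VID of the one VLAN it is an untagged member of."""
        for v in self.vlans.values():
            if port in v.untagged:
                return v.vid
        raise ValueError(f"port {port} is not on this switch")

    def is_member(self, port: int, vid: int) -> bool:
        v = self.vlans.get(vid)
        return v is not None and (port in v.untagged or port in v.tagged)

    def classify(self, in_port: int, tag_vid: Optional[int]) -> Optional[int]:
        """Ingress rules: VID the frame is assigned to, or None if discarded."""
        if tag_vid is None or tag_vid == 0:
            # Untagged, or priority-tagged (VID 0): the PVID decides; the
            # priority tag itself is honoured whatever ingress filtering says.
            return self.pvid(in_port)
        if tag_vid not in self.vlans:
            return None  # the tag names a VLAN that does not exist on this switch
        if self.ingress_filtering and not self.is_member(in_port, tag_vid):
            return None  # ingress filtering: receiving port is not in that VLAN
        return tag_vid

    def forward(self, in_port: int, tag_vid: Optional[int]) -> Dict[int, bool]:
        """Egress rules for a flooded frame: {egress port: sent with a tag?}."""
        vid = self.classify(in_port, tag_vid)
        if vid is None:
            return {}
        v = self.vlans[vid]
        out = {p: False for p in v.untagged if p != in_port}
        out.update({p: True for p in v.tagged if p != in_port})
        return out


def top_switch() -> Switch:
    """Port table of the top AT-8524M switch in the Tagged VLAN Example."""
    return Switch([
        Vlan("Sales", 2, untagged={1, 2, 3, 4, 5, 18}, tagged={8, 16}),
        Vlan("Engineering", 3, untagged={9, 10, 11, 20}, tagged={8, 16}),
        Vlan("Production", 4, untagged={21, 22, 23, 24}, tagged={8}),
    ])


if __name__ == "__main__":
    sw = top_switch()
    print("PVID of port 1:", sw.pvid(1))                                   # 2
    print("untagged frame in on port 1 ->", sw.forward(1, None))
    print("VID 4 frame in on port 16, filtering off ->", sw.forward(16, 4))
    sw.ingress_filtering = True
    print("VID 4 frame in on port 16, filtering on  ->", sw.forward(16, 4))  # {}
```

With ingress filtering disabled, a VID 4 frame arriving on port 16 (a member of VLANs 2 and 3 only) is still flooded into the Production VLAN; enabling it discards that frame at ingress.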
Specifying a Management VLAN

The management VLAN is the VLAN on which an AT-8500 Series switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely or using the enhanced stacking feature of the switch.

Management packets are packets generated by a management workstation when you manage a switch using the Telnet application protocol, SSH, or a web browser.
Now assume that you decide to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management. For this, you need to create the NMS VLAN on each AT-8500 Series switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. Then you need to be sure that the uplink and downlink ports connecting the switches together are either tagged or untagged members of the NMS VLAN.
Chapter 26
GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP).
Basic Overview of GARP VLAN Registration Protocol (GVRP)

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise have to be manually configured in each switch. This can be helpful in networks where VLANs span more than one switch.
Figure 191 provides an example of how GVRP works.

Figure 191 GVRP Example (diagram): Switch #1 (AT-8524M, Static VLAN Sales VID=11), Port 1, Port 4, Switch #2 (AT-8524M), Port 15, Port 17, Switch #3 (AT-8524M, Static VLAN Sales VID=11)

Switches #1 and #3 contain the Sales VLAN, but Switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLAN are unable to communicate with each other.
3. Switch #2 sends a PDU out port 15 containing all of the VIDs of the VLANs on the switch, including the new GVRP_VLAN_11 VLAN with its VID of 11. (It should be noted that port 15 is not yet a member of the VLAN. Ports are added to VLANs when they receive, not send, a PDU.)

4. Switch #3 receives the PDU on port 17 and, after examining it, notes that one of the VLANs on Switch #2 has the VID 11, which matches the VID of an already existing VLAN on the switch.
❑ Resetting a switch erases all dynamic GVRP VLANs and dynamic GVRP port assignments. The switch relearns the dynamic assignments as it receives PDUs from the other switches.
❑ GVRP has three timers that you can set: join timer, leave timer, and leave all timer. The values for these timers must be set the same on all switches running GVRP. Timers with different values on different switches can result in GVRP incompatibility problems.
GVRP-inactive Intermediate Switches

The presence of a GVRP-inactive switch between GVRP-active devices may impact the ability of GVRP to automatically configure the VLANs in your switches. You might need to take this into account when implementing GVRP in your network.
Technical Overview of Generic Attribute Registration Protocol (GARP)

The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example, end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.
The architecture of GARP is shown in Figure 192.
An instance of GID consists of the set of state machines that define the current registration and declaration state of all attribute values associated with the GARP Participant. Separate state machines exist for the Applicant and Registrar. This is shown in Figure 193.

Figure 193 (diagram): GID Attribute ...
The Applicant is therefore looking after the interests of all would-be Participants. This allows the Registrar to be very simple. The job of the Registrar is to record whether an attribute is registered, in the process of being de-registered, or is not registered for an instance of GID.

To control the Applicant state machine, an Applicant Administrative Control parameter is provided.
Configuring GVRP

This section contains the procedure for configuring GVRP. The timers in the following menus are in increments of centiseconds, which are hundredths of a second.

To configure GVRP, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 8 to select Configure GARPGVRP.
6. Choose one of the following:

    E to enable GIP.
    D to disable GIP.

Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.

Caution
The following steps change the three GVRP timers. The settings for these timers must be the same on all GVRP-active devices in your network.

7. Type 3 - GVRP Join Timer to change the value of the Join Timer.
Enabling or Disabling GVRP on a Port

This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.

Note
To protect against unauthorized access to restricted areas of your network, Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices.
5. Enter a port. You can configure more than one port at a time. The Configure GVRP Port Settings Menu is shown in Figure 196.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    Configure GVRP Port Settings
    Configuring Port 1-2

    1 - Port Mode ............. Normal

    R - Return to Previous Menu

    Enter your selection?

Figure 196 Configure GVRP Port Settings Menu

6. Type 1 - Port Mode.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved.
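The exchange in the Basic Overview (Figure 191) and the effect of setting a port's GVRP mode to None can be traced with a small model. The following Python program is an added illustration and not Allied Telesyn's implementation; it assumes that Switch #1 port 1 is linked to Switch #2 port 4 (as the figure is read), that Default_VLAN is not carried in the PDUs, and that a port in mode None neither sends PDUs nor accepts them, the discarded PDUs being counted as "Port Not Listening".

```python
"""Model of the GVRP exchange in Figure 191 and of the per-port GVRP mode.

Added illustration only; not Allied Telesyn's implementation. As the
chapter describes, a GVRP-enabled port sends PDUs listing the VIDs of the
switch's VLANs; the port that receives a PDU becomes a dynamic member of each
listed VLAN, and a dynamic VLAN named GVRP_VLAN_<vid> is created when the VID
is unknown. Assumptions: Default_VLAN (VID 1) is not advertised, Switch #1
port 1 is linked to Switch #2 port 4, and a port in mode None neither sends
nor accepts PDUs (the latter counted as "Port Not Listening").
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class GvrpSwitch:
    name: str
    static_vlans: Dict[int, str]                               # vid -> VLAN name
    port_mode: Dict[int, str] = field(default_factory=dict)    # port -> Normal|None
    dynamic_vlans: Dict[int, str] = field(default_factory=dict)
    dynamic_ports: Dict[int, Set[int]] = field(default_factory=dict)  # vid -> ports
    rx_discarded_not_listening: int = 0

    def mode(self, port: int) -> str:
        return self.port_mode.get(port, "Normal")  # GVRP is enabled per port by default

    def vids(self) -> Set[int]:
        return set(self.static_vlans) | set(self.dynamic_vlans)

    def receive_pdu(self, port: int, vids: List[int]) -> bool:
        """Apply one received PDU; return True if the VLAN database changed."""
        if self.mode(port) == "None":
            self.rx_discarded_not_listening += 1
            return False
        changed = False
        for vid in vids:
            if vid not in self.vids():
                self.dynamic_vlans[vid] = f"GVRP_VLAN_{vid}"
                changed = True
            members = self.dynamic_ports.setdefault(vid, set())
            if port not in members:
                members.add(port)  # the receiving port joins the VLAN
                changed = True
        return changed


Link = Tuple[str, int, str, int]  # (switch A, port on A, switch B, port on B)


def run_gvrp(switches: List[GvrpSwitch], links: List[Link],
             max_rounds: int = 20) -> int:
    """Exchange PDUs over every link in both directions until nothing changes.

    Returns the number of rounds in which some switch's VLAN database changed.
    """
    by_name = {s.name: s for s in switches}
    for rounds in range(max_rounds):
        changed = False
        for a, pa, b, pb in links:
            for tx, tx_port, rx, rx_port in ((a, pa, b, pb), (b, pb, a, pa)):
                sender, receiver = by_name[tx], by_name[rx]
                if sender.mode(tx_port) == "None":
                    continue  # only ports with GVRP enabled transmit PDUs
                changed |= receiver.receive_pdu(rx_port, sorted(sender.vids()))
        if not changed:
            return rounds
    return max_rounds


FIGURE_191_LINKS: List[Link] = [("Switch #1", 1, "Switch #2", 4),
                                ("Switch #2", 15, "Switch #3", 17)]


def figure_191_switches() -> List[GvrpSwitch]:
    return [GvrpSwitch("Switch #1", {11: "Sales"}),
            GvrpSwitch("Switch #2", {}),
            GvrpSwitch("Switch #3", {11: "Sales"})]


if __name__ == "__main__":
    s1, s2, s3 = figure_191_switches()
    run_gvrp([s1, s2, s3], FIGURE_191_LINKS)
    print(s2.dynamic_vlans, s2.dynamic_ports)   # {11: 'GVRP_VLAN_11'} {11: {4, 15}}
    # With GVRP disabled on Switch #2 port 4, Switch #1's VLANs are never registered
    # there and Switch #1 learns nothing back.
    s1, s2, s3 = figure_191_switches()
    s2.port_mode[4] = "None"
    run_gvrp([s1, s2, s3], FIGURE_191_LINKS)
    print(s2.dynamic_ports, s1.dynamic_ports, s2.rx_discarded_not_listening)
```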
Converting a Dynamic GVRP VLAN

This procedure converts a dynamic GVRP VLAN into a static VLAN. You can perform this procedure to permanently retain the VLANs the switch learned through GVRP.

Note
This procedure cannot convert a dynamic GVRP port in a static VLAN into a static port. For that you must manually modify the static VLAN, specifying the dynamic port as either a tagged or untagged member of the VLAN.
Displaying GVRP Parameters and Statistics

To display GVRP counters, database, state machine, and GIP connected ports ring, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 8 to select Configure GARPGVRP. The GARP-GVRP Menu is shown in Figure 194 on page 558.

3.
GVRP Counters

Option 1 - Display GVRP Counters in the Other GARP Port Parameters displays the GVRP Counters Menu (page 1) as shown in Figure 199.
    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    GVRP Counters

    Receive:
    -------
    GARP Messages:
    --------------
    LeaveAll          7
    JoinEmpty         0
    JoinIn           68
    LeaveEmpty        0
    LeaveIn           0
    Empty             5
    Bad Message       0
    Bad Attribute     0

    Transmit:
    --------
    LeaveAll         77
    JoinEmpty        58
    JoinIn          285
    LeaveEmpty        1
    LeaveIn           0
    Empty            21

    P - Previous Page
    U - Updated Display
    R - Return to Previous Menu

    Enter your selection?

Figure 200 GVRP Counters Menu (
Table 20 GVRP Counters

Parameter / Meaning

Receive Discarded: Port Not Listening
    Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port.

Transmit Discarded: Port Not Sending
    Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.
Table 20 GVRP Counters (continued)

Parameter / Meaning

Transmit GARP Messages: JoinIn
    Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.

Receive GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages received for all attributes in the GARP application.

Transmit GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
GVRP Database

Option 2 - Display GVRP Database in the Other GARP Port Parameters displays the GVRP Database Menu as shown in Figure 201.
GIP Connected Ports Ring

Option 3 - Display GIP Connected Ports Ring in the Other GARP Port Parameters displays the GIP Connected Ports Ring Menu as shown in Figure 202.
GVRP State Machine

Option 4 - Display GVRP State Machine in the Other GARP Port Parameters displays the GVRP State Machine Menu (page 1) as shown in Figure 203.
Table 23 GVRP State Machine Parameters

Parameter / Meaning

App
    Applicant state machine for the GID index on that particular port.
Table 23 GVRP State Machine Parameters (continued)

Parameter / Meaning

App (Continued)
    Non-Participant Management state:
    “Von” Very Anxious Observer
    “Aon” Anxious Observer
    “Qon” Quiet Observer
    “Lon” Leaving Observer
    “Vpn” Very Anxious Passive Member
    “Apn” Anxious Passive Member
    “Qpn” Quiet Passive Member
    “Van” Very Anxious Active Member
    “Aan” Anxious Active Member
    “Qan” Quiet Active Member
    “Lan” Leaving Active Member
    The initialized state for the Applicant is
Chapter 27
Multiple VLAN Modes

This chapter describes the multiple VLAN modes and how to select a mode.
Multiple VLAN Mode Overview

Multiple VLAN modes simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and can only forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing the ports with access to an uplink port.
A user-designated port on the switch functions as an uplink port, which can be connected to a shared device, such as a router for access to a WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port.

The uplink port also has its own VLAN, where it is an untagged member. This VLAN is called Uplink_VLAN.

Note
In 802.
VLAN Name        VID   Untagged Port   Tagged Port
Client_VLAN_16   16    16              25
Client_VLAN_17   17    17              25
Client_VLAN_18   18    18              25
Client_VLAN_19   19    19              25
Client_VLAN_20   20    20              25
Client_VLAN_21   21    21              25
Client_VLAN_22   22    22              25
Client_VLAN_23   23    23              25
Client_VLAN_24   24    24              25
Uplink_VLAN      25    25
Client_VLAN_26   26    26              25

This highly segmented configuration is useful in situations where traffic generated by each end node or network segment connected
Non-802.1Q Compliant Multiple VLAN Mode

Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. Traffic isolation is established through port mapping. The result, however, is the same. Ports are permitted to forward traffic only to the designated uplink port and to no other port, even when they receive a broadcast packet.
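The claim that both multiple VLAN modes isolate the same port pairs can be verified with the following Python program, an added illustration that is not Allied Telesyn's code. It builds the VLAN table of the 802.1Q-compliant mode for any port count and uplink port (generalizing the table above, which uses port 25 as the uplink), derives the non-802.1Q-compliant port map, and compares the two.

```python
"""Port isolation in the two multiple VLAN modes described in this chapter.

Added illustration only; not Allied Telesyn's code. The 802.1Q-compliant
mode creates Client_VLAN_<n> (VID n) with port n untagged and the uplink
tagged, plus Uplink_VLAN (VID = uplink port) with the uplink as its only,
untagged, member. The non-802.1Q-compliant mode keeps all ports in VID 1 and
allows forwarding only to or from the uplink. Port count and uplink number
are parameters here, which goes beyond the single table shown above.
"""
from typing import Dict, NamedTuple, Set


class VlanRow(NamedTuple):
    name: str
    vid: int
    untagged: Set[int]
    tagged: Set[int]


def compliant_mode_table(num_ports: int, uplink: int) -> Dict[int, VlanRow]:
    """VLAN table of the 802.1Q-compliant multiple VLAN mode, keyed by VID."""
    table: Dict[int, VlanRow] = {}
    for port in range(1, num_ports + 1):
        if port == uplink:
            table[port] = VlanRow("Uplink_VLAN", port, {port}, set())
        else:
            table[port] = VlanRow(f"Client_VLAN_{port}", port, {port}, {uplink})
    return table


def can_forward_compliant(table: Dict[int, VlanRow], src: int, dst: int) -> bool:
    """Two ports can exchange frames only if some VLAN contains both of them."""
    return src != dst and any(
        {src, dst} <= (row.untagged | row.tagged) for row in table.values())


def can_forward_port_map(uplink: int, src: int, dst: int) -> bool:
    """Non-802.1Q-compliant mode: one VLAN, traffic only to or from the uplink."""
    return src != dst and uplink in (src, dst)


def modes_agree(num_ports: int, uplink: int) -> bool:
    """True if both modes permit exactly the same (src, dst) port pairs."""
    table = compliant_mode_table(num_ports, uplink)
    ports = range(1, num_ports + 1)
    return all(can_forward_compliant(table, s, d) == can_forward_port_map(uplink, s, d)
               for s in ports for d in ports)


if __name__ == "__main__":
    # The chapter's table: 26 ports with port 25 as the uplink.
    table = compliant_mode_table(26, 25)
    for row in list(table.values())[15:]:
        print(row.name, row.vid, sorted(row.untagged), sorted(row.tagged))
    print("port 16 -> port 17:", can_forward_compliant(table, 16, 17))  # False
    print("port 16 -> port 25:", can_forward_compliant(table, 16, 25))  # True
    print("modes agree:", modes_agree(26, 25))                           # True
```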
Selecting a VLAN Mode

The following procedure explains how to select a VLAN mode. Available modes are:

❑ User configured VLAN mode (port-based and tagged VLANs)
❑ IEEE 802.1Q Compliant Multiple VLAN mode
❑ Non-IEEE 802.1Q Compliant Multiple VLAN mode

Note
Any port-based or tagged VLANs you created are not retained when you change the VLAN mode from the user configured mode to a multiple VLAN mode and, at some point, reset the switch.
Displaying VLAN Information

To view the VLANs on the switch while the unit is operating in Multiple VLAN mode, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 6 to select Show VLANs. An example of the Show VLANs menu is shown in Figure 205.
Chapter 28
Protected Ports VLANs

This chapter explains protected ports VLANs.
Protected Ports VLAN Overview

The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. In a protected ports VLAN, each port is considered a separate LAN segment that can only communicate with an uplink port. The result is a configuration appropriate in network environments that require a great deal of segmentation.
In contrast, the uplink port in a protected ports VLAN, which is shared by the ports in the different groups, can be either tagged or untagged. The device connected to it does not necessarily need to be 802.1Q compliant.

Note
For explanations of VIDs and tagged and untagged ports, refer to Chapter 25, ”Tagged and Port-based Virtual LANs” on page 513.
Allied Telesyn recommends that you create tables similar to this before you create your own protected ports VLAN. You are prompted for this information when you create the VLAN, and having the tables handy will make the job easier.

Protected Ports VLAN Guidelines

Following are some guidelines for implementing protected ports VLANs:

❑ A switch can contain multiple protected ports VLANs.
❑ A protected ports VLAN should contain a minimum of two groups.
Creating a Protected Ports VLAN

To create a new protected ports VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

2. From the VLAN Configuration Menu, type 4 to select Configure VLANs.

Note
If the menu does not include selection 4, Configure VLANs, the switch is running a multiple VLAN mode. To change the switch’s VLAN mode, refer to Selecting a VLAN Mode on page 579.

3.
Note
A VLAN must be assigned a name.

6. Type 2 to select VLAN ID (VID). The following prompt is displayed:

    Enter new value -> [2 to 4094] ->

7. Type a VID value for the new VLAN. The range for the VID value is 2 to 4094. The AT-S62 management software uses the next available VID number on the switch as the default value.
12. Type C to select Create VLAN. The following prompt is displayed:

    Enter Uplink Ports (4 - 12) ->

The prompt will show the ports that you specified as belonging to the VLAN.

13. Enter the port in the VLAN that will function as the uplink port for the different VLAN groups. You can select more than one uplink port.
Modifying a Protected Ports VLAN

Please note the following before you perform this procedure:

❑ To modify this type of VLAN, you must recreate it by reselecting the uplink port(s) and reassigning the ports to the groups. For this reason Allied Telesyn recommends that before you perform this procedure you first display the details of the protected ports VLAN you want to modify and write down on paper the VLAN’s current configuration (i.e.
3. From the Configure VLANs Menu, type 2 to select Modify VLAN. The Modify VLAN Menu is shown in Figure 185 on page 534.

4. Type 1 to select VLAN ID (VID). The following prompt is displayed:

    Enter new value -> [1 to 4096] ->

5. Enter the VID of the VLAN you want to modify. The Modify VLAN Menu expands to contain all relevant information about the VLAN, as shown in Figure 207.
2 - VLAN ID (VID)
This is the VLAN’s VID value. You cannot change this value.

3 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). The new list of tagged ports will replace the existing tagged ports.

4 - Untagged Ports
Use this selection to add or remove untagged ports from the VLAN. You can specify the ports individually (e.g.
11. If there are ports within the VLAN that still need to be assigned to a group, the prompt in Step 8 is displayed again, showing the unassigned ports. You must repeat Steps 9 and 10, creating additional groups, until all of the ports in the VLAN have been assigned to a group. After you have created all of the groups, this prompt is displayed:

    SUCCESS - Press any key to continue.

Press any key to continue.
Displaying a Protected Port VLAN

To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration menu, type 5 to select Show VLANs. The Show VLANs Menu is shown in Figure 208.
Untagged (U) / Tagged (T) - The ports of the VLAN. Tagged ports are designated with a “T” and untagged ports with a “U.”

3. To view additional information about a protected ports VLAN, type D to select Detail Information Display. The following prompt is displayed:

    Enter new value ->

4. Enter the VID of the protected ports VLAN whose information you want to view. An example of the Show VLANs window for a protected ports VLAN is shown in Figure 209.
Deleting a Protected Ports VLAN

All untagged ports in a deleted protected ports VLAN are automatically returned to the Default_VLAN.

To delete a protected ports VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration Menu is shown in Figure 182 on page 528.

2. From the VLAN Configuration Menu, type 4 to select Configure VLANs. The Configure VLANs Menu is shown in Figure 183 on page 529.
The Delete VLAN Menu expands to contain all relevant information about the VLAN, as shown in Figure 211.

    Allied Telesyn Ethernet Switch AT-8524M - AT-S62
    Production Switch
    User: Manager                    11:20:02 02-Jan-2004

    Delete VLAN

    1 - VLAN Name ..............
    2 - VLAN ID (VID) ..........
    3 - Tagged Ports ...........
    4 - Untagged Ports .........
    5 - Protected Ports ........
9. Repeat this procedure starting with Step 4 to delete other VLANs.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Section VI
Port Security

The chapters in this section explain the port security features of the AT-8524M switch. The chapters include:

❑ Chapter 29: MAC Address Security on page 598
❑ Chapter 30: 802.
Chapter 29
MAC Address Security

This chapter explains how you can use the dynamic and static MAC addresses learned and assigned to the ports of the switch to control which end nodes can forward packets through the device. The sections in this chapter include:

❑ MAC Address Security Overview on page 599
❑ Configuring MAC Address Port Security on page 602
❑ Displaying Port Security Levels on page 605

Note
This type of port security does not apply to ports located on optional GBIC modules.
MAC Address Security Overview

This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it.
Secured

The Secured security level instructs a port to forward frames using only static MAC addresses. The port will not learn any dynamic MAC addresses and will delete any dynamic addresses that it has already learned. Only those end nodes whose MAC addresses are entered as static addresses can forward frames through the port.
Intrusion action defines what a port will do when it receives an invalid frame. For a port operating under either the Secured or Locked security mode, the intrusion action is always the same. It discards invalid frames.

With the Limited security mode you can specify an intrusion action. The options are:

❑ Discard the invalid frame.
❑ Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.)
Configuring MAC Address Port Security

To set the port security level, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 212.
5. Press 1 to change the port security on your specified port list. The following prompt appears:

    Enter new mode (A-Automatic, L-Limited, S-Secured, K-locKed):

6. Select the desired security level. For definitions of the security levels, refer to MAC Address Security Overview on page 599. If you select Automatic, which disables port security on the port, return to the Main Menu to save your change.
8. To set the intrusion action for a port in the limited security mode, do the following:

a. Type 3 to select Intruder Action. The following prompt is displayed:

    Enter intruder action: (N-Discard, T-Trap, D-Disable):

b. Select the desired action:

    N - Discard: The port discards invalid frames. This is the default.
    T - Trap: The port discards invalid frames and sends an SNMP trap.
    D - Disable: The port discards invalid frames, sends an SNMP trap, and disables the port.

9.
Displaying Port Security Levels To view the current security levels for the ports on the switch, do the following: 1. From the Main Menu, type 1 to select Port Configuration. 2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 212 on page 602. 3. From the Port Security menu, type 2 to select Display Port Security. The Display Port Security menu is shown in Figure 215.
Intruder Action This column specifies the action taken by a port if it receives an invalid frame. ❑ Discard: The port discards invalid frames. This is the default. ❑ Send Trap: The port discards invalid frames and sends a trap. This applies only to the Limited security mode. ❑ Disable Port: The port discards invalid frames, sends a trap, and disables the port. This applies only to the Limited security mode.
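The following model of the Secured and Limited security levels and the three intrusion actions is an added illustration; it is not code from the AT-S62 software. It assumes that the Limited mode caps the number of dynamically learned addresses per port (the parameter max_dynamic below), which this chapter names but does not quantify here; the port numbers and MAC addresses are constructed sample values.

```python
"""Model of the AT-S62 MAC address port security levels (Limited and Secured).

Added illustration, not code from the AT-S62 software. The Limited-mode cap
on dynamically learned addresses (max_dynamic) is an assumption; this chapter
only names the mode and its intrusion actions.
"""
from dataclasses import dataclass, field
from typing import List, Set

DISCARD, TRAP, DISABLE = "discard", "trap", "disable"


@dataclass
class SecurePort:
    number: int
    mode: str                                        # "limited" or "secured"
    static: Set[str] = field(default_factory=set)    # statically configured MACs
    max_dynamic: int = 1                             # assumed Limited-mode learning cap
    action: str = DISCARD                            # intrusion action (Limited mode only)
    learned: Set[str] = field(default_factory=set)   # dynamically learned MACs
    enabled: bool = True
    events: List[str] = field(default_factory=list)  # what an operator would see logged

    def __post_init__(self):
        if self.mode not in ("limited", "secured"):
            raise ValueError("mode must be 'limited' or 'secured'")
        self.set_mode(self.mode)

    def set_mode(self, mode: str) -> None:
        """Secured mode forwards only static addresses and deletes learned ones."""
        self.mode = mode
        if mode == "secured":
            self.learned.clear()

    def _intrusion(self, src_mac: str) -> bool:
        """Apply the intrusion action; Secured mode always just discards."""
        self.events.append(f"port {self.number}: discarded frame from {src_mac}")
        if self.mode == "limited" and self.action in (TRAP, DISABLE):
            self.events.append(f"port {self.number}: SNMP trap, intruder {src_mac}")
        if self.mode == "limited" and self.action == DISABLE:
            self.enabled = False
            self.events.append(f"port {self.number}: port disabled")
        return False

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        if not self.enabled:
            self.events.append(f"port {self.number}: dropped, port is disabled")
            return False
        if src_mac in self.static or src_mac in self.learned:
            return True
        if self.mode == "limited" and len(self.learned) < self.max_dynamic:
            self.learned.add(src_mac)
            return True
        return self._intrusion(src_mac)


def run_demo() -> dict:
    """Send the same constructed frame sequence through three differently configured ports."""
    frames = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:01",
              "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01"]
    secured = SecurePort(2, "secured", static={"00:11:22:33:44:55"})
    limited_trap = SecurePort(3, "limited", max_dynamic=2, action=TRAP)
    limited_disable = SecurePort(4, "limited", max_dynamic=2, action=DISABLE)
    return {
        "secured": [secured.ingress(m) for m in frames],
        "limited_trap": [limited_trap.ingress(m) for m in frames],
        "limited_disable": [limited_disable.ingress(m) for m in frames],
        "port4_enabled": limited_disable.enabled,
        "events": secured.events + limited_trap.events + limited_disable.events,
    }
```

The Secured port forwards only the one static address; the Limited port with the Trap action keeps forwarding for the two addresses it learned and traps on the third; the Limited port with the Disable action shuts itself down at the third address and drops everything afterwards, which is why that action needs an operator to re-enable the port.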
Chapter 30 802.1x Port-based Access Control This chapter explains 802.1x Port-based Access Control and how you can use this feature to restrict access to the ports on the switch. Sections are as follows: ❑ 802.
802.1x Port-based Access Control Overview The AT-S62 management software provides you with several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 29, MAC Address Security on page 598, explains how you can restrict network access based on the MAC addresses of the end nodes. This chapter explains yet another way. This method is referred to as port-based access control (IEEE 802.1x).
❑ Authenticator - The authenticator is a port on the switch that prohibits network access by a supplicant until the network user has entered a valid username and password. ❑ Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the usernames and passwords from the supplicants.
Port Roles Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles: ❑ None ❑ Authenticator ❑ Supplicant None Role A port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without having to provide a username and password. This is the default setting for a port.
[Figure 216 Example of the Authenticator Role: an AT-8524M Fast Ethernet Switch with Port 24 in the None role and Port 2 in the Authenticator role, a supplicant running 802.1x client software, and a RADIUS authentication server] As mentioned earlier, the switch itself does not authenticate the usernames and passwords from the clients. That is the responsibility of the authentication server, which contains the RADIUS server software.
[Figure 217 Example of the Supplicant Role: Switch A (an AT-8524M Fast Ethernet Switch) with Port 6 in the Authenticator role and a RADIUS authentication server, connected to Switch B (an AT-8524M Fast Ethernet Switch) with Port 11 in the Supplicant role] Note The use of this port role should be strictly limited. Otherwise, undesired switch operation may result. The port role should only be used when the link will carry traffic from just one client or only management traffic.
The information sent by the switch to the RADIUS server for an event includes: ❑ The port number where the event occurred. ❑ The date and time when the event occurred. ❑ The number of packets transmitted and received by the port during a supplicant’s session. (This information is sent when the client logs off.) You can also configure the accounting feature to send interim updates so you can monitor which clients are still active.
3. You must configure the RADIUS client software in the AT-S62 management software. You will need to provide the following information: ❑ The IP addresses of up to three RADIUS servers. ❑ The encryption key used by the authentication servers. The instructions for this step are in Configuring Authentication Protocol Settings on page 701. 4. You must configure the port access control settings on the switch. This involves the following: ❑ Specifying the port roles.
❑ If a switch port set to the supplicant role is connected to a port on another switch that is not set to authenticator, the port, after a timeout period, will assume that it can send traffic without having to log on. ❑ A username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.
future requests go to servers 1 and 2. If only server 3 responds, then all future requests go to all three servers. ❑ Ports used to interconnect switches should typically be set to the None role, as illustrated in Figure 218.
Enabling and Disabling Port-based Access Control This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to Setting Port Roles on page 618. To enable or disable Port-based Access Control, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services.
Setting Port Roles This procedure sets port roles. For an explanation of port roles, refer to Port Roles on page 610. 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294. 2. From the Security and Services menu, type 2 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 219 on page 617. 3. In the Port Access Control (802.
8. Once you have set port roles, you can go to the next procedure to configure port security parameters or, if you do not want to change the default values, you can go to Enabling and Disabling Port-based Access Control on page 617 and activate the feature.
Configuring Authenticator Port Parameters Note A port must be set to the authenticator role before you can configure its settings. For instructions on how to set a port’s role, refer to Setting Port Roles on page 618. To configure authenticator port parameters, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294. 2.
The Configure Authenticator Port Access Parameters menu is shown in Figure 222.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Configure Authenticator Port Access Parameters
Configuring Port 3

0 - Port Control .............
1 - Quiet Period .............
2 - TX Period ................
3 - Reauth Enabled ...........
4 - Reauth Period ............
5 - Supplicant Timeout .......
6 - Server Timeout ...........
to the client through the interface 1 - Quiet Period Sets the number of seconds that the port remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds. 2 - TX Period Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The default value is 30 seconds.
packets from the client. All other ingress packets that the port might receive from the client, including multicast and broadcast traffic, are discarded until the supplicant has logged on. You can use this selection to control how an Authenticator port will handle egress broadcast and multicast traffic when in the unauthorized state.
Configuring Supplicant Port Parameters Note A port must be set to the supplicant role before you can configure its settings. For instructions on how to set a port’s role, refer to Setting Port Roles on page 618. To configure supplicant port parameters, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 97 on page 294. 2.
The Configure Supplicant Port Access Parameters menu is shown in Figure 222.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Configure Supplicant Port Access Parameters
Configuring Port 5-8

1 - Auth Period...........
2 - Held Period...........
3 - Max Start.............
4 - Start Period..........
5 - User Name.............
6 - User Password.........
network. The username can be from 1 to 64 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points. The username is case-sensitive. 6 - User Password Specifies the password for the port. The port sends the password to the authentication server for verification when the port logs on to the network. The password can contain alphanumeric characters (A to Z, a to z, 1 to 9).
Configuring RADIUS Accounting The AT-S62 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a port during a client session. For background information on this feature, refer to RADIUS Accounting on page 612.
4. Configure the parameters as needed. Changes take effect immediately on the switch. The parameters are defined below. 1 - Status Activates and deactivates RADIUS accounting on the switch. Select Enabled to activate the feature or Disabled to deactivate it. The default is Disabled. 2 - Port Specifies the UDP port for RADIUS accounting. The default is port 1813. 3 - Type Specifies the type of RADIUS accounting. The default is Network.
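The accounting records described in this chapter (the port number, the session, and the packet counts sent at log-off or as interim updates) travel as RADIUS Accounting-Request packets, which RFC 2866 protects with a Request Authenticator computed over the packet and the shared secret. The following is an added example of how such a record is built by the client and checked by the server; it is not the AT-S62 implementation. The attribute numbers are the standard RADIUS ones, the shared secret here plays the role of the "encryption key used by the authentication servers" that the configuration step asks for, and the session id, port number, packet counts and secret are constructed sample values.

```python
"""RADIUS accounting records as sent by an authenticator port (RFC 2866).

Added example; not the AT-S62 implementation. Attribute numbers are the
standard RADIUS ones; session ids, port numbers, counts and the shared
secret are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types (RFC 2865 / RFC 2866)
NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 5, 40, 44
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 47, 48
START, STOP, INTERIM_UPDATE = 1, 2, 3          # Acct-Status-Type values


def attr(atype: int, value) -> bytes:
    """Encode one type-length-value attribute (integers are 32-bit big-endian)."""
    data = struct.pack(">I", value) if isinstance(value, int) else value.encode()
    return struct.pack("BB", atype, len(data) + 2) + data


def build_accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(code | id | length | 16 zero bytes | attributes | secret)."""
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: a packet built with another secret, or altered in transit, fails."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)   # constant-time comparison


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the attributes after the 20-byte header."""
    out, i, attrs = {}, 0, packet[20:]
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def int_attr(attrs: dict, atype: int) -> int:
    return struct.unpack(">I", attrs[atype])[0]


def session_record(status: int, port: int, session: str, rx: int, tx: int,
                   secret: bytes, ident: int) -> bytes:
    """Start, Interim-Update or Stop record for one supplicant session on a port."""
    attrs = (attr(ACCT_STATUS_TYPE, status) + attr(ACCT_SESSION_ID, session)
             + attr(NAS_PORT, port) + attr(ACCT_INPUT_PACKETS, rx)
             + attr(ACCT_OUTPUT_PACKETS, tx))
    return build_accounting_request(ident, secret, attrs)
```

The authenticator is an MD5 checksum keyed with the shared secret, which is all RFC 2866 provides; it detects a wrong secret or a modified packet but does not encrypt the record, so the accounting traffic between the switch and the server should run over a management network rather than a user-facing one.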
Section VII Management Security The chapters in this section explain the management security features of the AT-S62 software.
Chapter 31 Web Server This chapter provides an overview of the web server feature and the procedure for configuring the server.
Web Server Overview The AT-S62 management software comes with web server software so you can remotely manage a switch with a web browser from a management workstation on your network. (For instructions on how to manage a switch with a web browser, refer to the AT-S62 Web Browser Interface User’s Guide.) The web server can operate in two modes. The first is referred to as non-secure HTTP mode.
❑ TLS (Transport Layer Security) version 1.0 General Steps to Configuring the Web Server for Encryption There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section provides the general steps and the procedures for performing them. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.
6. Once you have received the appropriate certificates from the CA, download them into the AT-S62 file system from your management workstation or a TFTP server, as explained in Downloading a System File on page 188. 7. Add the certificates to the certificate database, as explained in Adding a Certificate to the Database on page 672. 8.
Configuring the Web Server This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode. Before configuring the web server, please note the following: ❑ You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.
Menu option 4 is displayed only for HTTPS operation. The option is hidden for HTTP. 3. Type 1 to select Status to toggle the web server between enabled and disabled. To configure the web server, you must first disable it. Toggle between the following values: Enabled - Enables the web server. This is the default setting. Disabled - Disables the web server. (If you are making any changes to the web server settings, you must first disable it.) 4.
Chapter 32 Encryption Keys This chapter describes how to improve the security of your switches with encryption keys. Because of the complexity of the feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the Technical Overview section.
Basic Overview Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised should an intruder gain access to critical switch information, such as a manager’s login username and password, and use that information to alter a switch’s configuration settings.
SSH encryption requires two key pairs on the switch: a server key pair and a host key pair. You then configure the Secure Shell protocol server software on the switch, as explained in Chapter 34, Secure Shell (SSH) Protocol on page 687, by specifying the keys as the host and server SSH keys. Encryption Key Length To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits.
Technical Overview The encryption feature provides the following data security services: ❑ data encryption ❑ data authentication ❑ key exchange algorithms ❑ key creation and storage Data Encryption Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
❑ Electronic Code Book (ECB) is the fundamental DES function. Plaintext is divided into 64-bit blocks which are encrypted with the DES algorithm and key. For a given input block of plaintext ECB always produces the same block of ciphertext. ❑ Cipher Block Chaining (CBC) is the most popular form of DES encryption.
Asymmetrical (Public Key) Encryption Asymmetrical encryption algorithms use two keys, one for encryption and one for decryption. The encryption key is called the public key because it cannot be used to decrypt a message and therefore does not have to be kept secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption.
Typically a MAC is calculated using a keyed one-way hash algorithm. A keyed one-way hash function operates on an arbitrary-length message and a key. It returns a fixed-length hash.
The Diffie-Hellman algorithm, which is used by the AT-S62 management software, is one of the more commonly used key exchange algorithms. It is not an encryption algorithm because messages cannot be encrypted using Diffie-Hellman. Instead, it provides a method for two parties to generate the same shared secret with the knowledge that no other party can generate that same value. It uses public key cryptography and is commonly known as the first public key algorithm.
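The exchange described above, as an added example that is not part of the AT-S62 software: each party keeps a private exponent, sends only its public value, and both arrive at the same shared secret. The group parameters are generated at run time as a demo-sized safe prime so the example is self-contained; a production exchange uses a standardized group of at least 2048 bits. The party names are constructed.

```python
"""Diffie-Hellman key agreement between two parties over an insecure channel.

Added example, not AT-S62 code. The safe prime is generated at run time at a
demo size; real deployments use a standardized 2048-bit or larger group.
"""
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime, so g = 2 has a large order."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Party:
    """One side of the exchange; only .public ever leaves this object."""

    def __init__(self, name: str, p: int, g: int):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 3) + 2      # 2 .. p-2, never sent
        self.public = pow(g, self.private, p)            # this value goes on the wire

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1: those force the secret into a tiny subgroup.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def run_exchange(bits: int = 64) -> tuple:
    """Return (switch secret, client secret, switch public, client public, p)."""
    p, g = generate_safe_prime(bits), 2
    switch, client = Party("switch", p, g), Party("client", p, g)
    # Messages on the wire: p, g, switch.public, client.public. An eavesdropper
    # sees all four but not either private exponent.
    return (switch.shared_secret(client.public),
            client.shared_secret(switch.public),
            switch.public, client.public, p)


def rejects_invalid_public(value: int) -> bool:
    """True if a party refuses the given public value (used to check the range guard)."""
    party = Party("check", 23, 5)    # textbook-sized group, only for the guard test
    try:
        party.shared_secret(value)
        return False
    except ValueError:
        return True
```

The range check on the peer's public value is the part most often left out of textbook presentations; without it a peer can send 1 or p-1 and fix the shared secret to one of two known values.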
Creating an Encryption Key This section contains the procedure for creating an encryption key pair. Caution Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends performing it when the switch is not connected to a network or during periods of low network activity. To create an encryption key pair, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. 2.
The Key Management menu is shown in Figure 228.
The Create Key menu is shown in Figure 229.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Create Key

1 - Key ID ............. 0
2 - Key Type ........... RSA-Private
3 - Key Length ......... 512
4 - Key Description ....
5 - Generate Key

U - Update Display
R - Return to Previous Menu

Enter your selection?

Figure 229 Create Key Menu

5. Type 1 to select Key ID.
9. Type 4 to create a key description. The following prompt is displayed: Enter new Description -> 10. Enter a description for the key. For instance, the description could reflect the key’s function (for example, Sales switch SSL key). You can enter up to 40 alphanumeric characters including spaces. 11. Type 5 to generate the key. The following message is displayed: Key generation will take some time. Please wait... The management software begins to create the key.
Deleting an Encryption Key This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure. ❑ Deleting a key pair from the key management database also deletes the key’s corresponding “.UKF” file from the AT-S62 file system. ❑ You cannot delete a key pair if it is being used by SSL or SSH. You must first either disable the SSL or SSH server software or reconfigure the software by specifying another key.
Modifying an Encryption Key The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key you can modify. This procedure starts from the Key Management menu. If you are unsure how to display the menu, perform steps 1 to 3 in Creating an Encryption Key on page 644. To change the description of a key, perform the following procedure: 1. From the Key Management menu, type 3 to select Modify Key.
Exporting an Encryption Key The following procedure exports the public key of a key pair into the AT-S62 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following: ❑ The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not upload the key automatically when you start an SSH management session.
Note Key Type is a read-only field. You cannot change this value. 3. Type 3 to toggle Key File Format to specify the format of the key. Possible settings are: HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default. SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client. SH2 - Indicates a format for an SSH2 environment.
Importing an Encryption Key Use the following procedure to import a public key from the AT-S62 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored. Note It is unlikely you will ever have reason to perform this procedure. The switch can use only those keys it has generated itself. This procedure starts from the Key Management menu.
3. Type 3 to select Key File Format to choose the format of the key. Selections are: HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default. SSH - Indicates a format for an SSH1 environment. This is the correct setting for a key intended for an SSH1 client. SH2 - Indicates a format for an SSH2 environment. This is the correct setting for a key intended for an SSH2 client. 4.
Chapter 33 Public Key Infrastructure Certificates This chapter contains the procedures for creating Public Key Infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information, refer to the Technical Overview section.
Basic Overview This chapter explains how to implement encryption for your web browser management sessions. Encryption can protect your managed switches from unauthorized access by making it impossible for an intruder monitoring network traffic to decipher the contents of the management packets exchanged between your workstation and a switch during a web browser management session.
Public CAs issue certificates typically intended for use by the general public. Since a certificate for an AT-8500 Series switch is not intended for general use, but will only be used by you and other network managers, you might decide that the switch’s certificate need not be issued by this type of CA. Some large companies have private CAs.
A certificate name does not have to contain all of these parts. You can use as many or as few as you want. You separate the parts with a comma. You can use alphanumeric characters, as well as spaces in the name strings. You cannot use quotation marks. To use the following special characters {=,+<>#;\}, type a “\” before the character. Here are a few examples.
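The comma-separated, backslash-escaped name format described above is easy to get wrong by hand, for example when a location string itself contains a comma. The following added example (not code from the AT-S62 software) builds such a name from its parts, escaping the characters the guide lists, and parses one back, splitting only on unescaped commas and taking the first unescaped "=" of each part as the separator. The organization and location strings are constructed sample values.

```python
"""Build and parse distinguished names in the escaped, comma-separated form.

Added example, not AT-S62 code. SPECIAL is the character set the guide says
must be preceded by a backslash; the sample names are constructed.
"""
SPECIAL = set('=,+<>#;\\')


def escape_value(value: str) -> str:
    """Put a backslash before each of the special characters."""
    if '"' in value:
        raise ValueError("quotation marks are not allowed in a name")
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_dn(components) -> str:
    """[('CN', 'Sales, Bldg 2'), ('O', 'Acme')] -> 'CN=Sales\\, Bldg 2,O=Acme'."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in components)


def _tokens(dn: str):
    """Yield (character, was_escaped) so the splitters can tell ',' from '\\,'."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\":
            if i + 1 == len(dn):
                raise ValueError("name ends with a dangling backslash")
            out.append((dn[i + 1], True))
            i += 2
        else:
            out.append((dn[i], False))
            i += 1
    return out


def parse_dn(dn: str):
    """Return [(attribute, value), ...]; values come back unescaped."""
    if '"' in dn:
        raise ValueError("quotation marks are not allowed in a name")
    parts, current = [], []
    for ch, escaped in _tokens(dn) + [(",", False)]:   # sentinel closes the last part
        if ch == "," and not escaped:
            parts.append(current)
            current = []
        else:
            current.append((ch, escaped))
    result = []
    for part in parts:
        for idx, (ch, escaped) in enumerate(part):
            if ch == "=" and not escaped:
                break
        else:
            raise ValueError("name part without '=': " + "".join(c for c, _ in part))
        attr = "".join(c for c, _ in part[:idx]).strip()
        value = "".join(c for c, _ in part[idx + 1:])
        if not attr:
            raise ValueError("empty attribute type")
        result.append((attr, value))
    return result
```

Round-tripping a name through build_dn and parse_dn is a quick way to confirm that an escaped string will be read back with the parts you intended before typing it into the switch.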
SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. A web server can operate in one of two modes, HTTP or HTTPS. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are sent encrypted.
Guidelines Here are guidelines to creating certificates: ❑ A certificate can have only one public key. ❑ A switch can use only those certificates that contain keys that it generated itself. ❑ You can create multiple certificates on a switch, but the device will only use the certificate whose key pair has been designated as the active key pair for the switch’s web server. ❑ Most web browsers support both unsecured (plaintext) and secured (encrypted) operation.
Technical Overview The Secure Sockets Layer (SSL) feature is a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.
All application data messages are authenticated by SSL with a message authentication code (MAC). The MAC is a checksum that is created by the sender and is sent as part of the encrypted message. The recipient recalculates the MAC, and if the values match, the sender’s identity is verified. The MAC also ensures that the message has not been tampered with by a third party because any change to the message changes the MAC.
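The keyed one-way hash described in the Data Authentication part of Chapter 32 and the per-message MAC described here are the same mechanism. The following added example (not the AT-S62 or SSL implementation) shows a sender attaching an HMAC-SHA256 tag to each record and a recipient recalculating it; the record also carries a sequence number under the MAC, as the SSL record layer does, so a replayed or reordered record is rejected along with a tampered one. The record layout and the session key are constructed for the example.

```python
"""Per-record message authentication with a keyed hash (HMAC-SHA256).

Added example, not the SSL or AT-S62 implementation. Record layout:
  8-byte sequence number | 2-byte data length | data | 32-byte tag
The tag covers the sequence number and the data. Keys are constructed.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QH")   # sequence number, data length
TAG_LEN = 32


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, data: bytes) -> bytes:
        header = HEADER.pack(self.seq, len(data))
        tag = hmac.new(self.key, header + data, hashlib.sha256).digest()
        self.seq += 1
        return header + data + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0     # next sequence number we will accept

    def receive(self, record: bytes) -> bytes:
        if len(record) < HEADER.size + TAG_LEN:
            raise ValueError("record too short")
        seq, length = HEADER.unpack(record[:HEADER.size])
        body_end = HEADER.size + length
        data, tag = record[HEADER.size:body_end], record[body_end:]
        if len(data) != length or len(tag) != TAG_LEN:
            raise ValueError("bad framing")
        expected = hmac.new(self.key, record[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):        # constant-time compare
            raise ValueError("MAC mismatch: tampered record or wrong key")
        if seq != self.seq:                                # checked only after the MAC
            raise ValueError("replayed or out-of-order record")
        self.seq += 1
        return data


def accepts(receiver: Receiver, record: bytes) -> bool:
    try:
        receiver.receive(record)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    """Return (first ok, replay accepted, tampered accepted, wrong key accepted, second ok)."""
    key = b"constructed-session-key"
    sender, receiver = Sender(key), Receiver(key)
    rec1 = sender.send(b"hello")
    rec2 = sender.send(b"world")
    ok1 = receiver.receive(rec1) == b"hello"
    replay = accepts(receiver, rec1)                       # sequence 0 seen again
    tampered = accepts(receiver, rec2[:HEADER.size] + b"WORLD" + rec2[HEADER.size + 5:])
    wrong_key = accepts(Receiver(b"other-key"), rec2)
    ok2 = receiver.receive(rec2) == b"world"
    return ok1, replay, tampered, wrong_key, ok2
```

Two details carry over to any real record protocol: the tag is compared in constant time, and the sequence check runs only after the tag verifies so an attacker cannot probe the receiver's state with unauthenticated records.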
The Application data message encapsulates the encrypted application data. Authentication Authentication is the process of ensuring both the web site and the end user are genuine. In other words, they are not imposters. Both the server and individual users need to be authenticated. This is especially important when transmitting secure data over the Internet. To verify the authenticity of a server, the server has a public and private key.
Digital Signatures The second main service provided by public key encryption is digital signing. Digital signatures both confirm the identity of the message’s supposed sender and protect the message from tampering. Therefore they provide message authentication and non-repudiation. It is very difficult for the signer of a message to claim that the message was corrupted, or to deny that it was sent.
❑ The owner’s identity details, such as name, company and address. ❑ The owner’s public key, and information about the algorithm with which it was produced. ❑ The identity details of the organization which issued the certificate. ❑ The issuer’s digital signature and the algorithm used to produce it. ❑ The period for which the certificate is valid.
An organization may own a Certification Authority and issue certificates for use within its own networks. In addition, an organization’s certificates may be accepted by another network, after an exchange of certificates has validated a certificate for use by both parties. As an alternative, an outside CA may be used. The switch can interact with the CA, whether a CA is part of the organization or not, by sending the CA requests for certification.
Out-of-band verification involves both the owner of a certificate and the user who wishes to verify that certificate generating a one-way hash (a fingerprint) of the certificate. These two hashes must then be compared using at least one non-network-based communication method. Examples of suitable communication methods are mail, telephone, fax, or transfer by hand from a storage device such as a smartcard or floppy disk.
Before the switch can use a certificate, it must be retrieved and manually added to the switch’s Certificate Database, which is stored in RAM. The switch attempts to validate the certificate, and if validation is successful the certificate’s public key is available for use.
Creating a Self-signed Certificate This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure: ❑ For a general review of all the steps to configuring the switch for a self-signed certificate, refer to General Steps for a Self-signed Certificate on page 632. ❑ The switch’s time and date must be set before you create a self-signed certificate.
3. From the Keys/Certificate menu, select 3 to select Public Key Infrastructure (PKI) Configuration. The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 232.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

Public Key Infrastructure (PKI) Configuration

1 - Maximum Number of Certificates.......
The Certificate Database portion of the window lists the certificates currently in the database. These could be certificates that you created or had a CA create. The switch’s web server can only use a certificate if it is in the database. Note In the X509 Certificate Management Menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch. 5.
9. Enter the ID number of the encryption key you want to use to create the certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535. 10. Type 3 to select Format to choose the encoding format for the certificate. Possible settings are: DER - Indicates the certificate contents are in a binary format. This is the default.
Adding a Certificate to the Database Once you have created a certificate or received a certificate from a public or private CA, you need to add it into the certificate database to make it available for use by the switch’s web server. After you add a certificate to the certificate database, it appears in the X509 Certificate Management menu. During the procedure you are asked to specify the certificate’s filename.
6. Type 1 to select Certificate Name and enter a name for the certificate. This is the name for the certificate as it will appear in the certificate database list. You can enter up to 24 alphanumeric characters. Spaces are allowed. No extension is needed. You might want to include in the name the filename of the certificate in the file system. This will make it easier for you to match a certificate in the database with its corresponding file in the file system.
10. Type 5 to select Add Certificate to add the certificate to the certificate database. The management software adds the certificate to the database, a process that requires only a few seconds. 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Certificate The procedure in this section modifies a certificate. (The certificate to be modified must be in the certificate database.) Here are the certificate items you can modify: ❑ State - trusted or untrusted ❑ Type - EE, CA, or Self Note These parameters have no effect on the operation of a certificate. They are included only for informational purposes when the certificate is displayed in the certificate database.
3. Type 2 to select State and specify if a certificate is trusted or untrusted. Trusted - This value indicates you have verified that the certificate is from a trusted CA. This is the default. Untrusted - This value indicates the certificate is from an untrusted CA either because you have not verified the CA or you have verified the CA is untrusted. 4. Type 3 to specify the type assigned to the certificate.
Deleting a Certificate The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure: ❑ Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S62 file system. To completely remove a certificate from the switch, you must also delete it from the file system.
Viewing a Certificate This procedure displays information about a certificate, such as its distinguished name and serial number. This procedure starts from the X509 Certificate Management menu. If you are unsure how to access the menu, perform steps 1 to 4 in the procedure Adding a Certificate to the Database on page 672. To view the details of a certificate, perform the following procedure: 1.
3. Type N to see the second page of certificate details. The View Certificate Details menu (page 2) is shown in Figure 238.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62
Production Switch
User: Manager 11:20:02 02-Jan-2004

View Certificate Details

Subject ......... CN=149.44.44.44
Issuer .......... CN=149.44.44.44
MD5 Fingerprint...4E:76:06:FA:F6:C1:DA:FF:4D:E9:76:02:1D:8F:DA:CB
SHA1 Fingerprint..
MD5 Fingerprint - Indicates the MD5 algorithm. This value is a 16-byte digest that provides a unique sequence for each certificate.
SHA1 Fingerprint - Indicates the Secure Hash Algorithm. This value is a 20-byte digest that provides a unique sequence for each certificate.
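To check a displayed fingerprint from the management workstation before marking a certificate Trusted, the following added Python example (not part of this guide or of the AT-S62 software) recomputes the MD5 (16-byte) and SHA1 (20-byte) fingerprints over a certificate's DER encoding and compares them with the value copied from the View Certificate Details menu. The PEM input is a constructed stand-in, not a real certificate.

```python
"""Recompute the certificate fingerprints that View Certificate Details shows."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: 256 arbitrary bytes treated as the
# DER encoding and wrapped in PEM armour so the PEM parsing path is exercised.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Digest lengths as described for the MD5 and SHA1 fingerprints.
FINGERPRINT_BYTES = {"md5": 16, "sha1": 20}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(data):
    """Return the DER bytes the fingerprint is computed over.

    Accepts a PEM string or bytes (the first CERTIFICATE block is used)
    or raw DER bytes, which are returned unchanged.
    """
    if isinstance(data, bytes):
        if b"-----BEGIN" not in data:
            return data
        data = data.decode("ascii")
    match = _PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def fingerprint(der, algorithm):
    """Digest of the DER encoding as colon-separated upper-case hex pairs."""
    if algorithm not in FINGERPRINT_BYTES:
        raise ValueError("unsupported fingerprint algorithm: %s" % algorithm)
    digest = hashlib.new(algorithm, der).digest()
    return ":".join("%02X" % b for b in digest)


def normalize(shown):
    """Accept the value as copied from the menu: any case, with or without colons."""
    return re.sub(r"[^0-9A-F]", "", shown.upper())


def matches_switch_display(der, shown, algorithm):
    """True only when the displayed fingerprint equals the recomputed one.

    A value of the wrong length (truncated or partially copied) never
    matches, and the comparison itself is constant-time.
    """
    expected = normalize(fingerprint(der, algorithm))
    got = normalize(shown)
    if len(got) != 2 * FINGERPRINT_BYTES[algorithm]:
        return False
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("md5", "sha1"):
        print("%s Fingerprint...%s" % (algo.upper(), fingerprint(der, algo)))
```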
Generating an Enrollment Request

To request a certificate from a public or private CA, you need to generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S62 file system, from where you can upload it to your management workstation or FTP server for submission to the CA.
5. From the Public Key Infrastructure (PKI) Configuration Menu, type 3 to generate an enrollment request. The Generate Enrollment Request Menu is shown in Figure 239.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2004

Generate Enrollment Request Menu

1 - Request Name....................
2 - KeyPair ID ..................... 0
3 - Format ......................... PEM
4 - Type ...........................
5 -
PEM - Creates the certificate in the Privacy Enhanced Mail (PEM) format, which is an ASCII format.

Note
Option 4, Type, cannot be changed. The PKCS10 value indicates the internal format of an enrollment request.

11. Type 5 to select Generate Enrollment Request. Once the switch has finished generating the request, you will see a message similar to the following.

Enrollment request is being generated. Please wait ...Done.
Enrollment Request available in file [Switch

12.
Installing CA Certificates onto a Switch

This section lists the procedures for installing a certificate created by a public or private CA onto the switch. It should be noted that a CA-generated certificate will consist of several certificates, with a minimum of two. All the certificates from the CA must be installed on the switch.

Note
CA certificates can only be used on the switch where you created the encryption key pair and enrollment request.
Configuring PKI

Option 1 - Maximum Number of Certificates in the Public Key Infrastructure (PKI) Configuration menu controls the maximum number of certificates you can add to the certificate database. The range is 12 to 256. The default value is 256. There should be little cause or need for you to adjust this value.

To display the Public Key Infrastructure (PKI) Configuration menu, perform steps 1 to 3 of the procedure Creating a Self-signed Certificate on page 668.
Configuring SSL

To configure the SSL protocol, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 9 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 240.

Allied Telesyn Ethernet Switch - AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2004

Secure Socket Layer (SSL)

1 - Maximum Number of Sessions.........
Chapter 34
Secure Shell (SSH) Protocol

This chapter contains overview information about the Secure Shell (SSH) protocol and the procedure for configuring this protocol on a switch from a local or Telnet management session. It contains the following sections:
❑ SSH Overview on page 688
❑ Configuring the SSH Server on page 692
❑ Displaying SSH Information on page 694

Note
The feature is not available in all versions of the AT-S62 management software.
SSH Overview

Secure management is increasingly important in modern networks: the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem—it is only protected by plaintext usernames and passwords, which are vulnerable to wiretapping and password guessing.
❑ Tunnelling of TCP/IP traffic

Note
Non-encrypted Secure Shell sessions serve no purpose.

SSH Server

The AT-S62 management software includes SSH server software. When the SSH server is activated, your remote management sessions of the switch from a management station that has SSH client software will be encrypted.

Note
If your switch is in a network protected by a firewall, you may need to configure the firewall to permit SSH connections.
SSH and Enhanced Stacking

The AT-S62 management software allows for encrypted SSH management sessions between a management workstation and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
Guidelines

Below are the guidelines to observe when configuring SSH:
❑ SSH requires two encryption key pairs. One key pair will function as the host key and the other as the server key. For instructions on creating keys, refer to Creating an Encryption Key on page 644.
❑ The two encryption key pairs must be of different lengths, at least one increment (256 bits) apart. The recommended bit size for a server key is 768 bits.
Configuring the SSH Server

This section describes how to configure the SSH server software on the switch. For a description of all the steps required to configure an SSH server, see General Steps to Configuring SSH on page 691.

This procedure assumes that you have already created the two key pairs. If you have not created the keys, go to Creating an Encryption Key on page 644.

While you are configuring the SSH feature, you must disable the SSH server.
3. Select 1 - SSH Server Status to enable or disable the SSH server.
4. Choose from one of the following:
Disabled - While you are configuring SSH, you must set this field to Disabled. This is the default.
Enabled - Select this value to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server.

Note
You cannot disable the SSH server when there is an active SSH connection; if you try, you receive a warning message.

5.
Displaying SSH Information

To display SSH server information, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 8 to select Secure Shell (SSH). The Secure Shell (SSH) Menu is shown in Figure 242 on page 692.
3. From the Secure Shell (SSH) menu, select 6 - Show Server Information to display the SSH server data. The Show Server Information Menu is shown in Figure 243.
❑ Host Key ID: Indicates the host key ID defined for SSH.
❑ Host Key Bits: Indicates the number of bits in the host key.
❑ Server Key ID: Indicates the server key ID defined for SSH.
❑ Server Key Bits: Indicates the number of bits in the server key.
❑ Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated. The default is 0 hours, which means the server key is not regenerated.
Chapter 35
RADIUS and TACACS+ Authentication Protocols

This chapter explains how to create new manager accounts on a switch using the two authentication protocols RADIUS and TACACS+.
TACACS+ and RADIUS Overview

TACACS+ and RADIUS are authentication protocols for enhancing the security of your network. (TACACS+ is an acronym for Terminal Access Controller Access Control System. RADIUS is an acronym for Remote Authentication Dial In User Services.) In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server.
When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid for that switch. This is referred to as authentication.
gateway in the Administration Menu so that the switch and server can communicate with each other.
❑ You need to configure the TACACS+ or RADIUS software on the authentication server. This involves the following:
— Specifying the username and password combinations. A username can contain up to 30 alphanumeric characters and a password up to 16 characters.
You can specify up to three TACACS+ or RADIUS servers. Specifying multiple servers adds redundancy to your network. For example, removing an authentication server from the network for maintenance will not prevent network managers from logging into switches if there are one or two other authentication servers on the network.
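The exchange described above, in which the switch hands the manager's username and password to a RADIUS server protected only by the shared encryption secret (the Global Encryption Key or a per-server secret), as an added Python example that is not part of this guide or of the AT-S62 software: it builds and parses an RFC 2865 Access-Request with the User-Password hidden under the secret, which is why the secret must match on switch and server. The secret, username, password and switch (NAS) address are constructed values.

```python
"""Build and decode the RADIUS Access-Request a switch sends to its server."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attribute(attr_type, value):
    """One type/length/value attribute; the length counts its own 2 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous block); the first block uses the
    Request Authenticator. Without the shared secret this cannot be undone.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    blocks = (len(password) + 15) // 16
    padded = password.ljust(blocks * 16, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier,
                         authenticator=None):
    """Access-Request with User-Name, hidden User-Password and NAS-IP-Address."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable per request
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD,
                          hide_password(password, secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # Constructed values: a switch at 192.0.2.10 logging in "manager".
    pkt = build_access_request(b"manager", b"friend", b"constructed-secret",
                               "192.0.2.10", 1)
    print(parse_packet(pkt))
```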
Configuring Authentication Protocol Settings

To configure the RADIUS or TACACS+ settings on the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Menu is shown in Figure 244.
5. To disable the server-based authentication feature on the switch, do the following:
a. Type 1 to select Server-based Authentication. The following prompt is displayed:

Server Based User Authentication (E-Enabled, D-Disabled) ->

b. Type D to disable the feature. The default is disabled.
c. Return to the Main Menu and type S to save your change.
Use per-server secret [Y/N] ->

If you will be specifying more than one TACACS+ server and all of the servers use the same encryption secret, you can answer No to this prompt and enter the encryption secret using the TAC Global Secret parameter. However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, respond with Yes to this prompt.
a. Type 4 to select RADIUS Configuration. The RADIUS Client Configuration menu is shown in Figure 246.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2004

RADIUS Client Configuration

1 - Global Encryption Key .............
2 - Global Server Timeout period.......
3 - RADIUS Server 1 Configuration .....
4 - RADIUS Server 2 Configuration .....
5 - RADIUS Server 3 Configuration .....
6 -
3 - RADIUS Server 1 Configuration
4 - RADIUS Server 2 Configuration
5 - RADIUS Server 3 Configuration

Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software. Selecting one of the options displays the RADIUS Server Configuration menu, shown in Figure 247.

Allied Telesyn Ethernet Switch AT-8524M - AT-S62 Production Switch
User: Manager                                    11:20:02 02-Jan-2004

RADIUS Server 1 Configuration

1 - Server IP Address .
d. From the Authentication Menu, type 1 to select Server-based Authentication. The following prompt is displayed:

Server Based User Authentication (E-Enabled, D-Disabled) ->

e. Type E to enable server-based authentication on the switch.
f. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 36
Management Access Control List

This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Management Access Control List Overview

The Management Access Control List (ACL) is a tool for restricting remote management access to a switch. You can use this feature to control which management workstations can remotely manage the device using the Telnet application protocol or a web browser. The Management ACL filters the remote management packets that a switch receives.
IP Address
You can specify the IP address of a specific management workstation or a subnet.

Mask
You need to enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255.
❑ The ACEs are performed in the order in which you enter them in the ACL. However, you can enter the ACEs in any order since all ACEs are permit statements.
❑ The protocol is always TCP.
❑ The Management ACL does not control local, SSH, or SNMP management.
❑ Activating this feature without specifying any ACEs prohibits you from managing the switch remotely with a Telnet application or web browser. The switch discards all Telnet and web browser management packets.
This ACE allows all management workstations in the subnet 149.11.11.0 to remotely manage the switch using a web browser, but not the Telnet application protocol:

IP Address      Mask              Protocol    Interface
149.11.11.0     255.255.255.0     TCP         Web

A Management ACL can contain multiple ACEs. The two ACEs in this ACL allow all management packets from the subnets 149.11.11.0 and 149.22.22.
Creating a Management ACL

To create a Management ACL, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 7 on page 55.
2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 249.
255.255.255.255. If you are filtering on a subnet, the mask will depend on the address. For example, to allow all management workstations in the subnet 149.11.11.0 to manage the switch, you would enter the mask 255.255.255.0. This prompt is displayed:

Enter the Protocol [TCP]:

6. Enter TCP. AT-S62 management packets from Telnet and web browser management sessions use TCP. This prompt is displayed:

Enter the Interface [TELNET/WEB/ALL]:

7.
Adding, Deleting, and Viewing ACEs

You can add or delete ACEs from the Management ACL at any time. To add an ACE, simply repeat the procedure in Creating a Management ACL on page 712. A new ACE is automatically added to the existing ACEs already in the Management ACL. To delete an ACE, you perform the same procedure, but instead of selecting option 2 - Add Management ACL Entry from the Management ACL Menu, select option 3 - Delete Management ACL Entry.
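The ACE matching rules from the overview of this chapter (permit-only entries, mask bits that select which address bits are compared, TELNET/WEB/ALL interfaces, an active ACL with no ACEs that discards everything, and no control over local, SSH or SNMP management), as an added Python model that is not part of this guide or of the AT-S62 software. The ACL it evaluates is constructed from the guide's 149.11.11.0 example plus one single-host entry.

```python
"""Model of how a Management ACL permits or discards remote management packets."""
import ipaddress
from dataclasses import dataclass

# Management paths the ACL does not control.
UNCONTROLLED = {"LOCAL", "SSH", "SNMP"}
# Management paths the ACL filters.
CONTROLLED = {"TELNET", "WEB"}


@dataclass(frozen=True)
class Ace:
    """One access control entry; every ACE is a permit statement."""
    ip_address: str
    mask: str
    protocol: str = "TCP"      # always TCP for Telnet and web management
    interface: str = "ALL"     # TELNET, WEB or ALL

    def __post_init__(self):
        if self.protocol.upper() != "TCP":
            raise ValueError("the Management ACL protocol is always TCP")
        if self.interface.upper() not in CONTROLLED | {"ALL"}:
            raise ValueError("interface must be TELNET, WEB or ALL")
        ipaddress.IPv4Address(self.ip_address)   # reject malformed entries early
        ipaddress.IPv4Address(self.mask)

    def matches(self, source_ip, service):
        """A '1' mask bit means that address bit must match; a '0' bit is ignored."""
        mask = int(ipaddress.IPv4Address(self.mask))
        src = int(ipaddress.IPv4Address(source_ip))
        entry = int(ipaddress.IPv4Address(self.ip_address))
        if (src & mask) != (entry & mask):
            return False
        return self.interface.upper() in ("ALL", service)


def management_allowed(aces, acl_enabled, source_ip, service):
    """Decide whether a management packet from source_ip is accepted.

    service is TELNET or WEB (filtered) or LOCAL, SSH or SNMP (never
    filtered). With the feature active and no ACEs configured, every
    Telnet and web management packet is discarded.
    """
    service = service.upper()
    if service in UNCONTROLLED:
        return True
    if service not in CONTROLLED:
        raise ValueError("unknown management service: %s" % service)
    if not acl_enabled:
        return True
    return any(ace.matches(source_ip, service) for ace in aces)


# Constructed ACL: the guide's subnet example plus one workstation.
SAMPLE_ACL = [
    Ace("149.11.11.0", "255.255.255.0", "TCP", "WEB"),
    Ace("149.22.22.22", "255.255.255.255", "TCP", "ALL"),
]


if __name__ == "__main__":
    for src, svc in (("149.11.11.50", "WEB"), ("149.11.11.50", "TELNET"),
                     ("149.22.22.22", "TELNET"), ("149.22.22.23", "WEB")):
        print(src, svc, "permit" if management_allowed(SAMPLE_ACL, True, src, svc)
              else "discard")
```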
Appendix A
AT-S62 Default Settings

This appendix lists the AT-S62 factory default settings.
❑ VLAN Default Settings on page 739
❑ Web Server Default Settings on page 740
Basic Switch Default Settings

This section lists the default settings for basic switch parameters.
Management Interface Setting           Default
Console Disconnect Timer Interval      10 minutes

Note
Login names and passwords are case-sensitive.

RS-232 Port Default Settings

The following table lists the RS-232 Terminal Port default settings.

RS-232 Port Setting     Default
Data Bits               8
Stop Bits               1
Parity                  None
Flow Control            None
Baud Rate               9600 bps

SNTP Default Settings

The following table lists the SNTP default settings.
Switch Administration Default Settings

The following table describes the switch administration default settings.

Administration Setting     Default
IP Address                 0.0.0.0
Subnet Mask                0.0.0.0
Gateway Address            0.0.0.0
System Name                None
Administrator              None
Comments                   None
BOOTP/DHCP                 Disabled
MAC Address Aging Time     300 seconds

System Software Default Settings

The following table lists the system software default settings.
Denial of Service Defense Default Settings

The following table lists the default settings for the Denial of Service defense feature.

Denial of Service Defense Setting     Default
IP Address                            0.0.0.0
Subnet Mask                           0.0.0.
Enhanced Stacking Default Setting

The following table lists the enhanced stacking default setting.
Event Log Default Settings

The following table lists the event log default settings.
GVRP Default Settings

This section provides the default settings for GVRP.
IGMP Snooping Default Settings

The following table lists the IGMP Snooping default settings.
MAC Address Security Default Settings

The following table lists the MAC address security default settings.
Management Access Control List Default Setting

The following table lists the default setting for the Management Access Control List.
PKI Default Settings

The following table lists the PKI default settings, including the generate enrollment request settings.
Port Configuration Default Settings

The following table lists the port configuration default settings.
802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port Access Control default settings.

802.1x Port Access Control Setting     Default
Port Access Control                    Disabled
Authentication Method                  RADIUS EAP
Port Role                              None

The following table lists the default settings for RADIUS accounting.
Authenticator Port Setting     Default
Piggyback Mode                 Enabled

The following table lists the default settings for a supplicant port.
Power Over Ethernet

The following table describes the Power over Ethernet (PoE) default settings. This feature applies only to the AT-8524POE switch.

PoE Setting            Default
PoE Status             Enabled
Port PoE Status        Enabled
Maximum Port Power     15.
Class of Service

The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.

IEEE 802.
Server-Based Authentication Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings:
Server-Based Authentication Default Settings
RADIUS Default Settings
TACACS+ Client Default Settings

The following table describes the server-based authentication default settings.
SNMP Default Settings

The following table describes the SNMPv1 and SNMPv2c default settings.
STP, RSTP, and MSTP Default Settings

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting          Default
Spanning Tree Status        Disabled
Active Protocol Version     RSTP

STP Default Settings

The following table describes the STP default settings.

RSTP Default Settings
RSTP Setting       Default
Port Priority      128

MSTP Default Settings

The following table lists the MSTP default settings.
SSH Default Settings

The following table lists the SSH default settings.
SSL Default Settings

The following table lists the SSL default settings.
VLAN Default Settings

This section provides VLAN default settings.
Web Server Default Settings

The following table lists the web server default settings.
Appendix B
SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.
SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:
❑ a Manager
❑ an Operator

In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 22, SNMPv3 Configuration on page 348.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet

This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

SNMPv3 Access Table Menu
Group Name
Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table
User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table
Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table
Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
SNMPv3 Parameters (Continued)

Storage Type

SNMPv3 Target Parameters Table
Target Parameters Name
User (Security) Name
Security Model
Security Level
Storage Type
Index

Numerics
802.
associations defined 484 VLANs to MSTI IDs 502 asymmetrical encryption algorithms 641 AT-S62 software default settings 715 AT-S62 software updates downloading 26 downloading from a local session 175, 195 obtaining 26 auth period 625 authentication failure trap default setting 734 disabling 85 enabling 85 authentication protocols 697 authentication server 609 authenticator port role 610 authenticator port, described 609 automatic port security mode, described 599 auto-negotiation configuring 100 force
certificate type, configuring 673 certificates, guidelines 659 certificates, PKI adding to database 672 chains 665 creating 668 database 666 database storage 666 deleting 675, 677 described 663 displaying 678 modifying 675, 677 validating 665 certificates, SSL authentication 662 described 662 certificates, X.509 663 certification authority (CA) described 664 root 665 CFB.
dynamic GVRP port 549 dynamic GVRP VLAN 549 Dynamic Host Control Protocol (DHCP) activating 59 deactivating 59 default setting 719 dynamic MAC address, defined 109 E ECB.
guidelines 551 GVRP counters 565 GVRP state machine, displaying 571 intermediate switches 553 overview 549 parameters, displaying 564 security issues 552 statistics, displaying 564 GARP. See Generic Attribute Registration Protocol (GARP) gateway address configuring 57 default setting 719 Generic Attribute Registration Protocol (GARP) Applicant state machine 556 defined 554 diagram 555 overview 554 Registrar state machine 557 GID index parameter 569 GID.
multicast routers, displaying 308 overview 301 snoop topology 304 Internet Protocol (IP) address assigning 54 configuring 56 default 719 switches 53 intrusion action (port) configuring 604 default setting 725 IP Options attack 314 K key exchange algorithms 642 key pair ID, configuring 682 L LACP port priority described 128 LACP system priority configuring 140 described 127 LACP trunk configuring ports 146 creating aggregator 141 deleting aggregator 145 described 123 displaying status 148 enabling or
max age parameter Multiple Spanning Tree Protocol (MSTP) 495 max hops parameter Multiple Spanning Tree Protocol (MSTP) 496 max requests 622 max start 625 maximum multicast groups configuring 305 default setting 724 maximum number of sessions configuring 686 default setting 738 MD5 authentication algorithm 642 MD5 authentication protocol 350 MDI 95 MDI/MDIX mode 99 MDI-X 95 message authentication code (MAC) defined 661 described 641 message encryption 662 MIB Subtree view
mode activating 579 deactivating 579 overview 575 N negotiation status 95 networking stack 333 non-802.1Q compliant multiple VLAN mode, described 578 none port role 610 NonVolatile storage, described 352 O OFB.
Rapid Spanning Tree Protocol (RSTP) 475 Spanning Tree Protocol (STP) 470 port priorities, displaying 299, 543 port priority default setting 735 described 460 Rapid Spanning Tree Protocol (RSTP) 476 Spanning Tree Protocol (STP) 471 port priority parameter Multiple Spanning Tree Instance (MSTI) 499 Multiple Spanning Tree Protocol (MSTP) 509 port role, default setting 729 port security configuring 602 default settings 725 defined 599 displaying 605 guidelines 601 intrusion
R RADIUS default settings 733 disabling 701 enabling 701 guidelines 698 overview 697 settings, displaying 706 status, displaying 706 RADIUS server encryption key 705 IP address, configuring 705 Rapid Spanning Tree Protocol (RSTP) bridge forwarding delay 474 bridge hello time 474 bridge max age 474 bridge parameters, configuring 473 bridge priority 474 default settings 735 disabling 466 edge port, configuring 476 enabling 466 force version 474 point-to-point port, configuring 476 port configuration, d
server key ID parameter 693 server port (SSH) parameter 694 server timeout, configuring 622 server-based authentication method default setting 729, 733 setting 701 session cache timeout configuring 686 default setting 738 SHA authentication algorithm 642 SHA authentication protocol 350 Simple Network Management Protocol.
displaying 449 modifying group name 398 storage type 400 SNMPv3 SecurityToGroup Table, described 357 SNMPv3 Target Address Table entry creating 410 deleting 412 displaying 451 modifying storage type 420 target address retries 417 target address tag list 418 target address timeout 416 target address UDP port 415 target IP address 414 target parameters 419 SNMPv3 Target Address Table, described 357 SNMPv3 Target Parameters Table entry creating 423 deleting 426 displaying 452 modifying message process m
strict priority scheduling 292 subnet mask 57 configuring 57 default setting 719 Subtree Mask 352 subtree mask, modifying 374 supplicant port described 608 start period 625 supplicant role 611 supplicant timeout 622 switch hardware information 77 rebooting 61 resetting 61 software information 77 switch name, configuring 55 switch state, default setting 721 symmetrical encryption 639 SYN Flood attack 310 system date default setting 718 setting 65 system files copying 170
user password, configuring 626 User-based Security Model (USM) authentication 349 UTC offset default setting 718 setting 67 disabling 635 enabling 635 overview 631 port number 635 web server mode, configuring 635 weighted round robin priority scheduling 292 V versions supported (SSH) parameter 694 VID. See VLAN ID view type, modifying 376 virtual LAN (VLAN) creating 528, 532, 585 default settings 739 defined 514 deleting 539, 542 displaying 538, 580, 592 modifying 534, 588 multiple 802.