AT-S63 Management Software Menus Interface User’s Guide
AT-9424T/SP and AT-9424T/GB Layer 2+ Gigabit Ethernet Switches
Version 1.0
Copyright © 2004 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Preface

This guide contains instructions on how to configure an AT-9400 Series Layer 2+ Gigabit Ethernet Switch using the AT-S63 management software menus interface.

How This Guide is Organized

This manual is divided into four sections.

Section I: Basic Features

The chapters in this section explain how to start a local management session and perform some basic tasks such as configuring switch and port parameters, SNMPv1 and SNMPv2c, port trunking, and enhanced stacking.
lists, encryption, web server, port-based access control, Denial of Service, TACACS+ and RADIUS.

For information on managing an AT-9400 Series switch using the web browser management interface, refer to the AT-S63 Management Software Web Browser Interface User’s Guide. To manage the switch using the command line interface, refer to the AT-S63 Management Software Command Line Interface User’s Guide.
Document Conventions

This document uses the following conventions:

Note
Notes provide additional information.

Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.

Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in portable document format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base at www.alliedtelesyn.com/kb.
Management Software Updates

New releases of management software for our managed products are available for download from either of the following Internet sites:

❑ Allied Telesyn web site: www.alliedtelesyn.com
❑ Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com

If you prefer to download new software from the Allied Telesyn FTP server using your workstation’s command prompt, you will need FTP client software and you must log in to the server.
Chapter 1: Overview

This chapter describes the AT-S63 software functions, the types of sessions you can use to access the software, and the management access levels.
Management Overview

The AT-S63 management software is intended for the AT-9400 Series switches. You use the software to monitor and adjust the switch’s operating parameters.
There are four ways to access the management software on an AT-9400 Series switch. These methods are referred to in this guide as management sessions. They are:

❑ Local management session
❑ Telnet management session
❑ Web browser management session
❑ SNMP management session

The following sections in this chapter briefly describe each type of management session.
Local Management Session

You establish a local management session with an AT-9400 Series switch when you use the RJ-45 to RS-232 management cable included with the switch to connect a terminal or a PC with a terminal emulator program to the terminal port on the switch. The terminal port is located on the front panel of the AT-9400 Series switch.
Telnet Management Session

You can use any management station on your network that has the Telnet application to manage an AT-9400 Series switch. This type of management session is referred to in this guide as a remote management session because you do not need to be in the wiring closet where the switch is located. You can manage the switch from any workstation on the network that has the application protocol.
Web Browser Management Session

You can also use a web browser to manage a switch. This too is referred to as remote management, just like a Telnet management session. You can manage a switch from any workstation on your network that has a web browser. It also uses the enhanced stacking feature. This means there needs to be just one switch on the subnet with an Internet Protocol (IP) address for you to be able to manage all the switches with a web browser.
SNMP Management Session

Another way to remotely manage the switch is with an SNMP management program. A familiarity with how to use management information base (MIB) objects is necessary for this type of management.
Management Access Levels

There are two levels of management access in the AT-S63 management software: manager and operator. When you log in as a manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator when you enter the appropriate username and password when you start an AT-S63 management session.
Section I: Basic Features

The chapters in this section provide information and procedures for basic switch setup using the AT-S63 management software.
Chapter 2: Starting a Local or Telnet Management Session

This chapter contains the procedure for starting a local or Telnet management session on an AT-9400 Series switch. The sections in the chapter are:

❑ ”Local Management Session” on page 40
❑ ”Telnet Management Session” on page 44

You can also use a web browser to manage a switch. For instructions on how to start this type of management session, refer to the AT-S63 Management Software Web Browser Interface User’s Guide.
Local Management Session

To establish a local management session, you use the terminal port on the front panel of the AT-9400 Series switch. A local management session is so named because you must be close to the switch, usually within a few meters, to start this type of management session. This means that you must be in the wiring closet where the switch is located. A switch does not need an IP address to be managed from a local management session.
2. Connect the other end of the cable to an RS-232 port on a terminal or PC with a terminal emulator program.

3. Configure the terminal or terminal emulation program as follows:

❑ Baud rate: 9600 to 115200 bps
❑ Data bits: 8
❑ Parity: None
❑ Stop bits: 1
❑ Flow control: None

Note
The port settings are for a DEC VT100 or ANSI terminal, or an equivalent terminal emulator program.
If the switch has been configured with a name, the name is displayed after the software version information and before the command prompt. For information about the command line interface, refer to the AT-S63 Management Software Command Line Interface User’s Guide.

7. Type menu and press Return. The Main Menu is shown in Figure 3.
Quitting a Local Management Session

To quit a local management session, return to the Main Menu and type Q for Quit. You should always exit from a management session when you are finished managing a switch. This can prevent unauthorized individuals from making changes to a switch’s configuration if you leave your management station unattended.
Telnet Management Session

You can use the Telnet application from any workstation on your network to manage an AT-9400 Series switch. This type of management is referred to as remote management because you do not need to be physically close to the switch to start the session, which is required for a local management session. There is no difference between managing a switch locally through the terminal port and remotely with the Telnet application.
Quitting a Telnet Management Session

To end a Telnet management session, return to the Main Menu and type Q for Quit.
Chapter 3: Basic Switch Parameters

This chapter contains a variety of information and procedures for basic switch setup.

❑ ”Displaying Uplink Port Information” on page 76
When Does a Switch Need an IP Address?

One of the tasks of building or expanding a network is deciding which managed switches need to be assigned a unique IP address. The rule was that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application. However, if a network contained many managed switches, assigning each one an IP address was often cumbersome and time consuming.
How Do You Assign an IP Address?

There are two ways that a switch can obtain an IP address. The first way is for you to assign the IP configuration information manually. The procedure for this is explained in ”Configuring the IP Address, Switch Name, and Other Basic Parameters” on page 51. You can initially assign an IP address to a switch only through a local management session.
Configuring the IP Address, Switch Name, and Other Basic Parameters

The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch from a local or Telnet management session. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure ”Activating the BOOTP and DHCP Client Software” on page 54.)
The System Configuration menu is shown in Figure 5.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                     User: Manager   11:20:02 02-Oct-2004

    System Configuration

    1 - BOOTP/DHCP ............. Disabled
    2 - IP Address ............. 0.0.0.0
    3 - Subnet Mask ............ 0.0.0.0
    4 - Default Gateway ........ 0.0.0.0
    5 - System Name ............
    6 - Location ...............
    7 - Administrator ..........
from a management station that is separated from the switch by a router. The address must be entered in the format: xxx.xxx.xxx.xxx. The default value is 0.0.0.0.

5 - System Name
This parameter specifies a name for the switch (for example, Sales Ethernet switch). The name is displayed at the top of the AT-S63 management menus and pages. The name can be from 1 to 39 characters.
Activating the BOOTP and DHCP Client Software

The BOOTP and DHCP application protocols were developed to simplify network management. They are used to automatically assign IP configuration information to the devices on your network, such as an IP address, subnet mask, and a default gateway address. The AT-9400 Series switch contains the client software for these protocols and can obtain its IP configuration information from a BOOTP or DHCP server on your network.
The following prompt is displayed:

    BOOTP/DHCP (E-Enabled, D-Disabled):

4. Type E to enable BOOTP and DHCP services on the switch or D to disable the services and press Return. The default is disabled.

Note
If you activated BOOTP/DHCP, the switch immediately begins to query the network for a BOOTP or DHCP server. The switch continues to query the network for its IP configuration until it receives a response.
Displaying the AT-9400 Series Switch Hardware and Software Information

To display information about the switch hardware and software, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 6.
Model Name
Model name of the AT-9400 Series switch. You cannot change this setting.

Subnet Mask
Subnet mask assigned to the switch. To change the subnet mask, see ”Configuring the IP Address, Switch Name, and Other Basic Parameters” on page 51.

Serial Number
Serial number of the switch. You cannot change this setting.

Gateway
Gateway assigned to the switch.
Rebooting a Switch

This procedure reboots the switch.

Note
Any configuration changes not saved are lost after the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.

To reboot the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2.
Caution
The switch does not forward traffic while it reloads its operating software, a process that takes approximately 20 seconds to complete. Some packet traffic may be lost.

After the switch finishes rebooting, you must reestablish your management session if you want to continue managing the unit.
Configuring the Manager and Operator Passwords

There are two levels of management access on an AT-9400 Series switch: manager and operator. When you log in as manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values.
The Passwords Configuration menu is shown in Figure 9.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                     User: Manager   11:20:02 02-Oct-2004

    Passwords Configuration

    1 - Set Manager Password
    2 - Set Operator Password

    R - Return to Previous Menu

    Enter your selection?

Figure 9. Passwords Configuration Menu

4. Type 1 to select Set Manager Password. The following prompt is displayed:

    Enter Current Manager Password ->

5.
Setting the System Time

This procedure explains how to set the switch’s date and time. Setting the system time is important if you configured the switch to send traps to your management stations. Traps from a switch where the time has not been set do not contain the correct date and time. Therefore, it becomes difficult for you to determine when the events represented by the traps occurred.
The Configure System Time menu is shown in Figure 10.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                     User: Manager   11:20:02 02-Oct-2004

    Configure System Time

    1 - System Time ...................
    2 - SNTP Status ...................
    3 - SNTP Server ...................
    4 - UTC Offset ....................
    5 - Daylight Savings Time (DST) ...
    6 - Poll Interval .................
    7 - Last Delta ....................
3. From the System Configuration menu, type 8 to select Configure System Time. The Configure System Time menu is shown in Figure 10 on page 63.

4. Type 3 to select SNTP Server to enter the IP address of an SNTP server.

Note
If the switch is obtaining its IP address and subnet mask from a DHCP server, you can configure the DHCP server to provide the switch with an IP address of an NTP or SNTP server.
Note
The switch does not set DST automatically. If the switch is in a locale that uses DST, you must remember to enable this in April when DST begins and disable it in October when DST ends. If the switch is in a locale that does not use DST, this option should be set to disabled all the time.

10. Type 6 to select Poll Interval to specify the time interval between queries to the SNTP server.
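The System Configuration and Configure System Time screens above are the only record an administrator has of these settings once the session is closed, so a practical check is to capture the screen text from the terminal session and audit it offline. The following Python is an added example, not code from the guide or from Allied Telesyn: it parses the "N - Label ..... Value" item layout the menus use and reports the conditions this chapter describes (no IP address assigned, BOOTP/DHCP taking the IP configuration from the network, addresses not in xxx.xxx.xxx.xxx form, a blank System Name, an unset System Time, and DST left enabled, which the switch never turns off by itself). The two sample screens are constructed to match the layout in Figures 5 and 10; the values "Enabled"/"Disabled" for SNTP Status are assumed to follow the BOOTP/DHCP convention and are not taken from the guide.

```python
import ipaddress
import re
from typing import Dict, List

# One numbered item as the AT-S63 menus print it, for example
#   "1 - BOOTP/DHCP ............. Disabled"
# The label and value are separated by a run of dots; the value may be blank.
MENU_ITEM = re.compile(r"^\s*\d+\s*-\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")

# Constructed sample screens, modelled on Figure 5 and Figure 10 of the guide.
SYSTEM_CONFIGURATION_SCREEN = """
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing                     User: Manager   11:20:02 02-Oct-2004

System Configuration

1 - BOOTP/DHCP ............. Disabled
2 - IP Address ............. 0.0.0.0
3 - Subnet Mask ............ 0.0.0.0
4 - Default Gateway ........ 0.0.0.0
5 - System Name ............
6 - Location ...............
7 - Administrator ..........
8 - Configure System Time

R - Return to Previous Menu

Enter your selection?
"""

SYSTEM_TIME_SCREEN = """
Configure System Time

1 - System Time ...................
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.0
4 - UTC Offset .................... 0
5 - Daylight Savings Time (DST) ... Enabled
6 - Poll Interval ................. 600
7 - Last Delta ....................
"""


def parse_menu_screen(screen: str) -> Dict[str, str]:
    """Return {label: value} for every numbered item on a captured menu screen.

    Banner, title, prompt and items without a value column (such as
    "8 - Configure System Time") are ignored.  A value the switch leaves
    blank is returned as an empty string.
    """
    settings: Dict[str, str] = {}
    for line in screen.splitlines():
        m = MENU_ITEM.match(line)
        if m:
            label, value = m.groups()
            settings[label] = value
    return settings


def audit_system_configuration(cfg: Dict[str, str]) -> List[str]:
    """Findings for the System Configuration screen, following the chapter text."""
    findings: List[str] = []
    if cfg.get("BOOTP/DHCP", "") == "Enabled":
        findings.append("BOOTP/DHCP is enabled: IP address, subnet mask and gateway "
                        "are taken from whichever BOOTP/DHCP server answers on the network")
    elif cfg.get("IP Address", "") in ("", "0.0.0.0"):
        findings.append("no IP address is assigned: Telnet, web browser and SNMP "
                        "management and the ping command are unavailable")
    for field in ("IP Address", "Subnet Mask", "Default Gateway"):
        value = cfg.get(field, "")
        if value:
            try:
                ipaddress.IPv4Address(value)   # the guide requires xxx.xxx.xxx.xxx
            except ValueError:
                findings.append(f"{field} '{value}' is not in xxx.xxx.xxx.xxx format")
    if not cfg.get("System Name"):
        findings.append("System Name is blank: the menu banner and CLI prompt will not identify this switch")
    return findings


def audit_system_time(cfg: Dict[str, str]) -> List[str]:
    """Findings for the Configure System Time screen, following the chapter text."""
    findings: List[str] = []
    if not cfg.get("System Time"):
        findings.append("System Time is not set: SNMP traps will not carry the correct date and time")
    if cfg.get("Daylight Savings Time (DST)", "") == "Enabled":
        findings.append("DST is enabled: the switch does not change this automatically; "
                        "disable it when DST ends")
    return findings


if __name__ == "__main__":
    for name, screen, audit in (
        ("System Configuration", SYSTEM_CONFIGURATION_SCREEN, audit_system_configuration),
        ("Configure System Time", SYSTEM_TIME_SCREEN, audit_system_time),
    ):
        print(name)
        for finding in audit(parse_menu_screen(screen)):
            print("  -", finding)
```

Capture the screens with your terminal emulator's logging feature and feed each one to parse_menu_screen; the audit functions take the resulting dictionary, so a screen captured from a real session and the constructed samples are handled identically.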
Configuring the Console Startup Mode

You can configure the AT-S63 management software to display either the Main Menu or the command line interface prompt whenever you start a local or Telnet management session. The default is the command line interface.

To change the console startup mode, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2.
Configuring the Console Timer

The AT-S63 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. A management session is automatically ended if the management software does not detect any activity from a local or remote management station after the console timer has expired.
Enabling or Disabling the Telnet Server

This procedure describes how to enable or disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with the Telnet application if you intend to use the Secure Shell (SSH) protocol.

To enable or disable the Telnet server, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration.
Setting the Baud Rate of the RJ-45 Type Serial Terminal Port

The default baud rate of the RJ-45 type serial terminal port on the switch is 9600 bps. To change the baud rate, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration.
Pinging a Remote System

You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device.

Note
To perform this procedure, the switch must have an IP address.

To instruct the switch to ping a network device, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
Returning the AT-S63 Management Software to the Factory Default Values

The procedure in this section returns all AT-S63 management software parameters to the default values. Please note the following before you perform this procedure:

❑ Returning all parameter settings to their default values also deletes any port-based or tagged VLANs you created on the switch.
❑ This procedure does not delete files from the AT-S63 file system.
If you respond with yes, the following prompt is displayed:

    Do you want to reset static IP, Subnet and Gateway? [Yes/No] ->

5. If you type Y for yes, all switch parameters including the IP address, subnet mask, and gateway address are changed to the default values. If you type N for no, all switch parameters excluding the IP address, subnet mask, and gateway address are changed to the default values.
Displaying and Setting System Hardware Information

You can view information about the system hardware, including details about the fans and temperature settings.

Displaying System Hardware Information

To display the system hardware information, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2.
The System Hardware Information menu provides the following information:

System 1.25 V Power
System 1.8 V Power
System 2.5 V Power
System 3.3 V Power
System 5 V Power
System 12 V Power
The current voltage of the six power supplies in the switch.

System Temperature (Celsius)
The overall system temperature.

System Fan Speed
The system fan speed.

Main PSU
RPS
The status of the main power supply unit (PSU) and the redundant power supply (RPS).
The Configure System Hardware menu is shown in Figure 13.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                     User: Manager   11:20:02 02-Oct-2004

    Configure System Hardware

    1 - Temperature Threshold (Celsius) .......... 73 C

    R - Return to Previous Menu

    Enter your selection?

Figure 13. Configure System Hardware Menu

This menu displays information about the current temperature threshold on the switch.

4.
Displaying Uplink Port Information

To display the information about the GBIC or SFP transceivers installed in the uplink ports, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 6 on page 56.

3.
The GBIC/SFP Information menu (page 1) is displayed. Figure 15 shows some possible fields for an SFP.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                     User: Manager   11:20:02 02-Oct-2004

    GBIC/SFP 2 Information

    Transceiver Identifier .....................
    Extended Transceiver Identifier ............
    Connector Type .............................
    Encoding Algorithm .........................
    Nominal Bit Rate ...........................
The information displayed depends upon whether a GBIC or an SFP transceiver is installed and the transceiver vendor.
Chapter 4: SNMPv1 and SNMPv2c

This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
SNMPv1 and SNMPv2c Overview

The Simple Network Management Protocol (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S63 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c.
Access Mode
    This defines what the community string will allow a network manager to do. There are two access modes: Read and Read/Write. A community string with an access mode of Read can only be used to view but not change the MIB objects on a switch. A community string with Read/Write access can be used to both view the MIB objects and change them.
Operating Status
    A community string can be enabled or disabled.
It does not matter which community strings you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of only Read. If you are not interested in receiving traps, then you do not need to enter any IP addresses of trap receivers.
AT-S63 Management Software Menus Interface User’s Guide Enabling or Disabling SNMP Management To enable or disable SNMP management for the switch, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17.
Setting the Authentication Failure Trap
As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to the other traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management.
AT-S63 Management Software Menus Interface User’s Guide Creating an SNMP Community String To create a new SNMP community string, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 83. 3.
The following prompt is displayed:

    Enter Access Mode [R-Read Only, W-Read/Write]:

6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch. If you specify Read/Write, the community string will allow you to both view and change the SNMP MIB objects on the switch. The following prompt is displayed:

    Enter Open Access Status [Y-Yes, N-No]:

7.
AT-S63 Management Software Menus Interface User’s Guide 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Community String
To modify a community string, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 83.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
AT-S63 Management Software Menus Interface User’s Guide The menu options are described below: 1 - Add Attributes to Community If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following: 1. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
3. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:

    Enter Trap Receiver IP Addr:

4. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return.
5. After making changes, type R until you return to the Main Menu.
3. Type E to enable the community string or D to disable it. This confirmation prompt is displayed:

    Do you want to change Community Status? (Y/N): [Yes/No] ->

4. Type Y to change the string’s status or N to cancel the change.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5 - Set Community Open Status
Use this selection to change a string’s open status.
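The community string attributes described in this chapter (access mode, operating status, open access status, management workstation list, trap receivers) as an added Python model, not part of the user's guide or the AT-S63 software. The configuration values are constructed samples, and the exposure review at the end is an audit check added here, not a switch feature.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Community:
    """One SNMPv1/v2c community string with the attributes this chapter describes.

    Constructed model for illustration, not AT-S63 code.
    """
    name: str
    access: str                 # "R" = Read, "W" = Read/Write (the menu prompt's letters)
    enabled: bool = True        # Operating Status
    open_access: bool = False   # Open Access Status: Y = any workstation, N = only listed ones
    managers: list = field(default_factory=list)        # workstation IPs allowed in closed mode
    trap_receivers: list = field(default_factory=list)  # IPs that receive traps


def request_allowed(communities, name, source_ip, operation):
    """Return True if a request (operation 'get' or 'set') presenting community
    `name` from `source_ip` satisfies the chapter's rules: the string must exist
    and be enabled, a closed string admits only its listed workstations, and only
    a Read/Write string may change MIB objects."""
    if operation not in ("get", "set"):
        raise ValueError("operation must be 'get' or 'set'")
    for c in communities:
        if c.name != name:
            continue
        if not c.enabled:
            return False
        if not c.open_access:
            allowed = {ip_address(m) for m in c.managers}
            if ip_address(source_ip) not in allowed:
                return False
        if operation == "set" and c.access != "W":
            return False
        return True
    return False


def trap_destinations(communities):
    """Every trap receiver on every community string, Read-only strings included:
    the switch does not restrict traps by access mode."""
    return {ip for c in communities for ip in c.trap_receivers}


def review_exposure(communities):
    """Names of enabled Read/Write strings with open access: any workstation that
    knows the string can change the switch's configuration. A defensive audit
    check added here, not a switch feature."""
    return sorted(c.name for c in communities
                  if c.enabled and c.access == "W" and c.open_access)


# Constructed sample configuration (placeholder addresses).
SAMPLE = [
    Community("netops", "W", managers=["10.0.0.5"], trap_receivers=["10.0.0.9"]),
    Community("monitor", "R", open_access=True, trap_receivers=["10.0.0.10"]),
    Community("legacy", "W", open_access=True),
    Community("retired", "W", open_access=True, enabled=False),
]

if __name__ == "__main__":
    print(request_allowed(SAMPLE, "netops", "10.0.0.5", "set"))    # True
    print(request_allowed(SAMPLE, "netops", "10.0.0.6", "get"))    # False: not a listed workstation
    print(request_allowed(SAMPLE, "monitor", "192.0.2.7", "set"))  # False: Read-only string
    print(sorted(trap_destinations(SAMPLE)))                        # ['10.0.0.10', '10.0.0.9']
    print(review_exposure(SAMPLE))                                  # ['legacy']
```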
Chapter 4: SNMPv1 and SNMPv2 Community Strings Displaying the SNMP Community Strings To display the attributes of all the SNMP community strings on the switch, use the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 17 on page 83. 3.
Chapter 5 Enhanced Stacking This chapter explains the enhanced stacking feature.
Chapter 5: Enhanced Stacking
Enhanced Stacking Overview
The enhanced stacking feature can make it easier for you to manage the AT-9400 Series switches in your network. It offers the following benefits:
❑ You can manage up to 24 switches from one local or remote management session. This eliminates the need to initiate a separate management session with each switch in your network.
❑ The switches can share the same IP address.
AT-S63 Management Software Menus Interface User’s Guide ❑ The enhanced stacking feature uses the IP address 172.16.16.16. Do not assign this address to any device on your subnet if you intend to use the enhanced stacking feature. There are three basic tasks to implement this feature on your network: ❑ You must select a switch in each subnet of your network to function as the master switch of the enhanced stack for that subnet.
Chapter 5: Enhanced Stacking Note No IP address is required if you intend to manage the enhanced stack solely through the RJ-45 serial terminal port on a master switch. However, remote management of a stack using Telnet, a web browser, or an SNMP application does require assigning an IP address and subnet mask to a master switch. ❑ Change the enhanced stacking status of the master switch to master. This is explained in ”Setting a Switch’s Enhanced Stacking Status” on page 98.
AT-S63 Management Software Menus Interface User’s Guide To manage the switches of a subnet, you can start a local management session or a remote Telnet management session on one of the master switches in the subnet. You then have management access to all enhanced stacking switches in the same subnet.
Chapter 5: Enhanced Stacking Setting a Switch’s Enhanced Stacking Status The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below: ❑ Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. After you establish a local or remote management session with the master switch, you can access and manage all the switches in the subnet. A master switch must have a unique IP address.
The Enhanced Stacking menu is shown in Figure 22.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Enhanced Stacking

    1 - Switch State-(M)aster/(S)lave/(U)navailable.... Master
    2 - Stacking Services

    R - Return to Previous Menu

    Enter your selection?

Figure 22. Enhanced Stacking Menu

The menu displays the current status of the switch at the end of selection “1 - Switch State”.
Chapter 5: Enhanced Stacking Selecting a Switch in an Enhanced Stack Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
AT-S63 Management Software Menus Interface User’s Guide 3. From the Stacking Services menu, type 1 to select Get/Refresh List of Switches. The master switch polls the subnet for all slave and master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu, as shown in the example in Figure 24.
5. Type the number of the switch in the list you want to manage. A prompt is displayed if the switch has been assigned a password.
6. Enter the appropriate username and password for the switch. The Main Menu of the selected switch is displayed. You now can manage the switch. Any management tasks you perform affect only the selected switch.
AT-S63 Management Software Menus Interface User’s Guide Returning to the Master Switch When you have finished managing a slave switch, return to the Main Menu of the slave switch and type Q for Quit. This returns you to the Stacking Services menu. After you see that menu, you are again addressing the master switch from which you started the management session.
Displaying the Enhanced Stacking Status
To view the stacking status of a switch in a stack, perform the following procedure:
1. From the Main Menu, type 9 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 25.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Enhanced Stacking

    1 - Switch State-(M)aster/(S)lave/(U)navailable.... Slave

    R - Return to Previous Menu

    Enter your selection?

Figure 25.
Chapter 6 Port Parameters
This chapter contains the procedures for viewing and changing the parameter settings for the individual ports on a switch, and contains the following procedures:
❑ ”Configuring Port Parameters” on page 106
❑ ”Configuring Head of Line Blocking” on page 111
❑ ”Configuring Flow Control and Back Pressure” on page 113
❑ ”Configuring Filtering” on page 116
❑ ”Setting Up Rate Limiting” on page 118
❑ ”Resetting a Port” on page 120
❑ ”Forcing Port Renegotiation” on page 121
❑ ”Resetting t
Chapter 6: Port Parameters Configuring Port Parameters To configure the most basic parameter settings for a port, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26.
The Port Configuration menu is shown in Figure 27.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Port Configuration

    Configuring Port 11

    0 - Description ........................
    1 - Status .............................
    2 - HOL Blocking Prevention Threshold ..
    3 - Flow Control
    4 - Filtering
    5 - Rate Limiting
    6 - Negotiation ........................
    X -
    F -
    D -
Chapter 6: Port Parameters to the port. After the problem has been fixed, you can enable the port again to resume normal operation. You might also want to disable a port that is not being used to secure it from unauthorized connections. Possible settings for this parameter are: Enabled - The port receives and forwards packets. This is the default setting. Disabled - The port does not receive or forward packets.
AT-S63 Management Software Menus Interface User’s Guide A switch port using autonegotiation defaults to half-duplex if it detects that the end node is not using autonegotiation. This results in a mismatch if the end node is operating at a fixed duplex mode of full-duplex. To avoid this problem, when you connect an end node with a fixed duplex mode of full-duplex to a switch port, you should disable autonegotiation on the port and set the port’s speed and duplex mode manually.
Chapter 6: Port Parameters through or crossover twisted pair cable when connecting any network device to a port on the switch. When a port is using autonegotiation to set its speed and duplex mode, the only available setting for this option is Auto. The port automatically sets its MDI/MDI-X setting. But if you disable autonegotiation on a port and set a port’s speed and duplex mode manually, the auto-MDI/MDI-X feature is also disabled. A port where autonegotiation has been disabled defaults to MDI-X.
AT-S63 Management Software Menus Interface User’s Guide Configuring Head of Line Blocking Head of line (HOL) blocking is a problem that occurs when a port on a switch becomes oversubscribed. An oversubscribed port is receiving more packets from other switch ports than it can transmit in a timely manner. An oversubscribed port can prevent other ports from forwarding packets to each other because ingress packets on a port are buffered in a First In, First Out (FIFO) manner.
Chapter 6: Port Parameters For example, referring to the figure above, when the utilization of the storage capacity of port D exceeds the threshold, the switch signals the other ports to discard packets destined for port D. Port A drops the D packets, enabling it to once again forward packets to port C. The number that you enter for this value represents cells. A cell is 64 bytes. The range is 0 to 8191 cells. The default is 8191. To set up head of line blocking, perform the following procedure: 1.
Configuring Flow Control and Back Pressure
A switch port uses flow control to control the flow of ingress packets from its end node. Flow control applies only to ports operating in full-duplex mode. A port using flow control issues a special frame, referred to as a PAUSE frame, as specified in the IEEE 802.3x standard, to stop the transmission of data from an end node. When a port needs to stop an end node from transmitting data, it issues this frame.
3. Enter the number of the port you want to configure. To configure a range of ports, enter the first and last ports of the range, separated by a dash (for example, 4-8). You cannot specify nonconsecutive ports (for example, 5,7,9). The Port Configuration menu is shown in Figure 27 on page 107.
4. From the Port Configuration menu, type 3 to select Flow Control. The Flow Control menu is shown in Figure 29.
AT-S63 Management Software Menus Interface User’s Guide 8. Type 4 to select Back Pressure Threshold. This selection specifies the maximum number of ingress packets that a port accepts within a 1 second period before initiating back pressure. The range is 1 to 57,344. The default is 8192. 9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 6: Port Parameters Configuring Filtering If the performance of your network is affected by heavy traffic, you can use this parameter to limit the number of unknown unicast, unknown multicast, or broadcast packets a port receives. When you activate this feature on a port, the port discards all ingress packets of the type you specify. The default setting for each type of packet filter is disabled. When you enable this feature, the port does not accept any ingress packets of the type you specify.
AT-S63 Management Software Menus Interface User’s Guide 6. Type 2 to toggle Unknown Multicast Filtering between Disabled and Enabled. 7. Type 3 to toggle Broadcast Filtering between Disabled and Enabled. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 6: Port Parameters Setting Up Rate Limiting The rate limiting feature allows you to set the maximum number of ingress packets the port accepts each second. Packets exceeding the threshold are discarded. You can enable rate limiting and set a rate independently for unknown unicast, multicast, and broadcast packets. To set rate limiting, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2.
A prompt is displayed:

    Enter the Rate Limit (packets/second):[0 to 262143]->

7. Enter a number for the rate limit.
8. Type 3 to toggle Multicast Rate Limiting Status between Enabled and Disabled.
9. Type 2 to select Multicast Rate. A prompt is displayed:

    Enter the Rate Limit (packets/second):[0 to 262143]->

10. Enter a number for the rate limit.
11. Type 3 to toggle Multicast Rate Limiting Status between Enabled and Disabled.
12.
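The filtering and rate limiting behaviour of the two preceding sections, as an added Python model that is not part of the user's guide or the AT-S63 software: filtering discards every ingress frame of an enabled class, and rate limiting counts the frames accepted per one-second window against a limit within the prompt's 0 to 262143 range. The frame classes, the sample frames and the policy values are constructed for the illustration; how the switch actually schedules its counters is not described on the page and is assumed to be a fixed one-second window.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
RATE_MAX = 262143   # upper bound of the menu prompt "[0 to 262143]"


@dataclass
class PortIngressPolicy:
    """Filtering and rate-limiting settings of one port, named as in the menus.

    Constructed model for illustration, not AT-S63 code.
    """
    filter_unknown_unicast: bool = False
    filter_unknown_multicast: bool = False
    filter_broadcast: bool = False
    # Rate limits in packets/second; None means rate limiting disabled for that class.
    unknown_unicast_rate: Optional[int] = None
    multicast_rate: Optional[int] = None
    broadcast_rate: Optional[int] = None

    def __post_init__(self):
        for r in (self.unknown_unicast_rate, self.multicast_rate, self.broadcast_rate):
            if r is not None and not 0 <= r <= RATE_MAX:
                raise ValueError(f"rate limit must be within 0 to {RATE_MAX}")


def classify(dst_mac, known_unicast, known_multicast):
    """Classify a frame by destination: broadcast, (unknown_)multicast or
    (unknown_)unicast. Multicast is signalled by the I/G bit of the first octet;
    'unknown' means the address is not in the MAC address table."""
    dst = dst_mac.lower()
    if dst == BROADCAST:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 1:
        return "multicast" if dst in known_multicast else "unknown_multicast"
    return "unicast" if dst in known_unicast else "unknown_unicast"


def apply_policy(policy, frames, known_unicast=(), known_multicast=()):
    """Run (timestamp, dst_mac) frames through the policy and return per-class
    counts of accepted and discarded frames."""
    result = {}
    window_counts = {}   # (rate-limit class, whole second) -> frames accepted so far
    rate_for = {"unknown_unicast": policy.unknown_unicast_rate,
                "multicast": policy.multicast_rate,
                "unknown_multicast": policy.multicast_rate,   # all multicast shares one limit
                "broadcast": policy.broadcast_rate}
    for ts, dst in frames:
        kind = classify(dst, set(known_unicast), set(known_multicast))
        stats = result.setdefault(kind, {"accepted": 0, "discarded": 0})
        # Filtering: the port does not accept any ingress frame of an enabled class.
        filtered = ((kind == "unknown_unicast" and policy.filter_unknown_unicast)
                    or (kind == "unknown_multicast" and policy.filter_unknown_multicast)
                    or (kind == "broadcast" and policy.filter_broadcast))
        if filtered:
            stats["discarded"] += 1
            continue
        # Rate limiting: frames beyond the per-second limit are discarded.
        limit = rate_for.get(kind)
        key = ("multicast" if kind == "unknown_multicast" else kind, int(ts))
        if limit is not None and window_counts.get(key, 0) >= limit:
            stats["discarded"] += 1
            continue
        window_counts[key] = window_counts.get(key, 0) + 1
        stats["accepted"] += 1
    return result


# Constructed sample traffic: a burst of broadcasts, then a few other frames.
SAMPLE_FRAMES = (
    [(0.0 + i * 0.1, BROADCAST) for i in range(8)]               # 8 broadcasts in second 0
    + [(1.0 + i * 0.1, BROADCAST) for i in range(3)]             # 3 broadcasts in second 1
    + [(0.5, "00:11:22:33:44:55"), (0.6, "00:11:22:33:44:66")]   # known and unknown unicast
    + [(0.7, "01:00:5e:00:00:fb")]                                # unknown multicast
)
DEMO_POLICY = PortIngressPolicy(filter_unknown_unicast=True, broadcast_rate=5)


def demo():
    """Apply DEMO_POLICY to SAMPLE_FRAMES with one known unicast address."""
    return apply_policy(DEMO_POLICY, SAMPLE_FRAMES, known_unicast=["00:11:22:33:44:55"])


if __name__ == "__main__":
    print(demo())
```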
Chapter 6: Port Parameters Resetting a Port Resetting a port is useful in situations where a port is having problems establishing a valid connection to its end node. To reset a port, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed: Enter port-list -> 3.
AT-S63 Management Software Menus Interface User’s Guide Forcing Port Renegotiation Port renegotiation prompts the port to autonegotiate with the end node. This option is useful if you believe that a port and end node are not operating at the same speed and duplex mode. To force port renegotiation, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2.
Chapter 6: Port Parameters Resetting the Port Configuration to the Defaults You can return port settings to the default values. To reset ports to the default settings, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed: Enter port-list -> 3. Enter the number of the port you want to reset.
AT-S63 Management Software Menus Interface User’s Guide Displaying Port Statistics To display Ethernet port statistics, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 32.
The Display Port Statistics menu is shown in Figure 33.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Display Port Statistics

    Port 6

    Bytes Received ..............
    Frames Received .............
    Broadcast Frames Received....
    Multicast Frames Received ...
    Frames 64 Bytes .............
    Frames 128-255 Bytes.........
    Frames 512-1023 Bytes .......
    CRC Error ...................
    No. of Rx Errors ............
    UnderSize Frames ........
Multicast Frames Sent
    Number of multicast frames transmitted from the port.
Frames 64 Bytes
Frames 65 - 127 Bytes
Frames 128 - 255 Bytes
Frames 256 - 511 Bytes
Frames 512 - 1023 Bytes
Frames > 1024 Bytes
    Number of frames transmitted from the port, grouped by size.
CRC Error
    Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.
Chapter 6: Port Parameters Clearing Port Statistics To clear the Ethernet port statistics and reset them to “0”, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 32 on page 123. 3. Type 2 to select Clear Statistics.
AT-S63 Management Software Menus Interface User’s Guide Displaying Port Status To display the current status of the ports on the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 2 to select Port Status. An example of the Port Status menu is shown in Figure 34.
Up - Indicates that a valid link exists between the port and the end node.
Down - Indicates that the port and the end node have not established a valid link.
Neg
    The status of autonegotiation on the port. Possible values are:
    Auto - Indicates that the port is using autonegotiation to set operating speed and duplex mode.
    Manual - Indicates that the operating speed and duplex mode have been set manually.
MDIO
    The operating configuration of the port.
Chapter 7 MAC Address Table
This chapter contains the procedures for viewing the static and dynamic MAC address table.
Chapter 7: MAC Address Table MAC Address Overview Each hardware device that you connect to your Ethernet network has a unique MAC address assigned to it by the device’s manufacturer. For example, every network interface card (NIC) that you use to connect your computers to your network has a MAC address assigned to it by the adapter’s manufacturer. The AT-9400 Series switch contains a MAC address table with a storage capacity of 16,000 entries.
AT-S63 Management Software Menus Interface User’s Guide learns by examining the source MAC addresses of the frames received on the ports. Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node after a specified period of time. The switch assumes that the node with that MAC address is no longer active and that its MAC address can be purged from the table.
Chapter 7: MAC Address Table Displaying the MAC Address Tables The AT-S63 management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses. To display the MAC address tables, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 35.
AT-S63 Management Software Menus Interface User’s Guide Choose one of the following display types. 1 - Display All This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. An example of a unicast MAC address table is shown in Figure 37.
Chapter 7: MAC Address Table Type The type of the address: static or dynamic. An example of a multicast MAC address table is shown in Figure 38.
AT-S63 Management Software Menus Interface User’s Guide 3 - Display Dynamic This selection displays only the dynamic addresses learned on the ports on the switch. 4 - Display by Port This selection displays the dynamic and static MAC addresses of a particular port. When you select this option, you are prompted for a port number. You can specify more than one port at a time. 5 - Display Specified MAC This selection displays the port number on which a MAC address was assigned or learned.
Chapter 7: MAC Address Table Adding Static Unicast and Multicast MAC Addresses This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-9400 Series switch. To add a static MAC address, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 35 on page 132. 2.
If you are entering a static multicast address, you must specify the port where the multicast application is located as well as the ports where the host nodes are connected. Assigning the address only to the port where the multicast application is located will result in the failure of the multicast packets to be properly forwarded to the host nodes. You can specify the ports individually (e.g., 1,4,5), as a range (e.g., 11-14) or both (e.g.
Chapter 7: MAC Address Table Deleting Unicast and Multicast MAC Addresses To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure: 1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 35 on page 132. 2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 39 on page 136. 3.
Deleting All Dynamic MAC Addresses
To delete all dynamic unicast and multicast MAC addresses from the MAC address table, perform the following procedure:
1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 35 on page 132.
2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 39 on page 136.
3.
Chapter 7: MAC Address Table Changing the Aging Time The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
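The learning, aging and static-entry rules this chapter describes (16,000-entry table, up to 255 static addresses per port, 300-second default aging time, static multicast addresses bound to the application port plus every host port) as an added Python model, not part of the user's guide or the AT-S63 software. Addresses and timestamps are constructed samples; how the real switch resolves a station moving between ports is not stated on the page and is assumed here to follow the most recent frame.

```python
from dataclasses import dataclass

TABLE_CAPACITY = 16000       # entries in the AT-9400 Series MAC address table
STATIC_PER_PORT = 255        # static addresses per port
DEFAULT_AGING_TIME = 300     # seconds (5 minutes)


@dataclass
class Entry:
    mac: str
    ports: tuple        # one port for unicast; several for a static multicast address
    static: bool
    last_seen: float    # time a frame from this address was last received (dynamic entries)


class MacTable:
    """Constructed model of the table behaviour this chapter describes; not AT-S63 code."""

    def __init__(self, aging_time=DEFAULT_AGING_TIME, capacity=TABLE_CAPACITY):
        self.aging_time = aging_time
        self.capacity = capacity
        self.entries = {}   # mac -> Entry

    def add_static(self, mac, ports):
        """Add a static entry. A multicast address must list the application's
        port and every host port, or the hosts will not receive the stream."""
        mac = mac.lower()
        ports = tuple(sorted(set(ports)))
        if not ports:
            raise ValueError("a static address needs at least one port")
        for p in ports:
            used = sum(1 for e in self.entries.values() if e.static and p in e.ports)
            if used >= STATIC_PER_PORT:
                raise ValueError(f"port {p} already has {STATIC_PER_PORT} static addresses")
        if mac not in self.entries and len(self.entries) >= self.capacity:
            raise ValueError("MAC address table is full")
        self.entries[mac] = Entry(mac, ports, True, 0.0)

    def learn(self, src_mac, port, now):
        """Learn or refresh a dynamic entry from a received frame's source address.
        Returns False when the table is full and the address could not be learned."""
        mac = src_mac.lower()
        e = self.entries.get(mac)
        if e is not None:
            if not e.static:                 # learning never overwrites a static entry
                e.ports = (port,)            # assumption: follow the most recent frame
                e.last_seen = now
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[mac] = Entry(mac, (port,), False, now)
        return True

    def age(self, now):
        """Purge dynamic entries idle longer than the aging time; return the number removed."""
        stale = [m for m, e in self.entries.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def lookup(self, mac):
        e = self.entries.get(mac.lower())
        return e.ports if e else None

    def dynamic_count_by_port(self):
        """Learned addresses per port; a port far above its usual count is worth a look."""
        counts = {}
        for e in self.entries.values():
            if not e.static:
                counts[e.ports[0]] = counts.get(e.ports[0], 0) + 1
        return counts


if __name__ == "__main__":
    t = MacTable()
    t.learn("00:aa:bb:cc:dd:01", 3, now=0.0)
    t.learn("00:aa:bb:cc:dd:02", 5, now=0.0)
    t.learn("00:aa:bb:cc:dd:01", 3, now=200.0)      # refresh keeps the entry alive
    t.add_static("01:00:5e:01:02:03", [1, 4, 5])     # multicast application on 1, hosts on 4 and 5
    print(t.age(now=350.0), t.lookup("00:aa:bb:cc:dd:01"), t.dynamic_count_by_port())
```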
Chapter 8 Port Trunking This chapter contains the procedures for creating, modifying, and deleting port trunks.
Chapter 8: Port Trunking Port Trunking Overview A port trunk is an economical way for you to increase the bandwidth between two Ethernet switches. A port trunk is a group of ports that have been grouped together to function as one logical path. A port trunk increases the bandwidth between switches and is useful in situations where a single physical data link between switches is insufficient to handle the traffic load.
AT-S63 Management Software Menus Interface User’s Guide ❑ When you cable a trunk, the order of the connections should be maintained on both nodes. The lowest numbered port in a trunk on the switch should be connected to the lowest numbered port of the trunk on the other device, the next lowest numbered port on the switch should be connected to the next lowest numbered port on the other device, and so on. For example, assume that you are connecting a trunk between two AT-9400 Series switches.
The AT-S63 management software offers six load distribution methods. They are:
❑ Source MAC Address (Layer 2)
❑ Destination MAC Address (Layer 2)
❑ Source MAC Address / Destination MAC Address (Layer 2)
❑ Source IP Address (Layer 3)
❑ Destination IP Address (Layer 3)
❑ Source IP Address / Destination IP Address (Layer 3)
The load distribution methods can be divided into two general groups.
AT-S63 Management Software Menus Interface User’s Guide data link provided by an SFP transceiver in switch #2.
Chapter 8: Port Trunking Note that packets sent back from the destination node to the original source node may travel the same data link or a different data link in the trunk. As a general rule, the source address load distribution method is useful in situations where the number of source nodes equals or is greater than the number of data links in the trunk.
AT-S63 Management Software Menus Interface User’s Guide Table 2 shows how switch #2 might distribute the server traffic across the ports of the trunk using the destination MAC address method. Table 2.
Chapter 8: Port Trunking This method is useful when a port trunk needs to send packets from one source node to many destination nodes, something that the source address method is not suited for. This method is also valid when sending from many source nodes to one destination node, or from many sources to many destinations. Table 4 shows a possible matrix for a port trunk of three data links using this method to handle traffic from four sources to four destinations. Table 4.
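The six load distribution methods and the one-source-to-many-destinations case discussed above, as an added Python illustration that is not part of the user's guide or the AT-S63 software. The page does not give the switch's hashing function, so the link choice here is an assumed stand-in (XOR of the selected address bytes, reduced modulo the number of data links); the addresses are constructed samples. What the example shows is the property the text states: a method keyed on the source address alone pins all of one source's traffic to a single link, while methods that include the destination spread it.

```python
METHODS = {
    "SRC MAC": ("src_mac",),
    "DST MAC": ("dst_mac",),
    "SRC/DST MAC": ("src_mac", "dst_mac"),
    "SRC IP": ("src_ip",),
    "DST IP": ("dst_ip",),
    "SRC/DST IP": ("src_ip", "dst_ip"),
}


def _address_bytes(value):
    """Turn a MAC address (xx:xx:xx:xx:xx:xx) or a dotted IPv4 address into bytes."""
    if ":" in value:
        return bytes(int(p, 16) for p in value.split(":"))
    return bytes(int(p) for p in value.split("."))


def select_link(method, packet, n_links):
    """Pick the trunk data link (0 .. n_links-1) for a packet.

    Assumed illustration of a hash: XOR the bytes of the address field(s) the
    method uses and reduce modulo the link count. The real AT-S63 function is
    not given on the page."""
    if n_links < 1:
        raise ValueError("a trunk needs at least one data link")
    acc = 0
    for field in METHODS[method]:
        for b in _address_bytes(packet[field]):
            acc ^= b
    return acc % n_links


def distribution(method, packets, n_links):
    """Map each packet to its link and return {link: [packet index, ...]}."""
    table = {}
    for i, pkt in enumerate(packets):
        table.setdefault(select_link(method, pkt, n_links), []).append(i)
    return table


# Constructed sample: one server (single source) sending to four hosts.
ONE_TO_MANY = [
    {"src_mac": "00:00:00:00:00:01", "dst_mac": f"00:00:00:00:00:{d:02x}",
     "src_ip": "10.0.0.1", "dst_ip": f"10.0.1.{d}"}
    for d in (0x10, 0x20, 0x30, 0x40)
]


def links_used(method, packets=ONE_TO_MANY, n_links=3):
    """Sorted list of the links a method actually uses for the packets."""
    return sorted(distribution(method, packets, n_links))


if __name__ == "__main__":
    for m in METHODS:
        print(f"{m:12s} links used: {links_used(m)}")
    # Source-only methods keep all of the server's traffic on one link;
    # the destination-aware methods spread it over all three.
```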
AT-S63 Management Software Menus Interface User’s Guide Creating a Port Trunk This section contains the procedure for creating a port trunk on the switch. Be sure to review the guidelines in ”Port Trunking Overview” on page 142 before performing the procedure. Caution Do not connect the cables to the trunk ports on the switches until after you have configured the trunk with the AT-S63 management software. Connecting the cables before configuring the software creates a loop in your network topology.
The Port Trunking menu is shown in Figure 42.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Port Trunking

    ID   Name   Ports   Method   Status
    -----------------------------------------------------

    C - Create Trunk
    D - Delete Trunk
    M - Modify Trunk

    R - Return to Previous Menu

    Enter your selection?

Figure 42. Port Trunking Menu

3. From the Port Trunking menu, type C to select Create Trunk. The Create Trunk menu is shown in Figure 43.
AT-S63 Management Software Menus Interface User’s Guide The following prompt is displayed: Enter Trunk Name: 7. Type a name for the trunk. The name can be up to 16 alphanumeric characters. No spaces or special characters, such as asterisks and exclamation points, are allowed. Each trunk must have a unique name. 8.
Chapter 8: Port Trunking Modifying a Port Trunk This section contains the procedure for modifying a port trunk on the switch. Be sure to review the guidelines in ”Port Trunking Overview” on page 142 before performing the procedure. Caution If you will be adding or removing ports from the trunk, disconnect all data cables from the ports of the trunk on the switch before performing the procedure.
The Modify Trunk menu is displayed. The menu displays the operating specifications of the selected trunk, as shown in Figure 44.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
    User: Manager                                11:20:02 02-Oct-2004

    Modify Trunk

    1 - Trunk ID ......... 2
    2 - Trunk Name ....... Server11
    3 - Trunk Method ..... SRC/DST MAC
    4 - Trunk Ports ...... 12-16

    M - Modify Trunk
    R - Return to Previous Menu

    Enter your selection?

Figure 44.
Chapter 8: Port Trunking 7. To change the ports of a trunk, type 4 to select Trunk Ports and, when prompted, enter the new ports of the trunk. A trunk can contain up to eight ports. You can identify the ports individually (for example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14). The new list of ports replaces the existing ports of the trunk. 8. Type M to select Modify Trunk. The modifications to the port trunk are activated on the switch. 9.
AT-S63 Management Software Menus Interface User’s Guide Deleting a Port Trunk Caution Disconnect the cables from the port trunk on the switch before performing the following procedure. Deleting a port trunk without first disconnecting the cables can create loops in your network topology that result in broadcast storms and poor network performance. To delete a port trunk from the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration.
Chapter 8: Port Trunking Displaying the Port Trunks To display a port trunk, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 4 to select Port Trunking. The Port Trunking menu with a port trunk is shown in Figure 45.
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source IP address/destination IP address trunking
Status
    Whether the trunk is operating (UP) or not operating (DOWN).
Chapter 9
Port Mirroring

This chapter contains the procedures for creating and deleting a port mirror.
Port Mirroring Overview

The port mirroring feature allows you to unobtrusively monitor the traffic being received and transmitted on one or more ports on a switch by having the traffic copied to another switch port. You can connect a network analyzer to the port where the traffic is being copied and monitor the traffic on the other ports without impacting network performance or speed. The port(s) whose traffic you want to mirror is called the source port(s).
Creating a Port Mirror

To create a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 46.
5. Type 2 to select Mirror-To (Destination) Port. The following prompt is displayed:

Mirror-To Port (0-24):

6. Enter the number of the port that functions as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port.

7. If you want to mirror the ingress (received) traffic on one or more ports, type 3 to select Ingress(Rx) Mirror (Source Ports.
Disabling a Port Mirror

To delete a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 47 on page 161.

3. From the Port Mirroring Menu, type 1 to select Enable/Disable. The following prompt is displayed.
Modifying a Port Mirror

To modify the port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 47 on page 161.

3. Type 2 to select Mirror-To (Destination) Port. The following prompt is displayed:

Mirror-To Port (0-24):

4.
Displaying the Port Mirror

To display the port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 48.
Section II
Advanced Features

The chapters in this section explain additional switch management features of the AT-S63 management software.
Chapter 10
File System

This chapter describes the AT-S63 file system, and how you can use the file system to copy, rename, and delete system files. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
File System Overview

The AT-S63 management software has a file system for storing system files. You can view the file system, as well as copy, rename, and delete files. The following file types are supported by the AT-S63 file system:

❑ Boot configuration files
❑ Public keys
❑ Public certificates
❑ Certificate enrollment requests

For an explanation of a boot configuration file, refer to ”Working with Boot Configuration Files” on page 172.
where:

❑ filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }. Invalid characters are: ! * + = “ | \ [ ] ; : ? / , < >.

❑ ext is a file name extension of three characters in length, preceded by a period (.). The extension is used by the switch to determine the file type.
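The naming rules above, written out as a validator that a provisioning script could run before pushing a file to the switch. This is an added example and not part of the AT-S63 software or this guide; it treats the typographic quote in the valid-character list as an ASCII apostrophe, assumes the extension draws on the same character set, and maps the .cfg, .key, .cer and .log extensions seen elsewhere in this guide to their file types (the .key and .cer mapping is inferred from the List Files example).

```python
"""Validator for AT-S63 file system names of the form filename.ext.

Added example, not part of the AT-S63 documentation or software. It encodes
the rules from the guide's File Naming Conventions: a one-to-sixteen
character name drawn from the listed valid characters, then a period and a
three-character extension. The extension character set, the quote-as-
apostrophe reading and the extension-to-type table are assumptions.
"""

from __future__ import annotations

import string
from typing import Tuple

# Valid name characters listed in the guide (curly quote read as apostrophe).
VALID_NAME_CHARS = frozenset(string.ascii_letters + string.digits + "~'@#$%^&()_-{}")

# Characters the guide explicitly lists as invalid, kept for clearer messages.
INVALID_NAME_CHARS = frozenset('!*+="|\\[];:?/,<>')

MAX_NAME_LEN = 16
EXT_LEN = 3

# Reserved by the switch (guide: you cannot name a boot file "default.cfg").
RESERVED_NAMES = frozenset({"default.cfg"})

# Assumed extension-to-type table; .cfg and .log are stated in the guide,
# .key and .cer are inferred from the List Files example.
FILE_TYPES = {
    "cfg": "boot configuration file",
    "key": "public key",
    "cer": "public certificate",
    "log": "saved event log",
}


def check_file_name(full_name: str, allow_reserved: bool = False) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate 'filename.ext' string."""
    if not full_name:
        return False, "empty name"
    # A period inside the name part is invalid, so exactly one is allowed:
    # the one that introduces the extension.
    if full_name.count(".") != 1:
        return False, "exactly one period (before the extension) is required"
    name, ext = full_name.split(".")
    if not 1 <= len(name) <= MAX_NAME_LEN:
        return False, f"name must be 1-{MAX_NAME_LEN} characters, got {len(name)}"
    for ch in name:
        if ch in INVALID_NAME_CHARS:
            return False, f"character {ch!r} is listed as invalid"
        if ch not in VALID_NAME_CHARS:
            return False, f"character {ch!r} is not in the valid set"
    if len(ext) != EXT_LEN:
        return False, f"extension must be {EXT_LEN} characters, got {len(ext)}"
    for ch in ext:
        if ch not in VALID_NAME_CHARS:
            return False, f"extension character {ch!r} is not allowed"
    if not allow_reserved and full_name in RESERVED_NAMES:
        return False, f"{full_name} is reserved by the switch"
    return True, "ok"


def file_type(full_name: str) -> str:
    """Type the switch would infer from the extension ('unknown' if unmapped)."""
    ok, _ = check_file_name(full_name, allow_reserved=True)
    if not ok:
        return "invalid"
    return FILE_TYPES.get(full_name.rsplit(".", 1)[1].lower(), "unknown")
```

Because several of the valid characters ($ & ( ) ' and so on) are shell metacharacters, a script that passes a validated name on to a TFTP or terminal tool should still quote it rather than interpolate it into a command line.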
Working with Boot Configuration Files

A boot configuration file contains a series of commands that configure the switch’s parameter settings when you power cycle or reset the device. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so forth on the switch. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.
Creating a Boot Configuration File

Before you begin to configure the switch with the parameter settings that you want to save in a new boot configuration file, you should first create the file. Configuring the parameters first and then creating the new boot configuration file might cause you to inadvertently change a boot configuration file that you might not want to change.
5. Enter a file name for the new boot configuration file. The file name can be up to 16 alphanumeric characters. Spaces are allowed. The filename must include the extension “.cfg”. See ”File Naming Conventions” on page 170.

Note
If a filename already exists, the system displays a message asking if you want to overwrite the existing file name.

Note
You cannot name a boot configuration file “default.cfg.” This file name is reserved by the switch.

6.
Selecting the Active Boot Configuration File for the Switch

You have now created the boot configuration file, made the necessary changes to the switch’s parameter settings, and saved the changes. If you want the switch to use this new boot configuration file the next time you reset or power cycle the switch, no further steps are necessary. The new boot configuration file is already the active boot file on the device.
The file name is displayed following selection 1 in the File Operations menu. The file name should be followed by “Exist”, which means that the file exists in the switch’s file system. In the future, the switch uses the newly selected boot configuration file whenever you reset the unit, unless you designate another boot configuration file as the active boot file.

Note
If “Not Found” appears, the file does not exist.
The contents of the boot configuration file are displayed in the View File menu. An example is shown in Figure 50.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing User: Manager 11:20:02 02-Oct-2004
View File
Configuration File: mydefault.
The following are several guidelines for editing a boot configuration file:

❑ The text editor must be able to store the file as ASCII text. Do not insert special formatting codes, such as boldface or italics, into a boot configuration file.

❑ The boot configuration file must contain AT-S63 command line commands. You enter the commands you want the switch to perform when reset or power cycled.
Copying a System File

To copy a file in the file system, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 58.

3. From the System Utilities menu, type 1 to select File Operations.
Renaming a System File

To rename a system file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 58.

3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 49 on page 173.

4.
Deleting a System File

To delete a system file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 58.

3. From the System Utilities menu, type 1 to select File Operations.
Displaying System Files

Use this procedure to display a list of the system files currently stored on the switch. For information about shortcuts for specifying file names, see ”File Naming Conventions” on page 170.

To display a list of current system file names, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2.
The List Files menu is displayed. An example of the menu is shown in Figure 51.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing User: Manager 11:20:02 02-Oct-2004
List Files
File Name            Size (Bytes)    Last Modified
-----------------------------------------------------
default.cfg
boot.cfg
newcfg.cg
serverkey150.key
ProdSw.cer
ProdSw2.
Chapter 11
File Downloads and Uploads

This chapter contains the procedures for downloading a new AT-S63 image file onto the switch. This chapter also contains the procedures for uploading and downloading system files, such as a boot configuration file, from the file system in the switch.
Downloading the AT-S63 Image File onto a Switch

This section contains two procedures for downloading a new AT-S63 image file onto the switch.
Downloading the AT-S63 Image from a Local Management Session

To download a new software image onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:

1. Establish a local management session on the switch where you intend to download the new management software.

2. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

3.
The following prompt is displayed:

TFTP Server IP address:

b. Enter the IP address of the TFTP server. The following prompt is displayed:

Remote File Name:

c. Enter the directory path and file name of the AT-S63 image file stored on the TFTP server. The following message is displayed:

Getting the file from Remote TFTP Server - Please wait ...

d. If you have not already done so, start the TFTP server software.
10. From the HyperTerminal main window, select Send File from the Transfer menu, as shown in Figure 53.

Figure 53. HyperTerminal Window

The Send File window is shown in Figure 54.

Figure 54. Send File Window

11. Click Browse and specify the location and file to be downloaded onto the switch.

12. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K Xmodem.

13. Click Send.
status of the software download. The download process takes several minutes to complete.

Figure 55. XModem File Send Window

Note
After the switch has downloaded the new image, it begins to initialize the software, a process that takes approximately one minute to complete. The switch does not forward any network traffic during the initialization process. After the management software is initialized, the switch automatically resets.
5. From the Downloads and Uploads menu, type 1 to select Download Application Image/Bootloader. The following prompt is displayed:

Only TFTP downloads are available for a Telnet access
TFTP Server IP address:

6. Enter the IP address of the TFTP server. The following prompt is displayed:

Remote File Name:

7. Enter the directory path and file name of the image file or configuration file that you want to download.
Downloading an AT-S63 Image File Switch to Switch

The previous section contained procedures for downloading an AT-S63 software image onto a switch from a local or Telnet management session. The procedure in this section explains how to download an AT-S63 software image from one AT-9400 Series switch to another AT-9400 Series switch. This procedure is useful in networks that contain a large number of AT-9400 Series switches.
Note
You cannot download AT-S63 software onto any type of enhanced stacking switch other than AT-9400 Series switches.

The following prompt is displayed:

Do you want to show remote switch burning flash -> [Yes/No]

6. You can respond with Yes or No to this prompt. It does not affect the download. The following prompt is displayed:

Do you want confirmation before downloading each switch -> [Yes/No]

7.
Downloading an AT-S63 Configuration File Switch to Switch

This procedure explains how to download the active boot configuration file on the master AT-9400 Series switch to another AT-9400 Series switch in an enhanced stack. For an explanation of the boot configuration file, refer to ”Working with Boot Configuration Files” on page 172.

Note
You can perform this procedure from a local or Telnet management session.
Note
You can download an AT-9400 Series configuration file only onto other AT-9400 Series switches. Do not attempt to download the file onto any other type of enhanced stacking switch.

The following prompt is displayed:

Do you want to show remote switch burning flash -> [Yes/No]

7. You can respond with Yes or No to this prompt. It does not affect the download.
Downloading a System File

This section contains the procedures for downloading a system file from a workstation or TFTP server into the switch’s file system. You can download any of the following files:

❑ Boot configuration file
❑ Public encryption key
❑ CA certificate

Note
The CA certificate and key file are supported only on the version of AT-S63 management software that features SSL, PKI, and SSH security.
❑ If you are using TFTP, you should start the TFTP server before you begin the download procedure.

Downloading a System File from a Local Management Session

To download a system file onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2.
Getting the file from Remote TFTP Server - Please wait ...

e. If you have not already done so, start the TFTP server software. After the switch has downloaded the system file, the following message is displayed:

File received successfully!

6. To download a file using Xmodem, type X at the prompt displayed in Step 5. The following prompt is displayed:

Local File Name:

7. Enter a name for the system file.
The Send File window is shown in Figure 54.

Figure 57. Send File Window

11. Click Browse and specify the location and system file to be downloaded onto the switch.

12. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.

13. Click Send. The file immediately begins downloading onto the switch. The Xmodem File Send window in Figure 55 displays the current status of the download.

Figure 58.
Downloading a System File from a Telnet Management Session

To download a system file onto a switch from a Telnet management session using TFTP, perform the following procedure:

1. Establish a Telnet management session on the switch where you intend to download the new file.

2. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

3.
Uploading a System File

You use the procedures in this section to upload a system file from a switch to a computer or TFTP server. A system file can be any of the following:

❑ Boot configuration file
❑ Public key
❑ PKI certificate
❑ Certificate enrollment request

Note
The certificate file, certificate enrollment request file, and key file are supported only on the version of AT-S63 management software that features SSL and PKI security.
Uploading a System File from a Local Management Session

To upload a system file to a workstation from a Telnet management session using Xmodem or TFTP, perform the following procedure:

1. Establish a local management session on the switch where you want to upload the system file.

2. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

3.
After the switch has uploaded the system file, the following message is displayed:

File sent successfully!

The file is now stored on the TFTP server. You can now download the file onto another AT-9400 Series switch in your network.

7. To upload a file using Xmodem, type X at the prompt displayed in Step 5. The following message is displayed:

Local File Name:

8. Enter the name of the system file on the switch that you want to upload to your computer.
11. From the HyperTerminal main window, select Receive File from the Transfer menu, as shown in Figure 59.

Figure 59. HyperTerminal Window

The Receive File window is shown in Figure 60.

Figure 60. Receive File Window

12. Click Browse and specify the location on your computer where you want the system file stored.

13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.

14. Click Receive.
The System Utilities menu is shown in Figure 7 on page 58.

3. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 52 on page 187.

4. From the Downloads and Uploads menu, type 4 to select Upload a File. The following prompt is displayed:

Only TFTP uploads are available for a Telnet access
TFTP Server IP address:

5. Enter the IP address of the TFTP server.
Chapter 12
Event Log

This chapter describes the event log that allows you to view information about network activity.
Event Log Overview

A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when the problem occurred.
Enabling or Disabling the Event Logs

To enable or disable the event logs, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 61.

Allied Telesyn AT-9400 Series - ATS63 V1.0.
4. To determine what action the switch takes when the event log reaches its maximum capacity, type 2 to toggle Log Full Action between the two selections:

Wrap
When the event log reaches its maximum capacity, this option deletes old entries and continues to add new entries. This is the default.

Halt
When the log file reaches its maximum capacity, the log stops adding new entries.

5. After making changes, type R until you return to the Main Menu.
Displaying Events

Each time that you want to view the event log, you must choose how and what you want displayed. The event log settings are not saved.

To specify the type of events you want to display in the event log, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 8 to select Event Log.
Full
Displays the same information as Normal, plus the file name, line number, and event ID. An example of Full mode is shown in Figure 63 on page 216.

6. To display events of a selected severity, type 6 to select Event Severity. The following prompt is displayed:

Enter Severity levels to display (ALL, E - Error, W - Warning, I - Information, D - Debug) ->

The possible options are:

ALL
All messages of the following types are displayed.

E - Error
Only error messages are displayed.
Table 6 shows the list of modules.

Table 6.
Table 6. AT-S63 Software Modules (Continued)

Name     Description
SNMP     Simple Network Management Protocol
SSH      Secure Shell protocol
SSL      Secure Sockets Layer protocol
STP      Spanning Tree, Rapid Spanning, and Multiple Spanning Tree protocols
SYSTEM   Hardware status; Manager and Operator log in and log off events.
Figure 62 shows an example of an event log in Normal mode.

Allied Telesyn AT-9400 Series - ATS63 V1.0.
When you display the events in full mode, more information is included. Figure 63 shows the same portion of the event log in Figure 62 on page 215 but displayed in full mode.

Allied Telesyn AT-9400 Series - ATS63 V1.0.0
Production Switch User: Manager 00:14:33 15-Mar-2004
Event Log
S Date Time EventID Source File:Line Number Event
-----------------------------------------------------
I 02/24/04 12:31:02 323003 atissh.
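A parser for event log entries saved in Full mode (the .log file produced by the Saving an Event Log to a File procedure), applying the same severity selection the Event Severity prompt accepts and pulling out the SYSTEM module's log in and log off events for review. This is an added example, not the AT-S63 software's own code; the column order comes from Figure 63, but the sample entries, event IDs, source file names and event wording are constructed placeholders.

```python
"""Parser for AT-S63 event log entries saved in Full display mode.

Added example; not part of the AT-S63 documentation or software. The column
layout (S, Date, Time, EventID, Source File:Line Number, Event) follows the
guide's Figure 63. The sample log below is constructed: its event IDs, the
source file names completing the "atissh." fragment shown in the guide, the
addresses (documentation range 192.0.2.0/24) and the event text are all
placeholders, as is the wording matched by the login helpers.
"""

from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Severity letters as offered by the "Enter Severity levels to display" prompt.
SEVERITIES = {"E": "Error", "W": "Warning", "I": "Information", "D": "Debug"}

# Constructed sample of a Full-mode log in the same column order as Figure 63.
SAMPLE_LOG = """\
S Date     Time     EventID Source File:Line Number Event
-----------------------------------------------------
I 02/24/04 12:31:02 323003  atissh.c:218  SSH server initialised
I 02/24/04 12:35:47 101011  atisys.c:455  Manager log in from 192.0.2.25 (Telnet)
W 02/24/04 12:36:02 101014  atisys.c:471  Manager log in failed from 192.0.2.77 (Telnet)
W 02/24/04 12:36:09 101014  atisys.c:471  Manager log in failed from 192.0.2.77 (Telnet)
E 02/24/04 12:40:10 210002  atistp.c:901  Spanning tree topology change on port 5
D 02/24/04 12:41:00 323010  atissh.c:330  SSH key exchange completed
I 02/24/04 12:45:30 101012  atisys.c:460  Manager log off (Telnet)
"""

# One Full-mode entry: severity letter, date, time, numeric event ID,
# file:line source reference, then free-form event text.
ENTRY_RE = re.compile(
    r"^(?P<sev>[EWID])\s+(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<event_id>\d+)\s+(?P<source>\S+:\d+)\s+(?P<event>.*\S)\s*$"
)


@dataclass(frozen=True)
class Event:
    severity: str
    date: str
    time: str
    event_id: int
    source: str
    text: str


def parse_full_mode(text: str) -> List[Event]:
    """Parse a saved Full-mode log, skipping the column header and rule line."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:  # header, rule line, blank line
            continue
        events.append(Event(m["sev"], m["date"], m["time"], int(m["event_id"]),
                            m["source"], m["event"]))
    return events


def parse_severity_selection(selection: str) -> Set[str]:
    """Turn a prompt answer such as 'ALL' or 'E,W' into a set of letters."""
    sel = selection.strip().upper()
    if sel == "ALL" or not sel:
        return set(SEVERITIES)
    letters = {tok for tok in re.split(r"[,\s]+", sel) if tok}
    unknown = letters - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity letters: {sorted(unknown)}")
    return letters


def filter_events(events: List[Event], selection: str = "ALL") -> List[Event]:
    wanted = parse_severity_selection(selection)
    return [e for e in events if e.severity in wanted]


def login_events(events: List[Event]) -> List[Event]:
    """SYSTEM-module account activity: 'log in' / 'log off' (assumed wording)."""
    pat = re.compile(r"\blog\s?(in|off)\b", re.IGNORECASE)
    return [e for e in events if pat.search(e.text)]


def failed_logins_by_source(events: List[Event]) -> Dict[str, int]:
    """Count failed log in entries per remote address (constructed text form)."""
    addr = re.compile(r"log in failed from (\S+)", re.IGNORECASE)
    counts: Dict[str, int] = {}
    for e in events:
        m = addr.search(e.text)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

With Log Full Action set to Wrap (the default), old entries are overwritten once the log is full, so a saved .log copy is the only durable record of the login activity this parser extracts.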
Clearing the Event Log

You can clear the event log to remove old events and start fresh.

To clear the event log, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 61 on page 209.

3. From the Event Log menu, type C to select Clear Log.
Saving an Event Log to a File

You can save an event log to a file to review later. The file is saved as an ASCII file so that you can also email the file to someone else for troubleshooting.

To save the event log to a file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.

2. From the System Administration menu, type 8 to select Event Log.
The File Operations menu is displayed, as shown in Figure 49 on page 173.

12. From the File Operations menu, type 7 to select View File. The following prompt is displayed:

Enter file name to view:

13. Type the file name with the .log file name extension and press Return. A sample log file saved in full mode is shown in Figure 64.

Allied Telesyn AT-9400 Series - ATS63 V1.0.
Chapter 13
Quality of Service

This chapter contains the procedures for configuring Quality of Service (QoS).
Quality of Service Overview

When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets. This can result in the delay of packets reaching their destinations. A port may be forced to delay transmission while it handles other traffic.
Each switch port has eight egress queues. The queues are Q0 through Q7. Q0 is the lowest priority queue and Q7 is the highest. A packet in a high priority egress queue is typically transmitted out a port sooner than a packet in a low priority queue. Table 8 lists the mappings between the eight CoS priority levels and the eight egress queues of a switch port.

Table 8. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.
packets with a priority of 2 should be handled in Q0. The result is shown in Table 9.

Table 9. Example of Customized CoS Mappings to Priority Queues

IEEE 802.1p Priority Level   AT-S63 Priority Queue
0                            Q1
1                            Q0
2                            Q2
3                            Q3
4                            Q4
5                            Q5
6                            Q6
7                            Q7

The procedure for changing the default mappings is found in ”Mapping CoS Priorities to Egress Queues” on page 230.
Q3, the highest priority queue, before moving on to the other queues, or should it instead just do a few packets from each queue and, if so, how many? This control mechanism is called scheduling. Scheduling determines the order in which a port handles the packets in its egress queues. The AT-S63 management software has two types of scheduling:

❑ Strict priority
❑ Weighted round robin priority

Note
Scheduling is set at the switch level.
Table 10 shows an example of weighted round robin priority scheduling.

Table 10. Example of Weighted Round Robin Priority

Port Egress Queue   Maximum Number of Packets
Q7                  15
Q6                  10
Q5                  10
Q4                  5
Q3                  5
Q2                  1
Q1                  1
Q0                  1

In this example, the port transmits a maximum number of 15 packets from Q7 before moving to Q6, from which it transmits up to 10 packets, and so forth.
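A small simulation of the two scheduling methods, using the Table 9 priority-to-queue mapping and the Table 10 packet limits, that shows why weighted round robin still serves Q0 while strict priority leaves it waiting behind a steady stream of priority-7 traffic. This is an added example, not the AT-S63 implementation; the Packet type, the per-port untagged queue and override behaviour (from the Configuring CoS section), the queue contents and the transmit budget are constructed for the demonstration.

```python
"""Simulation of AT-S63 CoS queue mapping and egress scheduling.

Added example, not part of the AT-S63 documentation or software. It uses
the customized 802.1p-to-queue mapping of Table 9 and the per-queue packet
limits of Table 10. The Packet type, the queue contents and the transmit
budget are constructed for this example.
"""

from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

NUM_QUEUES = 8  # Q0 (lowest priority) through Q7 (highest)

# Table 9: customized 802.1p priority -> egress queue mapping.
TABLE9_MAPPING: Dict[int, int] = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# Table 10: maximum packets transmitted from each queue per round.
TABLE10_WEIGHTS: Dict[int, int] = {7: 15, 6: 10, 5: 10, 4: 5, 3: 5, 2: 1, 1: 1, 0: 1}


@dataclass(frozen=True)
class Packet:
    ident: str
    priority: Optional[int] = None  # 802.1p priority from the tag; None = untagged


def classify(packet: Packet, mapping: Dict[int, int] = TABLE9_MAPPING,
             port_queue: int = 0, override: bool = False) -> int:
    """Choose the egress queue for one packet arriving on one port.

    Untagged packets go to the port's configured queue (default Q0). With the
    port's override option set, tagged packets use that queue too; otherwise
    the switch-level mapping decides.
    """
    if packet.priority is None or override:
        return port_queue
    if packet.priority not in mapping:
        raise ValueError(f"802.1p priority out of range: {packet.priority}")
    return mapping[packet.priority]


def build_queues(packets: List[Packet], **classify_kw) -> List[Deque[str]]:
    """Place packets into the eight egress queues of a port."""
    queues: List[Deque[str]] = [deque() for _ in range(NUM_QUEUES)]
    for p in packets:
        queues[classify(p, **classify_kw)].append(p.ident)
    return queues


def strict_priority(queues: List[Deque[str]], budget: int) -> List[str]:
    """Always serve the highest-numbered non-empty queue."""
    order: List[str] = []
    while len(order) < budget:
        for q in range(NUM_QUEUES - 1, -1, -1):
            if queues[q]:
                order.append(queues[q].popleft())
                break
        else:
            break  # every queue is empty
    return order


def weighted_round_robin(queues: List[Deque[str]], budget: int,
                         weights: Dict[int, int] = TABLE10_WEIGHTS) -> List[str]:
    """Visit Q7 down to Q0, sending at most weights[q] packets per visit."""
    order: List[str] = []
    while len(order) < budget:
        sent_this_round = 0
        for q in range(NUM_QUEUES - 1, -1, -1):
            for _ in range(weights[q]):
                if not queues[q] or len(order) >= budget:
                    break
                order.append(queues[q].popleft())
                sent_this_round += 1
        if sent_this_round == 0:
            break  # nothing left to send
    return order


def compare_schedulers(high: int = 20, low: int = 2,
                       budget: int = 20) -> Tuple[List[str], List[str]]:
    """Queue `high` priority-7 packets and `low` untagged packets, run both."""
    packets = [Packet(f"h{i}", 7) for i in range(high)]
    packets += [Packet(f"l{i}") for i in range(low)]  # untagged -> port queue Q0
    strict = strict_priority(build_queues(packets), budget)
    wrr = weighted_round_robin(build_queues(packets), budget)
    return strict, wrr
```

With the Table 10 limits, the untagged packet l0 is sent sixteenth under weighted round robin (after the 15-packet Q7 allowance), whereas strict priority spends the whole 20-packet budget on Q7.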
Configuring CoS

As explained in ”Quality of Service Overview” on page 222, a tagged packet received on a port is placed into one of four priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 8, ”Default Mappings of IEEE 802.1p Priority Levels to Priority Queues” on page 223. These mappings apply at the switch level.
The Class of Service (CoS) menu is shown in Figure 65.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing User: Manager 11:20:02 02-Oct-2004
Class of Service (CoS)
1 - Configure Port CoS Priorities
2 - Map CoS Priority to Egress Queue
3 - COnfigure Egress Scheduling
4 - Show Port CoS Priorities
R - Return to Previous Menu
Enter your selection?

Figure 65. Class of Service (CoS) Menu

2.
5. Enter a value from 0 to 7 that corresponds to the egress queue where you want all untagged frames on the port to be stored. For example, if you want all ingress untagged packets received on the port stored in egress queue Q2, enter 2. The default is 0, which corresponds to Q0. (If you perform Step 7 and override the priority level in tagged packets, this queue will also be used to store all tagged packets.) The values are listed in Table 11.
Mapping CoS Priorities to Egress Queues

This procedure explains how to change the default mapping of CoS priorities to egress priority queues, shown in Table 10 on page 226. This is set at the switch level. You cannot set this at the per-port level.

To change the mappings, perform the following procedure.

1. From the Main Menu, type 7 to select Quality of Service (QoS) Configuration. The Class of Service (CoS) menu is shown in Figure 65 on page 228.

2.
Configuring Egress Scheduling

This procedure explains how to select and configure a scheduling method for QoS. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to ”Scheduling” on page 224. Scheduling is set at the switch level. You cannot set this on a per-port basis.

To configure egress scheduling, perform the following procedure:

1.
Leaving the default value of 1 for each queue gives all egress queues the same weight.

5. Return to the Main Menu and type S to select Save Configuration Changes.
Chapter 14
IGMP Snooping

This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
IGMP Snooping Overview

The IGMP snooping protocol enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a particular multicast group responds to a query by sending a report.
Without IGMP snooping, a switch would be obligated to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact switch and network performance.
Configuring IGMP Snooping

To configure IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 69.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing User: Manager 11:20:02 02-Oct-2004
Advanced Configuration
1 - IGMP Snooping Configuration
2 - RRP Snooping Configuration
R - Return to Previous Menu
Enter your selection?

Figure 69.
3. Adjust the following parameters as necessary:

1 - IGMP Snooping Status
Enables or disables IGMP snooping on the switch. After you choose this selection, type E to enable or D to disable this feature.

2 - Multicast Host Topology
Defines whether there is only one host node per switch port or multiple host nodes per port.
When you select a value for this parameter, it is important to note that the value you enter actually defines the approximate midpoint of a range within which a timeout can occur. Consequently, an actual timeout may occur earlier or later than the value that you enter. The range is from 0.7 to 1.4 of your value. For example, if you leave this parameter set to the default 260 seconds, a timeout can occur from 182 seconds to 364 seconds.
Enabling or Disabling IGMP Snooping

To configure IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 69 on page 236.

2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 70 on page 236.

3.
Displaying a List of Host Nodes

You can use the AT-S63 management software to display a list of the multicast groups on a switch, as well as the host nodes.

To display the list, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 69 on page 236.

2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration.
AT-S63 Management Software Menus Interface User’s Guide Port/Trunk The port on the switch to which a host node of the multicast group is connected. HostIP The IP address of the host node connected to the port. Status The status of the host node. The possible settings are: Active - The host node is an active member of the group. Left Group - The host node has recently left the group.
Chapter 14: IGMP Snooping Displaying a List of Multicast Routers A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S63 management software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration.
AT-S63 Management Software Menus Interface User’s Guide Router IP The IP address of the multicast router.
Chapter 14: IGMP Snooping 244 Section II: Advanced Features
Chapter 15 RRP Snooping

This chapter explains RRP snooping and contains the following sections:
❑ ”RRP Snooping Overview” on page 246
❑ ”Enabling or Disabling RRP Snooping” on page 248

RRP Snooping Overview

The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one as the master router. This router functions as the provider of the primary path between LAN segments. Slave routers function as backup paths in the event that the master router or primary path fails.

The following guidelines apply to the RRP snooping feature:
❑ The default setting for this feature is disabled.
❑ Activating the feature flushes all dynamic MAC addresses from the MAC address table.
❑ RRP snooping is supported on ports operating in the MAC security level of automatic. This feature is not supported on ports operating with a security level of limited, secured, or locked.
❑ RRP snooping is supported on port trunks.

Enabling or Disabling RRP Snooping

To enable or disable RRP snooping on a switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration.
2. From the Advanced Configuration menu, type 2 to select RRP Snooping Configuration. The RRP Snooping Configuration menu is shown in Figure 73.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
User: Manager 11:20:02 02-Oct-2004
RRP Snooping Configuration
1 - RRP Snooping Status .........
Chapter 16 STP and RSTP

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.

STP and RSTP Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that data loops pose is that data packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and can significantly reduce network performance.

Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network.

Path Costs and Port Costs

After the root bridge has been selected, the bridges must determine if the network contains redundant paths and, if one is found, they must select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.

Table 14 lists the STP port costs with Auto-Detect when a port is part of a port trunk.

Table 14. STP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       4
100 Mbps      4
1000 Mbps     2

Table 15 lists the RSTP port costs with Auto-Detect.

Table 15. RSTP Auto-Detect Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000

Table 16 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.

priority for a port, you enter the increment of the desired value. Table 17 lists the values and increments. The default value is 128, which is increment 8. Table 17.

root bridge sufficient time to propagate a topology change throughout the entire network. For small networks, you should not specify a value so large that a topology change is unnecessarily delayed, which could result in the delay or loss of some data packets.

Note
The forwarding delay parameter applies only to ports on the switch that are operating in STP-compatible mode.

Series switches that have been connected with one data link. With the link operating in full-duplex, the ports are point-to-point ports.

A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 76 illustrates a port functioning as both a point-to-point and edge port.

on the switches, one of the links is disabled. In the example, the port on the top switch that links the two parts of the Production VLAN is changed to the block state. This leaves the two parts of the Production VLAN unable to communicate with each other.

Enabling or Disabling a Spanning Tree Protocol

The AT-S63 management software supports STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. Before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.

4. If you selected STP as the active spanning tree protocol, go to ”Configuring STP” on page 261 for further instructions. If you selected RSTP, go to ”Configuring RSTP” on page 267. Multiple Spanning Tree Protocol (MSTP) is described in Chapter 17, ”MSTP” on page 277.

Note
After you have configured the spanning tree parameters, perform steps 5 through 7 to enable spanning tree.

5. To enable or disable spanning tree, type 1 to select Spanning Tree Status.

Configuring STP

This section contains the following procedures:
❑ ”Configuring STP Bridge Settings”, next
❑ ”Configuring STP Port Settings” on page 263

Configuring STP Bridge Settings

This section contains the procedure for configuring a bridge’s STP settings.

Caution
The default STP parameters are adequate for most networks. Changing them without prior experience and an understanding of how STP works might have a negative effect on your network.

3. Adjust the following parameters as needed.

1 - Bridge Priority
The priority number for the bridge. This number is used to determine the root bridge for RSTP. The bridge with the lowest priority number is selected as the root bridge. If two or more bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge. When a root bridge goes offline, the bridge with the next priority number automatically takes over as the root bridge.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5. To change STP port settings, go to the next procedure.

Configuring STP Port Settings

To adjust STP port parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2.

The Configure STP Port Settings menu is shown in Figure 81.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
User: Manager 11:20:02 02-Oct-2004
Configure STP Port Settings
Configuring Ports 4-6
1 - Port Priority ..... 128
2 - Port Cost ......... Automatic-Update
R - Return to Previous Menu
Enter your selection?

Figure 81. Configure STP Port Settings Menu

7. Adjust the following parameters as needed.

Displaying STP Port Settings

To display STP port settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The STP menu is shown in Figure 79 on page 261.
3. From the STP menu, type P to select STP Port Parameters.

Cost
Port cost of the port. The default is Auto-Update.

Priority
The number used as a tie breaker when two or more ports have equal costs to the root bridge.

Resetting STP to the Default Settings

To reset STP to the default settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2.

Configuring RSTP

This section contains the following procedures:
❑ ”Configuring RSTP Bridge Settings”, next
❑ ”Configuring RSTP Port Settings” on page 269

Configuring RSTP Bridge Settings

This section contains the procedure for configuring a bridge’s RSTP settings.

Caution
The default RSTP parameters are adequate for most networks.

3. Adjust the following parameters as necessary.

1 - Force Version
This selection determines whether the bridge operates with RSTP or in an STP-compatible mode. If you select RSTP, the bridge operates all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge operates in RSTP, using the RSTP parameter settings, but it sends only STP BPDU packets out the ports.

2 - Bridge Priority
The priority number for the bridge.

6 - Bridge Identifier
The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Configuring RSTP Port Settings

To adjust RSTP port parameters, perform the following procedure:

1.
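The root bridge election and root port selection that this chapter describes (lowest bridge priority wins, the numerically lowest MAC address breaks a tie, and each bridge picks the port with the lowest accumulated path cost to the root), worked through in code. This is an added example and not code from the AT-S63 guide or from Allied Telesyn; it assumes a bridge identifier that sorts as (priority, MAC address), priorities entered as the 0 to 15 increment that the guide multiplies by 4096, and the RSTP Auto-Detect port costs of Table 15. The switch names and the three-switch topology are constructed.

```python
"""Root bridge election and root port selection for a small STP/RSTP network.

Added example, not code from the AT-S63 guide or from Allied Telesyn.
Assumptions: a bridge identifier sorts as (priority, MAC address), the
priority is entered as the 0-15 increment that the guide multiplies by
4096, and port costs follow the RSTP Auto-Detect values in Table 15.
"""
import heapq
from dataclasses import dataclass

# Table 15: RSTP Auto-Detect port costs, keyed by port speed in Mbps
RSTP_AUTO_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}


def priority_from_increment(increment: int) -> int:
    """Turn the increment typed at the menu prompt into the priority value."""
    if not 0 <= increment <= 15:
        raise ValueError("priority increment must be 0 to 15")
    return increment * 4096


def bridge_id(priority: int, mac: str) -> tuple:
    """Sortable bridge identifier: the lowest priority wins, and the
    numerically lowest MAC address breaks a tie between equal priorities."""
    return (priority, int(mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str           # bridge name at one end
    a_port: int      # port number on bridge a
    b: str           # bridge name at the other end
    b_port: int      # port number on bridge b
    speed_mbps: int  # Auto-Detect speed of both ports


def elect_root(bridges: dict) -> str:
    """bridges maps a bridge name to (priority, MAC). Returns the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_ports(bridges: dict, links: list) -> dict:
    """For each non-root bridge, choose the root port: the port whose path to
    the root has the lowest accumulated port cost. Ties are broken the way
    the protocol does, by the lower upstream bridge identifier and then the
    lower port numbers. Returns name -> {root_port, upstream, root_path_cost}."""
    root = elect_root(bridges)
    adjacency = {name: [] for name in bridges}
    for link in links:
        adjacency[link.a].append((link.b, link.a_port, link.b_port, link.speed_mbps))
        adjacency[link.b].append((link.a, link.b_port, link.a_port, link.speed_mbps))
    # Comparison key for a candidate path: (root path cost, upstream bridge ID,
    # upstream port, receiving port). Lower wins, as when BPDUs are compared.
    best = {root: (0, bridge_id(*bridges[root]), 0, 0)}
    via = {root: (None, None)}
    heap = [(best[root], root)]
    while heap:
        key, node = heapq.heappop(heap)
        if key != best[node]:
            continue  # stale queue entry, a better path was already found
        for neighbour, my_port, their_port, speed in adjacency[node]:
            # The receiving bridge adds the cost of its own port to the root
            # path cost advertised by the upstream bridge.
            candidate = (key[0] + RSTP_AUTO_COST[speed], bridge_id(*bridges[node]),
                         my_port, their_port)
            if neighbour not in best or candidate < best[neighbour]:
                best[neighbour] = candidate
                via[neighbour] = (node, their_port)
                heapq.heappush(heap, (candidate, neighbour))
    return {name: {"root_port": via[name][1], "upstream": via[name][0],
                   "root_path_cost": best[name][0]}
            for name in bridges if name != root}


# Constructed sample: three switches, SwA with the best (lowest) priority.
# SwB and SwC share priority increment 8 (8 x 4096 = 32768), so their MAC
# addresses would decide between them if SwA were absent.
BRIDGES = {
    "SwA": (priority_from_increment(0), "02:00:00:00:00:01"),
    "SwB": (priority_from_increment(8), "02:00:00:00:00:02"),
    "SwC": (priority_from_increment(8), "02:00:00:00:00:03"),
}
LINKS = [
    Link("SwA", 1, "SwB", 1, 1000),  # gigabit link to the root
    Link("SwA", 2, "SwC", 1, 100),   # slow direct link to the root
    Link("SwB", 2, "SwC", 2, 1000),  # gigabit link between SwB and SwC
]

if __name__ == "__main__":
    print("root bridge:", elect_root(BRIDGES))
    for name, info in root_ports(BRIDGES, LINKS).items():
        print(name, info)
```

SwC ends up with its root port on the gigabit link towards SwB (cost 20,000 + 20,000) rather than on its direct 100 Mbps link to the root (cost 200,000), which is the effect the port cost tables are designed to produce.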
4. Enter the number of the port you want to configure. To configure a range of ports, enter the first port of the range. The following prompt is displayed:
Ending Port to Configure [1 to 24] ->
5. To configure just one port, enter the same port number here as you entered in the previous step. To configure a range of ports, enter the last port of the range. The Configure RSTP Port Settings menu is shown in Figure 85.

3 - Point-to-Point
This parameter defines whether the port is functioning as a point-to-point port. The possible settings are Yes, No, and Auto Detect. For an explanation of this parameter, refer to ”Point-to-Point and Edge Ports” on page 255.

4 - Edge Port
This parameter defines whether the port is functioning as an edge port. The possible settings are Yes and No.

The Display RSTP Port Configuration menu is shown in Figure 86.

The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The RSTP menu is shown in Figure 79 on page 261.
3. From the RSTP menu, type P to select RSTP Port Parameters. The RSTP Port Parameters menu is shown in Figure 84 on page 269.
4. From the RSTP Port Parameters menu, type 3 to select Display RSTP Port State.

❑ Learning - The port is enabled for receiving, but not forwarding packets.
❑ Forwarding - Normal operation.
❑ Disabled - The port has not established a link with its end node.

Role
The RSTP role of the port. Possible roles are:
❑ Root - The port that is connected to the root switch, directly or through other switches, with the least path cost.
❑ Alternate - The port offers an alternate path in the direction of the root switch.

4. Type Y for Yes or N for No and press Return. The RSTP configuration is reset to the defaults.
Chapter 17 MSTP

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP) and contains procedures on how to adjust spanning tree bridge and port parameters.

MSTP Overview

As mentioned in Chapter 16, ”STP and RSTP” on page 249, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.

Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Series switches, and an AT-9400 Series switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default MSTI with an MSTI ID of 0.

In Figure 88, the link between the two parts of the Production VLAN is blocked, resulting in a loss of communications between the two parts of the Production VLAN.

Figure 89 illustrates the same two AT-9400 Series switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.

An MSTI can contain more than one VLAN. This is illustrated in Figure 90 where there are two AT-9400 Series switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.

❑ An AT-9400 Series switch can support up to 16 spanning tree instances, including the CIST, at a time.
❑ An MSTI can contain any number of VLANs.
❑ A VLAN can belong to only one MSTI at a time.
❑ A port on the switch can belong to only one spanning tree instance at a time. This means that a port cannot be a tagged and untagged member of VLANs that belong to different MSTIs.

that you maintain this number, only that each bridge in a region have the same number. The bridges of a particular region must also have the same VLANs. The names of the VLANs and the VIDs must be the same on all bridges of a region. Finally, the VLANs in the bridges must be associated to the same MSTIs. If any of the above information is different on two bridges, MSTP considers the bridges as residing in different regions.

Figure 91 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Series switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.

The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must have a root bridge to locate physical loops within the spanning tree instance. An MSTI’s root bridge is called a regional root. The MSTIs within a region may share the same regional root or they can have different regional roots.

❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address.
❑ The regional root of an MSTI must be in the same region as the MSTI.

Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST).

MSTP with STP and RSTP

MSTP is fully compatible with STP and RSTP. If a port on an AT-9400 Series switch running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs because RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered to be a boundary port of the MSTP region and the bridge as belonging to a different region. An MSTP region can be considered as a virtual bridge.

❑ All of the bridges in a region must have the same configuration name, revision level, VLANs, and VLAN to MSTI associations.
❑ An MSTI cannot span multiple regions.
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address.
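A consistency check for the region and MSTI rules summarised in this chapter: MSTI IDs 1 to 15 with the CIST as instance 0, at most 16 instances including the CIST, a VLAN in only one MSTI, VLANs not placed in an MSTI remaining in the CIST, and two bridges forming one region only when configuration name, revision level, VLANs and VLAN-to-MSTI associations all match. This is an added example and not code from the AT-S63 guide or from Allied Telesyn; the switch names, VLANs and associations are constructed.

```python
"""Checks for the MSTP region and MSTI rules listed in this chapter.

Added example, not code from the AT-S63 guide or from Allied Telesyn.
Rules applied: MSTI IDs are 1 to 15 with the CIST as instance 0; a switch
supports at most 16 instances including the CIST; a VLAN belongs to only
one MSTI; VLANs not placed in an MSTI stay in the CIST; and two bridges
are in one region only if configuration name, revision level, VLANs
(names and VIDs) and VLAN-to-MSTI associations all match.
"""
from dataclasses import dataclass

CIST = 0
MAX_INSTANCES = 16            # MSTIs plus the CIST
MSTI_ID_RANGE = range(1, 16)  # 1 to 15


@dataclass
class MstpBridge:
    name: str
    config_name: str
    revision: int
    vlans: dict        # VID -> VLAN name, as listed by Displaying VLANs
    msti_vlans: dict   # MSTI ID -> set of VIDs entered with Add VLANs to MSTI

    def vlan_to_msti(self) -> dict:
        """Effective association: a VLAN not added to any MSTI is in the CIST."""
        mapping = {vid: CIST for vid in self.vlans}
        for msti in sorted(self.msti_vlans):
            for vid in self.msti_vlans[msti]:
                mapping[vid] = msti
        return mapping


def validate(bridge: MstpBridge) -> list:
    """Return ("error", text) and ("warning", text) findings for one bridge."""
    findings = []
    if len(bridge.msti_vlans) + 1 > MAX_INSTANCES:
        findings.append(("error", f"{len(bridge.msti_vlans)} MSTIs plus the CIST "
                                  f"exceed the limit of {MAX_INSTANCES} instances"))
    seen = {}  # VID -> first MSTI it appeared in
    for msti in sorted(bridge.msti_vlans):
        if msti not in MSTI_ID_RANGE:
            findings.append(("error", f"MSTI ID {msti} is outside the range 1 to 15"))
        for vid in sorted(bridge.msti_vlans[msti]):
            if vid not in bridge.vlans:
                findings.append(("error", f"VLAN {vid} is assigned to MSTI {msti} "
                                          "but is not defined on the switch"))
            if vid in seen:
                findings.append(("error", f"VLAN {vid} is in MSTI {seen[vid]} and MSTI "
                                          f"{msti}; a VLAN can belong to only one MSTI"))
            else:
                seen[vid] = msti
    in_cist = sorted(vid for vid, msti in bridge.vlan_to_msti().items() if msti == CIST)
    if in_cist:
        findings.append(("warning", f"VLANs {in_cist} remain in the CIST; assign every "
                                    "VLAN, including the Default_VLAN, to an MSTI"))
    return findings


def same_region(a: MstpBridge, b: MstpBridge) -> tuple:
    """(True, []) if the two bridges would form one region, otherwise
    (False, [attributes that differ])."""
    diffs = []
    if a.config_name != b.config_name:
        diffs.append("configuration name")
    if a.revision != b.revision:
        diffs.append("revision level")
    if a.vlans != b.vlans:
        diffs.append("VLAN names or VIDs")
    if a.vlan_to_msti() != b.vlan_to_msti():
        diffs.append("VLAN-to-MSTI associations")
    return (not diffs, diffs)


# Constructed sample, in the spirit of Figure 91: SwA and SwB are configured
# identically; SwC has a different revision level, leaves the Default_VLAN
# in the CIST and places VLAN 20 in two MSTIs.
VLANS = {1: "Default_VLAN", 10: "Sales", 20: "Presales", 30: "Design", 40: "Engineering"}
SWITCH_A = MstpBridge("SwA", "Region1", 1, dict(VLANS), {1: {1, 10, 20}, 2: {30, 40}})
SWITCH_B = MstpBridge("SwB", "Region1", 1, dict(VLANS), {1: {1, 10, 20}, 2: {30, 40}})
SWITCH_C = MstpBridge("SwC", "Region1", 2, dict(VLANS), {1: {10, 20}, 2: {20, 30, 40}})

if __name__ == "__main__":
    for switch in (SWITCH_A, SWITCH_C):
        print(switch.name, validate(switch))
    print("SwA/SwB same region:", same_region(SWITCH_A, SWITCH_B))
    print("SwA/SwC same region:", same_region(SWITCH_A, SWITCH_C))
```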
that the port is a member of both CIST and MSTI 7, while the BPDUs from port 1 would indicate the port is a member of the CIST and MSTI 10.

To avoid this issue, always assign all VLANs on a switch, including the Default_VLAN, to an MSTI. This guarantees that all ports on the switch have an MSTI ID and that helps to ensure that loop detection is based on MSTI, not CIST.

Connecting VLANs Across Different Regions

Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region.

There are several ways to address this issue. One is to have only one MSTP region for each subnet in your network. Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example.

Selecting MSTP as the Spanning Tree Protocol

To select and activate MSTP as the spanning tree protocol, or to disable spanning tree, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. To change the active version of spanning tree on the switch, type 2 to select Active Protocol Version.

Configuring MSTP Bridge Settings

To configure a bridge’s MSTP settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95.

2 - Hello Time
The time interval between generating and sending configuration messages by the bridge. The range of this parameter is 1 to 10 seconds. The default is 2 seconds. This value is active only if the bridge is selected as the root bridge of the network.

3 - Forwarding Delay
The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes.

revision level must be the same on all bridges in a region. Different regions can have the same revision level without conflict.

8 - Bridge Identifier
The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of a root bridge when two or more bridges have the same bridge priority value. This value cannot be changed.

9 - Root Identifier
If this MAC address is the same as the bridge’s MAC address, then the switch is also functioning as a root bridge.

Configuring the CIST Priority

This procedure explains how to adjust the bridge’s CIST priority. To change the CIST priority, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3.

The following prompt is displayed:
Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->
5. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 12 on page 251.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying the CIST Priority

To display the CIST priority, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3. From the MSTP menu, type M to select MSTI menu.

Path Cost
Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.

Associated VLANs
Specifies the VIDs of the VLANs that have been associated with the MSTI ID. The table does not include the CIST. The table is empty if no MSTI IDs have been created.

Creating, Deleting, and Modifying MSTI IDs

The following sections contain procedures for working with MSTI IDs:
❑ ”Creating an MSTI ID” next
❑ ”Deleting an MSTI ID” on page 302
❑ ”Modifying an MSTI ID” on page 302

Creating an MSTI ID

To create an MSTI ID, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2.

8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an MSTI ID

To delete an MSTI ID, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3.

Enter the MSTI ID to be modified: [1 to 15] ->
5. Enter the MSTI ID that you want to modify. The range is 1 to 15. You can specify only one MSTI ID at a time. The following prompt is displayed:
Enter new priority [the value will be multiplied by 4096] [0 to 15] -> 8
6. Enter a new MSTI priority number for this MSTI on the bridge. This parameter is used in selecting a regional root for the MSTI.

Adding, Removing, or Modifying VLAN Associations to MSTI IDs

When you create a new MSTI ID, you are given the opportunity of associating VLANs to it. But after an MSTI ID is created, you may want to add more VLANs to it, or perhaps remove VLANs. This procedure explains how to associate VLANs on the switch to an existing MSTI ID and also how to remove VLANs. Before performing this procedure, note the following:
❑ You must create an MSTI ID before you can assign VLANs to it.

The VLAN-MSTI Association menu is shown in Figure 98.

4. From the MSTP menu, type V to select VLAN-MSTI Association menu. The VLAN-MSTI Association menu is shown in Figure 98 on page 305.
5. From the VLAN-MSTI Association menu, type 1 to select Add VLANs to MSTI. The following prompt is displayed:
Enter the MSTI ID [0 to 15] ->
6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:
Enter the list of VLANs:
7.

6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:
Enter the list of VLANs:
7. Enter the VLAN ID of the virtual LAN that you want to remove from the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to ”Displaying VLANs” on page 451. A removed VLAN is returned to CIST.
8. After making changes, type R until you return to the Main Menu.

The VLANs already associated with the MSTI ID are removed when the new VLANs are added. The removed VLANs are returned to CIST.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Clearing VLAN to MSTI Associations

To clear VLAN to MSTI associations, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2.

Configuring MSTP Port Settings

To configure a port’s MSTP parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3. From the MSTP menu, type P to select MSTP Port Parameters.

The Configure MSTP Port Settings menu is shown in Figure 100.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
User: Manager 11:20:02 02-Oct-2004
Configure MSTP Port Settings
1 - Port Priority ...............
2 - Port Internal Path Cost .....
3 - Port External Path Cost .....
4 - Point-to-Point ..............
5 - Edge Port ...................

Table 19 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.

Table 19. RSTP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000

3 - Port External Path Cost
The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP. The range is 0 to 200,000,000. The default setting is 200,000.

Displaying the MSTP Port Configuration

To display the MSTP port configuration, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3. From the MSTP menu, type P to select MSTP Port Parameters.

Port
The port number.

Edge-Port
Whether or not the port is functioning as an edge port. The possible settings are Yes and No.

Point-to-Point
Whether or not the port is functioning as a point-to-point port. The possible settings are Yes, No, and Auto-Detect.

External or Internal Port Cost
External Port Cost - The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP.

Displaying the MSTP Port State

To display the MSTP port state, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3. From the MSTP menu, type P to select MSTP Port Parameters.

The MSTP Port State menu displays a table that contains the following columns of information:

Port
The port number.

State
The MSTP state of the port. The possible states are:
Discarding - The port is discarding received packets and is not submitting forwarded packets for transmission.
Learning - The port is learning the MAC address from the received packet, but does not process or forward the packet.
Forwarding - Normal operation.

Resetting MSTP to the Defaults

To reset MSTP to the defaults, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 78 on page 259.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 95 on page 294.
3. From the MSTP menu, type D to select Reset MSTP to Defaults.
Chapter 18 SNMPv3

This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. In addition, the chapter contains procedures that allow you to create and modify SNMPv3 entities.

SNMPv3 Overview

The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 4, ”SNMPv1 and SNMPv2c” on page 79. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. In addition, SNMP terminology changes in the SNMPv3 protocol. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used.

❑ ”SNMPv3 Tables” on page 322
❑ ”SNMPv3 Configuration Example” on page 326

SNMPv3 Authentication Protocols

The SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protocols use keys to perform authentication.

SNMPv3 MIB Views

The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 103.

a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address. In a similar way, the subtree mask further refines the subtree view and enables you to restrict a MIB view to a specific row of the OID MIB table.
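The subtree-and-mask relationship described above, worked through as an added example that is not code from the AT-S63 guide or from Allied Telesyn. The matching rules, which the guide does not spell out, follow the VACM definition in RFC 3415: a set mask bit means that sub-identifier must match, a clear bit is a wildcard, bits beyond the end of the mask count as set, and when several view entries match an OID the one with the longest subtree decides (the RFC's further tie-break on the mask is left out). The sample view, which exposes mib-2 but only one row of the interfaces table, is constructed.

```python
"""Evaluating an SNMPv3 MIB view built from subtrees and subtree masks.

Added example, not code from the AT-S63 guide or from Allied Telesyn.
Matching rules are the VACM rules of RFC 3415: a set mask bit means the
sub-identifier must match, a clear bit is a wildcard, bits past the end
of the mask count as set, and the matching entry with the longest subtree
decides whether the OID is included or excluded.
"""


def parse_oid(text: str) -> tuple:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(text: str) -> list:
    """'ff:a0' -> 16 bits, most significant bit first; '' -> [] (all set)."""
    bits = []
    for octet in filter(None, text.replace(".", ":").split(":")):
        value = int(octet, 16)
        bits.extend((value >> shift) & 1 for shift in range(7, -1, -1))
    return bits


def oid_matches_family(oid: tuple, subtree: tuple, mask: list) -> bool:
    """True if 'oid' lies under 'subtree' once the mask's wildcards apply.
    An OID shorter than the subtree can never be inside it."""
    if len(oid) < len(subtree):
        return False
    for i, sub_id in enumerate(subtree):
        must_match = mask[i] if i < len(mask) else 1
        if must_match and oid[i] != sub_id:
            return False
    return True


def view_decision(oid_text: str, view: list):
    """view: list of (subtree, mask, 'included' | 'excluded') entries as
    they would be entered in the View Table. Returns True when the OID is
    visible, False when an entry excludes it, None when no entry covers it."""
    oid = parse_oid(oid_text)
    best = None  # (subtree, kind) of the longest matching entry so far
    for subtree_text, mask_text, kind in view:
        subtree = parse_oid(subtree_text)
        if oid_matches_family(oid, subtree, parse_mask(mask_text)):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, kind)
    return None if best is None else best[1] == "included"


# Constructed sample view: all of mib-2, minus the interfaces table
# (1.3.6.1.2.1.2.2), except the row for interface index 3. In the last
# entry the mask ff:a0 clears the bit for the column sub-identifier (the
# tenth position, written as 0), so every column of row 3 is matched.
ROW3_READ_VIEW = [
    ("1.3.6.1.2.1", "", "included"),
    ("1.3.6.1.2.1.2.2", "", "excluded"),
    ("1.3.6.1.2.1.2.2.1.0.3", "ff:a0", "included"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0",        # sysDescr.0
                "1.3.6.1.2.1.2.2.1.2.3",    # ifDescr.3
                "1.3.6.1.2.1.2.2.1.10.3",   # ifInOctets.3
                "1.3.6.1.2.1.2.2.1.2.4",    # ifDescr.4
                "1.3.6.1.4.1"):             # enterprises, outside the view
        print(oid, view_decision(oid, ROW3_READ_VIEW))
```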
❑ Privacy Protocol
❑ Group
To configure the SNMP security information, you associate a user and its related information—View, Security Level, Security Model, Authentication Level, Privacy Protocol and Group—with the type of message and the host IP address.
SNMPv3 Tables
The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol.
operator privileges. See Appendix B, ”SNMPv3” on page 317 for an example of manager and operator configurations. After you configure an SNMPv3 user, you need to configure SNMPv3 message notification.
❑ ”SNMPv3 User Table” on page 324
❑ ”SNMPv3 View Table” on page 324
❑ ”SNMPv3 SecurityToGroup Table” on page 325
❑ ”SNMPv3 Notify Table” on page 325
❑ ”SNMPv3 Target Address Table” on page 325
❑ ”SNMPv3 Target Parameters Table” on page 326
❑ ”SNMPv3 Community Table” on page 326
SNMPv3 User Table
The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols.
For each group, you can assign read, write, and notify views of the MIB table. The views you assign here have been previously defined in the Configure SNMPv3 View Table menu. For example, the Read View allows group members to view the specified portion of the OID MIB table. The Write View allows group members to write to, or modify, the MIBs in the specified MIB view. The Notify View allows group members to send trap messages defined by the MIB view.
SNMPv3 Target Parameters Table
The Configure SNMPv3 Target Parameters Table menu allows you to define which user can send messages to the host IP address defined in the Configure SNMPv3 Target Address Table. The user and its associated information are previously configured in the Configure SNMPv3 User Table, SNMPv3 View Table, SNMPv3 Access Table, and SNMPv3 SecurityToGroup Table.
Configuring SNMPv3 Entities
This section describes how to configure SNMPv3 entities using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the ”SNMPv3 Overview” on page 318.
Configuring the SNMPv3 User Table
This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in an SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table menu is shown in Figure 106.
[Figure 106: Configure SNMPv3 Table menu (Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63, Manager session); the menu lists options 1 through 9, the first of which is SNMP Engine.]
5. To create a new user table, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:
Enter User (Security) Name:
6. Enter a descriptive name for the user. You can enter a name that consists of up to 32 alphanumeric characters. The following prompt is displayed:
Enter Authentication Protocol [M-MD5, S-SHA, N-None]:
7. Enter one of the following:
M-MD5 This value represents the MD5 authentication protocol.
8. Enter an authentication password of up to 32 alphanumeric characters and press Return. You are prompted to re-enter the password. The following prompt is displayed:
Enter Privacy Protocol [D-DES, N-None]:
Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
9.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory. After making changes to an SNMPv3 User Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.
Note
The Row Status parameter is a read-only field. The Active value indicates the SNMPv3 User Table entry takes effect immediately.
Modifying an SNMPv3 User Table Entry
This section describes how to modify parameters in an SNMPv3 User Table entry.
4. To change the authentication protocol and password, type 1 to select Set Authentication Protocol & Password. The following prompt is displayed:
Enter User Name:
5. Enter the User Name of the User Table you want to modify. The following prompt is displayed:
Enter Authentication Protocol [M-MD5, S-SHA, N-None]:
6. Enter one of the following:
M-MD5 This value represents the MD5 authentication protocol.
Authentication protocol algorithm has been changed.
The following prompt is displayed:
Please enter privacy password to regenerate privacy key.
9. Enter the Privacy Password for this User Name. The following prompt is displayed:
Re-enter Privacy password:
10. Re-enter the password.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The following prompt is displayed:
Enter Privacy Protocol [D-DES, N-None]:
6. Choose one of the following Privacy Protocols:
D-DES Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are encrypted with the DES protocol.
N-None Select this value if you do not want a privacy protocol for this User Table entry.
The Modify SNMPv3 Table menu is shown in Figure 108 on page 333.
4. To change the storage type, type 3 to select Set Storage Type. The following prompt is displayed:
Enter User (Security) Name:
5. Enter the User Name. The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
6.
Configuring the SNMPv3 View Table
This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters:
❑ Subtree OID
❑ Subtree Mask
❑ MIB OID Table View
To configure the SNMPv3 View Table, you need to be very familiar with the OID table. You can be very specific about the view a user can or cannot access—down to a column or row of the table.
The Configure SNMPv3 View Table menu is shown in Figure 109.
[Figure 109: Configure SNMPv3 View Table menu, listing the fields View Name, Subtree OID, Subtree Mask, View Type, Storage Type and Row Status; the example entry shown is the view named internet (its subtree value is truncated in the source to 1.3.6.).]
tcp
The following prompt is displayed:
Enter Subtree Mask (Hex format):
6. Enter a subtree mask in hexadecimal format. This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The relationship between a subtree mask and a subtree is similar to the relationship between an IP address and a subnet mask. The subnet mask further refines the IP address.
making changes to an SNMPv3 View Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 View Table to the configuration file.
5. Enter the subtree for this view.
Do you want to delete this table entry?(Y/N):[Yes/No]->
6. Enter Y to delete the view or N to save the view.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 View Table Entry
This section describes how to modify parameters in an SNMPv3 View Table entry.
The Modify SNMPv3 View Table menu is shown in Figure 110.
[Figure 110: Modify SNMPv3 View Table menu, listing the fields View Name, Subtree OID, Subtree Mask, View Type, Storage Type and Row Status; the example entry shown is the view named tcp with subtree 1.3.6.1.2.1.]
This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. A subtree mask and a subtree have a similar relationship as an IP address and a subnet mask. The subnet mask further refines the IP address. In the same way, the OID table entry defines a MIB View and the subtree mask further restricts a user’s view to a specific column and row of the MIB View.
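To make the subtree mask concrete, the Python below is an added example, not code from this manual or from the switch: it applies RFC 3415 view-family matching (assumed here to be the semantics the switch implements) to a view built from the Subtree OID, the hex Subtree Mask and the View Type, including the row-restricted case the subnet-mask comparison above and in ”SNMPv3 MIB Views” describes. The view names, OIDs and mask values are constructed for the example.

```python
from dataclasses import dataclass

OID = tuple[int, ...]


@dataclass(frozen=True)
class ViewEntry:
    """One SNMPv3 View Table row: Subtree OID, hex Subtree Mask, View Type."""
    subtree: OID
    mask: bytes          # bytes of the "Subtree Mask (Hex format)" value; b"" = all ones
    included: bool       # True for an included view, False for an excluded one


def parse_oid(text: str) -> OID:
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bit(mask: bytes, index: int) -> bool:
    """Mask bit for sub-identifier `index` (0-based, MSB first).
    A 1 bit means the sub-identifier must match; 0 means wildcard.
    Bits past the end of the mask are treated as 1."""
    if index >= len(mask) * 8:
        return True
    return bool((mask[index // 8] >> (7 - index % 8)) & 1)


def family_matches(entry: ViewEntry, oid: OID) -> bool:
    """Does `oid` fall under the entry's subtree family, honouring wildcard bits?"""
    if len(oid) < len(entry.subtree):
        return False
    return all(not mask_bit(entry.mask, i) or entry.subtree[i] == oid[i]
               for i in range(len(entry.subtree)))


def oid_in_view(view: list[ViewEntry], oid_text: str) -> bool:
    """RFC 3415 resolution: among matching families, the one with the longest
    subtree (then the lexicographically greatest subtree) decides included/excluded."""
    oid = parse_oid(oid_text)
    matches = [e for e in view if family_matches(e, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


def view_entry(subtree: str, mask_hex: str = "", included: bool = True) -> ViewEntry:
    """Build a row the way the menu prompts collect it."""
    return ViewEntry(parse_oid(subtree), bytes.fromhex(mask_hex), included)


# Constructed view: everything under internet, minus the USM user MIB itself,
# so a read-only group cannot walk the list of SNMPv3 users.
INTERNET_VIEW = [
    view_entry("1.3.6.1"),                          # included
    view_entry("1.3.6.1.6.3.15", included=False),   # excluded: usmMIB
]

# Constructed row-restricted view: any ifEntry column, but only interface index 2.
# Subtree 1.3.6.1.2.1.2.2.1.0.2 has 11 sub-ids; mask FFA0 = 1111 1111 1010 0000,
# so sub-id 10 (the column, written as 0) is a wildcard and sub-id 11 must equal 2.
IF_ROW_2_VIEW = [view_entry("1.3.6.1.2.1.2.2.1.0.2", "FFA0")]


if __name__ == "__main__":
    for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3"):
        print("INTERNET_VIEW", probe, oid_in_view(INTERNET_VIEW, probe))
    for probe in ("1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.10.2", "1.3.6.1.2.1.2.2.1.2.3"):
        print("IF_ROW_2_VIEW", probe, oid_in_view(IF_ROW_2_VIEW, probe))
```

An excluded family is only useful when a longer-or-equal included family does not also match, so review the mask and subtree lengths together when a view seems to expose more than intended.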
Enter View Name:
5. Enter a View Name that was previously configured. The following prompt is displayed:
Enter View Subtree (OID format/Text Name):
6. Enter the View Subtree value for this View Name. You can enter either a numeric value in hex format or the equivalent text name. For example, the OID hex format for TCP/IP is: 1.3.6.1.2.1.
3. From the Configure SNMPv3 View Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Table menu is shown in Figure 110 on page 343.
4. To modify the storage type, type 3 to select Set Storage Type. The following prompt is displayed:
Enter View Name:
5. Enter the View Name you want to modify. The following prompt is displayed:
Enter View Subtree (OID format/Text Name):
6. Enter the View Subtree for this View Name.
Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See ”Creating an SNMPv3 SecurityToGroup Table Entry” on page 363.
The Configure SNMPv3 Access Table menu is shown in Figure 111.
[Figure 111: Configure SNMPv3 Access Table menu, listing the fields Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type and Row Status; the example entry shown is the group softwareengineering with Read View internet, Write View tcp and Notify View tcp.]
Note
The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Select one of the following SNMP protocols as the Security Model for this Group Name.
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
P-AuthPriv This option represents authentication and the privacy protocol. Select this security level to encrypt messages using a privacy protocol and authenticate SNMP entities. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Enter Read View Name:
7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table.
storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Access Table to the configuration file. After making changes to an SNMPv3 Access Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.
Enter Group Name:
4. Enter the Group Name that you want to delete. The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Enter the Security Model of this Group Name. Select one of the following security levels:
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
protocol and authenticate SNMP entities. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Do you want to delete this table entry?(Y/N):[Yes/No]->
7. Enter Y to delete the view or N to save the view. The following prompt is displayed:
8. After making changes, type R until you return to the Main Menu.
1. Follow steps 1 through 5 in the procedure described in ”Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 106 on page 329.
2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table. The Configure SNMPv3 Access Table is shown in Figure 111 on page 348.
3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry.
6. Enter the Security Model configured for this Group Name. You cannot change the value of the Security Model parameter. Select one of the following SNMP protocols:
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
Enter Read View Name:
8. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. See ”Creating an SNMPv3 View Table Entry” on page 338. A Read View Name allows the users assigned to this Security Group to view the information specified in the View Table. This value does not need to be unique.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following SNMP protocols:
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name.
Enter Write View Name:
8. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. A Write View Name allows the people assigned to this Security Group to write to, or modify, the information in the specified View Table. This value does not need to be unique.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter.
8. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. A Notify View Name permits the users assigned to this Security Group to send traps specified in this view of the MIB tree. This value does not need to be unique.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter.
8. Select one of the following storage types for this table entry:
V-Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Access Table to the configuration file. After making changes to an SNMPv3 Access Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table menu while the Group Name is configured in the Configure SNMPv3 Access Table menu.
The Configure SNMPv3 SecurityToGroup Table menu is shown in Figure 113.
[Figure 113: Configure SNMPv3 SecurityToGroup Table menu, listing the fields Security Model, Security Name, Group Name, Storage Type and Row Status.]
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
6. Enter a Group Name that you configured in the SNMPv3 Access Table. See ”Creating an SNMPv3 Access Table Entry” on page 347.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, the entry. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure:
1.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Do you want to delete this table entry?(Y/N):[Yes/No]->
6. Enter Y to delete this SecurityToGroup entry or N to save the entry.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The Modify SecurityToGroup Table is shown in Figure 113.
[Figure: Modify SNMPv3 SecurityToGroup Table menu, listing the fields Security Model, Security Name, Group Name, Storage Type and Row Status.]
3-v3 Select this value to associate the User Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See ”Creating an SNMPv3 Access Table Entry” on page 347.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the Security Model configured for this User Name. You cannot change the value of the Security Model parameter. Select one of the following SNMP protocols:
1-v1 Select this value if this User Name is configured with the SNMPv1 protocol.
2-v2c Select this value if this User Name is configured with the SNMPv2c protocol.
3-v3 Select this value if this User Name is configured with the SNMPv3 protocol.
Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table menu allows you to define a name for sending traps. For each Notify Name, you define if a trap or inform message is sent. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table menu is shown in Figure 115.
[Figure 115: Configure SNMPv3 Notify Table menu, listing the fields Notify Name, Notify Tag, Notify Type, Storage Type and Row Status.]
I-Inform Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the host.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7. Select one of the following storage types for this table entry:
V-Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
The Configure SNMPv3 Notify Table menu is shown in Figure 115 on page 372.
Note
To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Notify Name:
4. Enter a Notify Name.
The Configure SNMPv3 Notify Table menu is shown in Figure 115 on page 372.
3. From the Configure SNMPv3 Notify Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Notify Table menu is shown in Figure 116.
[Figure 116: Modify SNMPv3 Notify Table menu, listing the fields Notify Name, Notify Tag, Notify Type and the remaining fields (truncated in the source).]
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Notify Type
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in ”Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 106 on page 329.
2.
Modifying a Storage Type
To modify the Storage Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in ”Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 106 on page 329.
2. From the Configure SNMPv3 Table menu, type 6 to select Configure SNMPv3 Notify Table.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring the SNMPv3 Target Address Table
This section contains a description of the SNMPv3 Target Address Table menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.
The Configure SNMPv3 Table menu is shown in Figure 106 on page 329.
2. From the Configure SNMPv3 Table menu, type 7 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Address Table menu is shown in Figure 117.
[Figure 117: Configure SNMPv3 Target Address Table menu, listing the fields Target Addr Name, Target Parameters, IP Address, Storage Type and Tag List.]
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162. The following prompt is displayed:
Enter Timeout (10mS): [0 to 2147483647]-> 1500
7. Enter a timeout value in milliseconds. When an Inform message is generated, a response from the switch is required. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only.
Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
11. Select one of the following storage types for this table entry:
V-Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file.
The Configure SNMPv3 Target Address Table menu is shown in Figure 119 on page 393.
Note
To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Target Address Name:
4. Enter a Target Address Name.
1. Follow steps 1 through 5 in the procedure described in ”Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 106 on page 329.
2. From the Configure SNMPv3 Table menu, type 7 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Address Table menu is shown in Figure 117 on page 380.
3.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters. The following prompt is displayed:
Enter IP Address:
6. Enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Timeout
The Target Address Timeout parameter only applies when the message type is an Inform message.
Enter Timeout (10mS): [0 to 2147483647]-> 1500
6. Enter a timeout value in milliseconds. When an Inform message is generated, a response from the switch is required. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
7.
The following prompt is displayed:
Enter Retries:[0 to 255]-> 3
6. Enter the number of times the switch will retry, or resend, the Inform message. The range is 0 to 255 retries. The default is 3 retries.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Tag List
To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1.
Enter a Tag List of up to 256 alphanumeric characters. Use a space to separate entries. This list consists of a tag or list of tags you configured in a Configure SNMPv3 Notify Table entry with the Notify Tag parameter. See ”Creating an SNMPv3 Notify Table Entry” on page 371.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table. This name can consist of up to 32 alphanumeric characters.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1.
file. After making changes to an SNMPv3 Target Address Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file.
Configuring the SNMPv3 Target Parameters Table
This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table menu and Configure SNMPv3 Target Address Table menu.
❑ Storage Type
There are three functions you can perform with the Configure SNMPv3 Target Parameters Table menu.
3. To create an SNMPv3 Target Parameters Table, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:
Enter Target Parameters Name:
4. Enter a name of the Target Parameters. Enter a value of up to 32 alphanumeric characters.
Note
You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Select one of the following Security Levels:
Note
The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table menu. See ”Creating an SNMPv3 User Table Entry” on page 328.
N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Target Parameters Table to the configuration file. After making changes to an SNMPv3 Target Parameters Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.
Note
The Row Status parameter is a read-only field.
AT-S63 Management Software Menus Interface User’s Guide The following prompt is displayed: Do you want to delete this table entry?(Y/N):[Yes/No]-> 5. Enter Y to delete the SNMPv3 Target Address Table entry or N to save the entry. 6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Modifying an SNMPv3 Target Parameters Table Entry This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry.
Chapter 18: SNMPv3 Note You cannot modify the Target Params Name parameter. Note You cannot modify an entry in the SNMPv3 Target Parameter Table that contains a value of “default” in the Target Parameters Name field. Modifying the Security Name (User Name) In the AT-S63 implementation of the SNMPv3 protocol, the Security Name and the User Name parameters are equivalent. In the SNMPv3 Target Parameters Table menu, the Security Name and the User Name parameters are used interchangeably.
AT-S63 Management Software Menus Interface User’s Guide The Modify SNMPv3 Target Parameters Table menu is shown in Figure 120. Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing User: Manager 11:20:02 02-Oct-2004 Modify SNMPv3 Target Parameters Table Target Parameters Name ... Message Processing Model . Security Model............ Security Name ............ Security Level ........... Storage Type ............. Row Status ...............
Modifying the Security Model For the Security or User Name you have selected, the value of the Security Model parameter in an SNMPv3 Target Parameter Table entry must match the value of the Security Model parameter in the SNMPv3 Access Table entry. Caution If the values of the Security Model parameter in the SNMPv3 User Table and the SNMPv3 Target Parameter Table entry do not match, notification messages are not generated on behalf of this User (Security) Name.
1-v1 Select this value if this User Name is associated with the SNMPv1 protocol. 2-v2c Select this value if this User Name is associated with the SNMPv2c protocol. 3-v3 Select this value if this User Name is associated with the SNMPv3 protocol. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Enter a value of up to 32 alphanumeric characters. The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 6. Enter the Security Level. Select one of the following Security Levels: Note The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table menu. See “Creating an SNMPv3 User Table Entry” on page 328.
Modifying the Message Process Model You can modify the Message Process Model for SNMPv1 and SNMPv2c protocol configurations only. When you configure the SNMPv3 protocol, the Message Process Model is automatically assigned to the SNMPv3 protocol. To modify the Message Process Model parameter in an SNMPv3 Target Parameter Table entry, perform the following procedure. 1.
3-v3 Select this value to process messages with the SNMPv3 protocol. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Modifying the Storage Type To modify the Storage Type parameter in an SNMPv3 Target Parameter Table entry, perform the following procedure. 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Target Parameters Table to the configuration file. After making changes to an SNMPv3 Target Parameters Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type. 7.
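The matching rules stated in the Target Parameters procedures (Security Model and Security Level must agree with the User Table entry for the same Security Name, a Volatile entry cannot be saved, NoAuthNoPriv means no authentication and no privacy) can be checked mechanically once the table contents have been transcribed from the Display SNMPv3 Table menus. The following Python script is an added example written for this guide, not code from Allied Telesyn or the AT-S63 software; the data classes, the sample entries and the finding texts are assumptions made for the example.

```python
"""Cross-check of SNMPv3 Target Parameters Table entries against the SNMPv3 User
Table, modelled on the matching rules this chapter states. Table layouts and
sample entries are constructed for the example (not switch output)."""

from dataclasses import dataclass

# Menu codes as typed at the AT-S63 prompts
SECURITY_LEVELS = {"N": "NoAuthNoPriv", "A": "AuthNoPriv", "P": "AuthPriv"}
SECURITY_MODELS = {"1": "v1", "2": "v2c", "3": "v3"}


@dataclass(frozen=True)
class UserEntry:
    user_name: str
    security_model: str   # "1", "2" or "3"
    security_level: str   # "N", "A" or "P"


@dataclass(frozen=True)
class TargetParamsEntry:
    name: str
    security_name: str    # in AT-S63 this is the same value as the User Name
    security_model: str
    security_level: str
    storage_type: str     # "V" (Volatile) or "N" (NonVolatile)


def check_target_params(users, target_params):
    """Return (entry name, finding) pairs for every Target Parameters entry that
    breaks a matching rule or is configured in a way worth reviewing."""
    users_by_name = {u.user_name: u for u in users}
    findings = []
    for tp in target_params:
        user = users_by_name.get(tp.security_name)
        if user is None:
            findings.append((tp.name, "Security Name has no SNMPv3 User Table entry"))
            continue
        if user.security_model != tp.security_model:
            findings.append((tp.name, "Security Model differs from the User Table entry; "
                                      "notifications are not generated for this user"))
        if user.security_level != tp.security_level:
            findings.append((tp.name, "Security Level differs from the User Table entry"))
        if tp.security_level == "N":
            findings.append((tp.name, "NoAuthNoPriv: notifications carry no authentication "
                                      "and no privacy protection"))
        if tp.storage_type == "V":
            findings.append((tp.name, "Volatile storage type: entry cannot be saved to the "
                                      "configuration file"))
    return findings


# Constructed sample tables (assumed values, not taken from a switch)
SAMPLE_USERS = [
    UserEntry("manager", "3", "P"),
    UserEntry("monitor", "3", "A"),
    UserEntry("legacy", "2", "N"),
]
SAMPLE_TARGET_PARAMS = [
    TargetParamsEntry("tp-ok", "manager", "3", "P", "N"),
    TargetParamsEntry("tp-mismatch", "monitor", "3", "P", "V"),
    TargetParamsEntry("tp-orphan", "nobody", "3", "N", "N"),
    TargetParamsEntry("tp-weak", "legacy", "2", "N", "N"),
]

if __name__ == "__main__":
    for name, finding in check_target_params(SAMPLE_USERS, SAMPLE_TARGET_PARAMS):
        print(f"{name}: {finding}")
```

The check keys on the Security Name because, as the text above states, the AT-S63 treats Security Name and User Name as the same value; the "tp-orphan" entry shows what happens when that link is missing.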
Configuring the SNMPv3 Community Table This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities. Instead, use the procedures described in “Enabling or Disabling SNMP Management” on page 83.
For each SNMPv3 Community Table entry, you can configure the following parameters:
❑ Community Index
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type
In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community menu in the Configure SNMPv3 Community Table menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table menu.
The Configure SNMPv3 Community Table menu is shown in Figure 121. Figure 121. Configure SNMPv3 Community Table Menu (screen capture not reproduced; fields shown: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status)
The following prompt is displayed: Enter Security Name: 6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters. Note Do not use a value configured with the User Name parameter in the SNMPv3 User Table. The following prompt is displayed: Enter Transport Tag: 7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.
Note The Row Status parameter is a read-only field. The Active value indicates the SNMPv3 Community Table entry takes effect immediately. 9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Deleting an SNMPv3 Community Table Entry You may want to delete an entry from the SNMPv3 Community Table. When you delete an entry in the SNMPv3 Community Table, there is no way to undelete or recover the entry.
Modifying an SNMPv3 Community Table Entry For each entry in the SNMPv3 Community Table, you can modify the following parameters:
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type
However, you cannot modify the Community Index parameter.
The Modify SNMPv3 Community Table menu is shown in Figure 122. Figure 122. Modify SNMPv3 Community Table Menu (screen capture not reproduced; fields shown: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status)
Modifying the Security Name To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure: 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 328. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is displayed as shown in Figure 106 on page 329. 2.
The Configure SNMPv3 Table menu is displayed as shown in Figure 106 on page 329. 2. From the Configure SNMPv3 Table menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table menu is shown in Figure 121 on page 408. 3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table menu is shown in Figure 122 on page 412. 4. To change the Transport Tag, type 3 to select Set Transport Tag.
3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 122 on page 412. 4. To change the Storage Type, type 4 to select Set Storage Type. The following prompt is displayed: Enter Community Index: 5. Enter the Community Index of the Storage Type you want to change. The following prompt is displayed: Enter Storage type [V-volatile, N-NonVolatile]: 6.
Displaying SNMPv3 Table Menus The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table menu is shown in Figure 123.
1. Follow steps 1 through 5 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 416. Or, from the Main menu type 5->1->1->8->6. 2. From the Display SNMPv3 Table menu, type 2 to select Display SNMPv3 View Table. The Display SNMPv3 View Table menu is shown in Figure 125. Figure 125. Display SNMPv3 View Table Menu (screen capture not reproduced; fields shown: View Name, Subtree OID)
The Display SNMPv3 Access Table menu is shown in Figure 126. Figure 126. Display SNMPv3 Access Table Menu (screen capture not reproduced; fields shown, with the sample values in the capture: Group Name technicalsales, Context Prefix, Read View internet, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status)
The Display SNMPv3 SecurityToGroup Table menu is shown in Figure 127. Figure 127. Display SNMPv3 SecurityToGroup Table Menu (screen capture not reproduced; fields shown: Security Model, Security Name, Group Name, Storage Type, Row Status)
Displaying the Display SNMPv3 Target Address Table Menu This section describes how to display the Display SNMPv3 Target Address Table menu. For information about the SNMPv3 Target Address Table parameters, see “Creating an SNMPv3 Target Address Table Entry” on page 379. To display the Display SNMPv3 Target Address Table menu, perform the following procedure. 1.
The Display SNMPv3 Target Parameters Table menu is shown in Figure 127. Figure 127. Display SNMPv3 Target Parameters Table Menu (screen capture not reproduced; fields shown: Target Parameters Name, Message Processing Model, Security Model, Security Name, Security Level, Storage Type, Row Status)
The Display SNMPv3 Community Table menu is shown in Figure 127. Figure 127. Display SNMPv3 Community Table Menu (screen capture not reproduced; fields shown: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status)
Section III VLANs The chapters in this section explain how to set up VLANs using the AT-S63 management software.
Chapter 19 Port-based and Tagged VLANs This chapter contains basic information about virtual LANs (VLANs) and procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.
Chapter 19: Port-based and Tagged VLANs VLAN Overview A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 management software and so be able to group nodes with related functions into their own separate, logical LAN segments.
But with VLANs, you can change the LAN segment assignment of an end node connected to the switch through the switch’s AT-S63 management software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch.
Port-based VLAN Overview As explained in “VLAN Overview” on page 428, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches. For example, if you had a port-based VLAN titled Marketing that spanned three AT-9400 Series switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 management software to do it automatically.
General Rules for Creating a Port-based VLAN Below is a summary of the general rules to observe when creating a port-based VLAN.
❑ Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
❑ A port can be an untagged member of only one port-based VLAN at a time.
❑ Each port must be assigned a PVID.
Port-based Example 1 Figure 132 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)
Port-based Example 2 Figure 133 illustrates more port-based VLANs (figure not reproduced; its labels include Sales VLAN (VID 2)). In this example, two VLANs, Sales and Engineering, span two AT-9400 Series Gigabit Ethernet switches.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches (each cell gives the member ports and the PVID assigned to them):
AT-9424T/SP Switch (top): Sales VLAN (VID 2): Ports 1 - 2, 4, 6 (PVID 2); Engineering VLAN (VID 3): Ports 11 - 14, 19 (PVID 3); Production VLAN (VID 4): Ports 19, 21 - 23 (PVID 4)
AT-9424T/GB Switch (bottom): Sales VLAN (VID 2): Ports 1 - 4, 7 (PVID 2); Engineering VLAN (VID 3): Ports 14, 16, 18-19, 22 (PVID 3); Production VLAN (VID 4): none
❑ Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview The second type of VLAN supported by the AT-S63 management software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
❑ VLAN Identifier
❑ Tagged and Untagged Ports
❑ Port VLAN Identifier
Note For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 430 and “VLAN Identifier” on page 430. Tagged and Untagged Ports You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports.
General Rules for Creating a Tagged VLAN Below is a summary of the rules to observe when you create a tagged VLAN.
❑ Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches must be assigned the same VID.
❑ A tagged port can be a member of multiple VLANs.
❑ An untagged port can be an untagged member of only one VLAN at a time.
Tagged VLAN Example Figure 134 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products. (Figure 134 not reproduced; its labels include Engineering VLAN and IEEE 802.)
AT-9424T/GB Switch (bottom): Sales VLAN (VID 2): untagged ports 1-4 (PVID 2), tagged port 7; Engineering VLAN (VID 3): untagged ports 14, 16, 18, 22 (PVID 3), tagged port 7; Production VLAN (VID 4): none. This example is nearly identical to the “Port-based Example 2” on page 434. Tagged ports have been added to simplify network implementation and management. One of the tagged ports is port 5 on the top switch. This port has been made a tagged member of the three VLANs. It is connected to an IEEE 802.
Creating a New Port-based or Tagged VLAN To create a new port-based or tagged VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135. Figure 135. VLAN Configuration Menu (screen capture not reproduced; menu options 1 to 7, the first two being Ingress Filtering Status, shown as Enabled, and VLANs Mode)
The Configure VLANs menu is shown in Figure 136. Figure 136. Configure VLANs Menu (screen capture not reproduced; options: 1 - Create VLAN, 2 - Modify VLAN, 3 - Delete VLAN, 4 - Reset to Default VLAN, R - Return to Previous Menu, followed by the prompt Enter your selection?) 3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 137.
The name can be from one to fifteen alphanumeric characters in length. The name should reflect the function of the nodes that will be a part of the VLAN (for example, Sales or Accounting). The name cannot contain spaces or special characters, such as asterisks (*) or exclamation points (!). If the VLAN will be unique in your network, then the name should be unique as well.
8. If the VLAN will contain tagged ports, type 3 to select Tagged Ports and specify the ports. If this VLAN will not contain any tagged ports, leave this field empty. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). 9. Type 4 to select Untagged Ports and specify the ports on the switch to function as untagged ports in the VLAN. If this VLAN will not contain any untagged ports, leave this field empty.
Example of Creating a Port-based VLAN The following procedure creates the Sales VLAN illustrated in “Port-based Example 1” on page 433. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, ports 1, 2, 4, and 6. The VLAN will not contain any tagged ports. To create the Sales VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration.
Example of Creating a Tagged VLAN The following procedure creates the Engineering VLAN in the top switch illustrated in “Tagged VLAN Example” on page 439. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, ports 7 to 10, and two tagged ports, ports 5 and 6. To create the example Engineering VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration.
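The rules for port-based and tagged VLANs given earlier in this chapter (unique VID, a port untagged in at most one VLAN, tagged ports free to belong to several VLANs, a PVID for every port, the name and port-list syntax of the Create VLAN menu) are easy to violate when a configuration is typed in by hand. The following Python validator is an added example written for this guide, not code from Allied Telesyn or the AT-S63; it takes VLAN definitions in the menu's own port syntax and reports every rule broken. The sample VLANs reuse the Sales and Engineering examples above and add one deliberately bad entry; the 24-port default and the underscore allowance in names are assumptions made for the example.

```python
"""Validator for port-based and tagged VLAN definitions, written to express the
chapter's rules in code. Port fields use the menu's own syntax ("2,3,5",
"7-9", "2,5,7-9", "0" to clear). The sample VLANs are constructed; nothing here
is switch output."""

DEFAULT_VLAN_VID = 1   # Default_VLAN, which cannot be deleted
MAX_VID = 4096         # upper bound shown at the Modify VLAN prompt


def parse_ports(spec):
    """Parse "2,5,7-9" into {2, 5, 7, 8, 9}. Empty or "0" means no ports."""
    ports = set()
    spec = spec.strip()
    if spec in ("", "0"):
        return ports
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def valid_name(name):
    """1 to 15 characters, alphanumeric; underscore is allowed here because the
    switch's own Default_VLAN uses one (an assumption of this example)."""
    return 1 <= len(name) <= 15 and all(c.isalnum() or c == "_" for c in name)


def validate_vlans(vlans, switch_ports=24):
    """vlans: list of dicts with keys name, vid, tagged, untagged.
    Returns (errors, pvid): rule violations and the PVID each port ends up with
    (ports untagged in no user VLAN stay in the Default_VLAN)."""
    errors = []
    vid_owner = {}       # vid -> VLAN name
    untagged_owner = {}  # port -> VLAN name; a port is untagged in one VLAN only
    pvid = {p: DEFAULT_VLAN_VID for p in range(1, switch_ports + 1)}
    for v in vlans:
        name, vid = v["name"], v["vid"]
        if not valid_name(name):
            errors.append(f"{name!r}: invalid VLAN name")
        if not 1 <= vid <= MAX_VID:
            errors.append(f"{name}: VID {vid} outside 1-{MAX_VID}")
        if vid in vid_owner:
            errors.append(f"{name}: VID {vid} already used by {vid_owner[vid]}")
        vid_owner.setdefault(vid, name)
        tagged, untagged = parse_ports(v["tagged"]), parse_ports(v["untagged"])
        for p in sorted((tagged | untagged) - set(pvid)):
            errors.append(f"{name}: port {p} does not exist on a {switch_ports}-port switch")
        if tagged & untagged:
            errors.append(f"{name}: ports {sorted(tagged & untagged)} are both tagged and untagged")
        # A tagged port may belong to many VLANs; an untagged port to exactly one
        for p in sorted(untagged):
            if p in untagged_owner:
                errors.append(f"{name}: port {p} is already an untagged member of {untagged_owner[p]}")
            elif p in pvid:
                untagged_owner[p] = name
                pvid[p] = vid
    return errors, pvid


# Constructed sample: the chapter's Sales and Engineering VLANs plus a bad entry
SAMPLE_VLANS = [
    {"name": "Sales", "vid": 2, "tagged": "", "untagged": "1,2,4,6"},
    {"name": "Engineering", "vid": 3, "tagged": "5,6", "untagged": "7-10"},
    # deliberately violates two rules: duplicate VID and port 4 untagged twice
    {"name": "Production", "vid": 2, "tagged": "", "untagged": "4,21-23"},
]

if __name__ == "__main__":
    errors, pvid = validate_vlans(SAMPLE_VLANS)
    for e in errors:
        print("ERROR:", e)
    print("PVIDs:", pvid)
```

Port 6 is accepted as untagged in Sales and tagged in Engineering because only the untagged membership is exclusive; the validator derives the PVID from that untagged membership, which is what the Show PVIDs menu later in this chapter displays.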
Modifying a VLAN Note To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 451. To modify a VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs. The Configure VLANs menu is shown in Figure 136 on page 442.
Enter new value -> [1 to 4096] -> 5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 139. Figure 139. Modify VLAN Menu (screen capture not reproduced; items shown: 1 - VLAN Name, 2 - VLAN ID (VID), 3 - Tagged Ports, 4 - Untagged Ports)
3 - Tagged Ports Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). When you add or remove tagged ports, observe the following guidelines:
❑ The new list of tagged ports will replace the existing tagged ports.
❑ If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.
and reentering them using the VID of the VLAN to which the port has been moved. For information on how to add static MAC addresses, refer to “Adding Static Unicast and Multicast MAC Addresses” on page 136. For instructions on how to delete addresses, refer to “Deleting Unicast and Multicast MAC Addresses” on page 138. 8. Press any key. The Modify VLAN menu in Figure 138 on page 447 is displayed again. 9.
Displaying VLANs To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 5 to select Show VLANs. The Show VLANs menu is shown in Figure 140.
Protocol The protocol associated with this VLAN. The possible settings are: Blank - The VLAN is a port-based or tagged VLAN. GARP - The VLAN is a dynamic GVRP VLAN or the port is a dynamic GVRP port of a static VLAN. Untagged (U) / Tagged (T) The untagged and tagged ports that are part of the VLAN.
Deleting a VLAN Note To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 451. To delete a VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs. The Configure VLANs menu is shown in Figure 136 on page 442.
Note You cannot delete the Default_VLAN, which has a VID of 1. The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 142. Figure 142. Delete VLAN Menu (screen capture not reproduced; items shown: 1 - VLAN Name, 2 - VLAN ID (VID), 3 - Tagged Ports, 4 - Untagged Ports)
9. Repeat this procedure starting with Step 4 to delete other VLANs. 10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Resetting to the Default VLAN The following procedure deletes all VLANs, except the Default_VLAN, on a switch. To delete selected VLANs, perform the procedure in “Deleting a VLAN” on page 453. To return all ports to the default VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying PVIDs The following procedure displays a menu that lists the PVIDs for all the ports on the switch. To display the PVID settings on the switch, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 6 to select Show PVIDs. The Show PVIDs menu is shown in Figure 143.
Enabling or Disabling Ingress Filtering There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules. There are many ingress and egress rules for Gigabit Ethernet switches.
Activating or deactivating ingress filtering has no effect on the switch’s handling of priority tags. A switch always examines a priority tag in a tagged frame, without regard to the status of ingress filtering. In most cases, you will probably want to leave ingress filtering activated on the switch, which is the default. You can enable or disable ingress filtering on a per switch basis. You cannot set this per port.
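To make the ingress and egress rules concrete, the following Python model parses the 802.1Q tag described in the Tagged VLAN Overview and applies the generic IEEE 802.1Q decisions: an untagged frame is assigned the port's PVID, a priority-tagged frame (VID 0) is treated the same way while its priority is kept, and, when ingress filtering is on, a tagged frame is dropped on a port that is not a member of the VLAN in its tag. This is an added example written for this guide, not AT-S63 code or a trace of its behaviour; the VLAN table, port roles, MAC addresses and frames are constructed for the example.

```python
"""Model of the ingress and egress decisions a VLAN-aware switch makes for tagged
and untagged frames. Implements generic IEEE 802.1Q behaviour; the configuration
and frames below are constructed for the example, not switch output."""

import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, pcp, ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, 0, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner


class VlanSwitch:
    def __init__(self, vlans, pvid, ingress_filtering=True):
        self.vlans = vlans                   # vid -> {"tagged": set, "untagged": set}
        self.pvid = pvid                     # port -> VID used for untagged frames
        self.ingress_filtering = ingress_filtering

    def members(self, vid):
        v = self.vlans.get(vid, {})
        return v.get("tagged", set()) | v.get("untagged", set())

    def ingress(self, port, frame):
        """Classify a received frame: (vid, pcp), or None if the frame is dropped."""
        vid, pcp, _ = parse_frame(frame)
        if vid is None or vid == 0:
            # untagged or priority-tagged: VLAN comes from the PVID, priority is kept
            vid = self.pvid[port]
        elif self.ingress_filtering and port not in self.members(vid):
            return None   # tagged for a VLAN this port is not a member of
        if vid not in self.vlans:
            return None   # no such VLAN on this switch
        return vid, pcp

    def egress(self, in_port, vid):
        """Flood set for a frame in vid: every other member port, and whether it
        receives a tagged or an untagged copy."""
        v = self.vlans[vid]
        out = {p: "tagged" for p in v["tagged"] if p != in_port}
        out.update({p: "untagged" for p in v["untagged"] if p != in_port})
        return out


# Constructed configuration: Sales (VID 2) and Engineering (VID 3) with port 5 as
# a tagged uplink in both; the remaining ports stay in the Default_VLAN (VID 1)
SAMPLE_VLANS = {
    1: {"tagged": set(), "untagged": {3, 5, 11, 12}},
    2: {"tagged": {5}, "untagged": {1, 2, 4, 6}},
    3: {"tagged": {5, 6}, "untagged": {7, 8, 9, 10}},
}
SAMPLE_PVID = {1: 2, 2: 2, 3: 1, 4: 2, 5: 1, 6: 2, 7: 3, 8: 3, 9: 3, 10: 3, 11: 1, 12: 1}
DST = b"\xff" * 6                       # constructed broadcast destination
SRC = b"\x00\x11\x22\x33\x44\x55"       # constructed source address


def demo(ingress_filtering=True):
    """Run four constructed frames through the model and return the decisions."""
    sw = VlanSwitch(SAMPLE_VLANS, SAMPLE_PVID, ingress_filtering)
    return {
        "untagged on port 1": sw.ingress(1, build_frame(DST, SRC, 0x0800, b"ip")),
        "VID 3 on tagged member port 6": sw.ingress(6, build_frame(DST, SRC, 0x0800, b"ip", vid=3, pcp=2)),
        "VID 3 on non-member port 1": sw.ingress(1, build_frame(DST, SRC, 0x0800, b"ip", vid=3)),
        "priority tag on port 7": sw.ingress(7, build_frame(DST, SRC, 0x0800, b"ip", vid=0, pcp=5)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

Running `demo(ingress_filtering=False)` shows the difference the setting makes: the VID 3 frame arriving on port 1 is no longer dropped but forwarded into the Engineering VLAN, which is why the text recommends leaving ingress filtering at its enabled default.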
Specifying a Management VLAN The management VLAN is the VLAN on which an AT-9400 Series switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely or using the enhanced stacking feature of the switch. Management packets are packets generated by a management station when you manage a switch using the Telnet application protocol or a web browser.
need to create the NMS VLAN on each AT-9400 Series switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. Then you need to be sure that the uplink and downlink ports connecting the switches together are either tagged or untagged members of the NMS VLAN. You also need to specify the NMS VLAN as the management VLAN on each switch using the AT-S63 management software.
Chapter 20 Multiple VLANs This chapter describes the multiple VLAN modes and how to select a mode.
Chapter 20: Multiple VLANs Multiple VLAN Mode Overview The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing access to the uplink port.
VLANs. It also assigns the PVID values. For example, the PVID for port 4 is assigned as 4, to match the VID of 4. A user-designated port on the switch functions as an uplink port, which can be connected to a shared device such as a router for access to a WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port.
Table 20. 802.
Another difference with this mode is that the uplink port is untagged. Consequently, you would use this mode when the device connected to the uplink port is not IEEE 802.1Q compatible, meaning that the device cannot handle tagged packets. Note When the uplink port receives a packet with a destination MAC address that is not in the MAC address table, the port broadcasts the packet to all switch ports.
Selecting a VLAN Mode The following procedure explains how to select a VLAN mode. Available modes are:
❑ User-configured VLAN mode (port-based and tagged VLANs)
❑ IEEE 802.1Q Compliant Multiple VLAN mode
❑ Non-IEEE 802.1Q Compliant Multiple VLAN mode
Note Any port-based or tagged VLANs you created are not retained when you change the VLAN mode from the user-configured mode to a multiple VLAN mode and, at some point, reset the switch.
Displaying VLAN Information To view the VLANs on the switch while the unit is operating in Multiple VLAN mode, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu (multiple VLAN mode) is shown in Figure 144. Figure 144. VLAN Configuration Menu, multiple VLAN mode (screen capture not reproduced; menu options 1 to 6, the first being Ingress Filtering Status)
The Show Multiple VLANs menu is shown in Figure 145.
Chapter 21 GARP VLAN Registration Protocol This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections: ❑ ”GARP VLAN Registration Protocol (GVRP) Overview” on page 472 ❑ ”Configuring GVRP” on page 480 ❑ ”Enabling or Disabling GVRP on a Port” on page 482 ❑ ”Displaying the GVRP Port Configuration” on page 484 ❑ ”Displaying GVRP Counters” on page 485 ❑ ”Displaying the GVRP Database” on page 490 ❑ ”Displaying the GIP Connected Ports Ring” on page 492 ❑ ”Displaying the
Chapter 21: GARP VLAN Registration Protocol GARP VLAN Registration Protocol (GVRP) Overview The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
AT-S63 Management Software Menus Interface User’s Guide Figure 146 provides an example of how GVRP works.
Chapter 21: GARP VLAN Registration Protocol VLAN. If it is not a member, it automatically adds the port to the VLAN as an tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made. 5. Switch #3 sends a PDU out port 4 to switch #2. 6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. There is now a communications path for the end nodes of the Sales VLAN on switches #1 and #3.
AT-S63 Management Software Menus Interface User’s Guide ❑ You can convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments. The procedure for this is found in ”Modifying a VLAN” on page 447. ❑ The default port settings on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesyn recommends disabling GVRP on those ports that are connected to GVRPinactive devices, meaning that they do not feature GVRP.
Chapter 21: GARP VLAN Registration Protocol Generic Attribute Registration Protocol (GARP) Overview The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example end stations and switches, can register and deregister attribute values, such as VLAN Identifiers, with each other.
AT-S63 Management Software Menus Interface User’s Guide GARP architecture is shown in Figure 147. Switch GARP Participant GARP Participant GARP Application GARP Application GIP MAC Layer: Port 1 GARP PDUs GID LLC GARP PDUs LLC GARP PDUs GARP PDUs GID MAC Layer: Port 2 Figure 147.
the applicant and registrar. This is shown in Figure 148.

Figure 148. GID Architecture (figure: the GID holds, for each attribute A, B, C and so on, an applicant state and a registrar state)

GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message.
The job of the registrar is to record whether an attribute is registered, in the process of being deregistered, or is not registered for an instance of GID. To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges.
Configuring GVRP To configure GVRP, perform the following procedure. The timers in the following menus are in centiseconds (hundredths of a second). 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149.
5. Type 2 to select GVRP GIP Status. The following prompt is displayed: Enter your new value (E-Enabled, D-Disabled): 6. Type E to enable GIP or D to disable GIP. Note Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch. Caution The following steps change the three GVRP timers. Please note that the settings for these timers must be the same on all GVRP-active network devices. 7.
Enabling or Disabling GVRP on a Port This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs. Note Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This protects against unauthorized access to restricted areas of your network.
5. Enter a port or a list of ports. The Configure GVRP Port Settings menu is shown in Figure 151.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

Configure GVRP Port Settings
Configuring Port 1-8

1 - Port Mode ............. Normal

R - Return to Previous Menu

Enter your selection?

Figure 151. Configure GVRP Port Settings Menu

6. Type 1 to select Port Mode.
Displaying the GVRP Port Configuration To display the GVRP port configuration, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149 on page 480. 3. From the GVRP Port Parameters menu, type 2 to select Display GVRP Port Configuration.
Displaying GVRP Counters To display GVRP counters, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149 on page 480. 3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
The GVRP Counters menu (page 1) is shown in Figure 154.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

GVRP Counters

Receive:                          Transmit:
--------                          ---------
GARP Messages:                    GARP Messages:
--------------                    --------------
LeaveAll ............. 7          LeaveAll ............. 77
JoinEmpty ............ 0          JoinEmpty ............ 58
JoinIn ............... 68         JoinIn ............... 285
LeaveEmpty ........... 0          LeaveEmpty ........... 1
LeaveIn .............. 0          LeaveIn .............. 0
Empty ................ 5          Empty ................ 21
Bad Message .......... 0
Bad Attribute ........ 0

P - Previous Page
U - Update Display
R - Return to Previous Menu

Enter your selection?

Figure 155. GVRP Counters Menu (page 2)
Table 21. GVRP Counters (Continued) Parameter Meaning Receive Discarded: Port Not Listening Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port. Transmit Discarded: Port Not Sending Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.
Table 21. GVRP Counters (Continued) Parameter Meaning Receive GARP Messages: LeaveEmpty Total number of GARP LeaveEmpty messages received for all attributes in the GARP application. Transmit GARP Messages: LeaveEmpty Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
Displaying the GVRP Database To display the GVRP database, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149 on page 480. 3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
GID index Value of the GID index corresponding to the attribute. GID indexes begin at 0. If the GARP application has no attributes presently registered, “No attributes have been registered” is displayed. VLAN ID The VLAN ID. Used Indicates whether the GID index is currently being used by any port in the GARP application.
Displaying the GIP Connected Ports Ring To display the GIP connected ports ring, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149 on page 480. 3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
STP ID Present if the GARP application is GVRP; identifies the spanning tree instance associated with the GIP context. Connected Ring The ring of connected ports. Only ports presently in the spanning tree Forwarding state are eligible for membership in the GIP connected ring. If no ports exist in the GIP connected ring, “No ports are connected” is displayed. If the GARP application has no ports, “No ports have been assigned” is displayed.
Displaying the GVRP State Machine To display the GVRP state machine, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP. The GARP-GVRP menu is shown in Figure 149 on page 480. 3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
The GVRP State Machine menu (page 2) is displayed, as shown in Figure 159.
Table 22. GVRP State Machine Parameters (Continued) Parameter Meaning App Applicant state machine for the GID index on that particular port.
Table 22. GVRP State Machine Parameters (Continued)
Chapter 22 Protected Ports VLANs This chapter explains protected ports VLANs.
Protected Ports VLAN Overview The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in an earlier chapter. In a protected ports VLAN, each port is considered a separate LAN segment that can only communicate with an uplink port.
In contrast, the uplink port in a protected ports VLAN, which is shared by the ports in the different groups, can be either tagged or untagged. The device connected to it does not necessarily need to be 802.1Q compliant. Note For explanations of VIDs and tagged and untagged ports, refer to Chapter 19, ”Port-based and Tagged VLANs” on page 427.
information when you create the VLAN, and having the tables handy will make the job easier. Protected Ports VLAN Guidelines Following are some guidelines for implementing protected ports VLANs: ❑ A switch can contain multiple protected ports VLANs. ❑ A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group has little value. Create a port-based or tagged VLAN instead. ❑ A protected ports VLAN can contain any number of groups.
Creating a Protected Ports VLAN To create a new protected ports VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs. Note If the menu does not include selection 4, Configure VLANs, the switch is running a multiple VLAN mode. To change the switch’s VLAN mode, refer to ”Selecting a VLAN Mode” on page 468. 3.
Note A VLAN must be assigned a name. 6. Type 2 to select VLAN ID (VID). The following prompt is displayed: Enter new value -> [2 to 4094] -> 7. Type a VID value for the new VLAN. The range for the VID of a new VLAN is 2 to 4094, as the prompt shows; VID 1 belongs to the Default_VLAN. The AT-S63 management software uses the next available VID number on the switch as the default value.
11. To make this a protected ports VLAN, type Y. If you do not want this to be a protected ports VLAN and want it to be a port-based or tagged VLAN, type N. 12. Type C to select Create VLAN. The following prompt is displayed: Enter Uplink Ports (4 - 12) -> The prompt shows the ports that you specified as belonging to the VLAN. 13. Enter the port in the VLAN that will function as the uplink port for the different VLAN groups.
Modifying a Protected Ports VLAN Please note the following before you perform this procedure: ❑ To modify this type of VLAN, you must recreate it by reselecting the uplink port(s) and reassigning the ports to the groups. For this reason Allied Telesyn recommends that before you perform this procedure you first display the details of the protected ports VLAN you want to modify and write down on paper the VLAN’s current configuration (i.e.
3. From the Configure VLANs menu, type 2 to select Modify VLAN. The Modify VLAN menu is shown in Figure 138 on page 447. 4. Type 1 to select VLAN ID (VID). The following prompt is displayed: Enter new value -> [1 to 4096] -> 5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 161.
2 - VLAN ID (VID) This is the VLAN’s VID value. You cannot change this value. 3 - Tagged Ports Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). The new list of tagged ports will replace the existing tagged ports. 4 - Untagged Ports Use this selection to add or remove untagged ports from the VLAN. You can specify the ports individually (e.g.
11. If there are ports within the VLAN that still need to be assigned to a group, the prompt in Step 8 is displayed again, showing the unassigned ports. You must repeat Steps 9 and 10, creating additional groups, until all of the ports in the VLAN have been assigned to a group. After you have created all of the groups, this prompt is displayed: SUCCESS - Press any key to continue. Press any key to continue.
Displaying a Protected Ports VLAN To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 6 to select Show VLANs. The Show VLANs menu is shown in Figure 162.
An example of the Show VLANs window is shown in Figure 163.
Deleting a Protected Ports VLAN All untagged ports in a deleted protected ports VLAN are automatically returned to the Default_VLAN. To delete a protected ports VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 135 on page 441. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs. The Configure VLANs menu is shown in Figure 136 on page 442.
The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 165.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

Delete VLAN

1 - VLAN Name .............. Sales
2 - VLAN ID (VID) .......... 3
3 - Tagged Ports ........... 7,9
4 - Untagged Ports ......... 20-24

D - Delete VLAN
R - Return to Previous Menu

Enter your selection?

Figure 165. Delete VLAN Menu
9. Repeat this procedure starting with Step 4 to delete other VLANs. 10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Section IV Security The chapters in this section describe the security features you can implement for an AT-9400 Series switch using the AT-S63 management software.
Chapter 23 Port Security This chapter explains how you can use the dynamic and static MAC addresses learned on the ports of the switch to control which end nodes can forward packets through the device. The sections in this chapter include: ❑ ”MAC Address Security Overview” on page 518 ❑ ”Configuring MAC Address Port Security” on page 521 ❑ ”Displaying Port Security Levels” on page 524 Note This type of port security does not apply to ports located on optional GBIC and SFP modules.
MAC Address Security Overview This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it. The source address is the MAC address of the end node that sent the frame.
A dynamic MAC address learned on a port operating in the Limited security mode never times out from the MAC address table, even when the corresponding end node is inactive. Static MAC addresses are retained by the port and are not included in the count of maximum dynamic addresses.
port after the port had reached its maximum number of dynamic MAC addresses, or that was not assigned to the port as a static address. ❑ Secured Security Level - An invalid frame for this security level is an ingress frame with a source MAC address that was not entered as a static address on the port. ❑ Locked - An invalid frame for this security level is an ingress frame with a source MAC address that the port has not already learned or that was not assigned as a static address.
Configuring MAC Address Port Security To set the port security level, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 26 on page 106. 2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 166.
5. From the Configure Port Security menu, type 1 to select Security Mode. The following prompt is displayed: Enter new mode (A-Automatic, L-Limited, S-Secured, K-Locked): 6. Select the desired security level. For definitions of the security levels, refer to ”MAC Address Security Overview” on page 518. If you select Automatic, which disables port security on the port, return to the Main Menu to save your change.
T - Trap: The port discards invalid frames and sends an SNMP trap. D - Disable: The port discards invalid frames, sends an SNMP trap, and disables the port. 8. If you selected the trap or disable intrusion action, type 3 to toggle the Port Participating option to Yes. Option 3, Port Participating, applies only when the intrusion action is set to trap or disable. This option does not apply when intrusion action is set to No Action (discard).
Displaying Port Security Levels To view the current security levels for the ports on the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 169.
The Display Port Security menu is shown in Figure 170.
Participating This column applies only when the intrusion action for a port is set to trap or disable. This option does not apply when intrusion action is set to No Action (discard). If this option is set to No when intrusion action is set to trap or disable, the port discards invalid packets, but it does not send a trap or disable the port.
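The following is an added example, not Allied Telesyn code, that models the four security levels, the intrusion actions and the Port Participating option described in this chapter so that their combined behaviour can be checked frame by frame. The MAC addresses (from the documentation range) and the frame sequences are constructed for the illustration; the `Port` class and its method names are the example's own.

```python
"""Added example, not Allied Telesyn code: a model of the AT-S63 MAC address
port security levels and intrusion actions described in this chapter.

A port holds static MAC addresses (entered by the administrator) and dynamic
ones (learned from frames). The security level decides whether an ingress
frame's source MAC is valid; the intrusion action decides what else happens
to an invalid frame (it is always discarded). The MAC addresses and frame
sequences used with this model are constructed for the illustration.
"""
from dataclasses import dataclass, field

# security levels
AUTOMATIC, LIMITED, SECURED, LOCKED = "Automatic", "Limited", "Secured", "Locked"
# intrusion actions
NO_ACTION, TRAP, DISABLE = "No Action", "Trap", "Disable"


@dataclass
class Port:
    level: str = AUTOMATIC
    max_dynamic: int = 1               # Limited level: maximum dynamic addresses
    intrusion_action: str = NO_ACTION
    participating: bool = True         # Port Participating (trap/disable only)
    static: set = field(default_factory=set)
    dynamic: set = field(default_factory=set)
    disabled: bool = False
    traps: list = field(default_factory=list)   # SNMP traps "sent" by the model

    def lock(self):
        """Locked level: freeze the set of addresses learned so far."""
        self.level = LOCKED

    def is_valid(self, src):
        """Apply the security level to the source MAC of an ingress frame."""
        if src in self.static:
            return True                # static addresses are valid at every level
        if self.level == AUTOMATIC:
            self.dynamic.add(src)      # port security off: learn everything
            return True
        if self.level == LIMITED:
            if src in self.dynamic:
                return True
            if len(self.dynamic) < self.max_dynamic:
                self.dynamic.add(src)  # learned addresses never time out
                return True
            return False               # limit reached: unknown source is invalid
        if self.level == SECURED:
            return False               # only static addresses are accepted
        if self.level == LOCKED:
            return src in self.dynamic  # only addresses learned before locking
        raise ValueError(f"unknown security level {self.level!r}")

    def ingress(self, src):
        """Return 'forward' or 'discard' for a frame and apply the intrusion action."""
        if self.disabled:
            return "discard"           # a disabled port forwards nothing
        if self.is_valid(src):
            return "forward"
        # Invalid frames are always discarded. A trap is sent, and the port
        # disabled, only when the action asks for it AND the port participates.
        if self.intrusion_action in (TRAP, DISABLE) and self.participating:
            self.traps.append(src)
            if self.intrusion_action == DISABLE:
                self.disabled = True
        return "discard"


def run(port, sources):
    """Feed a sequence of source MACs through a port; return the verdicts."""
    return [port.ingress(src) for src in sources]


if __name__ == "__main__":
    a, b, c = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    limited = Port(level=LIMITED, max_dynamic=2, intrusion_action=TRAP)
    print("Limited(2), trap:", run(limited, [a, b, a, c]), "traps:", limited.traps)
    secured = Port(level=SECURED, static={a}, intrusion_action=DISABLE)
    print("Secured, disable:", run(secured, [b, a]), "disabled:", secured.disabled)
```

The Disable case is the one worth noticing: once an intruder has been seen, even the legitimate static address is discarded until the port is re-enabled, which is why the chapter treats that action as the strongest response; and with Port Participating set to No the same intrusion is silently discarded with no trap.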
Chapter 24 Access Control Lists This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Management ACL Security Overview This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser. The switch uses the management ACL to filter the management packets that it receives.
Mask You need to enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, enter the appropriate mask. For example, to allow all management stations in the subnet 149.11.11.
them. ❑ The protocol is always TCP. ❑ The management ACL does not control local management or remote SNMP management of a switch. ❑ Activating this feature without specifying any ACEs prohibits you from managing the switch remotely using a Telnet application or web browser because the switch discards all Telnet and web browser management packets. ❑ You can apply management ACLs to both master and slave switches in an enhanced stack.
Mask            Protocol  Interface
255.255.255.0   TCP       Web

A management ACL can contain multiple ACEs. The two ACEs in this ACL allow all management packets from the subnets 149.11.11.0 and 149.22.22.0 to manage the switch using the Telnet application, but not a web browser:

ACE #1
IP Address    Subnet Mask     Protocol  Interface
149.11.11.0   255.255.255.0   TCP       Telnet

ACE #2
IP Address    Subnet Mask     Protocol  Interface
149.22.22.0   255.255.255.
Creating the Management ACL To create a management ACL, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 171.
5. Enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, enter the appropriate mask. For example, to allow all management stations in the subnet 149.11.11.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Adding an ACE To add an ACE, repeat the procedure in ”Creating the Management ACL” on page 532. The new ACEs that you enter are added to the ACEs that are already in the management ACL.
Deleting an ACE To delete an ACE, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 171 on page 532. 3. From the Management ACL menu, type 3 to select Delete Management ACL Entry. The following prompt is displayed: Enter the IP Address: 4.
Displaying the ACEs To display the ACEs, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51. 2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 171 on page 532. 3. From the Management ACL menu, type 4 to select Display All Management ACL Entries.
Interface The interface that the management station uses to manage the switch. The options are Telnet, Web, and All (both Telnet and Web).
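The following is an added example, not Allied Telesyn code, that implements the matching rule this chapter describes for the management ACL: the mask's 1 bits select which address bits are compared, an ACE applies to Telnet, Web or All, and an active ACL with no matching ACE discards the packet (so an active but empty ACL locks out every remote Telnet and web session, as the guidelines warn). The 149.11.11.0 and 149.22.22.0 subnets follow the chapter's own examples; the `ACE` and `ManagementACL` names and the sample packets are the example's own.

```python
"""Added example, not Allied Telesyn code: the matching rule of the AT-S63
management ACL described in this chapter.

An ACE carries an IP address, a mask whose 1 bits select the address bits
that are compared, the protocol (always TCP) and the management interface
(Telnet, Web or All). When the ACL is active, a Telnet or web management
packet is accepted only if at least one ACE matches it; an active ACL with
no ACEs therefore discards every remote management packet. The packets fed
to the model are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class ACE:
    address: str
    mask: str                  # 255.255.255.255 = one host, 255.255.255.0 = /24, ...
    interface: str = "All"     # "Telnet", "Web" or "All"; the protocol is always TCP

    def matches(self, src_ip, interface):
        if self.interface not in ("All", interface):
            return False
        m = _ip(self.mask)
        # only the address bits selected by the mask take part in the comparison
        return (_ip(self.address) & m) == (_ip(src_ip) & m)


class ManagementACL:
    def __init__(self, active=False, aces=()):
        self.active = active
        self.aces = list(aces)

    def add(self, ace):
        """New ACEs are added to those already in the ACL."""
        self.aces.append(ace)

    def permits(self, src_ip, interface):
        """Decide whether a Telnet/Web management packet may reach the switch."""
        if not self.active:
            return True            # feature off: management packets are not filtered
        return any(ace.matches(src_ip, interface) for ace in self.aces)


def filter_packets(acl, packets):
    """packets: (source IP, interface) pairs -> list of 'allow' / 'discard'."""
    return ["allow" if acl.permits(ip, iface) else "discard" for ip, iface in packets]


if __name__ == "__main__":
    acl = ManagementACL(active=True, aces=[
        ACE("149.11.11.0", "255.255.255.0", "Telnet"),
        ACE("149.22.22.0", "255.255.255.0", "Telnet"),
    ])
    sample = [("149.11.11.7", "Telnet"), ("149.11.11.7", "Web"), ("149.33.33.1", "Telnet")]
    for packet, verdict in zip(sample, filter_packets(acl, sample)):
        print(packet, "->", verdict)
```

Before activating the ACL on a real switch, run the address of the station you are managing from through such a check: because the ACL is evaluated on the Telnet and web sessions themselves, a mistyped mask is enough to cut off your own session, and the chapter notes that local (console) management is the only path the ACL does not filter.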
Chapter 25 Web Server This chapter provides an overview of the web server feature and procedures to configure the server.
Web Server Overview The AT-S63 management software is shipped with web server software. The software is available so that you can remotely manage the switch with a web browser from any management station on your network. (The instructions for managing a switch with a web browser are described in the AT-S63 Network Management Web Browser Interface User’s Guide.) The web server can operate in two modes. The first is referred to as non-secure HTTP mode; in this mode the management session, including the manager login name and password, crosses the network unencrypted.
❑ TLS (Transport Layer Security) version 1.
Configuring the Web Server This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode. Before you configure the web server, please note the following: ❑ You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.
The Web Server Configuration menu is shown in Figure 173.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

Web Server Configuration

1 - Status ............................ Disabled
2 - Mode .............................. HTTP
3 - Port Number ....................... 80

R - Return to Previous Menu

Enter your selection?

Figure 173. Web Server Configuration Menu

3.
7. To enable the web server, type 1 to toggle Status to Enabled. The Web Server Configuration menu is redisplayed. Figure 174 shows an example of the menu configured for HTTPS that contains the SSL Key ID.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

Web Server Configuration

1 - Status ............................
2 - Mode ..............................
3 - Port Number .......................
4 - SSL Key ID ........................
General Steps for Configuring the Web Server for Encryption There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section lists the general steps and points you to the procedures for performing them. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.
6. After you have received the appropriate certificates back from the CA, download them into the AT-S63 file system from your management station or a TFTP server, as explained in ”Downloading a System File” on page 196. 7. Add the certificates to the certificate database, as explained in ”Adding a Certificate to the Database” on page 588. 8. Configure the web server on the switch by activating HTTPS and specifying the key pair used to create the enrollment request as the active key.
Chapter 26 Encryption Keys This chapter describes encryption keys and how you can use keys to improve the security of your switches. Because of the complexity of the feature, this chapter contains several overview sections. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the two Technical Overview sections.
Basic Overview Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s login username and password, and uses that information to alter a switch’s configuration settings.
Encryption Key Length To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits. The general rule on key lengths is that the longer the key, the more difficult it is for someone to break (decipher). Note that 512-bit RSA keys have been publicly factored and 1,024-bit keys are no longer considered adequate, so do not accept the default; use the longest length the switch supports.
packets are sent encrypted. The web server on an AT-9400 Series switch can operate in either mode. Enhanced stacking switches that do not support SSL, such as the AT-8000 Series switches, use HTTP exclusively. A web browser management session of the switches in an enhanced stack cannot alternate between the different security modes during a session.
Technical Overview of Secure Sockets Layer This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP).
with by a third party because any change to the message changes the MAC. SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server.
Authentication Authentication is the process of ensuring that both the web site and the end user are genuine. In other words, they are not imposters. Both the server and individual users need to be authenticated. This is especially important when transmitting secure data over the Internet. To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication.
Technical Overview of Encryption The encryption feature provides the following data security services: ❑ Data encryption ❑ Data authentication ❑ Key exchange algorithms ❑ Key creation and storage Data Encryption Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure.
Plaintext is divided into 64-bit blocks which are encrypted with the DES algorithm and key. For a given input block of plaintext ECB always produces the same block of ciphertext. ❑ Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
Asymmetrical (Public Key) Encryption Asymmetrical encryption algorithms use two keys—one for encryption and one for decryption. The encryption key is called the public key because it cannot be used to decrypt a message and therefore does not need to be kept secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption.
Typically a MAC is calculated using a keyed one-way hash algorithm. A keyed one-way hash function operates on an arbitrary-length message and a key. It returns a fixed length hash.
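The following is an added example, not Allied Telesyn code, of a keyed one-way hash used as a MAC in the way SSL uses one on its records: the tag covers a record sequence number as well as the data, so the receiver rejects a replayed or reordered record just as it rejects a modified one. It uses HMAC-SHA256 from the Python standard library; the `Sender` and `Receiver` classes, the key and the record contents are the example's own.

```python
"""Added example, not Allied Telesyn code: a keyed one-way hash (HMAC-SHA256
from the Python standard library) applied the way SSL applies a MAC to
records. Folding the record sequence number into the MAC input lets the
receiver reject replayed or reordered records as well as modified ones.
The key and the record contents are constructed for this example.
"""
import hashlib
import hmac


def mac(key, seq, data):
    """Fixed-length tag over the sequence number and the record data."""
    return hmac.new(key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, data):
        """Produce a (sequence number, data, tag) record and advance the counter."""
        record = (self.seq, data, mac(self.key, self.seq, data))
        self.seq += 1
        return record


class Receiver:
    def __init__(self, key):
        self.key, self.expected = key, 0

    def receive(self, record):
        """Return the data if the record is genuine and in order, else None."""
        seq, data, tag = record
        if seq != self.expected:
            return None                      # replayed or reordered record
        # constant-time comparison: the time taken does not reveal how many
        # bytes of a forged tag were right
        if not hmac.compare_digest(tag, mac(self.key, seq, data)):
            return None                      # modified data or tag, or wrong key
        self.expected += 1
        return data


def flip_byte(data, index):
    """Change one byte of a message, as a third party in transit might."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    key = b"shared-session-key"
    sender, receiver = Sender(key), Receiver(key)
    record = sender.send(b"set vlan 3")
    print("genuine:", receiver.receive(record))
    print("replayed:", receiver.receive(record))
    seq, data, tag = sender.send(b"delete vlan 3")
    print("tampered:", receiver.receive((seq, flip_byte(data, 0), tag)))
```

Two details carry the security: the receiver computes its own tag and compares with `hmac.compare_digest` rather than `==`, and nothing is accepted out of order, so a captured record cannot be played back later to repeat a management action.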
The Diffie-Hellman algorithm, which is used by the AT-S63 management software, is one of the more commonly used key exchange algorithms. It is not an encryption algorithm because messages cannot be encrypted using Diffie-Hellman. Instead, it provides a method for two parties to generate the same shared secret with the knowledge that no other party can generate that same value. It uses public key cryptography and is commonly known as the first public key algorithm. Diffie-Hellman by itself does not tell either party who it is talking to: an active attacker who can intercept the exchange can run a separate exchange with each side. SSL relies on the certificates described above to authenticate the server.
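The following is an added example, not Allied Telesyn code, of the Diffie-Hellman computation in plain Python integers, together with the two checks a practitioner wants around it: rejecting degenerate peer values, and seeing concretely why an unauthenticated exchange can be intercepted. The group parameters are illustrative only (a prime small enough to read, not one of the standardized groups; a real deployment uses a standardized group of at least 2048 bits), and the private exponents in the test are fixed so the result is reproducible.

```python
"""Added example, not Allied Telesyn code: the Diffie-Hellman exchange and
what happens to it without authentication.

The group parameters are illustrative only: P is a prime small enough to
read (the Mersenne prime 2**127 - 1), not a standardized group; a real
deployment uses a standardized group of at least 2048 bits. Private
exponents are supplied by the caller or drawn at random.
"""
import secrets

P = 2 ** 127 - 1   # prime, illustrative group modulus only
G = 3              # illustrative generator


def public_value(private):
    return pow(G, private, P)


def check_public_value(value):
    """Reject peer values (0, 1, P-1) that force a trivial shared secret."""
    if not 1 < value < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def shared_secret(private, peer_public):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(check_public_value(peer_public), private, P)


def new_private():
    return secrets.randbelow(P - 2) + 1


def honest_exchange(a_priv=None, b_priv=None):
    """Return (A's secret, B's secret); they agree without the secret ever being sent."""
    a_priv = a_priv or new_private()
    b_priv = b_priv or new_private()
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    return shared_secret(a_priv, b_pub), shared_secret(b_priv, a_pub)


def intercepted_exchange(a_priv, b_priv, m_priv):
    """An active third party M substitutes its own public value in both directions.

    Returns (A's secret, B's secret, M's secret with A, M's secret with B).
    A and B each agree with M, not with each other, and nothing in the
    unauthenticated exchange reveals the substitution; the certificates of
    the SSL handshake are what prevents it.
    """
    a_pub, b_pub, m_pub = public_value(a_priv), public_value(b_priv), public_value(m_priv)
    a_secret = shared_secret(a_priv, m_pub)     # A believes m_pub came from B
    b_secret = shared_secret(b_priv, m_pub)     # B believes m_pub came from A
    return a_secret, b_secret, shared_secret(m_priv, a_pub), shared_secret(m_priv, b_pub)


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange agrees:", a == b)
    a, b, ma, mb = intercepted_exchange(new_private(), new_private(), new_private())
    print("A agrees with M:", a == ma, " B agrees with M:", b == mb, " A agrees with B:", a == b)
```

The honest case shows the property the text describes (both sides compute the same value from their own private exponent and the other side's public value); the intercepted case shows why a key exchange must be bound to an authenticated identity before the shared secret is trusted.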
Creating an Encryption Key This section contains the procedure for creating an encryption key pair. Caution Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends creating keys when the switch is not connected to a network or during periods of low network activity. To create an encryption key, perform the following procedure: 1. From the Main Menu, type 8 to select Security Configuration.
The Keys/Certificates Configuration menu is shown in Figure 176.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Oct-2004

Keys/Certificates Configuration

1 - Switch Distinguished Name (DN)
2 - Key Management
3 - Public Key Infrastructure (PKI) Configuration

R - Return to Previous Menu

Enter your selection?

Figure 176. Keys/Certificates Configuration Menu

3. From the Keys/Certificates Configuration menu, type 2 to select Key Management.
The Create Key menu is shown in Figure 178.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Create Key
1 - Key ID ............. 0
2 - Key Type ........... RSA-Private
3 - Key Length ......... 512
4 - Key Description ....
5 - Generate Key
U - Update Display
R - Return to Previous Menu
Enter your selection?
Figure 178. Create Key Menu
5. Type 1 to select Key ID.
9. Type 4 to select Key Description. The following prompt is displayed:
Enter new Description ->
10. Enter a description for the key. For instance, the description could reflect the name of the switch (for example, Production switch web server key). You can enter up to 40 alphanumeric characters, including spaces.
11. Type 5 to select Generate Key. The following message is displayed:
Key generation will take some time. Please wait...
Deleting an Encryption Key
This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure.
❑ Deleting a key pair from the key management database also deletes the key’s corresponding “.ukf” file from the AT-S63 file system.
❑ You cannot delete a key pair if it is being used by SSL or SSH.
Modifying an Encryption Key
The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key that you can modify. You cannot change a key’s ID, type, or length. To change the description of a key, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2.
Exporting an Encryption Key
The following procedure exports the public key of a key pair into the AT-S63 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following:
❑ The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not download the key automatically when you start an SSH management session.
The Export Key to File menu is shown in Figure 179.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Export Key to File
1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name .....
5 - Export Key to File
R - Return to Previous Menu
Enter your selection?
Figure 179. Export Key to File Menu
5. Type 1 to select Key ID. The following prompt is displayed:
Enter Key ID -> [0 to 65535] ->
6.
Key Export in Progress. Please wait...Done
11. Press any key to return to the Key Management menu. To view the public key in the switch’s file system, refer to ”Displaying System Files” on page 182.
Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software.
Importing an Encryption Key
Use the following procedure to import a public key from the AT-S63 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored.
Note
It is unlikely that you will ever need to perform this procedure for an SSL public key. A switch can only use those SSL public keys that it has generated itself.
This procedure starts from the Key Management menu.
The Import Key from File menu is shown in Figure 180.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Import Key from File
1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name .....
5 - Import Key from File
R - Return to Previous Menu
Enter your selection?
Figure 180. Import Key from File Menu
5. Type 1 to select Key ID.
10. Type 5 to select Import Key From File to import a key to the switch from an external file. The following message is displayed:
Key Import in Progress. Please wait...Done
After you receive this message, the key is added to the Key Management database. See the Key Management menu in Figure 177 on page 560.
Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software.
Displaying the Encryption Keys
To display the encryption keys, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 3 to select Keys/Certificate Configuration. The Keys/Certificate Configuration menu is shown in Figure 176 on page 560.
3.
Length
The length of the key in bits.
Digest
The CRC32 value of the MD5 digest of the public key. This is a short checksum that helps tell keys apart in the display; because it is only 32 bits long, it is not a substitute for comparing the full public key, or the fingerprint your SSH client displays, when you verify a key out of band.
Description
The key’s description.
Chapter 27
PKI Certificates and SSL
This chapter contains the procedures for creating public key infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information refer to the Technical Overview section.
Note
This feature is only supported on the version of AT-S63 management software that features secure sockets layer (SSL) and public key infrastructure (PKI).
Basic Overview
This chapter describes the second part of the encryption feature of the AT-S63 management software: PKI certificates. The first part is explained in Chapter 26, ”Encryption Keys” on page 547. Encryption keys and certificates allow you to encrypt the communications between your management station and a switch when you manage the device with a web browser.
company’s network equipment. The value of a private CA is that the company can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want that group to issue any AT-9400 Series switch certificates, if for no other reason than to follow company policy.
What is required to create a certificate by a public or private CA? First, you must create a key pair.
Following are a few examples. This distinguished name contains only one part, the name of the switch:
cn=Production Switch
This distinguished name omits the common name, but includes everything else:
ou=Network Support,o=XYZ Inc.,st=CA,c=US
So what would be a good distinguished name for a certificate for an AT-9400 Series switch? If the switch has an IP address, such as a master switch, you could use its address as the name, since that is the name the browser will compare against the certificate when you connect.
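A small parser and checker for the distinguished-name string form used on this page, as an added example (not code from the AT-S63 software). It splits "type=value,type=value" into components, honours RFC 4514 backslash escaping so that a value such as "XYZ, Inc." can carry a comma, rebuilds the string, and flags the things worth catching before the certificate is generated: a missing cn, a cn that does not match the address used to reach the switch, and a country code that is not two letters. SUPPORTED_TYPES is an assumption drawn from the examples above; the switch's own menus decide what it actually accepts.

```python
"""Parse, build and sanity-check distinguished names (DNs).

Added example, not code from the AT-S63 software. Handles the
"type=value,type=value" string form shown on this page with RFC 4514
backslash escaping. SUPPORTED_TYPES is an assumption taken from the
examples on the page.
"""
import re

SUPPORTED_TYPES = ("cn", "ou", "o", "st", "c")   # assumed set of accepted attribute types
SPECIAL = '",+;<>\\'                              # characters that must be escaped inside a value


def parse_dn(dn):
    """'ou=Network Support,o=XYZ Inc.,st=CA,c=US' -> [('ou', 'Network Support'), ...]."""
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # an unescaped comma ends the component
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    attrs = []
    for comp in components:
        typ, sep, val = comp.partition("=")
        typ, val = typ.strip().lower(), val.strip()
        if not sep or not typ:
            raise ValueError(f"malformed component {comp!r}")
        if typ not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported attribute type {typ!r}")
        if not val:
            raise ValueError(f"empty value for {typ}")
        attrs.append((typ, val))
    return attrs


def escape_value(val):
    """Escape characters that would otherwise be read as DN syntax."""
    out = "".join("\\" + c if c in SPECIAL else c for c in val)
    if out[:1] in (" ", "#"):                    # leading space or '#' is significant in RFC 4514
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(attrs):
    """Inverse of parse_dn: [('o', 'XYZ, Inc.'), ('c', 'US')] -> 'o=XYZ\\, Inc.,c=US'."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in attrs)


def check_dn_for_switch(dn, switch_address=""):
    """Return a list of problems worth fixing before generating a certificate with this DN."""
    attrs = parse_dn(dn)
    problems = []
    cns = [v for t, v in attrs if t == "cn"]
    if not cns:
        problems.append("no cn: the name the browser uses to reach the switch is not in the DN")
    elif switch_address and cns[0] != switch_address:
        problems.append(f"cn {cns[0]!r} does not match the address {switch_address!r} used to reach the switch")
    if len(cns) > 1:
        problems.append("more than one cn component")
    for t, v in attrs:
        if t == "c" and not re.fullmatch(r"[A-Za-z]{2}", v):
            problems.append(f"c={v!r} is not a two-letter country code")
    return problems


if __name__ == "__main__":
    # 192.0.2.10 is a constructed sample address, not one from the page.
    for dn in ("cn=Production Switch", "ou=Network Support,o=XYZ Inc.,st=CA,c=US", "cn=192.0.2.10,o=XYZ Inc.,c=US"):
        print(dn, "->", parse_dn(dn), check_dn_for_switch(dn, "192.0.2.10"))
```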
Guidelines
The guidelines for creating certificates are:
❑ A certificate can have only one key.
❑ A switch can use only those certificates that contain a key that was generated on the switch.
❑ You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server.
Technical Overview
The public key infrastructure (PKI) feature is part of the switch’s suite of security modules, and consists of a set of tools for managing and using certificates. The tools that make up the PKI allow the switch to securely exchange public keys, while being sure of the identity of the key holder. The switch acts as an End Entity (EE) in a certificate-based PKI.
Caution
Although a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached. A secure system is dependent upon private keys being kept secret, by protecting them from malicious physical and virtual access.
Certificates
A certificate is an electronic identity document.
Elements of a Public Key Infrastructure
A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:
❑ At least one certification authority (CA), which issues and revokes certificates.
❑ At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
Certificate Validation
To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate.
CA Hierarchies and Certificate Chains
It may not be practical for every individual certificate in an organization to be signed by one certification authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared to be the root CA.
PKI Implementation
The following sections discuss Allied Telesyn’s implementation of PKI for the AT-9400 Series switches.
Creating a Self-signed Certificate
This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure:
❑ The switch’s time and date must be set before you create a certificate. The certificate’s Not Valid Before and Not Valid After dates are taken from the switch’s clock when the certificate is created, so a wrong clock produces a certificate that browsers reject as not yet valid or already expired. You can set the time manually or you can configure the switch to obtain the date and time from an SNTP server on your network. For instructions, refer to ”Setting the System Time” on page 62.
The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 182.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Public Key Infrastructure (PKI) Configuration
1 - Maximum Number of Certificates....... 256
2 - X509 Certificate Management
3 - Generate Enrollment Request
R - Return to Previous Menu
Enter your selection?
Figure 182. Public Key Infrastructure (PKI) Configuration Menu
4.
Note
In the X509 Certificate Management menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch. Both MTrust and Source are read-only fields.
5. Type 1 to select Create Self-Signed Certificate. The Create Self-Signed Certificate menu is shown in Figure 184.
9. Enter the ID number of the encryption key that you want to use to create this certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535.
10. Type 3 to select Format to choose the encoding format for the certificate.
Adding a Certificate to the Database
After you have created a certificate or received a certificate from a public or private CA, you need to add it into the certificate database to make it available for use by the switch’s web server. After you add a certificate to the certificate database, it appears in the X509 Certificate Management menu.
To add a certificate to the certificate database, perform the following procedure:
1.
The Add Certificate menu is shown in Figure 185.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Add Certificate
1 - Certificate Name .............
2 - State ........................ Trusted
3 - Type ......................... EE
4 - File Name ....................
5 - Add Certificate
R - Return to Previous Menu
Enter your selection?
Figure 185. Add Certificate Menu
6. Type 1 to select Certificate Name.
Note
This parameter has no effect on the operation of a certificate. The parameter is included only for informational purposes when the certificate is displayed in the certificate database.
9. Type 3 to select Type (of certificate). The possible settings are:
EE - The certificate was issued by a CA, such as VeriSign. This is the default.
CA - The certificate belongs to a CA.
Self - This certificate is a self-signed certificate.
Modifying a Certificate
The procedure in this section modifies a certificate. (The certificate to be modified must be in the certificate database.) Here are the certificate items you can modify:
❑ State - trusted or untrusted
❑ Type - EE, CA, or Self
Note
These parameters have no effect on the operation of a certificate. They are included only for informational purposes when the certificate is displayed in the certificate database.
6. Enter the name of the certificate you want to modify. (This field is case sensitive.)
The Modify Certificate menu is shown in Figure 186.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Modify Certificate
1 - Certificate Name................. Switch12
2 - State ........................... Trusted
3 - Type ............................
10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting a Certificate
The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure:
❑ Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S63 file system. To completely remove a certificate from the switch, you must also delete it from the file system. For instructions, refer to ”Copying a System File” on page 179.
5. From the X509 Certificate Management menu, type 3 to select Delete Certificate. The following prompt is displayed:
Enter certificate name (ALL - delete all) ->
6. Enter the name of the certificate you want to delete. (This field is case sensitive.) To delete all the certificates, enter ALL.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Viewing a Certificate
This procedure displays information about a certificate, such as its distinguished name and serial number. This procedure starts from the X509 Certificate Management menu. If you are unsure how to access the menu, perform steps 1 to 4 in the procedure ”Adding a Certificate to the Database” on page 588.
To view the details of a certificate, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration.
The View Certificate Details menu (page 1) is shown in Figure 187.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
View Certificate Details
Certificate Details:
Name ...............
State ..............
Manually Trusted ...
Type ...............
Source .............
Version ............
Serial Number ......
Signature Alg ......
Public Key Alg .....
Not Valid Before ...
Not Valid After ....
Public Key Alg
The public key algorithm.
Not Valid Before
The date on which the certificate’s validity period starts.
Not Valid After
The date the certificate expires. Self-signed certificates are valid for two years.
7. Type N to see the second page of certificate details. The View Certificate Details menu (page 2) is shown in Figure 188.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
View Certificate Details
Subject ......... CN=149.
Generating an Enrollment Request
To request a certificate from a CA, you need to generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S63 file system, from where you can upload it onto your management station or FTP server for submission to the CA.
The Generate Enrollment Request menu is shown in Figure 189.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Generate Enrollment Request
1 - Request Name....................
2 - KeyPair ID ..................... 0
3 - Format ......................... PEM
4 - Type ........................... PKCS10
5 - Generate Enrollment Request
R - Return to Previous Menu
Enter your selection?
Figure 189.
Note
You cannot change option 4, Type. The PKCS10 value indicates that the request is produced in the PKCS #10 certificate signing request format, which is the format CAs expect to receive for enrollment.
12. Type 5 to select Generate Enrollment Request. After the switch has finished generating the request, a message similar to the following is displayed:
Enrollment request is being generated. Please wait ...Done.
Enrollment Request available in file [Switch 12.csr].
Press any key to continue ...
Installing CA Certificates onto a Switch
This section lists the procedures that you will need to perform if the switch’s certificate was created by a public or private CA. Note that what the CA returns is not a single certificate but a chain: the switch’s own certificate, the certificate of the CA that signed it, and any intermediate CA certificates between that CA and the root. There is a minimum of two. All the certificates from the CA must be installed on the switch.
Viewing or Configuring the Number of Certificates in the Database
The maximum number of certificates you can add to the certificate database can be set to a value from 12 to 256. The default value is 256. There should be little cause or need for you to adjust this value.
To view or change the number of certificates in the certificate database, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration.
Configuring SSL
To configure the SSL protocol, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 5 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 190.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 28
Secure Shell (SSH)
This chapter contains overview information about the Secure Shell (SSH) protocol as well as a procedure for configuring this protocol on a switch using a local or Telnet management session.
SSH Overview
Secure management is increasingly important in modern networks: the ability to manage switches easily and effectively and the requirement for security are both universal needs. Switches are often managed remotely through Telnet sessions. This method has a serious security problem: it is protected only by plaintext usernames and passwords, which are vulnerable to wiretapping and password guessing.
❑ RSA public keys with lengths of 512 to 2048 bits are supported. Keys are stored in a format compatible with other Secure Shell implementations, and mechanisms are provided to copy keys to and from the switch.
❑ Compression of SSH traffic.
The following SSH options and features are not supported:
❑ IDEA or Blowfish encryption
❑ Nonencrypted Secure Shell sessions
❑ Tunnelling of TCP/IP traffic
Note
Non-encrypted Secure Shell sessions serve no purpose.
You can download client software from the Internet. Two popular SSH clients are PuTTY and the OpenSSH client (available on Windows through Cygwin). To install SSH client software, follow the directions from the vendor.
After you have configured the SSH client software, you can use the client software to log in to the SSH server as a manager, operator, or as RADIUS/TACACS+ users. The SSH server supports multiple client connections. The maximum number of SSH clients allowed is 10 users with one manager login.
[Figure: front panels of an AT-9424T/SP master switch and a slave switch]
1. Create two encryption key pairs on the master switch of the enhanced stack. One pair will function as the host key and the other as the server key.
2. Configure and activate the Secure Shell server on the switch by specifying the two encryption keys in the server software. For instructions, see ”Configuring SSH” on page 613.
3. Install SSH client software on your management station. Follow the directions provided with the client software.
Configuring SSH
This section describes how to configure the switch as an SSH server. For a description of all the steps required to configure an SSH server, see ”General Steps for Configuring SSH” on page 611. Before you begin this procedure, you need to configure a host key and a server key for SSH. See Chapter 26, ”Encryption Keys” on page 547. The minimum bit size of the server key is 512 bits. The recommended bit size for a server key is 768 bits. Both sizes are small by current standards (512-bit and 768-bit RSA moduli have been factored publicly), so where your clients support it, prefer the largest size the switch offers, 2048 bits, for both the host key and the server key.
3. Type 2 to select Host Key ID. The following prompt is displayed:
Enter Host Key ID [0 to 65535] -> 0
Enter a host key ID. The default is Not Defined. Enter a value that you configured in the encryption menus. See Chapter 26, ”Encryption Keys” on page 547.
4. Type 3 to select Server Key ID. The following prompt is displayed:
Enter Server Key ID [0 to 65535] -> 0
Enter a server key ID. The default is Not Defined. Enter a value that you configured in the encryption menus.
Type E to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server. Or, type D to disable SSH while you are configuring the protocol. SSH must be disabled while you are configuring the protocol. This is the default.
Note
When there are active SSH connections, you cannot disable the SSH server. If you attempt to disable the SSH server when it is in this state, you receive a warning message.
Displaying SSH Information
To display SSH server information, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 4 to select Secure Shell (SSH). The Secure Shell (SSH) menu is shown in Figure 192 on page 613.
3. From the Secure Shell (SSH) menu, type 6 to select Show Server Information.
Server Port
The well-known port for SSH. The default is port 22.
Host Key ID
The host key ID defined for SSH.
Host Key Bits
Number of bits in the host key.
Server Key ID
Server key ID defined for SSH.
Server Key Expiry
Length of time, in hours, until the server key is regenerated. The default is 0 hours, which means the server key is not regenerated. Periodic regeneration limits how many past sessions a later compromise of the server key could expose, so a nonzero value is preferable where your clients tolerate it.
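The host key is what protects the SSH session against the interception described under Diffie-Hellman above, so the first connection from a management station should be preceded by comparing the fingerprint the client displays with one computed independently from the switch's public key. The following Python script, added here as an example (it is not code from the AT-S63 software, nor from PuTTY or OpenSSH), computes the MD5 and SHA256 fingerprints that OpenSSH and PuTTY show on first connection, over the "ssh-rsa" wire encoding of the key (RFC 4253), emits a known_hosts line for pinning the key on the station, and compares a displayed fingerprint with a computed one. E_SAMPLE and N_SAMPLE are constructed stand-ins for the exponent and modulus of a key exported in HEX format, not a real key. The Digest column on the Key Management menu is described as the CRC32 of an MD5 digest of the public key without stating which encoding it hashes, so the crc32_of_md5 value is an assumption and may not match what the switch displays.

```python
"""Fingerprints for verifying a switch's SSH host key out of band.

Added example, not code from the AT-S63 software, PuTTY or OpenSSH.
E_SAMPLE and N_SAMPLE are constructed values, not a real key. The
crc32_of_md5 field is an assumption about the switch's Digest column.
"""
import base64
import hashlib
import struct
import zlib

E_SAMPLE = 65537
N_SAMPLE = int("B" + "3" * 255, 16)   # constructed 1024-bit number, not a real RSA modulus


def ssh_string(data):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(n):
    """SSH 'mpint' (RFC 4251): length-prefixed big-endian two's complement."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                 # a leading zero keeps the value positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def ssh_rsa_blob(e, n):
    """Public key as sent during key exchange: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprints(e, n):
    """Fingerprints in the forms SSH clients display, plus the assumed switch Digest form."""
    blob = ssh_rsa_blob(e, n)
    md5 = hashlib.md5(blob).digest()
    sha256 = hashlib.sha256(blob).digest()
    return {
        "bits": n.bit_length(),
        "md5": ":".join(f"{b:02x}" for b in md5),                   # aa:bb:cc:... (older clients)
        "sha256": "SHA256:" + base64.b64encode(sha256).decode().rstrip("="),  # newer OpenSSH form
        "crc32_of_md5": f"{zlib.crc32(md5) & 0xFFFFFFFF:08X}",     # assumption: switch Digest column
    }


def known_hosts_line(host, e, n):
    """Line to pin the key on the management station (OpenSSH known_hosts format)."""
    return f"{host} ssh-rsa {base64.b64encode(ssh_rsa_blob(e, n)).decode()}"


def fingerprint_matches(shown, expected):
    """Compare what the client displayed with the computed value, ignoring case and separators."""
    def norm(s):
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return norm(shown) == norm(expected)


if __name__ == "__main__":
    fp = fingerprints(E_SAMPLE, N_SAMPLE)
    for k, v in fp.items():
        print(f"{k:>13}: {v}")
    print(known_hosts_line("192.0.2.10", E_SAMPLE, N_SAMPLE))   # 192.0.2.10 is a sample address
```

If the value the client shows on first connection differs from the one computed here, do not accept the key: either the exported key is not the one the SSH server is using, or something between the station and the switch is answering in its place.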
Chapter 29
802.1x Port-based Network Access Control
This chapter explains 802.1x Port-based Network Access Control and how you can use this feature to restrict access to the network ports on the switch. Sections are as follows:
❑ ”IEEE 802.1x Port-based Network Access Control Overview” on page 620
❑ ”Setting Port Roles” on page 629
❑ ”Enabling or Disabling 802.
IEEE 802.1x Port-based Network Access Control Overview
The AT-S63 management software offers you several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 23, ”Port Security” on page 517, explains how you can restrict network access using the MAC addresses that belong to the end nodes of your network. This chapter explains yet another way.
prohibits network access by a supplicant until the network user has entered a valid username and password.
❑ Authentication server - The authentication server is the network device that runs the RADIUS server software. This is the device that actually authenticates the usernames and passwords from the supplicants. The AT-9400 Series switch does not authenticate any of the usernames and passwords from the end users.
Port Roles
Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:
❑ None
❑ Authenticator
❑ Supplicant
None Role
A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without providing a username and password. This is the default setting for the switch ports.
[Figure: Port 22 in None Role]
❑ The date and time when the event occurred
❑ The number of packets transmitted and received by the switch port during a supplicant’s session. (This information is sent only when the client logs off.)
You can also configure the accounting feature to send interim updates so you can monitor which clients are still active.
❑ The IP addresses of up to three RADIUS servers.
❑ The encryption key, that is, the shared secret used to authenticate the exchanges between the switch and the RADIUS servers.
The instructions for this step are in ”Configuring RADIUS” on page 654.
4. Next, you must configure the port access control settings on the switch. This involves the following:
❑ Specifying the port roles.
❑ Configuring 802.1x port parameters.
❑ Enabling 802.1x Port-based Network Access Control.
log on.
❑ A username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.
❑ After a supplicant has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the end user logs off the network. Only then is the address removed.
❑ Set ports used to interconnect switches to the none role. This is illustrated in Figure 196.
Setting Port Roles
This procedure sets port roles. For an explanation of port roles, refer to ”Port Roles” on page 622. You must set up the port roles before you enable port access control.
To set port roles, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2.
The Configure Port Access Role menu is shown in Figure 198.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Configure Port Access Role
Configuring Port 3
1 - Port Role ......... None
R - Return to Previous Menu
Enter your selection?
Figure 198. Configure Port Access Role Menu
5. Type 1 to select Port Role.
Enabling or Disabling 802.1x Port-based Network Access Control
This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to ”Setting Port Roles” on page 629.
To enable or disable 802.1x Port-based Network Access Control, perform the following procedure:
1.
Configuring Authenticator Port Parameters
To configure authenticator port parameters, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 197 on page 629.
3.
The Configure Authenticator Port Access Parameters menu is shown in Figure 200.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Configure Authenticator Port Access Parameters
Configuring Port 3
1 - Port Control .............
2 - Quiet Period .............
3 - TX Period ................
4 - Reauth Period ............
5 - Supplicant Timeout .......
6 - Server Timeout ...........
7 - Max Requests ............
2 - Quiet Period
The quiet period is the number of seconds that the port remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.
3 - TX Period
This parameter sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The default value is 30 seconds.
Ingress - A port, when in the unauthorized state, discards all ingress broadcast and multicast packets from the client, but forwards all egress broadcast and multicast traffic to the same client.
Both - A port, when in the unauthorized state, does not forward ingress or egress broadcast and multicast packets from or to the same client until the client logs in. This is the default.
7.
Configuring Supplicant Port Parameters
To configure supplicant port parameters, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 197 on page 629.
3.
The Configure Supplicant Port Access Parameters menu is shown in Figure 200.
Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                      11:20:02 02-Oct-2004
Configure Supplicant Port Access Parameters
Configuring Port 5-8
1 - Auth Period...........
2 - Held Period...........
3 - Max Start ...........
4 - Start Period..........
5 - User Name: ...........
6 - User Password: .......
5 - User Name
The user name is the username for the switch port. The port sends the name to the authentication server for verification when the port logs on to the network. The username can be from 1 to 16 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points. The username is case sensitive.
6 - User Password
This parameter specifies the password for the switch port.
Displaying the Port Access Parameters
To display the port access parameters for the ports on the switch, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 197 on page 629.
3.
Port Role
Port access role configured for the port. The possible settings are None, Authenticator, or Supplicant.
State
State of the port. The state field is dependent on whether a port is configured as an authenticator or a supplicant.
Configuring RADIUS Accounting
The AT-S63 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a switch port during a client session. For background information on this feature, refer to “RADIUS Accounting” on page 624.
2 - Port
This parameter specifies the UDP port for RADIUS accounting. The default is port 1813.
3 - Type
This parameter specifies the type of RADIUS accounting. The default is Network. This value cannot be changed.
4 - Trigger Type
This parameter specifies the action that causes the switch to send accounting information to the RADIUS server.
Section IV: Security
Chapter 30
TACACS+ and RADIUS Protocols
This chapter describes how you can use two authentication protocols, TACACS+ and RADIUS, to control who can log onto a switch to manage it.
TACACS+ and RADIUS Overview
The AT-S63 management software has two standard manager login accounts: manager and operator. The manager account lets you change a switch’s parameter settings while the operator account lets you view the settings, but not change them. Each account has its own password. The manager account has a default password of “friend” and the operator account has a default password of “operator.”
Chapter 30: TACACS+ and RADIUS Protocols
password combination that you create on the server software. The access level can be either Manager or Operator. The final function of an authentication protocol is accounting, which keeps track of user activity on network devices. The AT-S63 management software does not support RADIUS or TACACS+ accounting as part of manager accounts. However, it does support RADIUS accounting with the 802.1x Port-based Network Access Control feature, as explained in Chapter 29, “802.
Administrative for this attribute gives the username and password combination Manager access. A value of NAS Prompt assigns the combination Operator status.
Note
This manual does not explain how to configure TACACS+ or RADIUS server software. For that you need to refer to the documentation that came with the software.
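The following is an added example, not Allied Telesyn code, covering the two RADIUS exchanges this chapter and Chapter 29 rely on: building and checking an Accounting-Request as the switch would send it to UDP port 1813 (RFC 2866), and, on the switch side, verifying a RADIUS Access-Accept’s Response Authenticator (RFC 2865) before mapping its Service-Type value (Administrative or NAS Prompt) to Manager or Operator access. The shared secret, packet identifiers and attribute values are constructed.

```python
"""RADIUS helpers (RFC 2865 / RFC 2866) for the two uses described above.

Added example, not AT-S63 code. The secret, identifiers and attribute
values below are constructed for illustration."""
import hashlib
import struct

# Packet codes and attribute types used here (RFC 2865 / RFC 2866)
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
USER_NAME, SERVICE_TYPE = 1, 6
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 47, 48
ACCT_START, ACCT_STOP = 1, 2
# Service-Type values the manual maps to manager access levels:
# 6 = Administrative -> Manager, 7 = NAS Prompt -> Operator
SERVICE_TYPE_TO_LEVEL = {6: "Manager", 7: "Operator"}


def encode_attrs(attrs):
    """attrs: list of (type, bytes or int); ints become 4-byte integers."""
    out = b""
    for typ, val in attrs:
        if isinstance(val, int):
            val = struct.pack("!I", val)
        out += struct.pack("!BB", typ, 2 + len(val)) + val
    return out


def decode_attrs(data):
    """Parse the attribute area; reject lengths that would run off the packet."""
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def build_accounting_request(secret, ident, attrs):
    """Accounting-Request as sent to UDP 1813. RFC 2866: the Request
    Authenticator is MD5 over Code+ID+Length, 16 zero bytes, the
    attributes, and the shared secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def verify_accounting_request(secret, pkt):
    """Server side: recompute the Request Authenticator; a mismatch means
    the record was forged, altered in transit, or sent with a wrong secret."""
    head, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(head + bytes(16) + body + secret).digest() == auth


def build_access_accept(secret, request_auth, ident, attrs):
    """Server side reply. RFC 2865: Response Authenticator is MD5 over
    Code+ID+Length, the Request Authenticator, attributes, and the secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


def access_level_from_accept(secret, request_auth, pkt):
    """Switch side: return 'Manager', 'Operator' or None. The Response
    Authenticator is checked first, so a reply that was not produced with
    the shared secret never grants an access level."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return None
    head, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(head + request_auth + body + secret).digest() != resp_auth:
        return None
    for typ, val in decode_attrs(body):
        if typ == SERVICE_TYPE and len(val) == 4:
            return SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", val)[0])
    return None  # no Service-Type: neither Manager nor Operator access
```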
Enabling or Disabling TACACS+ or RADIUS
To enable or disable the server-based authentication feature on the switch and to configure the RADIUS or TACACS+ settings, perform one of the following procedures.
Enabling TACACS+ or RADIUS
To enable TACACS+ or RADIUS, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2.
Note
Before enabling server-based authentication on the switch, you should first configure the TACACS+ or RADIUS settings. If you selected TACACS+, go to “Configuring TACACS+” on page 650. If you selected RADIUS, go to “Configuring RADIUS” on page 654.
Disabling TACACS+ or RADIUS
To disable the authentication feature on the switch, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
Configuring TACACS+
To configure the TACACS+ client software, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 205 on page 648.
3. From the Authentication Configuration menu, type 3 to select TACACS+ Configuration.
If you will be specifying more than one TACACS+ server and if all of the servers use the same encryption secret, you can answer No to this prompt and enter the encryption secret using the TAC Global Secret parameter. However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, then respond with Yes to this prompt.
Displaying the TACACS+ Settings
To display the TACACS+ settings, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 205 on page 648.
3. Type 3 to select TACACS+ Configuration.
TAC Timeout
The maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server is not responding.
Configuring RADIUS
To configure the RADIUS protocol, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 205 on page 648.
3. Type 4 to select RADIUS Configuration.
the list. If there are no more servers, then the switch defaults to the standard Manager and Operator accounts. The default is 10 seconds. The range is 1 to 60 seconds.
3 - RADIUS Server 1 Configuration
4 - RADIUS Server 2 Configuration
5 - RADIUS Server 3 Configuration
Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software.
Displaying RADIUS Status and Settings
To display the RADIUS status and settings, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 51.
2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 205 on page 648.
3.
Auth Port
UDP port of the RADIUS protocol.
Encryption Key
Encryption key for the RADIUS server.
Auth Req
Number of authentication requests the switch has made to the RADIUS server.
Auth Resp
Number of responses that the switch has received back from the server.
Chapter 31
Denial of Service Defense
This chapter contains procedures for configuring the switch to protect against denial of service (DoS) attacks.
Chapter 31: Denial of Service Defense
Denial of Service Overview
The AT-S63 management software can help protect your switch against the following types of denial of service attacks.
❑ SYN Flood Attack
❑ SMURF Attack
❑ Land Attack
❑ Teardrop Attack
❑ Ping of Death Attack
❑ IP Options Attack
The following subsections briefly describe each type of attack and the mechanism employed by the AT-S63 management software to protect your network.
SMURF Attack
This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request containing a broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
Following is a simplified overview of how the process takes place. This example assumes that you have activated the feature on port 4 and that you have specified port 1 as the uplink port. The steps below review what happens when an ingress IP packet arrives on port 4:
1. When port 4 receives an ingress IP packet with a destination MAC address learned on uplink port 1, it examines the packet’s destination IP address before forwarding the packet.
2.
If one is found, the following occurs:
❑ The switch sends an SNMP trap to the management stations.
❑ The switch port discards the fragment with the invalid offset and, for a one minute period, discards all ingress fragmented IP traffic.
Because the CPU only samples the ingress IP traffic, this defense mechanism may catch some, though not necessarily all, of this form of attack.
Caution
This defense is extremely CPU intensive; use with caution.
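The fragment-offset check and one-minute discard window described above, as an added example that is not AT-S63 code: a per-port guard that flags a fragment whose byte range overlaps an earlier fragment of the same datagram or runs past the maximum IP datagram size, records what would become the SNMP trap, and then discards all fragmented traffic on that port for 60 seconds. Unlike the switch CPU, which only samples, this example inspects every fragment it is given; the fragments in the test are constructed, with offsets given in bytes rather than 8-byte units.

```python
"""Teardrop-style fragment guard modelled on the defense described above.

Added example, not AT-S63 code. Offsets and lengths are in bytes; the
datagram key (source, destination, IP ID) identifies one reassembly."""
import time

DISCARD_WINDOW = 60.0   # the manual: fragmented IP traffic dropped for one minute
MAX_DATAGRAM = 65535    # an offset + length beyond this cannot be a valid fragment


class TeardropGuard:
    def __init__(self):
        self.seen = {}            # (src, dst, ip_id) -> [(offset, end), ...] accepted so far
        self.blocked_until = {}   # port -> time until which all fragments are discarded
        self.traps = []           # records of what the switch would send as SNMP traps

    def _invalid(self, frags, offset, length):
        """True if this fragment overlaps an accepted one or overruns the datagram."""
        end = offset + length
        if length <= 0 or end > MAX_DATAGRAM:
            return True
        # Half-open interval overlap test against every fragment accepted so far
        return any(offset < e and end > o for o, e in frags)

    def ingress(self, port, src, dst, ip_id, offset, length, now=None):
        """Decide 'forward' or 'discard' for one ingress fragment on a port."""
        now = time.time() if now is None else now
        if self.blocked_until.get(port, 0.0) > now:
            return "discard"      # inside the one-minute window: drop all fragments
        key = (src, dst, ip_id)
        frags = self.seen.setdefault(key, [])
        if self._invalid(frags, offset, length):
            self.traps.append({"port": port, "src": src, "dst": dst,
                               "ip_id": ip_id, "offset": offset, "time": now})
            self.blocked_until[port] = now + DISCARD_WINDOW
            self.seen.pop(key, None)   # abandon this reassembly
            return "discard"
        frags.append((offset, offset + length))
        return "forward"

    def is_blocked(self, port, now=None):
        now = time.time() if now is None else now
        return self.blocked_until.get(port, 0.0) > now
```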
IP Options Attack
In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 management software does not distinguish between them. Rather, the defense mechanism counts the number of ingress IP packets containing IP options received on a port.
Configuring Denial of Service Defense
To configure DoS defense, perform the following procedure:
1. From the Main Menu, type 8 to select Security Configuration. The Security Configuration menu is shown in Figure 175 on page 559.
2. From the Security Configuration menu, type 2 to select Denial of Service (DoS). The Denial of Service (DoS) menu is shown in Figure 211.
b. Type 1 to select IP Address. The following prompt is displayed:
Enter the IP Address for the LAN:
Enter the IP address of one of the devices connected to the switch, preferably the lowest IP address.
c. Type 2 to select Subnet Mask. The following prompt is displayed:
Enter the Subnet Mask for the LAN:
Enter the mask. A binary “1” indicates the switch should filter on the corresponding bit of the IP address, while a “0” indicates that it should not.
A menu is displayed containing either one or two options, depending on the DoS defense you selected. An example of the menu is shown in Figure 213.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63 Marketing
User: Manager                                   11:20:02 02-Oct-2004
SYN Flood Configuration
Configuring DoS for Port 2
1 - DoS Status ................. Disabled
R - Return to Previous Menu
Enter your selection?

Figure 213. SYN Flood Configuration Menu
6.
Appendix A
AT-S63 Default Settings
This appendix lists the AT-S63 factory default settings.
Appendix A: AT-S63 Default Settings
❑ “Management Access Control List Default Setting” on page 692
Basic Switch Default Settings
This section lists the default settings for basic switch parameters.
Management Interface Setting              Default
Console Disconnect Timer Interval         10 minutes

Note
Login names and passwords are case sensitive.

RJ-45 Serial Terminal Port Default Settings
The following table lists the RJ-45 serial terminal port default settings.

RJ-45 Serial Terminal Port Setting        Default
Data Bits                                 8
Stop Bits                                 1
Parity                                    None
Flow Control                              None
Baud Rate                                 9600 bps

SNTP Default Settings
The following table lists the SNTP default settings.
Switch Administration Default Settings
The following table describes the switch administration default settings.

Administration Setting                    Default
IP Address                                0.0.0.0
Subnet Mask                               0.0.0.0
Gateway Address                           0.0.0.0
System Name                               None
Administrator                             None
Comments                                  None
BOOTP/DHCP                                Disabled
MAC Address Aging Time                    300 seconds

System Software Default Settings
The following table lists the system software default settings.
Enhanced Stacking Default Setting
The following table lists the enhanced stacking default setting.
SNMP Default Settings
The following table describes the SNMP default settings.
Port Configuration Default Settings
The following table lists the port configuration default settings.
Event Log Default Settings
The following table lists the event log default settings.
Quality of Service
The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.
IEEE 802.
IGMP Snooping Default Settings
The following table lists the IGMP Snooping default settings.
Denial of Service Prevention Default Settings
The following table lists the default settings for the Denial of Service prevention feature.

Denial of Service Prevention Setting      Default
IP Address                                0.0.0.0
Subnet Mask                               0.0.0.
STP, RSTP, and MSTP Default Settings
This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings
The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting                        Default
Spanning Tree Status                      Disabled
Active Protocol Version                   RSTP

STP Default Settings
The following table describes the STP default settings.

RSTP Default Settings
RSTP Setting                              Default
Port Priority                             128

MSTP Default Settings
The following table lists the MSTP default settings.
VLAN Default Settings
This section provides VLAN default settings.
GVRP Default Settings
This section provides the default settings for GVRP.
Port Security Default Settings
The following table lists the port security default settings.
802.1x Port-Based Network Access Control Default Settings
The following table describes the 802.1x Port-based Network Access Control default settings.

802.1x Port-based Network Access Control Setting   Default
Port Access Control                                Disabled
Authentication Method                              RADIUS EAP
Port Role                                          None

The following table lists the default settings for RADIUS accounting.
Web Server Default Settings
The following table lists the web server default settings.
SSL Default Settings
The following table lists the SSL default settings.
PKI Default Settings
The following table lists the PKI default settings, including the generate enrollment request settings.
SSH Default Settings
The following table lists the SSH default settings.
Server-Based Authentication Default Settings
This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-Based Authentication Default Settings
The following table describes the server-based authentication default settings.

RADIUS Default Settings

TACACS+ Client Default Settings
Management Access Control List Default Setting
The following table lists the default setting for the Management Access Control List.
Appendix B
SNMPv3 Configuration Examples
This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.
Appendix B: SNMPv3 Configuration Examples
SNMPv3 Configuration Examples
This appendix provides SNMPv3 configuration examples for the following types of users:
❑ a Manager
❑ an Operator
In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 5, “SNMPv3” on page 317.
SNMPv3 Manager Configuration
This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet
This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

SNMPv3 Access Table
Group Name
Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table
User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table
Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table
Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
Storage Type
SNMPv3 Parameters (Continued)

SNMPv3 Target Parameters Table
Target Parameters Name
User (Security) Name
Security Model
Security Level
Storage Type