AT-S63 Management Software Menus Interface User's Guide
AT-9400 Series Layer 2+ Gigabit Ethernet Switches
Version 2.1.0
613-50570-00 Rev.
Copyright © 2006 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Preface

This guide contains instructions on how to configure and maintain an AT-9400 Series Layer 2+ Gigabit Ethernet switch using the menus interface of the AT-S63 management software. For instructions on how to manage the switch from the command line and web browser interfaces, refer to the AT-S63 Management Software Command Line Interface User's Guide and the AT-S63 Management Software Web Browser Interface User's Guide. The guides are available from the Allied Telesyn web site.
How This Guide is Organized

This guide is organized into the following sections:

Section I: Basic Operations

The chapters in this section explain how to start a management session and perform basic tasks, including configuring the IP configuration of a switch, port parameters, SNMPv1 and SNMPv2c, enhanced stacking, trunking and mirroring, and viewing Ethernet statistics.
Document Conventions

This document uses the following conventions:

Note: Notes provide additional information.

Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.

Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in portable document format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales and corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base: http://kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
History of New Features

This section contains the history of new features in the AT-S63 management software.

Version 2.1.0

Table 1 lists the new features in version 2.1.0 of the AT-S63 management software.

Table 1. New Features in AT-S63 Version 2.1.0

Feature: Internet Protocol version 4 packet routing
Change: Added the following new features: Equal Cost Multi-path (ECMP) to support multiple routes in the routing table to the same remote destination.
Version 2.0.0

Table 2 lists the new feature in version 2.0.0 of the AT-S63 management software.

Table 2. New Features in AT-S63 Version 2.0.0

Feature: Internet Protocol version 4 packet routing with:
    Routing interfaces
    Static routes
    Routing Information Protocol (RIP) versions 1 and 2
Change: New feature.
Version 1.3.0

Table 3 lists the new features in version 1.3.0 of the AT-S63 management software.

Table 3. New Features in AT-S63 Version 1.3.0

Feature: 802.1x Port-based Network Access Control
Change: Added the following new features: Guest VLAN. For background information, see "Guest VLAN" on page 735.
Chapter: Chapter 31, "802.1x Port-based Network Access Control" on page 721

Feature: Management Access Control List
Version 1.2.0

Table 4 lists the new features in version 1.2.0.

Table 4. New Features in AT-S63 Version 1.2.0

Feature: MAC Address Table
Change: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table: STATIC, STATICUNICAST, and STATICMULTICAST, for displaying and deleting static unicast and multicast MAC addresses.

Feature: Quality of Service
Table 4. New Features in AT-S63 Version 1.2.0 (Continued)

Feature: MAC Address-based VLANs
Change: New feature.
Chapter: Chapter 28, "MAC Address-based VLANs" on page 673

Feature: 802.1x Port-based Network Access Control
Change: Added a new parameter to authenticator ports: Supplicant Mode, for supporting multiple supplicant accounts on an authenticator port.
Chapter: Chapter 31, "802.1x Port-based Network Access Control" on page 721
Chapter 1: Overview

This chapter reviews the AT-S63 software functions, the methods you can use to access the software, and the management access levels.
Management Overview

The AT-S63 management software allows you to monitor and adjust the operating parameters of an AT-9400 Series switch.
Local Management

You establish a local management session with an AT-9400 Series switch by connecting the RJ-45 to RS-232 management cable included with the switch to a terminal or a PC with a terminal emulator program and to the terminal port on the switch. The terminal port is located on the front panel of the AT-9400 Series switch.
Remote Telnet, Secure Shell, and Web Browser Management

You can remotely manage the switch from a management station on your network using a Telnet or Secure Shell (SSH) client application or a web browser. Remote Telnet and SSH management support the menus and command line management interfaces, while remote web browser management supports the web browser management interface.
Remote SNMP Management

You can use the Simple Network Management Protocol (SNMP) to run a network management application such as AT-View to remotely manage the switch. A familiarity with how to use management information base (MIB) objects is necessary for this type of management.
Management Access Levels

There are two levels of management access in the AT-S63 management software: manager and operator. When you log in as a manager, you can view and configure all of a switch's operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values. You log in as a manager or an operator by entering the appropriate username and password when you start an AT-S63 management session.
Section I: Basic Operations

The chapters in this section provide information and procedures for basic switch setup using the AT-S63 management software.
Chapter 2: Starting a Management Session

This chapter contains the procedures for starting a management session on the switch using a local or remote connection.
Starting a Local Management Session

To establish a local management session with an AT-9400 Series switch, connect a terminal or a computer with a terminal emulator program to the terminal port on the front panel of the switch, using the management cable included with the switch.
3. Configure the terminal or terminal emulation program as follows:

    Baud rate: 9600 bps. (The baud rate of the Terminal Port is adjustable from 9600 to 115200 bps. The default is 9600 bps. For instructions on changing the baud rate, refer to "Setting the Baud Rate of the Serial Terminal Port" on page 76.)
If the switch has been assigned a name, the name is displayed below the switch's model name. For information about the command line interface, refer to the AT-S63 Management Software Command Line Interface User's Guide.

7. To use the menus interface, type menu and press Return. The Main Menu is shown in Figure 3.
Planning for Remote Management

There are a number of factors that need to be considered before you can begin to remotely manage an AT-9400 Series switch with the Telnet application protocol, the Secure Shell (SSH) protocol, or a web browser.
Also important to remote management is what is referred to as the local interface. A switch's CPU can monitor only one local subnet for remote management packets at a time. You must specify the local subnet on the switch from which your remote management station is reaching the unit. You do that by designating the subnet's interface as the local interface.
Here are the general steps to configuring the slave switches of an enhanced stack:

1. Connect the slave switches to the master switch using a common VLAN.

2. If you use the Default_VLAN (VID 1) as the common VLAN of the switches of the stack, you do not need to add a routing interface to it on the slave switches.
Starting a Remote Telnet or SSH Management Session

The AT-S63 management software has the Telnet and Secure Shell (SSH) server software for remote management of the device using a Telnet or SSH client.
Note: A switch can support one manager session and eight operator sessions simultaneously.

The management session starts and the command line interface (CLI) prompt is displayed, as shown in Figure 2 on page 47. For information about the command line interface, refer to the AT-S63 Management Software Command Line Interface User's Guide. If the switch has been configured with a name, the name is displayed below the switch's model name.
Saving Your Parameter Changes

A change to a parameter setting on the switch is implemented as soon as you enter it. For example, a new virtual LAN becomes available as soon as you create it. All changes are initially saved to temporary memory. They are lost the next time you reset or power cycle the unit unless you permanently save them with the S - Save Configuration Changes option in the Main Menu.
Redundant Twisted Pair Ports

Your AT-9400 Series switch may have two or four twisted pair ports that are paired with GBIC or SFP slots. The twisted pair ports are identified with the letter "R" for "Redundant" as part of their number on the front faceplate of the unit. The ports and slots are listed in Table 5.
Note: These guidelines do not apply to the SFP slots on the AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP switches.
Restrictions to the Menus Interface

The following management tasks are not supported in the menus interface and must be performed from the command line interface.
Chapter 3: Basic Switch Parameters

This chapter contains the following sections:

    "Configuring the Switch's Name, Location, and Contact" on page 60
    "Changing the Manager and Operator Passwords" on page 63
    "Setting the System Time" on page 66
    "Rebooting the Switch" on page 71
    "Configuring the Console Startup Mode" on page 73
    "Configuring the Console Timer" on page 74
    "Configuring the Telnet Server" on page 75
    "Setting the Baud Rate of the Serial Terminal Port" on page 76
Configuring the Switch's Name, Location, and Contact

This procedure explains how to assign a name to the switch. The name appears at the top of the menus. Names can help you identify your switches when you manage them and help you avoid performing a configuration procedure on the wrong switch. This procedure also assigns the name of the administrator responsible for maintaining the unit and the location of the switch.
The System Configuration menu is shown in Figure 5.

    Allied Telesyn AT-9424Ts - AT-S63
    Marketing                          User: Manager   11:20:02 02-Mar-2006

    System Configuration

    1 - Eth0 Interface ............. vlan2-0
    2 - IP Address ................. 184.35.62.11
    3 - Subnet Mask ................ 255.255.255.0
    4 - Default Gateway ............ 184.35.62.
    5 - System Name ................
    6 - Location ...................
    7 - Administrator ..............
    8 - ARP Cache Timeout ..........
dashes and asterisks. The default is no name. This parameter is optional.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Changing the Manager and Operator Passwords

There are two levels of management access on an AT-94xx switch: manager and operator. When you log in as manager, you can view and configure all of a switch's operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values.
3. From the Authentication Configuration menu, type 5 to select Passwords Configuration. The Passwords Configuration menu is shown in Figure 7.

    Allied Telesyn AT-9424Ts - AT-S63
    Marketing                          User: Manager   11:20:02 02-Mar-2005

    Passwords Configuration

    1 - Set Manager Password
    2 - Set Operator Password

    R - Return to Previous Menu

    Enter your selection?

Figure 7. Passwords Configuration Menu

4. From the Passwords Configuration menu, type 1 to select Set Manager Password.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Resetting the Manager Password

If you change the manager password from the default and lose or forget it, you can reset the password to its default value. Note the following about this feature: You must perform this procedure from a local management session.
Setting the System Time

This procedure explains how to set the switch's date and time. Setting the system time is important if you configured the switch to send traps to your management stations. Traps from a switch where the time has not been set do not contain the correct date and time. Therefore, it becomes difficult for you to determine when the events represented by the traps occurred.
Setting the System Time Manually

To set the system time manually, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 2 to select System Configuration. The System Configuration menu is shown in Figure 5 on page 61.

3. From the System Configuration menu, type T to select Configure System Time.
Setting the System Time from an SNTP or NTP Server

To configure the switch to obtain its date and time from an SNTP or NTP server on your network or the Internet, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 2 to select System Configuration. The System Configuration menu is shown in Figure 5 on page 61.
8. Type 5 to select Daylight Savings Time (DST) to enable or disable the switch's ability to adjust its system time to daylight savings time. The following prompt is displayed:

    Adjust for Daylight Savings Time (E - Enabled, D - Disabled) ->

9. Type E to enable daylight savings time and allow the switch to adjust system time to daylight savings time. This is the default value.
The Last Delta option in the menu displays the last adjustment that was applied to system time due to a drift in the system clock between two successive queries to the SNTP server. This is a read-only field.

Option U, Update System Time, allows you to prompt the switch to poll the SNTP or NTP server for the current time and date. You can use this selection to update the time and date immediately rather than wait for the switch's next polling period.
Rebooting the Switch

This procedure reboots the switch.

Note: Any configuration changes not saved are lost after the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.

Caution: The switch does not forward traffic while it initializes its operating software.
Note: Item 1, File Operations, is described in Chapter 10, "File System" on page 195. Item 2, Downloads and Uploads, is described in Chapter 11, "File Downloads and Uploads" on page 221. Ping a Remote System, item 3, is described in "Pinging a Remote System" on page 77. Reset to Factory Defaults, item 4, is described in "Returning the AT-S63 Management Software to the Factory Default Values" on page 78.
Configuring the Console Startup Mode

You can configure the AT-S63 management software to display either the Main Menu or the command line interface prompt whenever you start a local or Telnet management session. The default is the command line interface. To change the console startup mode, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
Configuring the Console Timer

The AT-S63 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. The management software automatically ends a local or remote management session if the session is inactive for the length of time specified by the console timer.
Configuring the Telnet Server

This procedure describes how to enable and disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with a Telnet application or if you intend to use the Secure Shell (SSH) protocol. This procedure also explains how to toggle the Telnet server on the switch so that it adds a NULL character after each CR.
Setting the Baud Rate of the Serial Terminal Port

The default baud rate of the RJ-45 type serial terminal port on the switch is 9600 bps. To change the baud rate, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration.
Pinging a Remote System

This procedure instructs the switch to ping a remote device on your network. This can be useful in determining whether a valid link exists between the switch and another network device. The local subnet on the switch where the device is a member must have a routing interface. The switch uses the IP address of the routing interface as its source address when sending the ping.
Returning the AT-S63 Management Software to the Factory Default Values

The procedure in this section returns all AT-S63 management software parameters to the default values. Please note the following before you perform this procedure:

    Returning all parameter settings to their default values also deletes all routing interfaces as well as all port-based and tagged VLANs on the switch.

    This procedure does not delete files from the AT-S63 file system.
If you respond with yes, the following prompt is displayed:

    Do you want to reset the serial port baud rate to 9600 bps? [Yes/No] ->

5. To return the baud rate of the terminal port on the switch to 9600 bps, type Y for yes. To retain its current speed setting, type N for no.

All of the operating parameters on the switch are automatically returned to their default settings as the unit reboots.
Displaying the AT-9400 Series Switch Hardware and Software Information

To display information about the switch hardware and software, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 11.
IP Address
IP address of the local interface.

Subnet Mask
Subnet mask of the local interface.

Gateway
For AT-9400 Series switches that support IPv4 routing, such as the AT-9424Ts and AT-9448Ts/XP switches, this field displays the IP address of the next hop of the switch’s default route. The switch uses the default route when it receives a network packet for routing, but cannot find a route for it in the routing table. This field will contain 0.0.0.
Note
To change the system name, administrator, or location, see “Configuring the Switch’s Name, Location, and Contact” on page 60. For information about selection H, System Hardware Status, refer to “Displaying System Hardware Information” on page 83. For information about selection U, Uplink Information, refer to “Displaying Uplink Port Information” on page 85.
Displaying System Hardware Information

You can view information about the system hardware, including details about the fans and temperature settings. To display the system hardware information, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2.
The System Hardware Information menu provides the following information:

System 1.25 V Power
System 1.8 V Power
System 2.5 V Power
System 3.3 V Power
System 5 V Power
System 12 V Power
The current voltage of the six power supplies in the switch.

System Temperature (Celsius)
The overall system temperature.

System Fan Speed
The system fan speed.

Main PSU
RPS
The status of the main power supply unit (PSU) and the redundant power supply (RPS).

4. Return to the Main Menu.
Displaying Uplink Port Information

To display the information about the GBIC or SFP transceivers installed in the uplink ports, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 11 on page 80.
3.
4. Type the number corresponding to the slot where the transceiver is identified as “Present” to view detailed information about that transceiver. The information displayed depends upon the transceiver vendor and whether the slot contains an SFP or a GBIC transceiver.

The GBIC/SFP Information menu (page 1) is displayed. Figure 14 shows some possible fields for an SFP.
The GBIC/SFP Information menu (page 2) is displayed. Figure 15 shows some possible fields of information.

Allied Telesyn AT-9424T/GB - AT-S63 Marketing          User: Manager    11:20:02 02-Mar-2005
GBIC/SFP 2 Information
Vendor Name ............................
Vendor OUI .............................
Vendor Part Number .....................
Vendor Product Revision ................
Vendor Serial Number ...................
Upper Bit Rate Margin ................
Section I: Basic Operations
Chapter 4
Enhanced Stacking

This chapter explains the enhanced stacking feature.
Chapter 4: Enhanced Stacking

Enhanced Stacking Overview

Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking feature can simplify this task because it allows you to easily transition among the different AT-9400 Series switches in your network from just one management session.
Common VLAN

A master switch searches for the other switches in an enhanced stack by sending out a broadcast packet out a local subnet. (The designation of the subnet is explained in “Master Switch and Local Interface,” next.) Since a broadcast packet cannot cross a router or a VLAN boundary, you must interconnect the switches of a stack with a common VLAN.
the interface must be assigned to the common subnet that interconnects the switches of the stack. Furthermore, the interface must be designated as the switch’s local interface. The act of designating an interface as the local interface tells the switch which interface and which subnet it should use for the enhanced stacking feature.
assign an IP address to an AT-8000 Series, AT-8400 Series, or AT-8500 Series switch, refer to the appropriate user’s guide.

Enhanced Stacking Guidelines

Here are the guidelines to using the enhanced stacking feature:

There can be up to 24 switches in an enhanced stack.

The switches in an enhanced stack must be interconnected by a common port-based or tagged VLAN.
General Steps

Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Series switches in your network:

1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesyn switch that supports this feature. In a stack with different switch models, Allied Telesyn recommends using an AT-9400 Series as the master switch. For further information, refer to “Enhanced Stacking Compatibility” on page 92.
2.
Setting a Switch’s Enhanced Stacking Status

The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:

Master switch - A master switch of a stack allows you to easily transition to the other switches in the stack during a management session.
The menu displays the current status of the switch at the end of selection “1 - Switch State.” For example, the switch’s current status in the figure above is master.

Note
Item 2, Stacking Services, is only displayed on master switches.

2. To change a switch’s stacking status, type 1 to select Switch State. The following prompt is displayed.

Enter new setup (M/S/U) ->

3.
Selecting a Switch in an Enhanced Stack

Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
3. From the Stacking Services menu, type 1 to select Get/Refresh List of Switches. The master switch polls the common subnet for all the slave and master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu, as shown in the example in Figure 18.
A prompt similar to the following is displayed:

Enter the switch number -> [1 to 24]

5. Type the number of the switch in the list you want to manage. A prompt is displayed if the switch has been assigned a password.
6. Enter the appropriate username and password for the switch. The Main Menu of the selected switch is displayed. You now can manage the switch. Any management tasks you perform affect only the selected switch.
Returning to the Master Switch

When you are finished managing a slave switch, return to the Main Menu of the switch and type Q for Quit. This returns you to the Stacking Services menu on the master switch where you started the management session. You can either select another switch in the list to manage or, if you want to manage the master switch, type R twice to return to the master switch’s Main Menu.
Displaying the Enhanced Stacking Status

To view the stacking status of a switch in a stack, perform the following procedure:

1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 19.

Allied Telesyn AT-9424Ts - AT-S63 Marketing          User: Manager    11:20:02 02-Mar-2005
Enhanced Stacking
1 - Switch State-(M)aster/(S)lave/(U)navailable.... Slave
R - Return to Previous Menu
Enter your selection?

Figure 19.
Chapter 5
SNMPv1 and SNMPv2c

This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
Chapter 5: SNMPv1 and SNMPv2c

SNMPv1 and SNMPv2c Overview

The Simple Network Management Program (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S63 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c.
string with an access mode of Read can only be used to view but not change the MIB objects on a switch. A community string with a Read/Write access can be used to both view the MIB objects and change them.

Operating Status

A community string can be enabled or disabled. When disabled, no one can use it to access the switch. You might disable a community string if you suspect someone is using it for unauthorized access to the device.
Default SNMP Community Strings

The AT-S63 management software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write.
Enabling or Disabling SNMP Management

To enable or disable SNMP management for the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 20.
Setting the Authentication Failure Trap

As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to the other traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management.
Creating an SNMP Community String

To create a new SNMP community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 20 on page 107.
3.
The following prompt is displayed:

Enter Access Mode [R-Read Only, W-Read/Write]:

6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch. If you specify Read/Write, the community string will allow you to both view and change the SNMP MIB objects on the switch. The following prompt is displayed:

Enter Open Access Status [Y-Yes, N-No]:

7. Specify the open access status.
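As an added example (not code from the Allied Telesyn guide), the following Python audit applies the community-string attributes this chapter describes (access mode, operating status, open access status, manager and trap receiver IP addresses) to a constructed set of strings and reports the ones that should be disabled or tightened; the Community class, the sample names and the 192.0.2.x addresses are assumptions.

```python
"""Audit SNMPv1/SNMPv2c community strings using the attributes the AT-S63
menus expose: name, access mode (R or W), operating status, open access
status, manager IP addresses and trap receivers.  Constructed example, not
Allied Telesyn code; the community strings and addresses below are made up."""
from dataclasses import dataclass, field
from typing import Dict, List

# The two factory-default strings: public (Read) and private (Read/Write).
DEFAULT_STRINGS = {"public", "private"}


@dataclass
class Community:
    name: str
    access: str                  # "R" = Read only, "W" = Read/Write (menu prompt values)
    enabled: bool = True         # operating status: a disabled string cannot be used
    open_access: bool = False    # open access status: any host may use the string
    managers: List[str] = field(default_factory=list)        # workstations allowed in closed mode
    trap_receivers: List[str] = field(default_factory=list)  # hosts that receive traps


def audit_community(c: Community) -> List[str]:
    """Return the findings for one community string (empty list if none)."""
    findings: List[str] = []
    if not c.enabled:
        return findings          # a disabled string gives no access, nothing to report
    if c.name in DEFAULT_STRINGS:
        findings.append("factory-default community string is still enabled")
    if c.access == "W" and c.open_access:
        findings.append("Read/Write string with open access: any host can change MIB objects")
    if c.open_access and c.managers:
        # The guide ties the manager IP list to closed access mode, so with open
        # access the list does not limit who may use the string (assumption).
        findings.append("manager IP list does not restrict use while open access is enabled")
    return findings


def audit(communities: List[Community]) -> Dict[str, List[str]]:
    """Map each community string that has findings to its list of findings."""
    report: Dict[str, List[str]] = {}
    for c in communities:
        findings = audit_community(c)
        if findings:
            report[c.name] = findings
    return report


# Constructed sample: two defaults plus three site-specific strings.
SAMPLE = [
    Community("public", "R", open_access=True),
    Community("private", "W", enabled=False),
    Community("netops-rw", "W", open_access=True),
    Community("netops-ro", "R", managers=["192.0.2.10"], trap_receivers=["192.0.2.20"]),
    Community("mgmt-rw", "W", managers=["192.0.2.10"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```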
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Community String

To modify a community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 20 on page 107.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
The menu options are described below:

1 - Add Attributes to Community
If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following:

a. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
Enter SNMP Manager IP Addr:

c. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:

Enter Trap Receiver IP Addr:

d. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return.
e. After making changes, type R until you return to the Main Menu.
Enter Community Status [E-Enable, D-Disable]:

c. Type E to enable the community string or D to disable it. This confirmation prompt is displayed:

Do you want to change Community Status? (Y/N): [Yes/No] ->

d. Type Y to change the string’s status or N to cancel the change.
e. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting a Community String

To delete an SNMPv1 or SNMPv2c community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 20 on page 107.
3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
Displaying the SNMP Community Strings

To display the attributes of all the SNMP community strings on the switch, use the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 20 on page 107.
3.
Chapter 6
Port Parameters

This chapter contains the procedures for viewing and changing the parameter settings for the individual ports on a switch, and contains the following procedures:

“Displaying Port Status” on page 120
“Configuring Port Parameters” on page 123
“Configuring Head of Line Blocking” on page 128
“Configuring Flow Control and Back Pressure” on page 130
“Configuring Port Filtering” on page 132
“Setting Up Rate Limiting” on page 134
Chapter 6: Port Parameters

Displaying Port Status

To display the current status of the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24.
Note
The speed, duplex mode, and flow control settings are blank for a port that has not established a link to its end node.

The Port Status menu displays a table that contains the following columns of information:

Port
The port number.

Link
The status of the link between the port and the end node connected to the port. The possible settings are:

Up - Indicates that a valid link exists between the port and the end node.
Port Type
The port type.
Configuring Port Parameters

To configure the basic parameter settings for a port, such as speed and duplex mode, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:

Enter port-list ->

3. Enter the number of the port to be configured.
Note
If you are configuring multiple ports and the ports have different settings, the Port Configuration menu displays the settings of the lowest numbered port. After you have configured the settings of the port, all its settings are copied to the other selected ports.

4. Adjust the following parameters as necessary.

Note
A change to a parameter is immediately activated on the port.
Note
When you set negotiation to Manual, items 7 (Speed), 8 (Duplex), and 9 (MDI Crossover) are displayed. If you select Auto for Auto-Negotiation, which is the default setting, the switch sets speed, duplex mode, and MDI crossover for the port automatically. The switch determines the highest possible common speed between the port and its end node and sets the port to that speed.
7 - Speed
This item is only available when Negotiation is set to Manual. Type 7 to toggle between the following selections:

10 Mbps
100 Mbps
1000 Mbps (Applies only to 1000Base SFP and GBIC modules. This selection should not be used. An SFP or GBIC module should use Auto-Negotiation to set its speed and duplex mode.)

8 - Duplex
This item is only available when Negotiation is set to Manual. The possible settings are full-duplex and half-duplex.
5. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring Head of Line Blocking

Head of line (HOL) blocking is a problem that occurs when a port on a switch becomes oversubscribed. An oversubscribed port is receiving more packets from other switch ports than it can transmit in a timely manner. An oversubscribed port can prevent other ports from forwarding packets to each other because ingress packets on a port are buffered in a First In, First Out (FIFO) manner.
other ports to discard packets destined for port D. Port A drops the D packets, enabling it to once again forward packets to port C.

The number that you enter for this value represents cells. A cell is 128 bytes. The range is 0 to 8191 cells. The default is 682.

To set up head of line blocking, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2.
Configuring Flow Control and Back Pressure

A switch port uses flow control to control the flow of ingress packets from its end node when operating in full-duplex mode. A port using flow control issues a special frame, referred to as a PAUSE frame, as specified in the IEEE 802.3x standard, to stop the transmission of data from an end node. When a port needs to stop an end node from transmitting data, it issues this frame. The frame instructs the end node to cease transmission.
4. From the Port Configuration menu, type 3 to select Flow Control. The Flow Control menu is shown in Figure 28.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing          User: Manager    11:20:02 02-Mar-2005
Flow Control
Configuring Port 11
1 - Flow Control (Full-Duplex) Status .... Disabled
2 - Flow Control Threshold ............... 7935 cells
3 - Back Pressure (Half-Duplex) Status ... Disabled
4 - Back Pressure Threshold ..............
Configuring Port Filtering

If the performance of your network is affected by heavy traffic, you can use these parameters to restrict ingress and egress broadcast packets as well as unknown unicast and multicast packets forwarded by a port. Activating this feature on a port causes the port to discard all packets of the type you specified. For example, you might configure a port to discard all ingress and egress broadcast packets or perhaps just unknown unicast egress packets.
5. From the Filtering menu, type 1 to toggle Unknown Unicast Ingress Filtering between Disabled and Enabled.
6. Type 2 to toggle Unknown Unicast Egress Filtering between Disabled and Enabled.
7. Type 3 to toggle Unknown Multicast Ingress Filtering between Disabled and Enabled.
8. Type 4 to toggle Unknown Multicast Egress Filtering between Disabled and Enabled.
9. Type 5 to toggle Broadcast Ingress Filtering between Disabled and Enabled.
10.
Setting Up Rate Limiting

The rate limiting feature allows you to set the maximum number of ingress packets the port accepts each second. Packets exceeding the threshold are discarded. You can enable rate limiting and set a rate independently for unknown unicast, multicast, and broadcast packets. To set rate limiting, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2.
b. If you enabled the feature, type 2 to select Unknown Unicast Rate. The following prompt is displayed:

Enter the Rate Limit (packets/second):[0 to 262143]->

c. Enter a number for the rate limit.

6. To control multicast packets, do the following:

a. Type 3 to toggle Multicast Rate Limiting Status between Enabled and Disabled.
b. If you enabled the feature, type 4 to select Multicast Rate.
Resetting a Port

Resetting a port is useful in situations where a port is having problems establishing a valid connection to its end node. Resetting a port does not change any of its parameter settings. To reset a port, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2. From the Port Configuration menu, type 1 to select Port Configuration.
Forcing Port Renegotiation

Port renegotiation prompts a port operating in Auto-Negotiation to renegotiate its speed and duplex mode with its end node. This option is useful if you believe that a port and end node are not operating at the same speed and duplex mode. To force port renegotiation, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2.
Resetting the Port Configuration to the Default Settings

You can return the parameter settings of a port to the default values. To reset a port’s settings to the default settings, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:

Enter port-list ->

3.
Displaying Port Statistics

To display Ethernet port statistics, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 31.
The Display Port Statistics menu is shown in Figure 32.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing          User: Manager    11:20:02 02-Mar-2005
Display Port Statistics
Port 6
Bytes Rx ......... 983409801
Frames Rx ........ 815423
Bcast Frames Rx... 107774
Mcast Frames Rx .. 11429
Frames 64 ........ 110509
Frames 128-255 ... 1928
Frames 512-1023 .. 157796
CRC Error ........ 0
No. of Rx Errors . 0
UnderSize Frames . 0
Fragments ........ 0
Frames 1519-1522 . 0
Bytes Tx .........
Frames 64
Frames 65-127
Frames 128-255
Frames 256-511
Frames 512-1023
Frames 1024-1518
Frames 1519-1522
Number of frames transmitted from the port, grouped by size.

CRC Error
Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.

Jabber
Number of occurrences of corrupted data or useless signals appearing on the port.

No. of Rx Errors
Number of receive errors.

No.
Clearing Port Statistics

To clear the Ethernet port statistics and reset them to “0”, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 24 on page 120.
2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 31 on page 139.
3. Type 2 to select Clear Statistics.
Chapter 7
MAC Address Table

This chapter contains the procedures for viewing the static and dynamic MAC address table. It also explains how to add static MAC addresses to the table.
Chapter 7: MAC Address Table

MAC Address Overview

The AT-9400 Series switch contains a MAC address table with a storage capacity of 16,000 entries. The switch uses the table to store the MAC addresses of the network nodes connected to its ports, along with the port number on which each address was learned. The switch learns the MAC addresses of the end nodes by examining the source address of each packet received on a port.
MAC address table from becoming filled with addresses of nodes that are no longer active. The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-9400 Series switch. The default value is 300 seconds (5 minutes). For instructions on changing the aging timer, refer to “Changing the Aging Time” on page 154.
Displaying the MAC Address Tables

The AT-S63 management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses. To display the MAC address tables, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 33.
Choose one of the following display types.

1 - Display All
This selection displays all dynamic addresses learned on the ports of the switch and all static addresses that have been assigned to the ports. An example of a unicast MAC address table is shown in Figure 35.
An example of a multicast MAC address table is shown in Figure 36.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing          User: Manager    11:20:02 02-Mar-2005
Display All                                          Page 1
Total Number of MCAST MAC Addresses: 1
MAC Address        VLANID  Type    Port Maps (U:Untagged T:Tagged)
--------------------------------------------------------------
01:00:51:00:00:01  1       Static  U:1-4 T:
U - Update Display
R - Return to Previous Menu
Enter your selection?

Figure 36.
5 - Display Specified MAC
This selection displays the port number on which a MAC address was assigned or learned. If you want to know on which port a particular MAC address was learned, you can display the MAC address table and scroll through the list looking for the MAC address. But if the switch is part of a large network, finding the address could prove difficult.
Adding Static Unicast and Multicast MAC Addresses

This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-9400 Series switch. To add a static MAC address, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 33 on page 146.
2.
5. Enter the number of the port on the switch where you want to assign the static address. If you are adding a static unicast address, you can specify only one port. If you are entering a static multicast address, you must specify the port where the multicast application is located as well as the ports where the host nodes are connected.
Deleting Unicast and Multicast MAC Addresses

To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 33 on page 146.
2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 37 on page 150.
3.
Deleting All Dynamic MAC Addresses

To delete all dynamic unicast and multicast MAC addresses from the MAC address table, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 33 on page 146.
2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 37 on page 150.
3.
Changing the Aging Time

The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. The switch deletes a MAC address from the table when no packets are sent to or received from the end node of the address for the period of time specified by the aging time. This prevents the table from filling with addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
Chapter 8
Static and LACP Port Trunks

This chapter contains the procedures for creating, modifying, and deleting static and LACP port trunks.
Chapter 8: Static and LACP Port Trunks

Port Trunk Overview

A port trunk is an economical way for you to increase the bandwidth between the Ethernet switch and another networking device, such as a network server, router, workstation, or another Ethernet switch. A port trunk is a group of ports that have been grouped together to function as one logical path.
manufacturer. For this reason static trunks are typically employed only between devices from the same vendor. That is not to say that an Allied Telesyn layer 2 managed switch cannot form a static trunk with a device from another manufacturer. But there is the possibility that the implementations of static trunking on the two devices might not be compatible. Also note that a static trunk does not provide for redundancy or link backup.
LACP Trunk Overview

The switch can support up to six static and LACP trunks at a time (for example, four static trunks and two LACP trunks). An LACP trunk is counted against the maximum number of trunks only when it is active. The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown destination. For example, a trunk of ports 11 to 15 would use port 11 for broadcast packets.
assumes that the other port is not part of an LACP trunk. Instead it functions as a normal Ethernet port by forwarding network traffic. However, it does continue to send LACPDU packets. If it begins to receive LACPDU packets, it automatically transitions to an active or standby mode as part of an aggregate trunk.
Here is how the example looks in a table format.

Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3                1-3
Aggregator 2             12-14              12-14

Caution The example cited here illustrates a loop in a network. Avoid network loops to prevent broadcast storms. If the aggregate trunks go to different devices, you can create one aggregator and let the AT-9400 Series switch form the trunks for you automatically. This is illustrated in Figure 40.
Here is how this example looks in table format.

Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3, 12-14         1-3
                                            12-14

You could, if you wanted, create separate aggregators for the different aggregate trunks in the example above. But letting the switch make the determination for you whenever possible saves time later if you physically reassign ports to a different trunk connected to another device.
Adminkey Parameter The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without generating a conflict.
Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different load distribution methods to different aggregate trunks, you must create a separate aggregator for each trunk.
The switch can support up to six static and LACP aggregate trunks at a time (for example, four static trunks and two LACP trunks). An LACP trunk is counted against the maximum number of trunks only when it is active. The port with the highest priority in an aggregate trunk carries broadcast packets and packets with an unknown destination.
In cases where you select a load distribution that employs either a source or destination address but not both, only the last three bits of the designated address are used in selecting a transmission port in a trunk. If you select one of the two load distribution methods that employs both source and destination addresses, port selection is achieved through an XOR operation of the last three bits of both addresses.
Port trunk mappings on an AT-9400 Series switch can consist of up to eight ports. This corresponds to the maximum number of ports allowed in a static trunk and the maximum number of active ports in an LACP trunk. Inactive ports in an LACP trunk are not applied to the mappings until they transition to the active status. You can assign different load distribution methods to different static trunks on the same switch. The same is true for LACP aggregators.
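The selection rule described above can be modeled to see how evenly a given traffic mix lands on the trunk ports, which is useful when a trunk appears saturated on one link. This is an added example, not code from the guide or from the switch firmware; it assumes that "last three bits" means the three low-order bits of the address's final byte, and that a trunk with fewer than eight active ports takes the three-bit selector modulo the port count.

```python
from collections import Counter
from typing import Dict, Sequence, Tuple

# The six load distribution methods named in the guide.
METHODS = ("SRC MAC", "DST MAC", "SRC/DST MAC", "SRC IP", "DST IP", "SRC/DST IP")


def last_three_bits(addr: str) -> int:
    """Low-order three bits of an address.

    Assumption: "the last three bits" are the three least significant bits of the
    address's final byte (MAC written as aa:bb:cc:dd:ee:ff, IPv4 as a dotted quad).
    """
    if ":" in addr:
        last = int(addr.split(":")[-1], 16)
    else:
        last = int(addr.split(".")[-1])
    return last & 0b111


def selection_index(method: str, src_mac: str, dst_mac: str,
                    src_ip: str, dst_ip: str) -> int:
    """Three-bit selector (0..7) for one packet under the given method.

    Single-address methods use the last three bits of that address; the two
    SRC/DST methods XOR the last three bits of both addresses, as the guide states.
    """
    if method not in METHODS:
        raise ValueError(f"unknown load distribution method: {method}")
    if method == "SRC MAC":
        return last_three_bits(src_mac)
    if method == "DST MAC":
        return last_three_bits(dst_mac)
    if method == "SRC/DST MAC":
        return last_three_bits(src_mac) ^ last_three_bits(dst_mac)
    if method == "SRC IP":
        return last_three_bits(src_ip)
    if method == "DST IP":
        return last_three_bits(dst_ip)
    return last_three_bits(src_ip) ^ last_three_bits(dst_ip)


def select_port(method: str, active_ports: Sequence[int], src_mac: str,
                dst_mac: str, src_ip: str, dst_ip: str) -> int:
    """Map the selector onto one of the active trunk ports (at most eight).

    The guide says a mapping covers up to eight ports but does not say how fewer
    than eight ports fill the eight selector values; this example ASSUMES
    selector modulo the number of active ports.
    """
    if not 1 <= len(active_ports) <= 8:
        raise ValueError("a trunk has 1 to 8 active ports")
    idx = selection_index(method, src_mac, dst_mac, src_ip, dst_ip)
    return active_ports[idx % len(active_ports)]


def port_load(method: str, active_ports: Sequence[int],
              flows: Sequence[Tuple[str, str, str, str]]) -> Dict[int, int]:
    """Count flows per trunk port for (src_mac, dst_mac, src_ip, dst_ip) tuples."""
    counts: Counter = Counter({p: 0 for p in active_ports})
    for src_mac, dst_mac, src_ip, dst_ip in flows:
        counts[select_port(method, active_ports, src_mac, dst_mac, src_ip, dst_ip)] += 1
    return dict(counts)


# Constructed sample: one server MAC talking to eight client MACs whose final
# bytes run 00..07. Under SRC MAC every flow shares one selector, so the whole
# load lands on a single trunk port; under DST MAC the flows spread out.
SAMPLE_FLOWS = [
    ("00:15:77:aa:bb:0d", f"00:1a:2b:3c:4d:{i:02x}", "10.0.0.5", f"10.0.0.{10 + i}")
    for i in range(8)
]

if __name__ == "__main__":
    for m in ("SRC MAC", "DST MAC", "SRC/DST MAC"):
        print(m, port_load(m, [1, 2, 3], SAMPLE_FLOWS))
```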
Managing Static Port Trunks The following procedures explain how to create, modify, and delete static port trunks:
“Creating a Static Port Trunk,” next
“Modifying a Static Port Trunk” on page 170
“Deleting a Static Port Trunk” on page 172
For background information, refer to “Static Port Trunk Overview” on page 156. Creating a Static Port Trunk This section contains the procedure for creating a static port trunk on a switch.
The Port Trunking and LACP menu is shown in Figure 41.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
Port Trunking and LACP
1 - Static Port Trunking
2 - LACP Configuration
R - Return to Previous Menu
Enter your selection?

Figure 41. Port Trunking and LACP Menu

3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 42.
DST MAC Destination MAC address.
SRC/DST MAC Source address/destination MAC address.
SRC IP Source IP address.
DST IP Destination IP address.
SRC/DST IP Source address/destination IP address.
Status - The operating status of the trunk. If the trunk has established a link with the other device, the status will be UP. If the trunk has not established a link or the ports in the trunk are disabled, the status will be DOWN.
4.
3 - Trunk Method Specifies the load distribution method. The possible settings are:
SRC MAC - Source MAC address
DST MAC - Destination MAC address
SRC/DST MAC - Source address/destination MAC address
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source address/destination IP address
The default is SRC/DST MAC. For background information, refer to “Load Distribution Methods” on page 164.
If you are adding a port and the port will not be the lowest numbered port in the trunk, its settings will be changed to match the settings of the existing ports in the trunk. If you are adding a port to a static trunk, you should check to be sure that the new port is an untagged member of the same VLAN as the other trunk ports. A trunk cannot contain ports that are untagged members of different VLANs.
Note You cannot change a trunk’s ID number.
2 - Trunk Name Specifies the trunk name. Enter a name for the trunk. The name can be up to 16 alphanumeric characters. No spaces or special characters, such as asterisks and exclamation points, are allowed. Each trunk must have a unique name.
3 - Trunk Method Specifies the load distribution method.
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 41 on page 168.
3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 42 on page 168.
4. Type D to select Delete Trunk. The following prompt is displayed: Enter Trunk ID: [1 to 6] ->
5.
Managing LACP Port Trunks The following procedures explain how to create and manage LACP trunks:
“Enabling or Disabling LACP,” next
“Setting the LACP System Priority” on page 175
“Creating an Aggregator” on page 176
“Modifying an Aggregator” on page 179
“Deleting an Aggregator” on page 181
“Displaying LACP Port and Aggregator Status” on page 182
For background information, refer to “LACP Trunk Overview” on page 158.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 45.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
LACP (IEEE 802.3ad) Configuration
1 - LACP Status ................ Disabled
2 - Priority ................... 0x0080
3 - Create Aggregator
4 - Modify Aggregator
5 - Delete Aggregator
6 - Show LACP Port Status
7 - Show LACP Aggregator Status
R - Return to Previous Menu
Enter your selection?

Figure 45.
The following prompt is displayed: Enter Priority [0x1 - 0xFFFF]: [0x1 to 0xffff] -> 0x
5. Enter the new value in hexadecimal. The range is 1 to FFFF. The lower the value, the higher the priority. The prefix “0x” indicates that the number is hexadecimal. The new priority value takes effect immediately on the switch.
6. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
The Create LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 46.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
Create LACP (IEEE 802.3ad) Aggregator
1 - Aggregator ..................
2 - Adminkey .................... 0x0000
3 - Distribution Mode ........... SRC/DST MAC
4 - Port Range ..................
C - Create Aggregator
R - Return to Previous Menu
Enter your selection?

Figure 46.
3 - Distribution Mode Sets the load distribution method. Possible settings are:
SRC MAC - Source MAC address
DST MAC - Destination MAC address
SRC/DST MAC - Source address/destination MAC address
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source address/destination IP address
The default is SRC/DST MAC. For background information, refer to “Load Distribution Methods” on page 164.
Modifying an Aggregator This procedure explains how to modify an aggregator. You can use this procedure to change the load distribution method of an aggregator or to add or remove ports. To modify an aggregator, you need to know its name. To view the names of the existing aggregators, refer to “Displaying LACP Port and Aggregator Status” on page 182.
5. Type 1 to select Aggregator and, when prompted, enter the name of the aggregator to be modified. The name is case-sensitive. (To display the names of the aggregators on a switch, refer to “Displaying LACP Port and Aggregator Status” on page 182.) After you enter the aggregator’s name, the specifications of the aggregator are displayed in the menu.
6. Configure the following parameters as necessary:
Note You cannot modify the name or adminkey of an aggregator.
Deleting an Aggregator This procedure deletes an aggregator from the switch. The ports that are members of the aggregator stop transmitting LACPDU packets after the aggregator is deleted.
Caution Disconnect the cables from the ports of the aggregator before performing the following procedure. Deleting an aggregator without first disconnecting the cables can create loops in your network topology.
Displaying LACP Port and Aggregator Status To display LACP port and aggregator status, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 41 on page 168.
3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 45 on page 175.
4.
Figure 49 is an example of the LACP (IEEE 802.3ad) Aggregator Status menu. The information is for viewing purposes only.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
LACP (IEEE 802.3ad) Aggregator Status
Aggregator #1 .................
Adminkey ......................
Oper Key.......................
Speed .........................
Distribution Mode .............
Ports configured ..............
Ports in LAGID ......
Chapter 9 Port Mirroring This chapter contains the procedures for creating and deleting a port mirror.
Chapter 9: Port Mirroring Port Mirroring Overview The port mirroring feature allows you to unobtrusively monitor the traffic being received and transmitted on one or more ports on a switch by having the traffic copied to another switch port. You can connect a network analyzer to the port where the traffic is being copied and monitor the traffic on the other ports without impacting network performance or speed. The port(s) whose traffic you want to mirror is called the source port(s).
Creating a Port Mirror To create a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 50.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
Port Mirroring
1 - Enable/Disable ....................
The following prompt is displayed: Mirror-To Port (0-24):
6. Enter the number of the port to function as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port.
7. To mirror the ingress (received) traffic on one or more ports, do the following:
a. Type 3 to select Ingress (Rx) Mirror (Source Ports.
Disabling a Port Mirror To delete a port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 51 on page 187.
3. From the Port Mirroring Menu, type 1 to select Enable/Disable. The following prompt is displayed: Enter Enable(E)/Disable(D):
4. Type D to disable the feature.
Modifying a Port Mirror To modify the port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 51 on page 187.
3. Type 2 to select Mirror-To (Destination) Port. The following prompt is displayed: Mirror-To Port (01-24):
4. Enter the number of the port that will function as the destination port.
Displaying the Port Mirror To display the port mirror, perform the following procedure:
1. From the Main Menu, type 1 to select Port Configuration.
2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 52.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
Port Mirroring
1 - Enable/Disable ......................
2 - Mirror-To (Destination) Port ........
Section II Advanced Operations The chapters in this section contain overview information on some of the advanced features of the AT-9400 Series switch. The chapters also contain procedures for configuring these features using the AT-S63 management software.
Chapter 10 File System This chapter describes the AT-S63 file system, and how you can copy, rename, and delete system files from the file system or from a compact flash card. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
Chapter 10: File System File System Overview The AT-S63 management software has a file system for storing system files. The file system is a part of flash memory in the switch. You can view a list of files as well as copy, rename, and delete files. For those AT-9400 Series switches that support a compact flash memory card, you can perform the same functions on the files stored on a flash card, as well as copy files between the switch’s file system and a flash card.
File Naming Conventions The flash memory file system is a flat file system—directories are not supported. However, directories are supported on compact flash cards. In both types of storage, files are uniquely identified by a file name in the following format: filename.ext where: filename is a descriptive name for the file, and may be one to sixteen characters in length.
Using Wildcards to Specify Groups of Files You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions:
*.cfg
*.key
28*.cfg
Specifying the File Location When you work with files on a switch that supports a compact flash card, the default file location for file system operations is flash memory.
Working with Boot Configuration Files A boot configuration file contains the series of commands that recreate the current or a specific configuration of the switch when the unit is power cycled or reset. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so forth. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.
“Selecting the Active Boot Configuration File for the Switch” on page 202
Creating a Boot Configuration File To create a boot configuration file that contains the switch’s current configuration, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 53.
4. From the File Operations menu, type 3 to select Create Configuration File. The following prompt is displayed: Enter the file name:
5. Enter a file name for the new boot configuration file. When entering a file name, observe the following:
Be sure to include the “.cfg” extension.
The file name can be up to 16 alphanumeric characters. Spaces are allowed.
See “File Naming Conventions” on page 197.
Note Only the active boot configuration file is changed when you select the Save Configuration Changes option in the Main Menu. No other boot configuration files stored on the switch are altered.
Selecting the Active Boot Configuration File for the Switch You have now created the boot configuration file, made the necessary changes to the switch’s parameter settings, and saved the changes.
file system, but is instead used and updated directly from the card. If you remove the card and reset the switch, the management software uses its default settings. If the file is on a flash memory card, you must change to the directory where the file is stored before performing this command. The command does not accept a directory path. To change directories on a flash card, see “Changing the Current Flash Card Directory” on page 219.
The name of the file should now appear following selection 1 in the File Operations menu. The file name should be followed by “Exist”, which means that the file exists in the switch’s file system. If the management software is unable to find the file, it displays: The specified file was not found on the system. Check to be sure you entered the name of the file correctly. If necessary, perform “Listing All Files” on page 212 to verify the name of the file.
6.
The contents of the boot configuration file are displayed in the View File menu. An example is shown in Figure 54.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
View File
Viewing file “mydefault.
The following are several guidelines for editing a boot configuration file:
The text editor must be able to store the file as ASCII text. Do not use special formatting codes, such as boldface or italics.
The boot configuration file must contain AT-S63 command line commands. You enter the commands you want the switch to perform when reset or power cycled. For a description of the commands, refer to the AT-S63 Management Software Command Line Interface User’s Guide.
Copying a System File This procedure is used to create copies of files stored in a switch’s file system or on a flash memory card. For instance, you might perform this procedure to create a copy of a configuration file so that you have a backup copy. You can also use this procedure to copy files between a switch’s file system and a flash memory card.
6. Enter the new file name. The file name can be up to 16 alphanumeric characters, followed by a 3 letter extension. You must keep the same extension as the original file. To store the file on a compact flash card, precede the filename with “cflash:” The following message is displayed: Please wait... Press any key ...
7. Press any key to return to the File Operations menu.
Renaming a System File This procedure is used to rename files in a system’s file system or a compact flash card. Before renaming a file, note the following: To rename a file on a compact flash card, you must first change to the directory where the file is stored. This procedure does not allow you to specify a directory path. For instructions, refer to “Changing the Current Flash Card Directory” on page 219.
You can enter a file name of up to 16 alphanumeric characters, followed by a 3 letter extension. You must keep the same extension. If the file is located on a compact flash card, precede the filename with “cflash:” The following message is displayed: Please wait... Press any key ... Press any key to return to the File Operations menu.
Examples The following examples illustrate how to rename files in a switch’s flash memory and on a compact flash card.
Deleting a System File This procedure is used to delete files from a system’s flash memory or a compact flash card. Before deleting a file, note the following: Deleting the active boot configuration file and then resetting the switch returns the unit to its default parameter settings, unless you save the current configuration or select another active boot configuration file.
Displaying System Files Use this procedure to display a list of the system files currently stored either in the flash memory of the switch or on a compact flash card. For information about shortcuts for specifying file names, see “File Naming Conventions” on page 197.
An example of this display is shown in Figure 55.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
List Files

File Name          Device   Size (Bytes)   Last Modified
------------------------------------------------------------
default.cfg        flash    805            01/10/2002 12:01:16
boot.cfg           flash    1249           10/24/2003 16:50:40
newcfg.cg          flash    1082           07/12/2003 16:59:06
serverkey150.key   flash    768            11/30/2003 19:17:35
ProdSw.
Listing Files on the Compact Flash Card To view the files on the compact flash card, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 53 on page 200.
4. From the File Operations Menu, type 8 to select List Files.
Working with Flash Memory An AT-9400 Series switch contains flash memory where the file system, which contains files such as the configuration file, and event log are stored.
Displaying Information about the Flash Memory To display information about the flash memory, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3.
Formatting the Flash Memory The procedure formats the flash memory in the switch.
Caution Formatting the flash memory deletes ALL files from the switch, including the active configuration file, encryption keys, and certificates. Only the AT-S63 image file in the application block is retained. To remove selected files, use the procedure in “Deleting a System File” on page 211.
Caution This procedure causes a system reset.
Working with the Compact Flash Card Some AT-9400 Series switches contain a compact flash card slot, into which you can put a compact flash card. You can then copy files such as configuration files onto the compact flash card, take the card to other switches that have compact flash card slots, and copy files from the compact flash card to that switch through a local connection.
Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager 11:20:02 02-Mar-2005
Display Compact Flash Information

Compact Flash:
------------------------------------------------------
Current Directory: \
Number of files ......... 0
Number of directories ... 1
Bytes used .............. 0

Card Information:
Hardware detected .......
Serial Number ...........
Size ....................
Used ....................
Free ....................
Size The size in KB of the compact flash card.
Used The amount of space that is currently used.
Free The amount of space that is free.
Changing the Current Flash Card Directory To change the current directory on a compact flash card, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 9 to select System Utilities.
3.
Chapter 11 File Downloads and Uploads This chapter contains the procedures for downloading a new AT-S63 image file onto the switch. This chapter also contains the procedures for uploading and downloading system files, such as a boot configuration file, from the file system in the switch.
Chapter 11: File Downloads and Uploads Downloading the AT-S63 Image File onto a Switch This section contains the following two procedures: “Downloading the AT-S63 Image from a Local Management Session” on page 224 “Downloading the AT-S63 Image from a Remote Management Session” on page 228 These procedures explain how to download a new version of the AT-S63 image file onto a switch from a local management session using either Xmodem or TFTP, or from a remote management session (i.
interface is assigned the same address. If the unit obtained its IP configuration from a DHCP or BOOTP server, the interface is created with its DHCP or BOOTP client activated. The interface is given the interface number 0 and assigned to the preexisting management VLAN. Furthermore, the interface is designated as the local interface on the switch. For example, if the switch has the static IP address 149.44.44.
Downloading the AT-S63 Image from a Local Management Session Review “Guidelines” on page 222 before performing the following download procedure. To download a new AT-S63 software image into the application block portion of the switch’s flash memory, making it the active image file on the switch, from a local management session using Xmodem or TFTP, perform the following procedure:
1.
The following prompt is displayed: TFTP Server IP address:
b. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name:
c. Enter the file name of the AT-S63 image file stored on the TFTP server. The following message is displayed: Getting the file from Remote TFTP Server - Please wait ...
d. If you have not already done so, start the TFTP server software.
Note The transfer protocol must be Xmodem or 1K Xmodem.
8. Type Y for Yes. The prompt “Downloading” is displayed.
9. Begin the file transfer. Steps 10 through 13 illustrate how you download a file using the Hilgraeve HyperTerminal program.
10. From the HyperTerminal main window, select Send File from the Transfer menu, as shown in Figure 61.
Figure 61. HyperTerminal Window
The Send File window is shown in Figure 62.
Figure 62. Send File Window
11.
13. Click Send. The software immediately begins downloading onto the switch. The Xmodem File Send window in Figure 63 displays the current status of the software download. The download process takes several minutes to complete.
Figure 63. XModem File Send Window
After receiving the file, the switch compares the version number of the new image file that you just downloaded against the file already in the application block on the switch.
Downloading the AT-S63 Image from a Remote Management Session Review “Guidelines” on page 222 before performing the following download procedure. To download a new AT-S63 image file into the application block portion of the switch’s flash memory, making it the active image file on the switch, from a remote management session (i.e., Telnet or SSH) using TFTP, perform the following procedure:
1.
After the switch has downloaded the image file, the following message is displayed: File received successfully! After receiving the file, the switch compares the version number of the new image file that you just downloaded against the file already in the application block on the switch. If the new image file has an earlier or the same version number as the file in the switch’s application block, it cancels the update process.
Uploading the AT-S63 Image File Switch to Switch The procedure in this section uploads an AT-S63 software image from a master AT-9400 Series switch to another AT-9400 Series switch. This procedure is useful in networks that contain a large number of AT-9400 Series switches.
VLAN. Furthermore, the interface is designated as the local interface on the switch. For example, if the switch has the static IP address 149.44.44.44 and the management VLAN has a VID of 12, the upgrade process automatically creates a routing interface with the same IP address and names it VLAN12-0. It assigns the interface to the VLAN with the VID of 12 and designates it as the switch’s local interface.
The following prompt is displayed: Do you want to show remote switch burning flash -> [Yes/No]
6. You can respond with Yes or No to this prompt. It does not affect the download. The following prompt is displayed: Do you want confirmation before downloading each switch > [Yes/No]
7. If you answer Yes to this prompt, the management software prompts you with a confirmation message before upgrading a switch.
Uploading an AT-S63 Configuration File Switch to Switch This procedure explains how to upload a boot configuration file on a master AT-9400 Series switch to another AT-9400 Series switch in an enhanced stack. This procedure provides you with an easy way of distributing a configuration file to different switches that are to share a similar configuration.
Caution This procedure causes the switch to reset. Some network traffic may be lost.
To upload a boot configuration file on the master switch to another switch in an enhanced stack, perform the following procedure:
1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 16 on page 95.
2. From the Enhanced Stacking menu, type 2 to select Stacking Services.
After you have entered a name, the following prompt is displayed: Enter the list of switches ->
7. Enter the number (Num column in the menu) of the AT-9400 Series switch where you want to upload the configuration file. You can specify more than one switch at a time (for example, 2,4,5).
Note You can upload an AT-9400 Series configuration file only onto other AT-9400 Series switches.
Downloading a System File
This section contains the following two procedures:
"Downloading a System File from a Local Management Session" on page 238
"Downloading a System File from a Remote Management Session" on page 241
Both procedures download files into a switch's file system. One downloads files from a local management session using either Xmodem or TFTP; the other explains how to do it from a remote management session using TFTP. You must use TFTP to download files from a remote management session. Keep in mind that TFTP has no authentication and does not encrypt the transferred file, so the TFTP server should be reachable only from the management network and only for as long as the transfer takes.
If the switch supports a flash memory card, you can use these procedures to download a file to the card rather than to the switch's file system. To download a file to a flash memory card, first change to the directory on the card where you want to store the file. This procedure does not accept a directory path.
Downloading a System File from a Local Management Session
Review "Guidelines" on page 236 before performing this procedure. To download a system file onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.
2. From the System Administration menu, type 9 to select System Utilities.
d. Enter a name for the system file. This is the name under which the switch stores the file in its file system. To store the file on a flash memory card in the switch rather than in the file system, precede the name with "cflash:". The following message is displayed:
Getting the file from Remote TFTP Server - Please wait ...
e. If you have not already done so, start the TFTP server software.
The prompt "Downloading" is displayed.
9. Begin the file transfer of the system file using the terminal emulator program. Steps 10 through 14 illustrate how to download a system file using the Hilgraeve HyperTerminal program.
10. From the HyperTerminal main window, select Send File from the Transfer menu, as shown in Figure 64.
Figure 64. HyperTerminal Window
The Send File window is shown in Figure 65.
Figure 65. Send File Window
11.
The file immediately begins downloading onto the switch. The Xmodem File Send window in Figure 66 displays the current status of the download.
Figure 66. Xmodem File Send Window
The download is complete when the Downloads and Uploads menu is redisplayed.
14. If you downloaded a configuration file and want to make it the active boot file on the switch, refer to "Setting the Active Boot Configuration File" on page 202.
The System Utilities menu is shown in Figure 9 on page 71.
4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 60 on page 224.
5. From the Downloads and Uploads menu, type 3 to select Download a File. The following prompt is displayed:
Only TFTP downloads are available for a Telnet access
TFTP Server IP address:
6. Enter the IP address of the TFTP server.
This completes the procedure for downloading a file into the switch's file system or flash memory card from a remote management session using TFTP.
Uploading a System File
This section contains the following two procedures:
"Uploading a System File from a Local Management Session" on page 245
"Uploading a System File from a Remote Management Session" on page 248
These procedures explain how to upload files from a switch's file system to your management workstation or a TFTP server. One procedure explains how to perform the upload from a local management session using either Xmodem or TFTP.
To upload a public key, you must first export it from the key database into the switch's file system. For instructions, refer to "Exporting an Encryption Key" on page 781. Public keys have the file name extension ".key". You cannot upload an encryption key pair. Key pairs have the file name extension ".ukf". (The prohibition against uploading an encryption key pair is to prevent an unauthorized individual from obtaining the private key.
5. From the Downloads and Uploads menu, type 4 to select Upload a File. The following prompt is displayed:
Upload Method/Protocol [X-Xmodem, T-TFTP]:
6. To upload a system file using Xmodem, go to Step 7. To upload a file using TFTP, do the following:
a. Type T. The following prompt is displayed:
TFTP Server IP address:
b. Enter the IP address of the TFTP server. The following prompt is displayed:
Remote File Name:
c.
8. Enter the name of the system file on the switch that you want to upload to your computer. You can specify only one file. You cannot use wildcards in the file name. If the file is stored on a flash memory card, precede the name with "cflash:". The following prompt is displayed:
You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No]
Note: Please select 1K Xmodem protocol for faster download.
The Receive File window is shown in Figure 68.
Figure 68. Receive File Window
12. Click Browse and specify the location on your computer where you want the system file stored.
13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K Xmodem.
14. Click Receive.
15. When prompted, enter a name for the file. This is the name given to the file when it is stored on your workstation.
4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 60 on page 224.
5. From the Downloads and Uploads menu, type 4 to select Upload a File. The following prompt is displayed:
Only TFTP uploads are available for a Telnet access
TFTP Server IP address:
6. Enter the IP address of the TFTP server. The following prompt is displayed:
Remote File Name:
7.
Chapter 12 Event Logs and Syslog Servers This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server.
Chapter 12: Event Logs and Syslog Servers Event Log Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurred.
Working with the Event Logs
This section contains the following procedures:
"Enabling or Disabling the Event Logs," next
"Displaying an Event Log" on page 254
"Modifying the Event Log Full Action" on page 260
"Clearing an Event Log" on page 261
"Saving an Event Log to a File" on page 261
Enabling or Disabling the Event Logs
This procedure explains how to enable or disable the event logs on the switch.
3. To enable or disable event logging, type 1 to toggle Event Logging between the two options:
Enabled - The switch immediately begins to add events to the logs and to send events to any defined syslog servers. This is the default.
Disabled - The switch does not store events in the logs and does not send events to any syslog servers.
Note: You cannot individually disable or enable the temporary and permanent event logs.
4. To select the order of the events in the event log, type 3 to select Display Order and toggle between these two options:
Chronological - Displays the events from the oldest event to the most recent event. This is the default.
Reverse Chronological - Displays the events from the most recent event to the oldest event.
5.
You can select more than one severity at a time, separated by commas, for example, E,W.
7. To view the events of a particular AT-S63 software module, type 7 to select Event Module and enter the module. To specify more than one module, separate them by commas, for example, "system, stp, ptrunk". The default is ALL, which displays the events of all the modules.
Table 7.
8. To display the event messages of the log with the settings you have chosen, type V to select View Log. Figure 70 shows an example of an event log in Normal mode.
within the AT-S63 management software that generated the event. The second part is a description of the event. When you display the events in full mode, more information is included. Figure 71 shows the same portion of the event log as Figure 70 on page 258, but displayed in full mode.
Modifying the Event Log Full Action
This procedure explains how to control the action of the logs when they reach their maximum capacity of 4,000 events for the temporary log and 2,000 events for the permanent log. A log can either delete the oldest entries as it adds new entries or stop adding entries, so as to preserve the existing log contents. You can set the action independently for the two logs. The log full action does not apply to syslog servers. Note that with either setting some events are eventually lost from the local log, so if you need a complete record of the switch's events, forward them to a syslog server as described in "Configuring Log Outputs" on page 264.
Clearing an Event Log
To clear all events from an event log, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 69 on page 253.
3. From the Event Log menu, type C to select Clear Log. The following prompt is displayed:
Enter output to clear (T=Temporary, P=Permanent) ->
4.
When the save process is complete, the word "Complete" is displayed, followed by another prompt:
Press any key to continue.
7. Press any key. The log file is saved in the switch's file system as an ASCII file.
8. To view the log file, type R to return to the System Administration menu.
9. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is displayed, as shown in Figure 9 on page 71.
10.
13. To upload the file to your management station, refer to "Uploading a System File" on page 244.
Configuring Log Outputs
As explained in "Event Log Overview" on page 252, there are two methods for viewing the events generated by the switch. One approach is to display one of the switch's event logs. The drawback of this method is that you must establish a management session with the switch before you can view the logs, and you can view the log of only one switch at a time.
Creating a Log Output Definition
To create a log output definition, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 69 on page 253.
3. From the Event Log menu, type L to select Configure Log Outputs.
The Syslog Output Configuration menu is displayed, as shown in Figure 74.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Syslog Output Configuration

1 - Output ID ................
2 - Server IP Address ........ 0.0.0.
3 - Output Status ............
4 - Message Format ...........
5 - Facility Level ...........
6 - Event Severity ...........
7 - Event Module .............

Figure 74. Syslog Output Configuration Menu

11. Type 4 to toggle Message Format between the following options:
Normal - Sends the severity, module, and description for each event.
Extended - Sends the same information as Normal along with the date, time, and the switch's IP address. This is the default.
12. Type 5 to select Facility Level.
Table 9. Applicable RFC 3164 Numerical Code and AT-S63 Module Mappings (Continued)

Numerical Code   RFC 3164 Facility   AT-S63 Module
9                Clock daemon        Time-based modules: TIME (system time and SNTP), RTC
22               Local use 6         Physical interface and data link modules: PCFG, PMIRR, PTRUNK, STP, VLAN
23               Local use 7         SYSTEM events related to major exceptions
16               Local use 0         All other modules and events

Table 10. Numerical Code and Facility Level Mappings (Continued)

Numerical Code   Facility Level Setting
20               LOCAL4
21               LOCAL5
22               LOCAL6
23               LOCAL7

For example, selecting LOCAL2 as the facility level assigns the numerical code of 18 to all events sent by the switch to the syslog server. On the wire, the PRI value in angle brackets at the start of each syslog message is this facility code multiplied by 8 plus the numeric severity of the event, as defined in RFC 3164; a syslog server or SIEM filters on that value, so choose the facility level to match the rule set on the receiving side.
13. To include events of a selected severity, type 6 to select Event Severity.
15. Enter a list of modules separated by commas, for example, "system, stp, ptrunk".
16. Type C to create the log output. The switch adds the new syslog server definition to the Configure Log Outputs menu and begins to send events to the server if you enabled the definition when you created it. An example of the menu with a new syslog server definition is shown in Figure 75.
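The following is an added example, not part of the original guide and not AT-S63 code, showing how the Facility Level setting of Table 10 and the per-module mapping of Table 9 turn into the RFC 3164 PRI value a syslog server sees, and how a receiver decodes it back. It assumes that a setting other than LOCALn uses the per-module mapping of Table 9, that the AT-S63 severity letters E, W, I and D map to RFC 3164 severities 3, 4, 6 and 7, and the sample message line is constructed for the example.

```python
"""RFC 3164 PRI encoding for AT-S63 syslog output definitions (added example)."""
import re
from typing import Optional, Tuple

# Facility codes for the LOCALn settings of Table 10: LOCAL0 = 16 ... LOCAL7 = 23.
LOCAL_FACILITIES = {f"LOCAL{n}": 16 + n for n in range(8)}

# Per-module facility codes from Table 9; any module not listed falls back to Local use 0.
MODULE_FACILITIES = {
    "time": 9, "rtc": 9,                                            # Clock daemon
    "pcfg": 22, "pmirr": 22, "ptrunk": 22, "stp": 22, "vlan": 22,   # Local use 6
    "system": 23,                                                   # Local use 7
}
DEFAULT_FACILITY = 16                                               # Local use 0

# ASSUMPTION: AT-S63 severity letters -> RFC 3164 severity numbers. The page shows the
# letters E and W but not their numeric codes.
SEVERITY_CODES = {"E": 3, "W": 4, "I": 6, "D": 7}


def facility_code(setting: str, module: str) -> int:
    """Facility number for an event of `module` under a given Facility Level setting.

    A LOCALn setting applies one facility to every event. ASSUMPTION: any other setting
    (for example the menu's default) uses the per-module mapping of Table 9."""
    key = setting.upper()
    if key in LOCAL_FACILITIES:
        return LOCAL_FACILITIES[key]
    return MODULE_FACILITIES.get(module.lower(), DEFAULT_FACILITY)


def pri(facility: int, severity: int) -> int:
    """RFC 3164 section 4.1.1: PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    return divmod(value, 8)


_SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split a received syslog datagram into PRI, facility, severity and body.

    Syslog over UDP is unauthenticated, so a receiver validates the PRI field instead of
    trusting it: anything without a well-formed PRI, or above the maximum 191, is rejected."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    value = int(m.group("pri"))
    if value > 191:
        return None
    facility, severity = decode_pri(value)
    return {"pri": value, "facility": facility, "severity": severity, "body": m.group("rest")}


def encode_event(setting: str, module: str, severity_letter: str, body: str) -> str:
    """Build the message the switch would send for one event under one output definition."""
    f = facility_code(setting, module)
    return f"<{pri(f, SEVERITY_CODES[severity_letter])}>{body}"


# Constructed sample: a warning from the STP module under Facility Level LOCAL2.
SAMPLE_LINE = encode_event("LOCAL2", "stp", "W", "stp: topology change on port 3")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_syslog_line(SAMPLE_LINE))
```

With LOCAL2 selected, every event carries facility 18 regardless of module, which is what the page's example describes; with the per-module mapping an STP event would instead arrive as Local use 6 (22), so a server rule written for one setting will miss events sent under the other.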
5. Enter the number of the log output that you want to modify. The Syslog Output Configuration menu is displayed, as shown in Figure 74 on page 266.
6. Refer to "Creating a Log Output Definition" on page 265 for information about the menu selections.
7. When you complete the modifications, type M to select Modify Log Output. The Configure Log Outputs menu, shown in Figure 73 on page 265, is redisplayed.
8.
Displaying the Log Output Definition Details
To view the settings of a log output definition, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 69 on page 253.
3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu is shown in Figure 73 on page 265.
4.
Chapter 13 Classifiers This chapter explains classifiers and how you can create classifiers to define traffic flows.
Chapter 13: Classifiers Classifier Overview A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter could be packets with specific source and destination MAC addresses. A classifier contains a set of criteria you configure to match the traffic flow the classifier is to define.
is dictated by the QoS policy, as explained in Chapter 16, "Quality of Service" on page 325. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
Classifier Criteria
The components of a classifier are defined in the following subsections.
Figure 77. User Priority and VLAN Fields within an Ethernet Frame

Field                      Size
Preamble                   64 bits
Destination Address        48 bits
Source Address             48 bits
Tag Protocol Identifier    16 bits
User Priority              3 bits
CFI                        1 bit
VLAN Identifier            12 bits
Type/Length                16 bits
Frame Data                 368 to 12000 bits
CRC                        32 bits

You can identify a traffic flow of tagged packets using the user priority value.
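As an added example (not from the guide and not AT-S63 code), the parser below extracts the fields of Figure 77 from raw frame bytes and then applies a classifier that matches only on the user priority value, which is the check the switch hardware performs when such a classifier is attached to an ACL or QoS policy. The sample frames are constructed for the example, and the preamble is omitted because the NIC strips it before software sees the frame.

```python
"""Parse the 802.1Q tag fields of Figure 77 out of raw Ethernet frame bytes (added example)."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the header fields of an Ethernet frame, or None if it is too short.

    Layout after the preamble: DA (6 bytes), SA (6 bytes), then either Type/Length
    (2 bytes) or, for a tagged frame, TPID 0x8100 (2 bytes) + TCI (2 bytes: 3-bit user
    priority, 1-bit CFI, 12-bit VID) followed by Type/Length (2 bytes)."""
    if len(frame) < 14:
        return None
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    fields: Dict[str, object] = {
        "dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
        "user_priority": None, "cfi": None, "vid": None,
    }
    offset = 14
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            return None                      # tag present but truncated
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        fields.update(tagged=True, user_priority=tci >> 13,
                      cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    else:
        ethertype = tpid
    fields["ethertype"] = ethertype
    fields["payload"] = frame[offset:]
    return fields


def build_tagged_frame(dst: bytes, src: bytes, user_priority: int, cfi: int,
                       vid: int, ethertype: int, payload: bytes) -> bytes:
    """Assemble a tagged frame; used here only to construct sample input."""
    tci = ((user_priority & 0x7) << 13) | ((cfi & 1) << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classifier_matches_priority(frame: bytes, user_priority: int) -> bool:
    """A classifier keyed only on the user priority value. Untagged frames carry no
    priority field and therefore never match, which is why such a classifier cannot be
    used to police untagged traffic."""
    f = parse_frame(frame)
    return bool(f and f["tagged"] and f["user_priority"] == user_priority)


# Constructed samples: a tagged frame with priority 5, CFI 0, VID 12 carrying IPv4, and
# an untagged ARP frame from the same source.
_DST = bytes.fromhex("001122334455")
_SRC = bytes.fromhex("00a0d2112233")
SAMPLE_TAGGED = build_tagged_frame(_DST, _SRC, 5, 0, 12, 0x0800, b"\x45\x00\x00\x14")
SAMPLE_UNTAGGED = _DST + _SRC + struct.pack("!H", 0x0806) + b"\x00\x01"

if __name__ == "__main__":
    print(parse_frame(SAMPLE_TAGGED))
    print(parse_frame(SAMPLE_UNTAGGED))
```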
Observe the following guidelines when using this variable:
When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP.
If you choose to specify a protocol by its number (that is, by the value of the Ethernet Type/Length field), you can enter the value in decimal or hexadecimal format. If you choose the latter, precede the number with the prefix "0x". The range for the protocol number is 1536 (0x600) to 65535 (0xFFFF).
Observe these guidelines when using this criterion:
The Protocol variable must be left blank or set to IP.
You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.
IP Protocol (Layer 3)
You can define a traffic flow by the following Layer 3 protocols: TCP, UDP, ICMP, IGMP, or an IP protocol number. If you choose to specify the protocol by its number, you can enter the value in decimal or hexadecimal format.
Observe this guideline when using these criteria:
The Protocol variable must be left blank or set to IP.
TCP Source Ports (Layer 4)
TCP Destination Ports (Layer 4)
A traffic flow can be identified by a source and/or destination TCP port number contained within the header of an IP frame. Observe the following guidelines when using these criteria:
The Protocol variable must be left blank or set to IP.
Classifier Guidelines
Follow these guidelines when creating a classifier:
Each classifier represents a separate traffic flow.
The variables within a classifier are linked by AND. The more variables defined within a classifier, the more specific it becomes in terms of the flow it defines.
Creating a Classifier
This section contains the procedure for creating a classifier. As explained in "Classifier Overview" on page 274, a classifier contains a series of variables for defining a traffic flow. The same procedure is used whether the classifier is intended for an ACL or a QoS policy. To create a classifier, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
The Classifier Configuration menu is shown in Figure 80.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Classifier Configuration

1 - Create Classifier
2 - Modify Classifier
3 - Destroy Classifier
4 - Show Classifiers
P - Purge Classifiers
R - Return to Previous Menu

Enter your selection?

Figure 80. Classifier Configuration Menu

3. From the Classifier Configuration menu, type 1 to select Create Classifier.
This is the first page of the classifier variables. To view the remaining variables, type N to select Next Page. The Create Classifier menu (page 2) is shown in Figure 82.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Create Classifier

11 - IP Protocol: ...
12 - Src IP Addr: ...
13 - Src IP Mask: ...
14 - Dst IP Addr: ...
15 - Dst IP Mask: ...
16 - TCP Src Port: ..
17 - TCP Dst Port: ..
18 - UDP Src Port: ..
19 -
20 -
E -
C -
P -
U -
R -

Figure 82. Create Classifier Menu (page 2)

7. Repeat steps 5 and 6 to adjust any other variables necessary to define the traffic flow for this classifier.
8. After configuring the necessary variables, type C to select Create Classifier. The switch creates the classifier. If any of the settings are incompatible, the system displays an error message. Refer to the variable definitions in "Classifier Criteria" on page 275 for assistance in resolving compatibility issues.
9.
Modifying a Classifier
To modify a classifier, you need to know its ID number. If you are unsure of the ID number of the classifier you want to modify, refer to "Displaying Classifiers" on page 289. You cannot modify a classifier if it belongs to an ACL or QoS policy that is assigned to a port. You must first remove the port assignments from the ACL or policy before you can modify the classifier.
variable definitions in "Classifier Criteria" on page 275 for assistance in resolving any compatibility issues.
7. To modify other classifiers, repeat this process starting with step 3.
8. To permanently save your changes, return to the Main Menu and type S to select Save Configuration Changes.
9. To add the modified classifier to an ACL, refer to "Creating an ACL" on page 301 or "Modifying an ACL" on page 304. To add it to a QoS policy, refer to "Managing Flow Groups" on page 341.
Deleting a Classifier
This procedure deletes a classifier from the switch. To delete a classifier, you need to know its ID number. If you are unsure of the ID number of the classifier you want to delete, refer to "Displaying Classifiers" on page 289.
Note: You cannot delete a classifier if it belongs to an ACL or QoS policy. You must first remove the classifier from its ACL or policy assignments before you can delete it.
Deleting All Classifiers
This procedure deletes all classifiers from the switch. To delete individual classifiers, refer to "Deleting a Classifier" on page 287.
Note: You cannot delete all classifiers if any of them belong to an ACL or QoS policy. You must first remove all classifiers from their ACL and policy assignments before performing this procedure.
To delete all classifiers from the switch, perform the following procedure:
1.
Displaying Classifiers
To display the classifiers on a switch, do the following:
1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.
2. From the Security and Services menu, type 1 to select Classifier Configuration. The Classifier Configuration menu is shown in Figure 80 on page 282.
3. From the Classifier Configuration menu, type 4 to select Show Classifiers.
for the classifier. An active ACL or QoS policy has been assigned to a switch port, while an inactive ACL or policy has not been assigned to a port. If this number is 0 (zero), the classifier has not been assigned to any ACLs or policies.
Number of Active Associations - The number of active ACL and QoS policy assignments for the classifier. An active ACL or policy has been assigned to a switch port.
The second page of the Display Classifier Details menu is shown in Figure 85.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Display Classifier Details

11 - Src IP Addr: ...
12 - Src IP Mask: ...
13 - Dst IP Addr: ...
14 - Dst IP Mask: ...
15 - TCP Src Port: ..
16 - TCP Dst Port: ..
17 - UDP Src Port: ..
18 - UDP Dst Port: ..
19 - TCP Flags: .....

Figure 85. Display Classifier Details Menu (page 2)
Chapter 14 Access Control Lists This chapter explains access control lists (ACL) and how you can use this feature to improve network security and performance.
Chapter 14: Access Control Lists Access Control List (ACL) Overview An ACL is a tool for managing network traffic. You can use this feature to control which ingress packets a port will accept and which it will reject. One of the benefits of this feature is that it can add to network security. An ACL can protect parts of a network from unauthorized access by allowing only permitted traffic to enter the port.
Here is an overview of how the process works.
1. When an ingress packet arrives on a port, it is checked against the criteria in the classifiers of all the ACLs, both permit and deny, assigned to the port.
2. If the packet matches the criteria of a permit ACL, the port immediately accepts it, even if the packet also matches a deny ACL assigned to the same port, because a permit ACL always overrides a deny ACL. A consequence of this rule is that a permit classifier broader than intended silently cancels every deny ACL on the port, so keep permit classifiers as specific as the flow you actually want to allow.
3.
A classifier can be assigned to multiple ACLs. However, a classifier cannot be assigned more than once to a port. Put another way, ACLs that have the same classifier cannot be assigned to the same port. An ACL and a Quality of Service policy assigned to the same port cannot have the same classifier. The switch can store up to 64 ACLs.
Examples
This section contains several examples of ACLs.
To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL. This example denies traffic on port 4 from three subnets using three classifiers, one for each subnet, assigned to the same ACL.

Create Classifier
01 - Classifier ID: ..... 22
02 - Description: ...... 149.11.11 flow
. . .
12 - Src IP Addr: ..... 149.11.11.0
13 - Src IP Mask: ..... 255.255.255.

You can achieve the same result by assigning each classifier to a different ACL and assigning the ACLs to the same port, as in this example, again for port 4.

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description ............ 149.11.11-deny
3 - Action ................. Deny
4 - Classifier List ........ 22
5 - Port List .............. 4

Create Access Control Lists (ACL)
1 - ACL ID ................. 22
2 - Description ............ 149.22.22.

In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ID 17 specifies all IP traffic and is assigned to an ACL whose action is deny. Since a permit ACL overrides a deny ACL, the port will accept the traffic from the 149.44.44.
The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 with a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited.

Create Classifier

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description ............ ToS 6 traffic - permit
3 - Action ................. Permit
4 - Classifier List ........ 6
5 - Port List ..............
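The following is an added example, not from the guide and not AT-S63 code, that models the decision described in steps 1 and 2 above and replays the examples of this section against it, so that the permit-overrides-deny rule can be checked before an ACL is put on a live port. It assumes the truncated masks are 255.255.255.0, assumes a third denied subnet (149.33.33.0) and the ACL and classifier IDs it uses where the page gives none, and assumes that a packet matching no ACL on a port is accepted, since the page's step 3 is not in this extract. The packets are constructed for the example.

```python
"""Model of the AT-S63 ingress ACL decision described above (added example, not switch code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Classifier:
    cid: int
    protocol: Optional[str] = None        # Layer 2 Protocol variable, e.g. "IP" or "ARP"
    src: Optional[IPv4Network] = None     # Src IP Addr + Src IP Mask
    dst: Optional[IPv4Network] = None     # Dst IP Addr + Dst IP Mask
    tos: Optional[int] = None             # IP ToS value

    def matches(self, pkt: Dict) -> bool:
        """All configured variables must match (they are linked by AND); unset ones match anything."""
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        uses_ip_fields = self.src is not None or self.dst is not None or self.tos is not None
        if uses_ip_fields and pkt["protocol"] != "IP":
            return False                  # Layer 3 variables only apply to IP packets
        if self.src is not None and IPv4Address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and IPv4Address(pkt["dst"]) not in self.dst:
            return False
        if self.tos is not None and pkt.get("tos") != self.tos:
            return False
        return True

    def is_catch_all(self) -> bool:
        return all(v is None for v in (self.protocol, self.src, self.dst, self.tos))


@dataclass
class ACL:
    acl_id: int
    action: str                           # "permit" or "deny"
    classifiers: List[Classifier]
    ports: List[int]


def decide(port: int, pkt: Dict, acls: List[ACL]) -> str:
    """Every ACL on the port is checked; a permit match wins over any deny match.
    ASSUMPTION: a packet that matches no ACL on the port is accepted."""
    permit_hit = deny_hit = False
    for acl in acls:
        if port in acl.ports and any(c.matches(pkt) for c in acl.classifiers):
            if acl.action == "permit":
                permit_hit = True
            else:
                deny_hit = True
    if permit_hit:
        return "accept"
    return "reject" if deny_hit else "accept"


def overbroad_permits(port: int, acls: List[ACL]) -> List[int]:
    """IDs of permit ACLs on `port` holding a classifier with no variables. Such a classifier
    matches every packet and therefore cancels every deny ACL on the same port."""
    return [a.acl_id for a in acls if port in a.ports and a.action == "permit"
            and any(c.is_catch_all() for c in a.classifiers)]


# Reconstruction of the page's examples (IDs 24, 7, 5, 30 and 31 are assumed).
C22 = Classifier(22, src=IPv4Network("149.11.11.0/24"))
C23 = Classifier(23, src=IPv4Network("149.22.22.0/24"))
C24 = Classifier(24, src=IPv4Network("149.33.33.0/24"))            # assumed third subnet
C11 = Classifier(11, src=IPv4Network("149.44.44.0/24"))
C17 = Classifier(17, protocol="IP")                                 # all IP traffic
C6 = Classifier(6, src=IPv4Network("149.22.11.0/24"),
                dst=IPv4Network("149.22.22.22/32"), tos=6)
C_ARP = Classifier(7, protocol="ARP")

EXAMPLE_ACLS = [
    ACL(4, "deny", [C22, C23, C24], [4]),          # three subnets denied on port 4
    ACL(5, "permit", [C11], [14, 15]),             # only 149.44.44.0 allowed on 14 and 15
    ACL(30, "deny", [C17], [14, 15, 17]),          # all other IP traffic denied
    ACL(6, "permit", [C6], [17]),                  # ToS 6 flow to 149.22.22.22 on port 17
    ACL(31, "deny", [C_ARP], [17]),                # ARP prohibited on port 17
]

# Constructed packets.
IP_FROM_44 = {"protocol": "IP", "src": "149.44.44.7", "dst": "10.0.0.1", "tos": 0}
IP_FROM_55 = {"protocol": "IP", "src": "149.55.1.1", "dst": "10.0.0.1", "tos": 0}
IP_FROM_11 = {"protocol": "IP", "src": "149.11.11.9", "dst": "10.0.0.1", "tos": 0}
TOS6_FLOW = {"protocol": "IP", "src": "149.22.11.5", "dst": "149.22.22.22", "tos": 6}
TOS0_FLOW = {"protocol": "IP", "src": "149.22.11.5", "dst": "149.22.22.22", "tos": 0}
ARP_PKT = {"protocol": "ARP"}

if __name__ == "__main__":
    for port, pkt in [(14, IP_FROM_44), (14, IP_FROM_55), (17, TOS6_FLOW), (17, ARP_PKT)]:
        print(port, pkt, decide(port, pkt, EXAMPLE_ACLS))
```

The last function is the check worth running before assigning a permit ACL: adding a permit ACL whose classifier has no variables to port 14 makes decide() accept 149.55.1.1 there even though the deny ACL for all IP traffic is still present.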
Creating an ACL
This procedure explains how to create an ACL. To perform this procedure, you need to know the ID numbers of the classifiers that you want to assign to the ACL. To view classifier ID numbers, refer to "Displaying Classifiers" on page 289. To create an ACL, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists.
The Create ACL menu is shown in Figure 93.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Create ACL

1 - ACL ID ........... 0
2 - Description ......
3 - Action ........... Deny
4 - Classifier List ..
5 - Port List ........
C - Create ACL
R - Return to Previous Menu

Enter your selection?

Figure 93. Create ACL Menu

4. Type 1 to select ACL ID and, when prompted, enter an ID number for the ACL.
9. Type 5 to select Port List and, when prompted, enter the ports where you want to assign the ACL. You can assign an ACL to just one port or to more than one port. When entering multiple ports, you can list the ports individually (e.g., 2,5,7), as a range (e.g., 8-12), or both (e.g., 1-4,6,8).
10. Type C to select Create ACL. The ACL is created on the switch and immediately activated on the specified ports. Because the ACL takes effect at once, confirm before this step that a deny ACL placed on the port carrying your own management session does not match that session's traffic.
11.
Modifying an ACL
This procedure explains how to modify an ACL. To perform this procedure, you need to know the ID number of the ACL. To display ACL ID numbers, refer to "Displaying ACLs" on page 309. If you plan to add classifiers to the ACL, you also need to know the ID numbers of the classifiers. To view classifier ID numbers, refer to "Displaying Classifiers" on page 289. To modify an ACL, perform the following procedure:
1.
5. To change the description of the ACL, type 2 to select Description and enter a new description for the ACL. The description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended; assigning each ACL a name makes it easier to identify them.
6. To change the ACL's action, type 3 to select Action. The following prompt is displayed:
Enter Value [0-Deny, 1-Permit] : [0 to 1] -> 0
7.
Deleting an ACL
This procedure deletes an ACL from the switch. To perform this procedure, you need to know the ID number of the ACL. To display ACL ID numbers, refer to "Displaying ACLs" on page 309. To delete an ACL, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 92 on page 301.
3.
5. To delete the ACL, type D to select Destroy ACL. To cancel the procedure, type R to select Return to Previous Menu. A deleted ACL is immediately removed from the switch.
6. To delete additional ACLs, repeat this procedure starting with step 3.
7. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Deleting All ACLs
This procedure deletes all ACLs from the switch. To delete all ACLs, perform the following procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 92 on page 301.
3. From the Access Control Lists (ACL) menu, type P to select Purge ACLs.
Caution: No confirmation prompt is displayed.
Displaying ACLs
To display the ACLs on a switch, perform this procedure:
1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 92 on page 301.
3. From the Access Control Lists (ACL) menu, type 4 to select Show ACLs. An example of the Show ACLs window is illustrated in Figure 96.
4. To view the details of an ACL, type D to select Detail Classifier Display. The following prompt is displayed:
Enter ACL ID : [0 to 250] -> 0
5. Enter the ID number of the ACL you want to display. The details of the selected ACL are displayed. An example of the Display ACL Details window is illustrated in Figure 97.

Allied Telesyn AT-9424T/SP - AT-S63
Marketing                                User: Manager      11:20:02 02-Mar-2005

Display ACL Details

1 - ACL ID ..............
2 - Description .........
3 -
4 -
5 -

Figure 97. Display ACL Details Window
Chapter 15 Class of Service This chapter contains the procedures for configuring Class of Service (CoS).
Chapter 15: Class of Service Class of Service Overview When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations.
AT-S63 Management Software Menus Interface User’s Guide Table 11 lists the default mappings between the eight CoS priority levels and the eight egress queues of a switch port. Table 11. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues IEEE 802.
Table 12. Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues (Continued)

IEEE 802.1p Priority Level   Port Priority Queue
5                            Q3
6                            Q6
7                            Q7 (highest)

The procedure for changing the default mappings is found in “Mapping CoS Priorities to Egress Queues” on page 320. Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.
Note: Scheduling is set at the switch level. You cannot set this on a per-port basis.

Strict Priority Scheduling

With this type of scheduling, a port transmits all packets out of higher priority queues before transmitting any from the lower priority queues. For instance, as long as there are packets in Q7 it does not handle any packets in Q6.
Table 13. Example of Weighted Round Robin Priority (Continued)

Port Egress Queue   Maximum Number of Packets
Q5                  5
Q6                  10
Q7                  15

In this example, the port transmits a maximum of 15 packets from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range of the maximum number of transmitted packets is 1 to 15. The range for Q7, the highest priority queue, is 0 to 15.
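The two scheduling methods described above (strict priority, and weighted round robin with the Table 13 weights) can be simulated to see the practical difference: under strict priority a busy Q7 starves the lower queues entirely, while weighted round robin still serves Q0 once per pass. This is an added example, not code from the AT-S63 guide; the packet backlog and the weights of 1 for Q0 to Q4 are constructed assumptions, and the behaviour when Q7 is given a weight of 0 (stop when a full pass sends nothing) is the simulation's own choice, since the guide does not say what 0 means.

```python
"""Added example, not code from the AT-S63 guide: a simulation of the two
egress scheduling methods described above, strict priority and weighted
round robin, for one port with eight queues (Q0 lowest, Q7 highest)."""
from collections import deque

NUM_QUEUES = 8   # eight egress queues per port, as the guide states


def make_queues(counts):
    """Build the eight queues; counts maps queue index -> packets waiting.
    The packet labels are constructed sample data."""
    queues = [deque() for _ in range(NUM_QUEUES)]
    for q, n in counts.items():
        for i in range(n):
            queues[q].append(f"Q{q}-{i}")
    return queues


def strict_priority(queues):
    """Strict priority: nothing leaves a queue while a higher queue has packets.
    Returns the transmit order as (queue index, packet) pairs."""
    order = []
    for q in range(NUM_QUEUES - 1, -1, -1):
        while queues[q]:
            order.append((q, queues[q].popleft()))
    return order


def weighted_round_robin(queues, max_packets):
    """WRR: each pass sends up to max_packets[q] packets from Q7, then Q6, ... Q0,
    then starts over at Q7, so low queues still get service every pass."""
    order = []
    while any(queues):
        sent_this_pass = 0
        for q in range(NUM_QUEUES - 1, -1, -1):
            for _ in range(max_packets[q]):
                if not queues[q]:
                    break
                order.append((q, queues[q].popleft()))
                sent_this_pass += 1
        if sent_this_pass == 0:     # every non-empty queue has weight 0: stop (assumed)
            break
    return order


def served_in_first(order, n):
    """How many packets each queue got among the first n transmissions."""
    counts = {q: 0 for q in range(NUM_QUEUES)}
    for q, _ in order[:n]:
        counts[q] += 1
    return counts


def table13_weights():
    """Weights from Table 13 for Q5..Q7; Q0..Q4 are assumed to keep the default of 1."""
    weights = [1] * NUM_QUEUES
    weights[5], weights[6], weights[7] = 5, 10, 15
    return weights


if __name__ == "__main__":
    backlog = {7: 20, 6: 12, 5: 3, 0: 2}     # constructed backlog per queue
    sp = strict_priority(make_queues(backlog))
    wrr = weighted_round_robin(make_queues(backlog), table13_weights())
    print("strict priority, first 30:", served_in_first(sp, 30))
    print("weighted round robin, first 30:", served_in_first(wrr, 30))
```

With the constructed backlog, strict priority sends all 20 Q7 packets and 10 of Q6 before anything else, and Q0 gets nothing in the first 30 transmissions; weighted round robin sends 15 from Q7, 10 from Q6, 3 from Q5 and 1 from Q0 in its first pass, which is why the guide recommends it where lower-priority traffic must not be starved.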
Configuring CoS

As explained in “Class of Service Overview” on page 312, a packet received on a port is placed into one of eight priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 11 on page 313. You can override the mappings at the port level by assigning the packets a temporary priority level.
The “Number of CoS Queues” line indicates the number of egress queues on each port. On the AT-9400 Series switch, there are eight queues per port. This value cannot be changed.

3. From the Class of Service menu, type 1 to select Configure Port CoS Priorities. The following prompt is displayed:

Enter port number -> [1 to 24] ->

4. Enter the number of the port on the switch where you want to configure CoS. You can specify only one port at a time.
Note: CoS does not change the tagged information in a frame. A tagged frame leaves a switch with the same priority level that it had when it entered.

The default for this parameter is No, meaning that the priority level of tagged frames is determined by the priority level specified in the frames themselves.

8. Type C to select Configure Port COS Priorities. A change to a port CoS setting is immediately activated on the port.
9.
Mapping CoS Priorities to Egress Queues

This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 11 on page 313. This is set at the switch level. You cannot set this at the per-port level. To change the mappings, perform the following procedure.

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 5 to select Class of Service (CoS).
Configuring Egress Scheduling

This procedure explains how to select and configure a scheduling method for Class of Service. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to “Scheduling” on page 314. Scheduling is set at the switch level. You cannot set this on a per-port basis.

1. From the Main Menu, type 7 to select Security and Services.
2.
The default value of 1 for each queue gives all egress queues the same weight. For two examples of the weighted round robin scheduling method, refer to Table 13 on page 315 and Table 14 on page 316.

6. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Displaying Port CoS Priorities

The following procedure displays a menu that lists the current CoS priority level for each port.

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 98 on page 317.
3. From the Class of Service (CoS) menu, type 4 to select Show Port CoS Priorities.
Chapter 16 Quality of Service

This chapter describes Quality of Service (QoS).
Quality of Service Overview

Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN in the same manner. Without QoS, every traffic type is equally likely to be dropped if a link becomes oversubscribed.
The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. A policy contains traffic classes, flow groups, and classifiers. Therefore, to configure QoS, you:

- Create classifiers to sort packets into traffic flows.
Flow Groups

Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers. After a flow group has been added to a traffic class it cannot be added to another traffic class. A traffic class may have many flow groups. Traffic is matched in the order of the flow groups.
The effects of this behavior become evident when using the maximum bandwidth feature of QoS. Here is an example. Suppose you have a policy that assigns 5 Mbps of maximum bandwidth to an egress port. Now assume there are 10 ports on the switch where ingress traffic matches the criteria specified in the classifier assigned to the policy of the egress port.
Packet Processing

You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow:

- Limiting bandwidth
- Prioritizing packets to determine the level of precedence the switch will give to the packet for processing
- Replacing the VLAN tag User Priority to enable the next switch in the network to process the packet correctly
- Replacing the TOS precedence or DSCP value to enable the n

Bandwidth Allocation

Packet Prioritization
Replacing Priorities

VLAN Tag User Priorities

The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet.

DSCP Values

DiffServ Domains
A simple example of this process is shown in Figure 103, for limiting the amount of bandwidth used by traffic from a particular IP address. In the domain shown, this bandwidth limit is supplied by the class of service represented by a DSCP value of 40. In the next DiffServ domain, this traffic is assigned to the class of service represented by a DSCP value of 3.
Assign the classifiers to flow groups and the flow groups to traffic classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain. Give each traffic class the priority and/or bandwidth limiting controls that are required for that type of packet within this part of the domain. These QoS controls need not be the same for each switch.

3.
Voice Applications

Voice applications typically require a small but consistent bandwidth. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority. This example creates two policies that ensure low latency for all traffic sent by and destined to a voice application located on a node with the IP address 149.44.44.44. The policies raise the priority level of the packets to 7, the highest level.
The parts of the policies are:

Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address because this classifier is part of a policy for packets coming from the application.
Video Applications

Video applications typically require a larger bandwidth than voice applications. Video applications can be set up to have a high priority and buffering, depending on the application. This example creates policies with low latency and jitter for video streams (for example, net conference calls). The policies in Figure 105 assign the packets a priority level of 4.
The parts of the policies are:

Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning packets coming from the application.
Critical Database

Critical databases typically require a high bandwidth. They also typically require less priority than either voice or video. The policies in Figure 106 assign 50 Mbps bandwidth, with no change to priority, to traffic going to and from a database. The database is located on a node with the IP address 149.44.44.44 on port 1 of the switch.

Policy 15 Policy 17 Create Classifier Create Classifier 01 - Classifier ID: ..... 42 02 - Description .......
Policy Component Hierarchy

The purpose of this example is to illustrate the hierarchy that exists among the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels—flow group, traffic class and policy.
Create Classifier
01 - Classifier ID: ..... 1
.
14 - Dst IP Addr ..... 149.11.11.0
15 - Dst IP Mask ..... 255.255.255.0

Create Classifier
01 - Classifier ID: ..... 2
.
14 - Dst IP Addr ..... 149.22.22.0
15 - Dst IP Mask ...... 255.255.255.0

Create Flow Group
1 - Flow Group ID ......... 1
.
3 - DSCP Value ............. 10
.
9 - Classifier List ............1,2

Create Traffic Class
1 - Traffic Class ID: ........ 1
.
5 - DSCP value ............. 30
.
E - Flow Group List .....
Managing Flow Groups

This section contains the following procedures:

“Creating a Flow Group,” next
“Modifying a Flow Group” on page 344
“Deleting a Flow Group” on page 345
“Displaying Flow Groups” on page 347

Creating a Flow Group

To create a flow group, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
The Flow Group Configuration menu is shown in Figure 109.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                           11:20:02 02-Mar-2005

Flow Group Configuration

1 - Create Flow Group
2 - Modify Flow Group
3 - Destroy Flow Group
4 - Show Flow Groups

R - Return to Previous Menu

Enter your selection?

Figure 109. Flow Group Configuration Menu

4. From the Flow Group Configuration menu, type 1 to select Create Flow Group. The Create Flow Group menu is shown in Figure 110.
2 - Description
Specifies a description for the flow group. The description can be from 1 to 15 alphanumeric characters including spaces. This parameter is optional, but recommended. Names can help you identify the groups on the switch.

3 - DSCP value
Specifies a replacement value to write into the DSCP (TOS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy.
7. To create another flow group, repeat this procedure starting with step 4. To assign the flow group to a traffic class, go to “Managing Traffic Classes” on page 350.
8. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.

Modifying a Flow Group

To modify a flow group, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2.
Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                           11:20:02 02-Mar-2005

Modify Flow Group

1 - Flow Group ID ..............
2 - Description ................
3 - DSCP value .................
4 - Priority ...................
5 - Remark Priority ............
6 - ToS ........................
7 - Move ToS to Priority .......
8 - Move Priority to ToS .......
9 - Classifier List ............
3. From the Quality of Service (QoS) menu, type 1 to select Flow Group Configuration. The Flow Group Configuration menu is shown in Figure 109 on page 342.
4. From the Flow Group Configuration menu, type 3 to select Destroy Flow Group. The following prompt is displayed:

Available Flow Group(s): 0-10
Enter Flow Group ID : [0 to 1023] -> 0

5. Enter the ID number of the flow group you want to delete. You can delete only one flow group at a time.
Displaying Flow Groups

To display flow groups, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 341.
3. From the Quality of Service (QoS) menu, type 1 to select Flow Group Configuration. The Flow Group Configuration menu is shown in Figure 109 on page 342.
4.
Active
The status of the flow group. If the flow group is part of a QoS policy that is assigned to one or more ports, the flow group is deemed active. If the flow group has not been assigned to a policy or if the policy has not been assigned to any ports, the flow group is deemed inactive.

5. To display the specifics of a flow group, type D to select Display Flow Group Details.
Priority
The new user priority value for the packets.

Remark Priority
Replaces the user priority value in the packets with the Priority value.

ToS
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 1 to 7.

Move ToS to Priority
If set to Yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets.
Managing Traffic Classes

This section contains the following procedures:

“Creating a Traffic Class,” next
“Modifying a Traffic Class” on page 354
“Deleting a Traffic Class” on page 356
“Displaying Traffic Classes” on page 357

Creating a Traffic Class

To create a traffic class, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
The Create Traffic Class menu is shown in Figure 116.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 Create Traffic Class 1 2 3 4 5 6 7 8 9 A B D E - Traffic Class ID .......... Description ............... Exceed Action ............. Exceed Remark Value ....... DSCP value ................ Max bandwidth ............. Burst Size ................ Priority .................. Remark Priority ........... ToS ...........
5 - DSCP value
Specifies a replacement value to write into the DSCP (TOS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy. A DSCP value specified in a flow group overrides a DSCP value specified at the traffic class or policy level. A DSCP value specified at the traffic class level is used only if no value has been specified at the flow group level.
matches the number being used by the traffic. However, no unused tokens will accumulate in the bucket. If the traffic increases, the excess traffic will be discarded since no tokens are available for handling the increase. If the traffic is below the maximum bandwidth, unused tokens will accumulate in the bucket since the actual bandwidth falls below the specified maximum.
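The DSCP hierarchy (a flow group value overrides the traffic class, which overrides the policy), the rule that traffic is matched in flow group order, and the traffic class token bucket just described can be put together in one small model of how a packet is processed. This is an added example, not code from the AT-S63 guide: the classifier values follow the Policy Component Hierarchy example earlier in the chapter, the policy-level DSCP of 50 and the 1 Mbps class are constructed, the bucket is assumed to start full with Burst Size as its depth in bytes, traffic classes are assumed to be tried in the order listed, and "drop" and "remark" stand for the Exceed Action choices (the guide names discarding and the Exceed Remark Value).

```python
"""Added example, not AT-S63 code: a model of how a QoS policy resolves
DSCP/priority across flow group, traffic class and policy, and how the
traffic class token bucket enforces Max bandwidth with an Exceed Action."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Classifier:
    cid: int
    dst_ip: str        # e.g. "149.11.11.0"
    dst_mask: str      # e.g. "255.255.255.0"

    def matches(self, pkt: dict) -> bool:
        net = ipaddress.ip_network(f"{self.dst_ip}/{self.dst_mask}", strict=False)
        return ipaddress.ip_address(pkt["dst"]) in net


@dataclass
class FlowGroup:
    fid: int
    classifiers: List[Classifier]
    dscp: Optional[int] = None       # 0..63; overrides traffic class and policy
    priority: Optional[int] = None   # 0..7; overrides traffic class


@dataclass
class TrafficClass:
    tid: int
    flow_groups: List[FlowGroup]     # matched in list order
    dscp: Optional[int] = None
    priority: Optional[int] = None
    max_bandwidth_mbps: Optional[float] = None
    burst_size_bytes: int = 4000     # bucket depth (assumed meaning of Burst Size)
    exceed_action: str = "drop"      # "drop" or "remark"
    exceed_remark_value: Optional[int] = None
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_size_bytes)   # assumed: bucket starts full

    def admit(self, nbytes: int, now: float) -> str:
        """Token bucket: tokens (bytes) arrive at Max bandwidth, never beyond burst."""
        if self.max_bandwidth_mbps is None:
            return "forward"
        rate = self.max_bandwidth_mbps * 1_000_000 / 8          # bytes per second
        self.tokens = min(self.burst_size_bytes, self.tokens + (now - self.last_t) * rate)
        self.last_t = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return "forward"
        return self.exceed_action                                # no tokens: exceed


@dataclass
class Policy:
    pid: int
    traffic_classes: List[TrafficClass]
    dscp: Optional[int] = None


def first_set(*values):
    """Hierarchy rule: the most specific level that has a value wins."""
    return next((v for v in values if v is not None), None)


def apply_policy(policy: Policy, pkt: dict, now: float = 0.0) -> Optional[dict]:
    """Return the (possibly re-marked) packet, or None if it was discarded."""
    for tc in policy.traffic_classes:
        for fg in tc.flow_groups:                  # flow groups in order
            if not any(c.matches(pkt) for c in fg.classifiers):
                continue
            action = tc.admit(pkt["len"], now)
            if action == "drop":
                return None
            out = dict(pkt)
            dscp = first_set(fg.dscp, tc.dscp, policy.dscp)
            if action == "remark" and tc.exceed_remark_value is not None:
                dscp = tc.exceed_remark_value      # Exceed Remark Value applies
            if dscp is not None:
                out["dscp"] = dscp
            prio = first_set(fg.priority, tc.priority)
            if prio is not None:
                out["priority"] = prio
            return out
    return dict(pkt)   # no classifier matched: packet passes unchanged


def build_example_policy() -> Policy:
    """Constructed policy mirroring the hierarchy example (extra values assumed)."""
    fg1 = FlowGroup(1, [Classifier(1, "149.11.11.0", "255.255.255.0"),
                        Classifier(2, "149.22.22.0", "255.255.255.0")], dscp=10)
    fg2 = FlowGroup(2, [Classifier(3, "149.33.33.0", "255.255.255.0")])
    tc1 = TrafficClass(1, [fg1, fg2], dscp=30)
    fg3 = FlowGroup(3, [Classifier(4, "149.44.44.44", "255.255.255.255")])
    tc2 = TrafficClass(2, [fg3], max_bandwidth_mbps=1, burst_size_bytes=4000,
                       exceed_action="remark", exceed_remark_value=0)
    return Policy(1, [tc1, tc2], dscp=50)
```

A packet to 149.11.11.x takes the flow group DSCP of 10, one to 149.33.33.x falls back to the traffic class value of 30, and one to 149.44.44.44 takes the policy value of 50. On the 1 Mbps class, 4,000 bytes of tokens admit two 1,500-byte packets at once; the third exceeds the bucket and is re-marked to 0, and 10 ms later 1,250 bytes of new tokens admit the next one, which is the accumulation behaviour the text describes.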
D - Move Priority to ToS
If set to yes, replaces the value in the ToS priority field with the value in the 802.1p priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting ToS priority level.

E - Flow Group List
Specifies the flow groups to be assigned to the traffic class. The specified flow groups must already exist. Separate multiple IDs with commas (e.g., 4,11,13).

6.
The selected traffic class is displayed in the Modify Traffic Class menu. An example is shown in Figure 117.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 Modify Traffic Class 1 2 3 4 5 6 7 8 9 A B D E - Traffic Class ID .......... Description ............... Exceed Action ............. Exceed Remark Value ....... DSCP value ................ Max bandwidth ............. Burst Size ................ Priority .......
Deleting a Traffic Class

To delete a traffic class, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 341.
3. From the Quality of Service (QoS) menu, type 2 to select Traffic Class Configuration. The Traffic Class Configuration menu is shown in Figure 115 on page 350.
4.
The traffic class is deleted from the switch. The class is removed from any policies to which it is assigned.

7. To delete another traffic class, repeat this procedure starting with step 4.
8. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.

Displaying Traffic Classes

To display the traffic classes, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
The Show Traffic Classes menu provides the following information:

ID
The traffic class’ ID number.

Description
A description of the traffic class.

Parent Policy ID
The ID number of the policy where the traffic class is assigned. A traffic class can belong to only one policy at a time.

Active
The status of the traffic class. If the traffic class is part of a QoS policy that is assigned to one or more ports, the traffic class is deemed active.
The Display Traffic Class Details menu provides the following information:

Traffic Class ID
The traffic class ID number.

Description
The description of the traffic class.

Exceed Action
The action taken if the traffic of the traffic class exceeds the maximum bandwidth.

Exceed Remark Value
The DSCP replacement value for traffic that exceeds the maximum bandwidth.

DSCP value
The replacement value to write into the DSCP (TOS) field of the packets.
Managing Policies

This section contains the following procedures:

“Creating a Policy,” next
“Modifying a Policy” on page 363
“Deleting a Policy” on page 364
“Displaying Policies” on page 365

Creating a Policy

To create a policy, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
The Create Policy menu is shown in Figure 122.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 Create Policy 1 2 3 4 5 6 7 8 9 A B D - Policy ID ................ Description .............. Remark DSCP .............. DSCP value ............... ToS ...................... Move ToS to Priority ..... Move Priority to ToS ..... Send to Mirror Port ...... Traffic Class List ....... Redirect Port ............
5 - ToS
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7. A ToS value specified at the policy level is used only if no value has been specified at the flow group and traffic class levels.

6 - Move ToS to Priority
If set to yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting 802.
8. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.

Modifying a Policy

To modify a policy, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 341.
3.
6. Modify the settings as needed. For parameter definitions, refer to “Creating a Policy” on page 360. When you modify a policy, note the following:

- You cannot change the traffic class ID number.
- To delete a value from a variable so as to leave it blank, select the variable and then use the backspace key to delete its default value.
- Specifying an invalid value for a parameter that already has a value causes the parameter to revert to its default value.

7.
7. To delete another policy, repeat this procedure starting with step 4.
8. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.

Displaying Policies

To display policies, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security and Services menu, type 6 to select Quality of Service.
Active
The status of the policy. A policy that is assigned to one or more ports is deemed active while a policy that is not assigned to any ports is deemed inactive.

5. To display the specifics of a policy, type D to select Display Policy Details. The following prompt is displayed:

Available Policy(ies): 0-4
Enter Policy ID : [0 to 255] -> 0

6. Enter the ID number of the policy you want to view. You can display only one policy at a time.
DSCP value
The replacement value to write into the DSCP (TOS) field of the packets.

ToS
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 1 to 7. A ToS value specified at the policy level is used only if no value has been specified at the flow group and traffic class levels.

Move ToS to Priority
If set to yes, replaces the value in the 802.
Chapter 17 Denial of Service Defense

This chapter contains procedures for configuring the switch to protect against denial of service (DoS) attacks.
Denial of Service Overview

The AT-S63 management software can help protect your switch against the following types of denial of service attacks:

- SYN Flood Attack
- Smurf Attack
- Land Attack
- Teardrop Attack
- Ping of Death Attack
- IP Options Attack

The following subsections briefly describe each type of attack and the mechanism employed by the AT-S63 management software to protect your network.
Smurf Attack

This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request containing the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
The following is an overview of how the process takes place. This example assumes that you have activated the feature on port 4, which is connected to a device local to your network, and that you specified port 1 as the uplink port, which is connected to the device that leads outside your network. The steps below review what happens when an ingress IP packet from the local device arrives on port 4:

1.
Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. The victim is unable to reassemble the packet, possibly causing it to freeze operations. The defense mechanism for this type of attack has all ingress fragmented IP traffic received on a port sent to the switch’s CPU.
Also note that an attacker can circumvent the defense by sending a stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits. A large number of requests could overwhelm the switch’s CPU.

IP Options Attack

In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 management software does not distinguish between them.
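The Smurf, Teardrop and Ping of Death descriptions above each amount to a checkable property of a packet or of a set of fragments, and the same properties are what a monitoring tool would look for when deciding whether the switch's CPU-intensive defenses are worth enabling on a port. The following is an added example, not code from the AT-S63 guide or the switch: it runs the three checks over constructed packet records (no live capture). The LAN address and mask follow the 149.11.11.x example used in the Smurf defense configuration steps; fragment offsets are taken in bytes for readability (the wire field counts 8-byte units); the 65,535-byte limit is the IPv4 total-length maximum, not a figure from the guide.

```python
"""Added example, not code from the AT-S63 guide: detection checks for the
Smurf, Teardrop and Ping of Death patterns described above, run over
constructed packet records (offline, no live capture)."""
import ipaddress
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
MAX_IPV4_DATAGRAM = 65535   # bytes; the IPv4 total-length field cannot exceed this


def lan_broadcast(lan_ip, subnet_mask):
    """Directed broadcast address of the LAN, derived from the LAN IP address
    and subnet mask that the Smurf defense configuration asks for."""
    net = ipaddress.ip_network(f"{lan_ip}/{subnet_mask}", strict=False)
    return str(net.broadcast_address)


def is_smurf(pkt, broadcast):
    """Smurf signature: an ICMP Echo request whose destination is a broadcast address."""
    return (pkt["proto"] == "icmp"
            and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and pkt["dst"] in (broadcast, "255.255.255.255"))


def inspect_fragments(fragments):
    """Group fragments per datagram (src, dst, ip_id). Report 'teardrop' when a
    fragment's offset lands inside data an earlier fragment already covered, and
    'ping_of_death' when an Echo request would reassemble beyond 65,535 bytes."""
    findings = []
    by_datagram = defaultdict(list)
    for f in fragments:
        by_datagram[(f["src"], f["dst"], f["ip_id"])].append(f)
    for key, parts in by_datagram.items():
        parts.sort(key=lambda f: f["offset"])
        covered_to = 0          # bytes of the datagram accounted for so far
        overlap = False
        for f in parts:
            if f["offset"] < covered_to:
                overlap = True  # bogus offset: overlaps earlier fragment data
            covered_to = max(covered_to, f["offset"] + f["len"])
        if overlap:
            findings.append(("teardrop", key))
        if covered_to > MAX_IPV4_DATAGRAM and parts[0].get("icmp_type") == ICMP_ECHO_REQUEST:
            findings.append(("ping_of_death", key))
    return findings


# Constructed sample traffic (not captured data).
LAN_IP, LAN_MASK = "149.11.11.1", "255.255.255.0"
SAMPLE_PACKETS = [
    {"proto": "icmp", "icmp_type": 8, "src": "149.11.11.40", "dst": "149.11.11.255"},  # to broadcast
    {"proto": "icmp", "icmp_type": 8, "src": "149.11.11.40", "dst": "149.11.11.20"},   # ordinary ping
    {"proto": "icmp", "icmp_type": 0, "src": "149.11.11.20", "dst": "149.11.11.255"},  # reply, not request
]


def _frag(ip_id, offset, length, first=False):
    """One constructed fragment record; only the first fragment carries the ICMP type."""
    return {"src": "10.0.0.9", "dst": "149.11.11.20", "ip_id": ip_id,
            "offset": offset, "len": length,
            "icmp_type": ICMP_ECHO_REQUEST if first else None}


SAMPLE_FRAGMENTS = (
    [_frag(1, 0, 1480, first=True), _frag(1, 1000, 500)]                 # offset inside earlier data
    + [_frag(2, i * 1480, 1480, first=(i == 0)) for i in range(45)]      # 45 x 1480 = 66,600 bytes
    + [_frag(3, 0, 1480, first=True), _frag(3, 1480, 520)]               # well-formed, 2,000 bytes
)


def scan(packets, fragments, lan_ip, subnet_mask):
    """Run both checks and return a list of (finding, detail) tuples."""
    bcast = lan_broadcast(lan_ip, subnet_mask)
    found = [("smurf", (p["src"], p["dst"])) for p in packets if is_smurf(p, bcast)]
    return found + inspect_fragments(fragments)
```

On the constructed sample the scan reports one Smurf candidate (the Echo request to 149.11.11.255), one Teardrop datagram (ip_id 1, second fragment overlapping the first) and one Ping of Death datagram (ip_id 2, 66,600 bytes), and stays silent on the ordinary ping, the Echo reply and the well-formed two-fragment datagram.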
Denial of Service Defense Guidelines

Below are guidelines to observe when using this feature:

- A switch port can support more than one DoS defense at a time.
- The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.
Configuring Denial of Service Defense

To configure DoS defense, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
2. From the Security Configuration menu, type 3 to select Denial of Service (DoS). The Denial of Service (DoS) menu is shown in Figure 126.
b. Type 1 to select IP Address. The following prompt is displayed:

Enter the IP Address for the LAN:

Enter the IP address of one of the devices connected to the switch, preferably the lowest IP address.

c. Type 2 to select Subnet Mask. The following prompt is displayed:

Enter the Subnet Mask for the LAN:

Enter the subnet mask for your network. For example, the subnet mask for a network with the IP address range 149.11.11.1 to 149.11.11.50 is 255.
A menu is displayed containing either one or two options, depending on the DoS defense you selected. An example of the menu is shown in Figure 128.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                           11:20:02 02-Mar-2005

SYN Flood Configuration
Configuring DoS for Port 2

1 - Attack Detection ................. Disabled

R - Return to Previous Menu

Enter your selection?

Figure 128. SYN Flood Configuration Menu

6. Adjust the following parameters as necessary.
Section III IGMP Snooping, MLD Snooping, and RRP Snooping

The chapters in this section contain overview information on IGMP snooping, MLD snooping, and RRP snooping. The chapters also explain how to configure these features from the menus interface of the AT-S63 management software.
Chapter 18 IGMP Snooping

This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
IGMP Snooping Overview

IGMP enables IPv4 routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a multicast group responds to a query by sending a report.
Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance.
Configuring IGMP Snooping

To configure IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                           11:20:02 02-Mar-2005

Advanced Configuration

1 - RRP Snooping Configuration
2 - IGMP Snooping Configuration
3 - MLD Snooping Configuration

R - Return to Previous Menu

Enter your selection?

Figure 129.
The IGMP Snooping Configuration menu is shown in Figure 130.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 IGMP Snooping Configuration 1 2 3 4 5 6 7 - IGMP Snooping Status ........... Host Topology .................. Host/Router Timeout Interval ... Maximum IGMP Multicast Groups .. Router Port(s) .................
If a switch has a mixture of host nodes, that is, some connected directly to the switch and others through an Ethernet hub, you should select the Multi-Host Port (Intermediate) selection.

3 - Host/Router Timeout Interval
Specifies the time period in seconds after which the switch determines that a host node is inactive. An inactive host node is a node that has not sent an IGMP report during the specified time interval. The range is from 0 to 86,400 seconds (24 hours).
Note: Selection 6, View IGMP Multicast Hosts List, is described in “Displaying a List of Host Nodes” on page 389. Selection 7, View IGMP Multicast Routers List, is described in “Displaying a List of Multicast Routers” on page 391.

4. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Enabling or Disabling IGMP Snooping

To activate or deactivate IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129 on page 384.
2. From the Advanced Configuration menu, type 2 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 130 on page 385.
3.
Displaying a List of Host Nodes

You can use the AT-S63 management software to display a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129 on page 384.
2. From the Advanced Configuration menu, type 2 to select IGMP Snooping Configuration.
VLAN The VID of the VLAN where the port is an untagged member.
Port/Trunk The port on the switch where the host node is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
HostIP The IP address of the host node connected to the port.
IGMP Ver. The version of IGMP used by the host.
Exp. Time The number of seconds remaining before the host is timed out if no further IGMP reports are received from it.
Displaying a List of Multicast Routers
A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S63 management software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration.
switch learned the router on a port trunk, the trunk ID number, not the port number, is displayed.
Router IP The IP address of the multicast router.
Chapter 19 MLD Snooping This chapter explains how to activate and configure Multicast Listener Discovery (MLD) snooping on the switch.
Chapter 19: MLD Snooping
MLD Snooping Overview
MLD snooping performs the same function as IGMP snooping. The switch uses the feature to build multicast membership lists and uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. The difference between the two is that MLD snooping is for IPv6 and IGMP snooping for IPv4 environments. (For background information on IGMP snooping, refer to “IGMP Snooping Overview” on page 382.)
Configuring MLD Snooping
To configure MLD snooping on the switch, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129 on page 384. 2. From the Advanced Configuration menu, type 3 to select MLD Snooping Configuration. The MLD Snooping Configuration menu is shown in Figure 133.
additional multicast packets out the port where the host node is connected.
Multiple Host/Ports (Intermediate)
The Multi-Host setting is appropriate if there is more than one host node connected to a switch port, such as when a port is connected to an Ethernet hub to which multiple host nodes are connected. With this setting selected the switch continues sending multicast packets out a port even after it receives a leave request from a host node on the port, because it cannot tell from that one leave whether other hosts behind the hub are still listening; the port is dropped from the group only when its entry times out without a further report.
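The membership-table behaviour described above, for both the IGMP and the MLD chapters, as an added example in Python. This is not AT-S63 code: it is a constructed model of a snooping switch that learns member ports from reports, forwards a group only to those ports plus the router ports, ages entries out after the Host/Router Timeout Interval, and treats a leave differently under the Single-Host and Multi-Host topologies. The group addresses, ports, timeout and group limit are made up for the demonstration.

```python
"""Constructed model of the snooping behaviour this chapter describes.
Added example, not AT-S63 code.  The switch learns which ports have hosts
that reported membership in a group, forwards the group's traffic only to
those ports (plus the router ports), ages entries out after the
Host/Router Timeout Interval, and handles a leave message according to
the Host Topology setting.  The logic is the same for IGMP (IPv4) and
MLD (IPv6), so one class serves both.
"""
from dataclasses import dataclass, field

SINGLE_HOST = "Single-Host"   # one host per port: a leave stops forwarding at once
MULTI_HOST = "Multi-Host"     # hub behind the port: a leave is ignored, the entry ages out


@dataclass
class SnoopingSwitch:
    topology: str = SINGLE_HOST
    timeout: int = 260                  # Host/Router Timeout Interval, seconds (0..86400)
    max_groups: int = 64                # Maximum Multicast Groups (constructed value)
    router_ports: set = field(default_factory=set)
    # (vlan, group) -> {(port, host_ip): expiry time}
    members: dict = field(default_factory=dict)

    def report(self, now, vlan, group, port, host):
        """Membership report from `host` on `port`: learn or refresh the entry."""
        key = (vlan, group)
        if key not in self.members and len(self.members) >= self.max_groups:
            return False                # table full: the group is not learned
        self.members.setdefault(key, {})[(port, host)] = now + self.timeout
        return True

    def leave(self, vlan, group, port, host):
        """Leave message.  Only the Single-Host topology acts on it."""
        entries = self.members.get((vlan, group), {})
        if self.topology == SINGLE_HOST:
            for k in [k for k in entries if k[0] == port]:
                del entries[k]          # port stops receiving the group now
            if not entries:
                self.members.pop((vlan, group), None)
        # MULTI_HOST: other hosts may share the port; keep forwarding until timeout

    def age(self, now):
        """Drop entries whose Exp. Time has passed; call periodically."""
        for key in list(self.members):
            entries = self.members[key]
            for k in [k for k, exp in entries.items() if exp <= now]:
                del entries[k]
            if not entries:
                del self.members[key]

    def forward_ports(self, vlan, group):
        """Egress ports for `group`: member ports plus the router ports."""
        ports = {port for port, _ in self.members.get((vlan, group), {})}
        return sorted(ports | self.router_ports)

    def host_list(self, now):
        """Rows like the View Multicast Hosts List screen:
        (VLAN, Port, HostIP, Group, Exp. Time in seconds)."""
        return sorted((vlan, port, host, group, exp - now)
                      for (vlan, group), entries in self.members.items()
                      for (port, host), exp in entries.items())


def demo(topology):
    """Two hosts join at t=0, one leaves at t=10, the table is aged at t=150.
    Returns (egress ports after the leave, egress ports after ageing)."""
    sw = SnoopingSwitch(topology=topology, timeout=100, router_ports={24})
    sw.report(0, 1, "239.1.1.1", 3, "10.0.0.3")
    sw.report(0, 1, "239.1.1.1", 5, "10.0.0.5")
    sw.leave(1, "239.1.1.1", 3, "10.0.0.3")
    after_leave = sw.forward_ports(1, "239.1.1.1")
    sw.age(150)                         # both entries expired at t=100
    return after_leave, sw.forward_ports(1, "239.1.1.1")


if __name__ == "__main__":
    print(SINGLE_HOST, demo(SINGLE_HOST))   # ([5, 24], [24])
    print(MULTI_HOST, demo(MULTI_HOST))     # ([3, 5, 24], [24])
```

Under Single-Host the leave from port 3 removes that port immediately; under Multi-Host port 3 keeps receiving the group until its entry expires, which is exactly the trade-off the Host Topology setting controls.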
Note A change to any parameter in this menu is immediately activated on the switch.
Note Selection 6, View MLD Multicast Hosts List, is described in “Displaying a List of Host Nodes” on page 399. Selection 7, View MLD Multicast Routers List, is described in “Displaying a List of Multicast Routers” on page 401.
4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Enabling or Disabling MLD Snooping
To activate or deactivate MLD snooping on the switch, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129 on page 384. 2. From the Advanced Configuration menu, type 3 to select MLD Snooping Configuration. The MLD Snooping Configuration menu is shown in Figure 133 on page 395. 3.
Displaying a List of Host Nodes
You can use the AT-S63 management software to display a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 129 on page 384. 2. From the Advanced Configuration menu, type 3 to select MLD Snooping Configuration.
node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
HostIP The IP address of the host node connected to the port.
Exp. Time The number of seconds remaining before the host is timed out if no further MLD reports are received from it.
Displaying a List of Multicast Routers
A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S63 management software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration.
Port/Trunk ID The port on the switch where the multicast router is connected. If the switch learned the router on a port trunk, the trunk ID number, not the port number, is displayed.
Router IP The IP address of the multicast router.
Chapter 20 RRP Snooping This chapter explains RRP snooping and contains the following sections: “RRP Snooping Overview” on page 404 “Enabling or Disabling RRP Snooping” on page 406 Section III: IGMP Snooping, MLD Snooping, and RRP Snooping 403
Chapter 20: RRP Snooping RRP Snooping Overview The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one as the master router. This router functions as the provider of the primary path between LAN segments. Slave routers function as backup paths in the event that the master router or primary path fails.
RRP snooping is supported on ports operating in the MAC address-based port security level of automatic. It is not supported on ports operating with a security level of limited, secured, or locked. RRP snooping is supported on port trunks.
Enabling or Disabling RRP Snooping
To enable or disable RRP snooping on a switch, perform the following procedure: 1. From the Main Menu, type 6 to select Advanced Configuration. 2. From the Advanced Configuration menu, type 1 to select RRP Snooping Configuration. The RRP Snooping Configuration menu is shown in Figure 136.
Figure 136: RRP Snooping Configuration menu (selection 1 - RRP Snooping Status).
Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3. The chapter also explains how to configure this feature from the menus interface of the AT-S63 management software.
Chapter 21 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. In addition, the chapter contains procedures that allow you to create and modify SNMPv3 entities.
Chapter 21: SNMPv3 SNMPv3 Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 5, “SNMPv1 and SNMPv2c” on page 103. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. In addition, SNMP terminology changes in the SNMPv3 protocol. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used.
“SNMPv3 Configuration Example” on page 418
SNMPv3 Authentication Protocols
The SNMPv3 protocol supports two authentication protocols: HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest, and each authentication protocol authenticates a user by checking that digest. In addition, both protocols use keys to perform authentication. As RFC 3414 specifies, the key is derived from the user's authentication password and then localized with the SNMP engine ID of the switch, so the same password produces a different key on every switch, and the digest carried in each message is an HMAC over the whole message truncated to 96 bits (12 bytes). Of the two, SHA is the stronger choice by current standards.
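How the two authentication protocols turn the password typed at the menu into a key, and how that key produces and checks the 96-bit digest, as an added example. This is Python written for this page following the RFC 3414 algorithms, not AT-S63 code; it checks itself against the published RFC 3414 test vectors (password maplesyrup, engine ID 000000000000000000000002), and the message it signs is a constructed byte string standing in for a real SNMPv3 packet.

```python
"""Keys for the HMAC-MD5-96 and HMAC-SHA-96 authentication protocols offered
by the switch, computed as RFC 3414 specifies.  Added example, not AT-S63
code; the message signed at the bottom is constructed.

password_to_key  Ku  = H(password repeated to 1,048,576 bytes)   (RFC 3414 A.2)
localize         Kul = H(Ku || snmpEngineID || Ku)               (RFC 3414 A.3)
hmac96           the 12-byte authenticator in msgAuthenticationParameters
"""
import hashlib
import hmac

DIGEST = {"MD5": hashlib.md5, "SHA": hashlib.sha1}   # menu choices M-MD5 and S-SHA
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # engine ID of the RFC vectors
AUTH_FIELD = bytes(12)                               # zeroed msgAuthenticationParameters


def password_to_key(password, proto):
    """Ku: digest over exactly 1 MiB of the password repeated (deliberately slow)."""
    reps = (1 << 20) // len(password) + 1
    return DIGEST[proto]((password * reps)[: 1 << 20]).digest()


def localize(ku, engine_id, proto):
    """Kul, the key the agent stores: the same password gives a different key on
    every engine, so a key captured from one switch is useless on another."""
    return DIGEST[proto](ku + engine_id + ku).digest()


def user_key(password, engine_id, proto):
    """What the switch derives from the password entered for a User Table entry."""
    return localize(password_to_key(password, proto), engine_id, proto)


def hmac96(kul, msg, proto):
    """HMAC over the whole message (authenticator field zeroed), truncated to 96 bits."""
    return hmac.new(kul, msg, DIGEST[proto]).digest()[:12]


def sign(kul, head, tail, proto):
    """Sender: head || authenticator || tail, with the HMAC computed over the
    message as it will be sent but with the authenticator field zeroed."""
    return head + hmac96(kul, head + AUTH_FIELD + tail, proto) + tail


def verify(kul, wire, offset, proto):
    """Receiver: zero the 12-byte field at offset, recompute, compare in constant time."""
    received = wire[offset:offset + 12]
    zeroed = wire[:offset] + AUTH_FIELD + wire[offset + 12:]
    return hmac.compare_digest(hmac96(kul, zeroed, proto), received)


if __name__ == "__main__":
    kul = user_key(b"maplesyrup", RFC_ENGINE_ID, "SHA")
    head, tail = b"constructed-v3-header", b"constructed-scoped-pdu"
    wire = sign(kul, head, tail, "SHA")
    print(kul.hex(), verify(kul, wire, len(head), "SHA"))
```

The localization step is why a management station must learn the switch's engine ID before it can authenticate, and why the same user password is safe to reuse across switches in a way a community string never is: the wire never carries the password, only a digest keyed with the per-switch Kul.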
SNMPv3 MIB Views
The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 137.
MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address. In a similar way, the subtree mask further refines the subtree view and enables you to restrict a MIB view to a specific row of the OID MIB table. Each bit of the mask, most significant bit first, corresponds to one sub-identifier of the subtree OID: a 1 bit means an object's OID must match that sub-identifier to fall under the view, and a 0 bit makes that position a wildcard. Sub-identifiers beyond the end of the mask are treated as 1 bits, so an empty mask selects the whole subtree.
Level, Privacy Protocol and Group—with the type of message and the host IP address.
SNMPv3 Tables
The SNMPv3 configuration is divided into configuring SNMPv3 user information and configuring message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol.
Configure SNMPv3 Notify Table
Configure SNMPv3 Target Address Table
Configure SNMPv3 Target Parameters Table
You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address that is used for notification in the Configure SNMPv3 Target Address Table. This is the IP address of the SNMPv3 host.
“SNMPv3 Target Parameters Table” on page 417
“SNMPv3 Community Table” on page 417
SNMPv3 User Table
The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 SecurityToGroup Table
The Configure SNMPv3 SecurityToGroup Table menu allows you to associate a User Name with a security group called a Group Name. The User Name is previously configured with the Configure SNMPv3 User Table menu. The security group is previously configured with the Configure SNMPv3 Access Table menu. Lastly, you can configure a storage type for this table entry which allows you to save the entry to flash memory.
Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table. See “Configuring the SNMPv3 Community Table” on page 495.
Note Allied Telesyn recommends that you use the procedures described in Chapter 5, “SNMPv1 and SNMPv2c” on page 103 to configure the SNMPv1 and SNMPv2c protocols.
SNMPv3 Configuration Example
You may want to have two classes of SNMPv3 users—Managers and Operators.
Configuring SNMPv3 Entities
This section describes how to configure SNMPv3 entities using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the “SNMPv3 Overview” on page 410.
Configuring the SNMPv3 User Table
This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in the SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table menu is shown in Figure 140.
Figure 140: Configure SNMPv3 Table menu (Allied Telesyn AT-9424T/SP - AT-S63, User: Manager). Selections 1 through 9; selection 1 is SNMP Engine. Of the remaining selections, this chapter uses 4 - Configure SNMPv3 Access Table and 6 - Configure SNMPv3 Notify Table.
5. To create a new User Table entry, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed: Enter User (Security) Name: 6. Enter a descriptive name for the user. You can enter a name that consists of up to 32 alphanumeric characters. The following prompt is displayed: Enter Authentication Protocol [M-MD5, S-SHA, N-None]: 7. Enter one of the following: M-MD5 This value represents the MD5 authentication protocol.
You are prompted to re-enter the password. The following prompt is displayed: Enter Privacy Protocol [D-DES, N-None]:
Note You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
9. Select one of the following options: D-DES Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry. DES (CBC-DES, the privacy protocol of RFC 3414) is the only encryption option this menu offers. Its 56-bit key is weak by current standards, but it is still the only way to keep SNMPv3 traffic to this switch from being read on the wire, so select it whenever the management station supports it.
allowing you to save your changes. Allied Telesyn recommends this storage type. Note The Row Status parameter is a read-only field. The Active value indicates the SNMPv3 User Table entry takes effect immediately. 12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Deleting an SNMPv3 User Table Entry You may want to delete an entry from the SNMPv3 User Table.
“Modifying the Privacy Protocol and Password” on page 427
“Modifying the Storage Type” on page 428
Modifying the Authentication Protocol and Password
To modify the Authentication Protocol and Password in an SNMPv3 User Table entry, perform the following procedure. 1. Follow steps 1 through 5 in the procedure described in “Configuring the SNMPv3 User Table” on page 420. Or, from the Main Menu type 5->1->1->8->5.
11. Enter the User Name of the User Table you want to modify. The following prompt is displayed: Enter Authentication Protocol [M-MD5, S-SHA, N-None]: 12. Enter one of the following: M-MD5 This value represents the MD5 authentication protocol. With this selection, users (SNMP entities) are authenticated with the MD5 authentication protocol after a message is received. This algorithm generates the message digest.
Re-enter Privacy password: 16. Re-enter the password. 17. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Privacy Protocol and Password
To modify the Privacy Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.
Note You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
messages transmitted between the host and the switch are encrypted with the DES protocol. N-None Select this value if you do not want a privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are not encrypted. If you select None, proceed to step 9. If you select DES, the following prompt is displayed: Enter Privacy Password: 7. Enter a privacy password of up to 32 alphanumeric characters.
5. Enter the User Name. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 6. Select one of the following storage types for this table entry: V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory.
Configuring the SNMPv3 View Table
This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters: Subtree OID, Subtree Mask, MIB OID Table View. To configure the SNMPv3 View Table, you need to be very familiar with the OID table. You can be very specific about the view a user can or cannot access—down to a column or row of the table.
The Configure SNMPv3 View Table menu is shown in Figure 143.
Figure 143: Configure SNMPv3 View Table menu. Fields: View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status. The example entry shows View Name internet and a Subtree OID beginning 1.3.6. (the rest of the entry is not legible in the capture).
tcp The following prompt is displayed: Enter Subtree Mask (Hex format): 6. Enter a subtree mask in hexadecimal format. This is an optional parameter that is used to further refine the value in the View Subtree parameter. You type the mask as hexadecimal digits, but the switch applies it bit by bit: each bit, most significant first, corresponds to one sub-identifier of the subtree, with 1 meaning that sub-identifier must match and 0 meaning it is a wildcard. The relationship between a subtree mask and a subtree is similar to the relationship between an IP address and a subnet mask. The subnet mask further refines the IP address.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 View Table to the configuration file. After making changes to an SNMPv3 View Table entry with a NonVolatile storage type, the S Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type. Note The Row Status parameter is a read-only field.
6. Enter Y to delete the view or N to keep the view. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 View Table Entry
This section describes how to modify parameters in an SNMPv3 View Table entry.
The Modify SNMPv3 View Table menu is shown in Figure 144.
Figure 144: Modify SNMPv3 View Table menu. Fields: View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status. The example entry shows View Name tcp with a Subtree OID beginning 1.3.6.1.2.1. (the rest of the entry is not legible in the capture).
This is an optional parameter that is used to further refine the value in the View Subtree parameter. You type the mask in hexadecimal, but it is applied bit by bit to the sub-identifiers of the subtree. A subtree mask and a subtree have a similar relationship as an IP address and a subnet mask. The subnet mask further refines the IP address. In the same way, the OID table entry defines a MIB View and the subtree mask further restricts a user’s view to a specific column and row of the MIB View.
The following prompt is displayed: Enter View Subtree (OID format/Text Name): 6. Enter the View Subtree value for this View Name. You can enter either the numeric OID in dotted-decimal format or the equivalent text name. For example, the numeric OID of the tcp group of MIB-II is: 1.3.6.1.2.1.6 The text name is: tcp The following prompt is displayed: Enter View Type [I-Included, E-Excluded]: 7.
The Modify SNMPv3 Table menu is shown in Figure 144 on page 435. 4. To modify the storage type, type 3 to select Set Storage Type. The following prompt is displayed: Enter View Name: 5. Enter the View Name you want to modify. The following prompt is displayed: Enter View Subtree (OID format/Text Name): 6. Enter the View Subtree for this View Name. The following prompt is displayed: Enter Storage Type [V-Volatile, N-Nonvolatile]: 7.
Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See “Creating an SNMPv3 SecurityToGroup Table Entry” on page 454.
The Configure SNMPv3 Access Table menu is shown in Figure 145.
Figure 145: Configure SNMPv3 Access Table menu. Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status. The example entry shows Group Name softwareengineering with Read View internet, Write View tcp and Notify View tcp.
Note The Context Prefix and the Context Match fields are read-only. The Context Prefix field is always set to null. The Context Match field is always set to exact. The following prompt is displayed: Enter Security Model [1-v1, 2-v2c, 3-v3]: 5. Select one of the following SNMP protocols as the Security Model for this Group Name. 1-v1 Select this value to associate the Group Name with the SNMPv1 protocol.
P-AuthPriv This option represents authentication and the privacy protocol. Select this security level to encrypt messages using a privacy protocol and authenticate SNMP entities. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol. The following prompt is displayed: Enter Read View Name: 7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table.
N-NonVolatile Select this storage type if you want the ability to save an entry in the SNMPv3 Access Table to the configuration file. After making changes to an SNMPv3 Access Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type. Note The Row Status parameter is a read-only field.
The following prompt is displayed: Enter Security Model [1-v1, 2-v2c, 3-v3]: 5. Enter the Security Model of this Group Name. Select one of the following security models: 1-v1 Select this value to associate the Group Name with the SNMPv1 protocol. 2-v2c Select this value to associate the Group Name with the SNMPv2c protocol. 3-v3 Select this value to associate the Group Name with the SNMPv3 protocol.
Do you want to delete this table entry?(Y/N):[Yes/No]-> 7. Enter Y to delete the Access Table entry or N to keep it. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 Access Table Entry
This section describes how to modify parameters in an SNMPv3 Access Table entry.
3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Access Table is shown in Figure 146.
Figure 146: Modify SNMPv3 Access Table menu. Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status; selections 1 through 4 are Set options. The example entry shows Group Name sales with Read View systemmanagers, Write View salespeople and Notify View salespeople.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol. The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol.
Modifying the Write View Name
To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421. 2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
Modifying the Notify View Name
To modify the Notify View Name parameter in an SNMPv3 Access Table entry, perform the following procedure. 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421. 2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed: Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]: 7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421. 2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table. The Configure SNMPv3 Access Table is shown in Figure 145 on page 440. 3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels: N-NoAuthNoPriv This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol. This security level provides the least security: messages are neither authenticated nor encrypted, so a group at this level is protected only by knowledge of the User Name, much as an SNMPv1 or SNMPv2c community is protected only by its community string.
Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table menu while the Group Name is configured in the Configure SNMPv3 Access Table menu.
The Configure SNMPv3 SecurityToGroup Table menu is shown in Figure 147.
Figure 147: Configure SNMPv3 SecurityToGroup Table menu. Fields: Security Model, Security Name, Group Name, Storage Type, Row Status.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol. The following prompt is displayed: Enter Group Name: 6. Enter a Group Name that you configured in the SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 439. There are four default values for this field:
defaultV1GroupReadOnly
defaultV1GroupReadWrite
defaultV2cGroupReadOnly
defaultV2cGroupReadWrite
These values are reserved for SNMPv1 and SNMPv2c implementations.
Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, the entry. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure: 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420.
3-v3 Select this value to associate the Group Name with the SNMPv3 protocol. The following prompt is displayed: Do you want to delete this table entry? (Y/N):[Yes/No]-> 6. Enter Y to delete this SecurityToGroup entry or N to save the entry. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The Modify SNMPv3 SecurityToGroup Table menu is displayed, as shown in Figure 148.
Figure 148: Modify SNMPv3 SecurityToGroup Table menu. Fields: Security Model, Security Name, Group Name, Storage Type, Row Status.
3-v3 Select this value to associate the User Name with the SNMPv3 protocol. The following prompt is displayed: Enter Group Name: 7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 439. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the Security Model configured for this User Name. You cannot change the value of the Security Model parameter. Select one of the following SNMP protocols: 1-v1 Select this value if this User Name is configured with the SNMPv1 protocol. 2-v2c Select this value if this User Name is configured with the SNMPv2c protocol. 3-v3 Select this value if this User Name is configured with the SNMPv3 protocol.
Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table menu allows you to define a name for sending traps. For each Notify Name, you define whether a trap or inform message is sent. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table menu is shown in Figure 149.
Figure 149: Configure SNMPv3 Notify Table menu. Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status.
I-Inform Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the host. The following prompt is displayed: Enter Storage Type [V-Volatile, N-NonVolatile]: 7. Select one of the following storage types for this table entry: V - Volatile Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
The Configure SNMPv3 Notify Table menu is shown in Figure 149 on page 463.
Note To display a Notify Name and its associated parameters from the Configure SNMPv3 Notify Table menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed: Enter Notify Name: 4. Enter a Notify Name.
3. From the Configure SNMPv3 Notify Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Notify Table menu is shown in Figure 150.
Figure 150: Modify SNMPv3 Notify Table menu. Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status.
Modifying a Notify Type
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure. 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421. 2. From the Configure SNMPv3 Table menu, type 6 to select Configure SNMPv3 Notify Table.
Chapter 21: SNMPv3 1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421. 2. From the Configure SNMPv3 Table menu, type 6 to select Configure SNMPv3 Notify Table. The Configure SNMPv3 Notify Table menu is shown in Figure 149 on page 463. 3. From the Configure SNMPv3 Notify Table menu, type 3 to select Modify SNMPv3 Table Entry.
Configuring the SNMPv3 Target Address Table

This section contains a description of the SNMPv3 Target Address Table menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table menu to assign the IP address of the host to which notifications are sent. The Configure SNMPv3 Target Address Table menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter: a host receives the notifications of every Notify Table entry whose Notify Tag appears in the host's Tag List.

The Configure SNMPv3 Target Address Table menu is shown in Figure 151.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Configure SNMPv3 Target Address Table

    Target Addr Name ... host451           Timeout ..... 1500
    Target Parameters .. SNMPmanagerPC     Retries ..... 3
    IP Address ......... 198.35.11.1       UDP Port# ... 162
    Storage Type ....... NonVolatile       Row Status ..
    Tag List ...........

The following prompt is displayed:

    Enter Timeout (10mS): [0 to 2147483647]-> 1500

7. Enter a timeout value. As the prompt indicates, the unit is 10 ms (hundredths of a second, the unit of snmpTargetAddrTimeout in the standard SNMP-TARGET-MIB), so the default value of 1500 is 15 seconds, not 1.5 seconds. When an Inform message is generated, a response from the host is required. The timeout value determines how long the switch waits for that response before it treats the Inform message as unanswered and resends it; the number of resends is set by the Retries parameter. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647.

V - Volatile
    Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file. After making changes to an SNMPv3 Target Address Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu, and the entry is lost when the switch restarts.

N - NonVolatile
    Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file.

3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:

    Enter Target Address Name:

4. Enter a Target Address Name. The following prompt is displayed:

    Do you want to delete this table entry?(Y/N):[Yes/No]->

5. Enter Y to delete the SNMPv3 Target Address Table entry or N to keep the entry.

6. After making changes, type R until you return to the Main Menu.

The Configure SNMPv3 Target Address Table menu is shown in Figure 151 on page 470.

3. From the Configure SNMPv3 Target Address Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Address Table menu is shown in Figure 152.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Modify SNMPv3 Target Address Table

    Target Addr Name ...
    Target Parameters ..
    IP Address .........
    Storage Type .......
    Tag List ...........

Use the following format for an IP address: XXX.XXX.XXX.XXX

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Address UDP Port

To modify the Target Address UDP Port parameter in an SNMPv3 Target Address Table entry, perform the following procedure:

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Address Timeout

The Target Address Timeout parameter only applies when the message type is an Inform message. To modify the Target Address Timeout parameter in an SNMPv3 Target Address Table entry, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420.

This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 in units of 10 ms; the default value of 1500 corresponds to 15 seconds.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Address Retries

The Target Address Retries parameter only applies when the message type is an Inform message.

The range is 0 to 255 retries. The default is 3 retries.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Address Tag List

To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5.

6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Parameters Field

To modify the Target Parameters field in an SNMPv3 Target Address Table entry, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Storage Type

To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421.

2.

N - NonVolatile
    Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file. After making changes to an SNMPv3 Target Address entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.

7. After making changes, type R until you return to the Main Menu.
Configuring the SNMPv3 Target Parameters Table

This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table menu and the Configure SNMPv3 Target Address Table menu. Each Target Address Table entry names a Target Parameters Table entry in its Target Parameters field; that entry determines the SNMP version, security model, user and security level with which notifications to that host are sent.

Creating an SNMPv3 Target Parameters Table Entry

“Deleting an SNMPv3 Target Parameters Table Entry” on page 486
“Modifying an SNMPv3 Target Parameters Table Entry” on page 487

To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5.

Note
You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model. If you select the SNMPv3 protocol as the Security Model, the Message Processing Model is automatically assigned to SNMPv3.

The following prompt is displayed:

    Enter User (Security) Name:

5. Enter a User Name. The value of this parameter must have been configured previously with the Configure SNMPv3 User Table.

N-NoAuthNoPriv
    This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol. This security level provides the least security: notifications sent at this level can be read and forged by anyone on the network path.

Note
If you have selected SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only security level you can select.

A-AuthNoPriv
    This option represents authentication, but no privacy protocol.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 Target Parameters Table Entry

You may want to delete an entry from the SNMPv3 Target Parameters Table. When you delete an SNMPv3 Target Parameters Table entry, there is no way to undelete, or recover, the entry. To delete an entry in the SNMPv3 Target Parameters Table, perform the following procedure:

1.

Modifying an SNMPv3 Target Parameters Table Entry

This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables. For a more detailed explanation, see “Creating an SNMPv3 Target Parameters Table Entry” on page 483.

When you modify the Security Name parameter, you must use a value that you configured with the User Name parameter in the Configure SNMPv3 User Table menu. If you do not use a value configured with the User Name parameter, messages are not sent on behalf of this User Name. See “Creating an SNMPv3 User Table Entry” on page 420. To modify the Security Name parameter in an SNMPv3 Target Parameters Table entry, perform the following procedure.

1.

4. To change the Security Name parameter, type 1 to select Set Security Name. The following prompt is displayed:

    Enter Target Parameters Name:

5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:

    Enter User (Security) Name:

6. Enter a User Name. Enter a value that you previously configured with the Configure SNMPv3 User Table menu.

The Configure SNMPv3 Target Parameters Table menu is shown in Figure 153.

3. From the Configure SNMPv3 Target Parameters Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table menu is shown in Figure 154 on page 488.

4. To change the Security Model, type 2 to select Security Model. The following prompt is displayed:

    Enter Target Parameters Name:

5. Enter a previously configured Target Parameters Name.

5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 140 on page 421.

2. From the Configure SNMPv3 Table menu, type 8 to select Configure SNMPv3 Target Parameters Table. The Configure SNMPv3 Target Parameters Table menu is shown in Figure 153.

3. From the Configure SNMPv3 Target Parameters Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table menu is shown in Figure 154 on page 488.

4.

A-AuthNoPriv
    This option represents authentication, but no privacy protocol. Select this security level if you want to authenticate SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value only if you configured the Security Model parameter with the SNMPv3 protocol.

P-AuthPriv
    This option represents authentication and the privacy protocol. Select this security level to encrypt messages using a privacy protocol and authenticate SNMP entities. This is the level to use for notifications that leave a trusted management segment.

5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:

    Enter Message Processing Model[1-v1,2-v2c,3-v3]:

6. Select one of the following SNMP protocols that is used to process, or send, messages:

1-v1
    Select this value to process messages with the SNMPv1 protocol.

5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:

    Enter Storage Type [V-Volatile, N-NonVolatile]:

6. Select one of the following storage types for this table entry:

V - Volatile
    Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Parameters Table to the configuration file.
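The sections above repeat the same requirement: a notification is delivered only when the Notify, Target Address, Target Parameters and User tables refer to each other consistently, and the menus do not check this for you. The following script is an added example (not code from the AT-S63 guide or from Allied Telesyn) that models the four tables as plain dictionaries and reports the mismatches the guide warns about, together with the version and security-level rules stated in this chapter. The sample tables are constructed; the host451, SNMPmanagerPC and 198.35.11.1 values are the ones shown in Figure 151, the user name netmon and the legacyNMS entry are invented, and the two rules tagged STANDARD come from the SNMPv3 RFCs rather than from this guide.

```python
"""Cross-check SNMPv3 notification tables before saving the configuration.

Added example, not code from the AT-S63 guide or from Allied Telesyn. The
tables below are constructed; rules tagged STANDARD come from the SNMPv3 RFCs.
"""
import ipaddress

LEVELS = ("NoAuthNoPriv", "AuthNoPriv", "AuthPriv")


def user_max_level(user):
    """Highest security level a User Table entry can satisfy (STANDARD, USM):
    privacy requires authentication; a user with neither is NoAuthNoPriv only.
    Returns None for the invalid priv-without-auth combination."""
    if user.get("priv") and not user.get("auth"):
        return None
    if user.get("priv"):
        return "AuthPriv"
    return "AuthNoPriv" if user.get("auth") else "NoAuthNoPriv"


def check_notification_tables(users, notify, targets, params):
    """Return a list of (severity, entry_name, message) findings.

    users:   {name: {"auth": protocol or None, "priv": protocol or None}}
    notify:  {name: {"tag": str, "type": "trap"|"inform", "storage": str}}
    targets: {name: {"ip": str, "port": int, "params": str, "tags": [str],
                     "timeout": int (10 ms units), "retries": int, "storage": str}}
    params:  {name: {"mpm": "v1"|"v2c"|"v3", "model": "v1"|"v2c"|"v3",
                     "sec_name": str, "level": str, "storage": str}}
    """
    findings = []
    err = lambda entry, msg: findings.append(("error", entry, msg))
    warn = lambda entry, msg: findings.append(("warning", entry, msg))
    notify_tags = {n["tag"] for n in notify.values()}
    inform_tags = {n["tag"] for n in notify.values() if n["type"] == "inform"}

    for name, p in params.items():
        if p["level"] not in LEVELS:
            err(name, f"unknown security level {p['level']!r}")
            continue
        if p["model"] == "v3" and p["mpm"] != "v3":
            err(name, "Security Model SNMPv3 requires Message Processing Model v3")
        if p["model"] in ("v1", "v2c") and p["level"] != "NoAuthNoPriv":
            err(name, f"{p['model']} supports only NoAuthNoPriv, not {p['level']}")
        if p["model"] == "v3":
            user = users.get(p["sec_name"])
            if user is None:
                err(name, f"Security Name {p['sec_name']!r} is not in the User Table; nothing is sent on its behalf")
            elif user_max_level(user) is None:
                err(name, f"user {p['sec_name']!r} has a privacy protocol but no authentication protocol")
            elif LEVELS.index(p["level"]) > LEVELS.index(user_max_level(user)):
                err(name, f"level {p['level']} exceeds what user {p['sec_name']!r} can provide")
        elif p["sec_name"] in users:
            warn(name, "Security Name of a v1/v2c entry should be a community name, not an SNMPv3 User Name")
        if p["level"] == "NoAuthNoPriv":
            warn(name, "NoAuthNoPriv: notifications can be read and forged by anyone on the path")
        if p["storage"] == "Volatile":
            warn(name, "Volatile entry is not saved and disappears at the next restart")

    for name, t in targets.items():
        try:
            ipaddress.IPv4Address(t["ip"])
        except ValueError:
            err(name, f"IP Address {t['ip']!r} is not a valid XXX.XXX.XXX.XXX address")
        if not 1 <= t["port"] <= 65535:
            err(name, f"UDP port {t['port']} is out of range")
        if not 0 <= t["timeout"] <= 2147483647 or not 0 <= t["retries"] <= 255:
            err(name, "Timeout must be 0-2147483647 (10 ms units) and Retries 0-255")
        matched = [tag for tag in t["tags"] if tag in notify_tags]
        if not matched:
            err(name, "no Tag List entry matches a Notify Tag, so this host receives nothing")
        target_params = params.get(t["params"])
        if target_params is None:
            err(name, f"Target Parameters {t['params']!r} has no entry in the Target Parameters Table")
        elif target_params["model"] == "v1" and any(tag in inform_tags for tag in matched):
            err(name, "informs need SNMPv2c or SNMPv3; SNMPv1 has no Inform PDU (STANDARD)")
        if t["storage"] == "Volatile":
            warn(name, "Volatile entry is not saved and disappears at the next restart")

    for name, n in notify.items():
        if n["type"] not in ("trap", "inform"):
            err(name, f"Notify Type must be trap or inform, not {n['type']!r}")
        if not any(n["tag"] in t["tags"] for t in targets.values()):
            warn(name, f"Notify Tag {n['tag']!r} is in no Target Address Tag List, so nothing is sent")
    return findings


def inform_worst_case_wait(timeout_10ms, retries):
    """Seconds an unanswered inform stays pending: the first send plus `retries`
    resends, each waiting `timeout_10ms` hundredths of a second (defaults: 60 s)."""
    return (retries + 1) * timeout_10ms / 100


# Constructed sample: one correct SNMPv3 path (host451) and one broken legacy path (host452).
USERS = {"netmon": {"auth": "SHA", "priv": "DES"}}
NOTIFY = {"alerts": {"tag": "mgmt-hosts", "type": "inform", "storage": "NonVolatile"}}
PARAMS = {
    "SNMPmanagerPC": {"mpm": "v3", "model": "v3", "sec_name": "netmon", "level": "AuthPriv", "storage": "NonVolatile"},
    "legacyNMS": {"mpm": "v2c", "model": "v2c", "sec_name": "public", "level": "AuthNoPriv", "storage": "NonVolatile"},
}
TARGETS = {
    "host451": {"ip": "198.35.11.1", "port": 162, "params": "SNMPmanagerPC", "tags": ["mgmt-hosts"],
                "timeout": 1500, "retries": 3, "storage": "NonVolatile"},
    "host452": {"ip": "198.35.11.300", "port": 162, "params": "legacyNMS", "tags": ["mgmt-hosts"],
                "timeout": 1500, "retries": 3, "storage": "Volatile"},
}

if __name__ == "__main__":
    for severity, entry, message in check_notification_tables(USERS, NOTIFY, TARGETS, PARAMS):
        print(f"{severity:7} {entry}: {message}")
    print("worst-case inform wait with the defaults:", inform_worst_case_wait(1500, 3), "s")
```

Run as written, the script reports nothing for host451 and SNMPmanagerPC, an error for legacyNMS (SNMPv2c cannot use AuthNoPriv) and for host452 (malformed address), and a warning that host452 is Volatile. The timeout helper is there because the prompt's unit is 10 ms: with the defaults the switch keeps an unanswered inform alive for a full minute, which matters when you size the receiver's queue or judge whether a monitoring host is really down.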
Configuring the SNMPv3 Community Table

This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c communities using the SNMPv3 tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities.

    Security Name
    Transport Tag
    Storage Type

In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community menu in the Configure SNMPv3 Community Table menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table menu. There are three functions you can perform with the Configure SNMPv3 Community Table menu.

The Configure SNMPv3 Community Table menu is shown in Figure 155.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Configure SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................

The following prompt is displayed:

    Enter Security Name:

6. Enter the security name that represents the SNMPv1 or SNMPv2c community. This name must be unique. Enter a value of up to 32 alphanumeric characters.

Note
Do not use a value configured with the User Name parameter in the SNMPv3 User Table.

The following prompt is displayed:

    Enter Transport Tag:

7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.

Note
The Row Status parameter is a read-only field. The Active value indicates that the SNMPv3 Community Table entry takes effect immediately.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 Community Table Entry

You may want to delete an entry from the SNMPv3 Community Table.

Modifying an SNMPv3 Community Table Entry

For each entry in the SNMPv3 Community Table, you can modify the following parameters:

    Community Name
    Security Name
    Transport Tag
    Storage Type

However, you cannot modify the Community Index parameter. Although you can display the SNMPv1 and SNMPv2c configuration created with the procedures described in “Creating an SNMP Community String” on page 109, you cannot modify these Community Table entries with the SNMPv3 tables.

The Modify SNMPv3 Community Table menu is shown in Figure 156.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Modify SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................

Modifying the Security Name

To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 420. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is displayed as shown in Figure 140 on page 421.

2. From the Configure SNMPv3 Table menu, type 9 to select Configure SNMPv3 Community Table.

The Configure SNMPv3 Table menu is displayed as shown in Figure 140 on page 421.

2. From the Configure SNMPv3 Table menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table menu is shown in Figure 155 on page 497.

3. From the Configure SNMPv3 Community Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table menu is shown in Figure 156 on page 501.

4.

3. From the Configure SNMPv3 Community Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table menu is shown in Figure 156 on page 501.

4. To change the Storage Type, type 4 to select Set Storage Type. The following prompt is displayed:

    Enter Community Index:

5. Enter the Community Index of the entry whose Storage Type you want to change. The following prompt is displayed:

    Enter Storage type [V-volatile, N-NonVolatile]:

6.
Displaying SNMPv3 Table Menus

The procedures in this section describe how to display the SNMPv3 tables.

The Display SNMPv3 Table menu is shown in Figure 157.

1. Follow steps 1 through 5 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 505. Or, from the Main Menu type 5->1->1->8->6.

2. From the Display SNMPv3 Table menu, type 2 to select Display SNMPv3 View Table. The Display SNMPv3 View Table menu is shown in Figure 159.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Display SNMPv3 View Table

    View Name ...................
    Subtree OID .................
    Subtree Mask ................
    View Type ...................

The Display SNMPv3 Access Table menu is shown in Figure 160.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Display SNMPv3 Access Table

    Group Name ..... technicalsales
    Context Prefix .
    Read View ...... internet
    Write View .....
    Notify View ....
    Security Model .
    Security Level .
    Context Match ..
    Storage Type ...
    Row Status .....

The Display SNMPv3 SecurityToGroup Table menu is shown in Figure 161.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Display SNMPv3 SecurityToGroup Table

    Security Model ................
    Security Name .................
    Group Name ....................
    Storage Type ..................
    Row Status ....................

Displaying the Display SNMPv3 Target Address Table Menu

This section describes how to display the Display SNMPv3 Target Address Table menu. For information about the SNMPv3 Target Address Table parameters, see “Creating an SNMPv3 Target Address Table Entry” on page 469. To display the Display SNMPv3 Target Address Table menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 505.

The Display SNMPv3 Target Parameters Table menu is shown in the following figure.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Display SNMPv3 Target Parameters Table

    Target Parameters Name ...
    Message Processing Model .
    Security Model ...........
    Security Name ............
    Security Level ...........
    Storage Type .............
    Row Status ...............

The Display SNMPv3 Community Table menu is shown in Figure 165.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Display SNMPv3 Community Table

    Community Index ........ atiindex14
    Community Name ......... sunnyvale
    Security Name .......... hoa
    Transport Tag .......... sampletag14
    Storage Type ........... NonVolatile
    Row Status ............. Active

    U - Update Display
    R - Return to Previous Menu

    Enter your selection?

Figure 165. Display SNMPv3 Community Table Menu
Section V Spanning Tree Protocols The chapters in this section contain overview information on the different spanning tree protocols supported on the AT-9400 Series switch. The chapters also explain how to configure the spanning tree protocols from the menu interface of the AT-S63 management software.
Chapter 22 Spanning Tree and Rapid Spanning Tree Protocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.
STP and RSTP Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path.

Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network.

Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port. If redundant paths exist, the bridges that are a part of the paths must determine which path will be the primary, active path, and which path(s) will be placed in the standby, blocking mode.

Table 18 lists the RSTP port costs with Auto-Detect.

Table 18. RSTP Auto-Detect Port Costs

    Port Speed    Port Cost
    10 Mbps       2,000,000
    100 Mbps      200,000
    1000 Mbps     20,000

Table 19 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.

Table 19. RSTP Auto-Detect Port Trunk Costs

    Port Speed    Port Cost
    10 Mbps       20,000
    100 Mbps      20,000
    1000 Mbps     2,000

You can override Auto-Detect and set the port cost manually.
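The root bridge election and the choice between redundant paths described above are deterministic, so you can predict which port the switch will block before you cable it. The following script is an added example (not code from the AT-S63 guide or from Allied Telesyn) that elects the root from bridge priority and MAC address, computes every bridge's root path cost using the Auto-Detect costs of Tables 18 and 19, and reports which end of each link becomes the root, designated or alternate (blocking) port. The three-switch topology and its MAC addresses are constructed; the model assumes one link per pair of bridges, a connected topology and RSTP on every bridge.

```python
"""Root bridge election, root path cost and port roles under RSTP.

Added example; this is not code from the AT-S63 guide or from Allied Telesyn.
The topology at the bottom is constructed. The model assumes one link per pair
of bridges, a connected topology and RSTP on every bridge.
"""
import heapq

PORT_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}   # Table 18, keyed by Mbps
TRUNK_COST = {10: 20_000, 100: 20_000, 1000: 2_000}      # Table 19


def port_cost(speed_mbps, trunk=False):
    """Cost that Auto-Detect assigns to a port running at this speed."""
    table = TRUNK_COST if trunk else PORT_COST
    if speed_mbps not in table:
        raise ValueError(f"unsupported port speed: {speed_mbps} Mbps")
    return table[speed_mbps]


def bridge_id(priority, mac):
    """802.1D bridge identifier: the priority (a multiple of 4096) then the MAC.
    Lower wins, so a lower priority number beats a higher one and the lower MAC
    address breaks a tie between equal priorities."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError(f"priority must be a multiple of 4096 in 0..61440, got {priority}")
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges, links):
    """Dijkstra from the root; links are (bridge_a, bridge_b, speed_mbps, is_trunk).
    Returns (root, cost, upstream): upstream[name] is the neighbour reached through
    the root port (None for the root). Equal-cost paths are decided by the lower
    bridge ID of the upstream bridge, as 802.1D does."""
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for a, b, speed, trunk in links:
        c = port_cost(speed, trunk)
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost, upstream, heap = {root: 0}, {root: None}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue  # stale heap entry
        for v, c in adj[u]:
            nd = d + c
            if v not in cost or nd < cost[v] or (
                nd == cost[v] and bridge_id(*bridges[u]) < bridge_id(*bridges[upstream[v]])
            ):
                cost[v], upstream[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return root, cost, upstream


def port_roles(bridges, links):
    """Role of each end of every link: 'root', 'designated' or 'alternate'.
    The end whose root port is on the link is the root port and the far end is
    designated. On a link that carries no root port, the bridge with the lower
    (root path cost, bridge ID) is designated and the other end is an alternate
    port, which RSTP keeps discarding to break the loop."""
    root, cost, upstream = root_path_costs(bridges, links)
    roles = {}
    for a, b, _speed, _trunk in links:
        if upstream.get(a) == b:
            roles[(a, b)] = ("root", "designated")
        elif upstream.get(b) == a:
            roles[(a, b)] = ("designated", "root")
        else:
            key_a = (cost[a], bridge_id(*bridges[a]))
            key_b = (cost[b], bridge_id(*bridges[b]))
            roles[(a, b)] = ("designated", "alternate") if key_a < key_b else ("alternate", "designated")
    return root, cost, roles


# Constructed topology: SW-A is made root by priority; the others keep the default 32768.
# The direct SW-A to SW-C link is Fast Ethernet, so the two-hop gigabit path is cheaper.
BRIDGES = {
    "SW-A": (4096, "00:00:cd:00:00:01"),
    "SW-B": (32768, "00:00:cd:00:00:02"),
    "SW-C": (32768, "00:00:cd:00:00:03"),
}
LINKS = [
    ("SW-A", "SW-B", 1000, False),
    ("SW-B", "SW-C", 1000, False),
    ("SW-A", "SW-C", 100, False),
]

if __name__ == "__main__":
    root, cost, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for name in BRIDGES:
        print(f"  {name}: root path cost {cost[name]}")
    for (a, b), (role_a, role_b) in roles.items():
        print(f"  {a} <-> {b}: {a} port {role_a}, {b} port {role_b}")
```

With the constructed topology SW-C reaches the root at cost 40,000 through SW-B rather than 200,000 over its direct Fast Ethernet link, so SW-C's end of the SW-A to SW-C link becomes an alternate port and is blocked. Replacing that link with a gigabit port trunk (cost 2,000 from Table 19) flips the result: SW-C's direct link becomes its root port and the SW-B to SW-C link is blocked at SW-B instead, which is the effect of the trunk cost table worth keeping in mind when a trunk is added to an existing spanning tree.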
Table 20. Port Priority Value Increments (continued)

    Increment    Port Priority        Increment    Port Priority
    5            80                   13           208
    6            96                   14           224
    7            112                  15           240

The port priority is the increment multiplied by 16.

Forwarding Delay and Topology Changes

If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports.

brought online, it issues a BPDU in order to determine whether a root bridge has already been selected on the network, and if not, whether it has the lowest bridge priority number of all the bridges and should therefore become the root bridge. The root bridge periodically transmits a BPDU to determine whether there have been any changes to the network topology and to inform other bridges of topology changes.

A port that is not connected to any further bridges participating in STP or RSTP is an edge port, even when it operates in half-duplex mode and is therefore not a point-to-point port. Figure 167 illustrates an edge port on an AT-9400 switch. The port is connected to an Ethernet hub, which in turn is connected to a series of Ethernet workstations.

Mixed STP and RSTP Networks

RSTP (IEEE 802.1w) is backward compatible with STP (IEEE 802.1D). Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain; an RSTP port that receives STP BPDUs falls back to STP-compatible behaviour on that link. If you decide to activate spanning tree on the switch, there is no reason not to activate RSTP on an AT-9400 Series switch even when all other switches are running STP.

You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports. (For information on tagged and untagged ports, refer to Chapter 24, “Port-based and Tagged VLANs” on page 587.)
Enabling or Disabling a Spanning Tree Protocol

The AT-S63 management software supports STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. Before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.

4. If you selected STP as the active spanning tree protocol, go to “Configuring STP” on page 527 for further instructions. If you selected RSTP, go to “Configuring RSTP” on page 534. Multiple Spanning Tree Protocol (MSTP) is described in Chapter 23, “Multiple Spanning Tree Protocol” on page 543.

Note
After you have configured the spanning tree parameters, perform steps 5 through 7 to enable spanning tree.

5.

Configuring STP

This section contains the following procedures:

“Configuring STP Bridge Settings”, next
“Configuring STP Port Settings” on page 530
“Displaying STP Port Settings” on page 531
“Resetting STP to the Default Settings” on page 533

Configuring STP Bridge Settings

This section contains the procedure for configuring a bridge’s STP settings.

Caution
The default STP parameters are adequate for most networks.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The STP menu is shown in Figure 171.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    STP Menu

    1 - Bridge Priority .....
    2 - Bridge Hello Time ...
    3 - Bridge Forwarding ...
    4 - Bridge Max Age ......
    5 - Bridge Identifier ...
    6 - Root Bridge .........
    7 - Root Priority .......
    8 - Root Path Cost ......

3 - Bridge Forwarding
    The waiting period in seconds before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, resulting in network loops. The range is 4 to 30 seconds. The default is 15 seconds.

4 - Bridge Max Age
    The length of time after which stored bridge protocol data units (BPDUs) are deleted by the bridge.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

5. To change STP port settings, go to the next procedure.

Configuring STP Port Settings

To adjust STP port parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.

2.

The Configure STP Port Settings menu is shown in Figure 173.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    Configure STP Port Settings

    Configuring Ports 4-6

    1 - Port Priority ..... 128
    2 - Port Cost ......... Automatic-Update

    R - Return to Previous Menu

    Enter your selection?

Figure 173. Configure STP Port Settings Menu

7. Adjust the following parameters as needed.

The STP Port Parameters menu is shown in Figure 172 on page 530.

4. From the STP Port Parameters menu, type 2 to select Display STP Port Configuration. The Display STP Port Configuration menu is shown in Figure 174.

Resetting STP to the Default Settings

To reset STP to the default settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The STP menu is shown in Figure 171 on page 528.

3. From the STP menu, type D to select Reset STP to Defaults.
Configuring RSTP

This section contains the following procedures:

“Configuring RSTP Bridge Settings”, next
“Configuring RSTP Port Settings” on page 537
“Displaying the RSTP Port Configuration” on page 539
“Displaying the RSTP Port State” on page 541
“Resetting RSTP to the Default Settings” on page 542

Configuring RSTP Bridge Settings

This section contains the procedure for configuring a bridge’s RSTP settings.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The RSTP menu is shown in Figure 175.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing    User: Manager    11:20:02 02-Mar-2005

    RSTP Menu

    1 - Force Version ..........
    2 - Bridge Priority ........
    3 - Bridge Hello Time ......
    4 - Bridge Forwarding ......
    5 - Bridge Max Age .........
    6 - Bridge Identifier ......
    7 - Root Bridge ............
    8 - Root Priority ..........
    9 - Root Path Cost .........

The priority is set in increments of 4096, with 0 being the highest priority. For a list of the increments, refer to Table 15, “Bridge Priority Value Increments” on page 517.

3 - Bridge Hello Time
    The time interval between generating and sending configuration messages by the bridge. This parameter can be from 1 to 10 seconds. The default is 2 seconds.

9 - Root Path Cost
    The cost of the path from the current switch to the root switch of the spanning tree domain. If the current switch is the root switch, the root path cost is 0. This value cannot be changed and is only displayed when RSTP is activated on the switch.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
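The STP and RSTP menus accept Hello Time, Bridge Forwarding and Bridge Max Age independently, but the three values only work together when they satisfy two relationships that the menus do not enforce. The following check is an added example (not code from the AT-S63 guide or from Allied Telesyn): the per-parameter ranges for Hello Time and Bridge Forwarding are the ones the menus list, while the Max Age range of 6 to 40 seconds and the two inequalities come from IEEE 802.1D and are assumptions about this switch. Because every bridge in the domain adopts the root bridge's timers, run the check against the values you intend to set on the root.

```python
"""Sanity-check STP/RSTP bridge timers before applying them.

Added example, not code from the AT-S63 guide. Hello Time 1-10 s and Bridge
Forwarding 4-30 s are the ranges the menus list; the Max Age range 6-40 s and
the two relationships between the timers are the IEEE 802.1D constraints and
are assumed to apply to this switch.
"""

DEFAULT_TIMERS = (2, 15, 20)  # hello, forwarding delay, max age (seconds)


def check_bridge_timers(hello, forward_delay, max_age):
    """Return a list of problems; an empty list means the combination is safe."""
    problems = []
    if not 1 <= hello <= 10:
        problems.append(f"Bridge Hello Time {hello} s is outside 1-10 s")
    if not 4 <= forward_delay <= 30:
        problems.append(f"Bridge Forwarding {forward_delay} s is outside 4-30 s")
    if not 6 <= max_age <= 40:
        problems.append(f"Bridge Max Age {max_age} s is outside 6-40 s")
    # 802.1D: a BPDU must be able to refresh the far end of the tree before the
    # stored information ages out ...
    if max_age < 2 * (hello + 1):
        problems.append(f"Max Age {max_age} s is below 2 x (Hello Time + 1) = {2 * (hello + 1)} s")
    # ... and a port must not reach forwarding while stale information can still
    # be alive somewhere in the domain, or a transient loop forms.
    if max_age > 2 * (forward_delay - 1):
        problems.append(f"Max Age {max_age} s exceeds 2 x (Forwarding Delay - 1) = {2 * (forward_delay - 1)} s")
    return problems


if __name__ == "__main__":
    for timers in (DEFAULT_TIMERS, (2, 4, 20), (10, 15, 20)):
        print(timers, check_bridge_timers(*timers) or "ok")
```

The defaults (2, 15, 20) pass. Shortening Bridge Forwarding to its minimum of 4 seconds while leaving Max Age at 20 is rejected, as is raising Hello Time to 10 seconds without raising Max Age, which are the two mistakes most often made when "tuning" convergence time.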
The following prompt is displayed:

    Ending Port to Configure [1 to 24] ->

7. To configure just one port, enter the same port number here as you entered in the previous step. To configure a range of ports, enter the last port of the range. The Configure RSTP Port Settings menu is shown in Figure 177.

4 - Edge Port
    This parameter defines whether the port is functioning as an edge port. The possible settings are Yes and No. For an explanation of this parameter, refer to “Point-to-Point and Edge Ports” on page 521.

C - Check Migration To RSTP on Selected Ports (MCHECK)
    The MCHECK parameter is displayed only when RSTP is enabled. A port that has received STP BPDUs stays in STP-compatible mode and keeps sending STP BPDUs even after the STP bridge has been removed from the link; this selection resets the protocol migration state of the selected ports so that they send RSTP BPDUs again.

The Display RSTP Port Configuration menu is shown in Figure 178.

Displaying the RSTP Port State

To display the RSTP port state, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The RSTP menu is shown in Figure 175 on page 535.

3. From the RSTP menu, type P to select RSTP Port Parameters.

The possible states for a port connected to a device running STP are Listening, Learning, Forwarding, and Blocking. A port that is not in use, or on which spanning tree is not activated, has the state Disabled.

Role
    The RSTP role of the port. Possible roles are:

    Root - The port that is connected to the root switch, directly or through other switches, with the least path cost.
Chapter 23
Multiple Spanning Tree Protocol
This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP) and contains procedures on how to adjust spanning tree bridge and port parameters.
MSTP Overview
As mentioned in Chapter 22, “Spanning Tree and Rapid Spanning Tree Protocols” on page 515, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Multiple Spanning Tree Instance (MSTI)
The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Series switches, and an AT-9400 Series switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default MSTI with an MSTI ID of 0.
Figure 181 illustrates the same two AT-9400 Series switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 182, where there are two AT-9400 Series switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines
Following are several guidelines to keep in mind about MSTIs:
An AT-9400 Series switch can support up to 16 spanning tree instances, including the CIST.
An MSTI can contain any number of VLANs.
A VLAN can belong to only one MSTI at a time.
A switch port can belong to more than one spanning tree instance at a time. This allows you to assign a port as an untagged and tagged member of VLANs that belong to different MSTIs.
internal path cost, a port can have a different priority value for each of its MSTIs.
Multiple Spanning Tree Regions
Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are:
Configuration name
Revision number
VLANs
VLAN to MSTI ID associations
A configuration name is a name you assign to a region to help you identify it.
Figure 183 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Series switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must have a root bridge to locate physical loops within the spanning tree instance. An MSTI’s root bridge is called a regional root.
Common and Internal Spanning Tree (CIST)
MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. Firstly, you cannot delete this instance and you cannot change its MSTI ID.
An MSTP region can be considered as a virtual bridge. The implication is that other MSTP regions and STP and RSTP single-instance spanning trees cannot discern the topology or constitution of an MSTP region. The only bridge they are aware of is the regional root of the CIST instance.
Summary of Guidelines
Careful planning is essential for the successful implementation of MSTP.
Note
The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.
Associating VLANs to MSTIs
Allied Telesyn recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state.
belongs only to CIST with its MSTI ID 0.
exists between the regions, and Switch B would block a port.
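The region definition and the VLAN-assignment guideline above, as an added Python example that is not code from the guide or from Allied Telesyn: it compares two switches' configuration name, revision level and VLAN-to-MSTI table the way MSTP bridges do, as the IEEE 802.1s HMAC-MD5 configuration digest (the key comes from the standard, not from this guide), and lists the VLANs a switch still has only in the CIST. The switch names and VLAN layouts are constructed sample data.

```python
"""Added example (not from the AT-S63 guide): decide whether two switches'
MSTP settings put them in the same region, and flag VLANs left in the CIST.

A region requires an identical configuration name, revision level and
VLAN-to-MSTI association. Bridges exchange the association table as an
HMAC-MD5 digest (IEEE 802.1s); unassigned VIDs count as CIST (MSTI ID 0).
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: fixed key specified by IEEE 802.1s for the MST Configuration
# Digest. It is taken from the standard, not from this guide.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST_ID = 0          # the default instance, MSTI ID 0
MAX_MSTI_ID = 15     # MSTI IDs on the AT-9400 Series range from 1 to 15
MAX_INSTANCES = 16   # 15 MSTIs plus the CIST
MAX_VID = 4094


@dataclass
class MstpConfig:
    name: str                   # Configuration Name (case sensitive)
    revision: int               # Revision Level, 0 to 255
    vlan_to_msti: dict = field(default_factory=dict)  # VID -> MSTI ID

    def associate(self, msti_id: int, vids) -> None:
        """Associate VLANs with an MSTI (the VLAN-MSTI Association menu).
        A VLAN belongs to one MSTI at a time, so re-associating moves it."""
        if not 1 <= msti_id <= MAX_MSTI_ID:
            raise ValueError(f"MSTI ID {msti_id} outside 1..{MAX_MSTI_ID}")
        for vid in vids:
            if not 1 <= vid <= MAX_VID:
                raise ValueError(f"VID {vid} outside 1..{MAX_VID}")
            self.vlan_to_msti[vid] = msti_id
        if self.instance_count() > MAX_INSTANCES:
            raise ValueError("more than 16 instances including the CIST")

    def instance_count(self) -> int:
        """Number of spanning tree instances in use, including the CIST."""
        return len(set(self.vlan_to_msti.values()) | {CIST_ID})

    def digest(self) -> bytes:
        """IEEE 802.1s MST Configuration Digest: HMAC-MD5 over a table of
        4096 two-octet MSTI IDs indexed by VID 0..4095."""
        table = bytearray(4096 * 2)
        for vid, msti in self.vlan_to_msti.items():
            table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
        return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()

    def identifier(self) -> tuple:
        """The three values every bridge in a region must share."""
        return (self.name, self.revision, self.digest())


def same_region(a: MstpConfig, b: MstpConfig) -> bool:
    """True when both switches would treat each other as in-region."""
    return a.identifier() == b.identifier()


def vlans_left_in_cist(cfg: MstpConfig, configured_vids) -> list:
    """VLANs on the switch that belong only to the CIST. The guide recommends
    that every VLAN, including the Default_VLAN (VID 1), be put in an MSTI."""
    return sorted(v for v in configured_vids
                  if cfg.vlan_to_msti.get(v, CIST_ID) == CIST_ID)


if __name__ == "__main__":
    # Constructed sample: two switches meant to form one region.
    switch_a = MstpConfig("Sales Region", 1)
    switch_a.associate(1, [2, 3])
    switch_a.associate(2, [4, 5])
    switch_b = MstpConfig("Sales Region", 1)
    switch_b.associate(1, [2, 3])
    switch_b.associate(2, [4, 5])
    print("same region:", same_region(switch_a, switch_b))
    print("still in CIST only:", vlans_left_in_cist(switch_a, {1, 2, 3, 4, 5}))
```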
Selecting MSTP as the Active Spanning Tree Protocol
To select and activate MSTP as the active spanning tree protocol on the switch, or to disable spanning tree, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. To change the active version of spanning tree on the switch, type 2 to select Active Protocol Version.
Configuring MSTP Bridge Settings
To configure a bridge’s MSTP settings, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187.
3. Configure the following parameters as necessary.
1 - Force Version
This selection determines whether the bridge operates with MSTP or in an STP-compatible mode. If you select MSTP, the bridge operates all ports in MSTP, except for those ports that receive STP or RSTP BPDU packets. If you select Force STP Compatible, the bridge uses its MSTP parameter settings, but sends only STP BPDU packets from the ports.
BPDU is deleted. The counter is reset to its original value if a BPDU crosses an MSTP regional boundary.
6 - Configuration Name
The name of the MSTP region. The range is 0 (zero) to 32 alphanumeric characters in length. The name, which is case sensitive, must be the same on all bridges in a region. Examples include Sales Region and Production Region.
7 - Revision Level
The revision level of an MSTP region. The range is 0 (zero) to 255.
Configuring the CIST Priority
This procedure explains how to adjust the bridge’s CIST priority. To change the CIST priority, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187 on page 558.
3.
The following prompt is displayed:
Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->
5. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 20, “Port Priority Value Increments” on page 519.
6. After making changes, type R until you return to the Main Menu.
Displaying the CIST Priority
To display the CIST priority, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187 on page 558.
3. From the MSTP menu, type M to select MSTI menu.
Path Cost
Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.
Associated VLANs
Specifies the VIDs of the VLANs that have been associated with the MSTI ID. The table does not include the CIST. The table is empty if no MSTI IDs have been created.
Creating, Deleting, and Modifying MSTI IDs
The following sections contain procedures for working with MSTI IDs:
“Creating an MSTI ID,” next
“Deleting an MSTI ID” on page 566
“Modifying an MSTI ID” on page 566
Creating an MSTI ID
To create an MSTI ID, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an MSTI ID
To delete an MSTI ID, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol.
The following prompt is displayed:
Enter the MSTI ID to be modified: [1 to 15] ->
5. Enter the MSTI ID that you want to modify. The range is 1 to 15. You can specify only one MSTI ID at a time. The following prompt is displayed:
Enter new priority [the value will be multiplied by 4096] [0 to 15] -> 8
6. Enter a new MSTI priority number for this MSTI on the bridge. This parameter is used in selecting a regional root for the MSTI.
Adding, Removing, and Modifying VLAN Associations to MSTI IDs
When you create a new MSTI ID, you are given the opportunity of associating VLANs to it. But after an MSTI ID is created, you may want to add more VLANs to it, or perhaps remove VLANs. This procedure explains how to associate VLANs on the switch to an existing MSTI ID and also how to remove VLANs.
The VLAN-MSTI Association menu is shown in Figure 190.
4. From the MSTP menu, type V to select VLAN-MSTI Association menu. The VLAN-MSTI Association menu is shown in Figure 190 on page 569.
5. From the VLAN-MSTI Association menu, type 1 to select Add VLANs to MSTI. The following prompt is displayed:
Enter the MSTI ID [0 to 15] ->
6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:
Enter the list of VLANs:
7.
The following prompt is displayed:
Enter the MSTI ID [0 to 15] ->
6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:
Enter the list of VLANs:
7. Enter the VLAN ID of the virtual LAN that you want to remove from the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to “Displaying VLANs” on page 611.
8. Enter the VLAN ID of the virtual LAN that you want to associate with the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). (To view VIDs, refer to “Displaying VLANs” on page 611.) The VLANs already associated with the MSTI ID are removed when the new VLANs are added. The removed VLANs are returned to CIST.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring MSTP Port Settings
As explained in “Ports in Multiple MSTIs” on page 548, MSTP port settings are divided into two groups. The parameters in the first group are set just once on a port, regardless of the number of MSTIs in which a port is a member.
The MSTP Port Parameters menu is shown in Figure 191.
Allied Telesyn AT-9424T/SP - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005
MSTP Port Parameters
1 - Configure Generic Port Settings
2 - Configure Per Spanning Tree Port Settings
3 - Display MSTP Port Configuration
4 - Display MSTP Port State
R - Return to Previous Menu
Enter your selection?
Figure 191. MSTP Port Parameters Menu
4.
7. Adjust the following parameters as necessary:
1 - Port External Path Cost
The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP. The range is 0 to 200,000,000. The default setting is Auto, which sets port cost depending on the speed of the port. Table 21 lists the MSTP port costs with the Auto setting when the port is not a member of a trunk.
Configuring MSTI-specific Port Parameters
This procedure explains how to set a port’s priority and internal path cost. These parameters can be set independently on a port for each MSTI in which a port is a member. To configure the parameters, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2.
The Configure Per Spanning Tree Port Settings menu is shown in Figure 193.
Allied Telesyn AT-9424T/SP - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005
Configure Per Spanning Tree Port Settings
Spanning Tree List: 4
Configuring Ports: 7-7
1 - Port Priority ............... 128
2 - Port Internal Path Cost ..... Auto Update
R - Return to Previous Menu
Enter your selection?
Figure 193.
Table 24 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
Table 24. RSTP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying the MSTP Port Configuration
To display the MSTP port configuration, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187 on page 558.
3. From the MSTP menu, type P to select MSTP Port Parameters.
The Display MSTP Port Configuration menu displays a table that contains the following columns of information:
Port
The port number.
Edge-Port
Whether or not the port is functioning as an edge port. The possible settings are Yes and No.
Point-to-Point
Whether or not the port is functioning as a point-to-point port. The possible settings are Yes, No, and Auto-Detect.
Displaying the MSTP Port State
To display the MSTP port state, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187 on page 558.
3. From the MSTP menu, type P to select MSTP Port Parameters.
The Display MSTP Port State menu is shown in Figure 195.
Backup - The port on a designated switch that provides a backup for the path provided by the designated port.
Designated - The port on the designated switch for a LAN that has the least cost path to the root switch. This port connects the LAN to the root switch.
Master - Similar to the root port. When the port is a boundary port, the MSTI port roles follow the CIST port roles. The MSTI port role is called “master” when the CIST role is “root.”
Resetting MSTP to the Defaults
To reset MSTP to the defaults, perform the following procedure:
1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 170 on page 525.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 187 on page 558.
3. From the MSTP menu, type D to select Reset MSTP to Defaults.
Section VI
Virtual LANs
The chapters in this section contain overview information on the different types of virtual LANs supported by the AT-9400 Series switch. The chapters also explain how to configure these features from the menu interface of the AT-S63 management software.
Chapter 24
Port-based and Tagged VLANs
This chapter contains basic information about virtual LANs (VLANs) and procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.
VLAN Overview
A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 management software and so be able to group nodes with related functions into their own separate, logical LAN segments.
management software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview
As explained in “VLAN Overview” on page 588, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
For example, if you had a port-based VLAN titled Marketing that spanned three AT-9400 Series switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 management software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
Guidelines to Creating a Port-based VLAN
Below are the guidelines to creating a port-based VLAN.
Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
A port can be an untagged member of only one port-based VLAN at a time.
Drawbacks of Port-based VLANs
Port-based Example 1
Figure 196 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)
[Figure 196: an AT-9424T/SP Gigabit Ethernet Switch (ports 1 to 24) with the Sales VLAN (VID 2), Engineering VLAN (VID 3), and Production VLAN (VID 4), connected to a WAN router]
Figure 196.
In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.
Port-based Example 2
Figure 197 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT-9400 Series Gigabit Ethernet switches.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:
Switch                        Sales VLAN (VID 2)          Engineering VLAN (VID 3)        Production VLAN (VID 4)
AT-9424T/SP Switch (top)      Ports 1 - 6 (PVID 2)        Ports 9 - 13 (PVID 3)           Ports 17, 19 - 21 (PVID 4)
AT-9424T/GB Switch (bottom)   Ports 2 - 4, 6, 8 (PVID 2)  Ports 16, 18 - 20, 22 (PVID 3)  none
Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview
The second type of VLAN supported by the AT-S63 management software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
Note
For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 590 and “VLAN Identifier” on page 590.
Tagged and Untagged Ports
You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
Port VLAN Identifier
Tagged VLAN Example
Figure 198 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.
[Figure 198: an AT-9424T/SP Gigabit Ethernet Switch (ports 1 to 24) with the Sales VLAN (VID 2), Engineering VLAN (VID 3), Production VLAN (VID 4), a Legacy Server, and IEEE 802.1Q-based devices]
The port assignments for the VLANs are as follows:
Switch                        Sales VLAN (VID 2)                 Engineering VLAN (VID 3)              Production VLAN (VID 4)
                              Untagged Ports       Tagged Ports  Untagged Ports          Tagged Ports  Untagged Ports         Tagged Ports
AT-9424T/SP Switch (top)      1, 3 to 5 (PVID 2)   2, 10         9, 11 to 13 (PVID 3)    2, 10         17, 19 to 21 (PVID 4)  2
AT-9424T/GB Switch (bottom)   2, 4, 6, 8 (PVID 2)  9             16, 18, 20, 22 (PVID 3) 9             none                   none
This example is nearly identical to the
Creating a Port-based or Tagged VLAN
To create a port-based or tagged VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199.
Allied Telesyn AT-9424T/SP - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005
VLAN Configuration
1 - Ingress Filtering Status ........ Disabled
2 - VLANs Mode ......................
3 - Configure VLANs
4 - Show VLANs
5 - Show PVIDs
6 -
The Configure VLANs menu is shown in Figure 200.
Allied Telesyn AT-9424T/SP - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005
Configure VLANs
1 - Create VLAN
2 - Modify VLAN
3 - Delete VLAN
4 - Reset to Default VLAN
R - Return to Previous Menu
Enter your selection?
Figure 200. Configure VLANs Menu
3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 201.
contain spaces or special characters, such as asterisks (*) or exclamation points (!). If the VLAN will be unique in your network, then the name should be unique as well. If the VLAN will be part of a larger VLAN that spans multiple switches, then the name for the VLAN should be the same on each switch where nodes of the VLAN are connected.
Note
A VLAN must be assigned a name.
6. Type 2 to select VLAN ID (VID).
Note
The MAC Based setting for option 3 is used to create MAC address-based VLANs. For instructions, refer to Chapter 28, “MAC Address-based VLANs” on page 673.
9. If the VLAN will contain tagged ports, type 4 to select Tagged Ports and specify the ports. If this VLAN will not contain any tagged ports, leave this field empty. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9).
10.
Note
Untagged ports of a new VLAN are automatically removed from their current untagged VLAN assignment. For example, if you are creating a new VLAN on a switch that contains only the Default_VLAN, the untagged ports of the new VLAN are automatically removed from the Default_VLAN.
Note
Tagged ports are not removed from any current VLAN assignments because tagged ports can belong to more than one VLAN at a time.
Example of Creating a Port-based VLAN
The following procedure creates the Sales VLAN illustrated in “Port-based Example 1” on page 593. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, ports 1, 3 to 5. The VLAN will not contain any tagged ports. To create the Sales VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration.
Example of Creating a Tagged VLAN
The following procedure creates the Engineering VLAN in the top switch illustrated in “Tagged VLAN Example” on page 598. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, ports 9, 11 to 13, and two tagged ports, ports 2 and 10. To create the example Engineering VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration.
Modifying a Port-based or Tagged VLAN
Note
To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 611.
To modify a VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 3 to select Configure VLANs. The Configure VLANs menu is shown in Figure 200 on page 601.
5. Enter the VID of the port-based or tagged VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 203.
Allied Telesyn AT-9424T/SP - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005
Modify VLAN
1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - VLAN Type ..............
4 - Tagged Ports ...........
5 - Untagged Ports .........
6 - Protected Ports ........
4 - Tagged Ports
Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). When you add or remove tagged ports, observe the following guidelines:
The new list of tagged ports will replace the existing tagged ports.
If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.
If you added to or removed from the VLAN a port with one or more static MAC addresses assigned to it, you must update the static addresses by deleting their entries from the MAC address table and re-entering them using the VID of the VLAN to which the port has been moved. For information on how to add static MAC addresses, refer to “Adding Static Unicast and Multicast MAC Addresses” on page 150.
Displaying VLANs
To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 4 to select Show VLANs. The Show VLANs menu is shown in Figure 204.
VLAN Name
Name of the VLAN.
VLAN Type
The VLAN type. The possible settings are:
Port Based - The VLAN is a port-based or tagged VLAN.
MAC Based - The VLAN is a MAC address-based VLAN.
Protected - The VLAN is a protected ports VLAN.
GARP - The VLAN was automatically created by GARP.
Protocol
The protocol associated with this VLAN. The possible settings are:
Blank - The VLAN is a port-based, tagged, or MAC address-based VLAN.
Deleting a Port-based or Tagged VLAN
This procedure deletes port-based and tagged VLANs from the switch. Note the following before performing this procedure:
You cannot delete the Default_VLAN.
You cannot delete a VLAN if it has a routing interface. The interface must be deleted first. For instructions, refer to “Deleting a Routing Interface” on page 702.
4. From the Delete VLAN menu, type 1 to select VLAN ID (VID). The following prompt is displayed:
Enter new value -> [2 to 4094] ->
5. Enter the VID of the VLAN you want to delete. You can specify only one VID at a time.
Note
You cannot delete the Default_VLAN, which has a VID of 1.
The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 206. You can use this menu to confirm that you are deleting the correct VLAN.
8. Press any key.
9. Repeat this procedure starting with Step 4 to delete other VLANs.
10. To permanently save your changes, return to the Main Menu and type S to select Save Configuration Changes.
Deleting All VLANs
The following procedure deletes all port-based, tagged, protected ports, and MAC address-based VLANs on a switch. To delete selected VLANs, perform the procedure in “Deleting a Port-based or Tagged VLAN” on page 613. Note the following before performing this procedure:
You cannot delete the Default_VLAN.
You cannot delete a VLAN if it has a routing interface. The interface must be deleted first.
Any static addresses assigned to the ports of the VLANs are now obsolete, except for the Default_VLAN, because the VLANs have been deleted. Those addresses should be deleted from the MAC address table. For instructions on how to delete addresses, refer to “Deleting All Dynamic MAC Addresses” on page 153.
5. Press any key.
6. To permanently save your changes, return to the Main Menu and type S to select Save Configuration Changes.
Displaying PVIDs
The following procedure displays a menu that lists the PVIDs for all the ports on the switch. To display the PVID settings on the switch, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 5 to select Show PVIDs. The Show PVIDs menu is shown in Figure 207.
Enabling or Disabling Ingress Filtering
There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules. There are many ingress and egress rules for Gigabit Ethernet switches.
In most cases, you will probably want to leave ingress filtering activated on the switch, which is the default.
You can enable or disable ingress filtering on a per-switch basis. You cannot set this per port.
To enable or disable ingress filtering, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2.
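To make the effect of the switch-wide ingress filtering setting visible, here is an added example (not code from this guide or from Allied Telesyn) that models the 802.1Q ingress rules (PVID classification, then ingress filtering) and egress rules (forward only to member ports, tagging or stripping as configured); the port numbers, VIDs and frames are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VID given to untagged frames received here
    untagged: Set[int] = field(default_factory=set)  # VLANs this port egresses untagged
    tagged: Set[int] = field(default_factory=set)    # VLANs this port egresses tagged

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


@dataclass
class Frame:
    vid: Optional[int] = None   # None models an untagged frame


class Switch:
    """Ingress filtering is a switch-wide setting, as in the text; it cannot be set per port."""

    def __init__(self, ports: Dict[int, Port], ingress_filtering: bool = True):
        self.ports = ports
        self.ingress_filtering = ingress_filtering

    def classify(self, in_port: int, frame: Frame) -> Optional[int]:
        """Ingress rules: assign a VID to the frame, then apply ingress filtering.
        Returns the VID, or None when the frame is discarded."""
        port = self.ports[in_port]
        vid = frame.vid if frame.vid is not None else port.pvid
        if self.ingress_filtering and not port.member_of(vid):
            return None   # the receiving port is not a member of the frame's VLAN
        return vid

    def forward(self, in_port: int, frame: Frame) -> Dict[int, str]:
        """Egress rules: forward only to member ports of the VLAN, tagging the frame on
        tagged ports and stripping the tag on untagged ports. Returns {port: 'tagged'|'untagged'}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        out: Dict[int, str] = {}
        for num, port in self.ports.items():
            if num == in_port:
                continue
            if vid in port.tagged:
                out[num] = "tagged"
            elif vid in port.untagged:
                out[num] = "untagged"
        return out


def build_switch(ingress_filtering: bool = True) -> Switch:
    """Constructed sample: two access ports in separate VLANs plus one trunk port."""
    return Switch({
        1: Port(pvid=10, untagged={10}),
        2: Port(pvid=20, untagged={20}),
        3: Port(pvid=1, untagged={1}, tagged={10, 20}),
    }, ingress_filtering)


if __name__ == "__main__":
    for setting in (True, False):
        sw = build_switch(setting)
        # A host on port 1 (VLAN 10) sends a frame it has tagged itself with VID 20.
        print("ingress filtering", setting, "->", sw.forward(1, Frame(vid=20)))
```

With ingress filtering enabled the self-tagged frame is discarded at port 1; with it disabled the frame reaches VLAN 20, which is why the default setting is the safe one.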
Chapter 25
GARP VLAN Registration Protocol
This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections:
- “GARP VLAN Registration Protocol (GVRP) Overview” on page 622
- “Configuring GVRP” on page 630
- “Enabling or Disabling GVRP on a Port” on page 632
- “Converting a Dynamic GVRP VLAN” on page 634
- “Displaying the GVRP Port Configuration” on page 635
- “Displaying GVRP Counters” on page 636
- “Displaying the GVRP Database
Section VI: Virtual LANs
Chapter 25: GARP VLAN Registration Protocol
GARP VLAN Registration Protocol (GVRP) Overview
The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Figure 208 provides an example of how GVRP works.
as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.
5. Switch #3 sends a PDU out port 4 to switch #2.
6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. There is now a communications path for the end nodes of the Sales VLAN on switches #1 and #3.
GVRP and Network Security
PDUs are transmitted only to those switch ports where GVRP is enabled.
GVRP should be used with caution because it can expose your network to unauthorized access. A network intruder can gain access to restricted parts of the network by connecting to a switch port running GVRP and transmitting a bogus GVRP PDU containing the VIDs of restricted VLANs.
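From the monitoring side, the risk described above can be checked for: the following added example (not code from this guide or from Allied Telesyn) decodes a captured GVRP PDU according to the IEEE 802.1D GARP PDU encoding and flags Join declarations for VIDs that a port has no business registering; the sample PDU, the port numbers and the per-port allow list are constructed for illustration.

```python
import struct
from typing import Dict, List, Set, Tuple

# GARP attribute event codes (IEEE 802.1D); the names match the GVRP Counters menu.
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn", 3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
GVRP_ATTR_VID = 0x01              # the only attribute type GVRP defines
GARP_PROTOCOL_ID = 0x0001
LLC_HEADER = b"\x42\x42\x03"      # DSAP 0x42, SSAP 0x42, UI control field


class GarpPduError(ValueError):
    """Raised for a PDU that does not follow the GARP encoding."""


def parse_gvrp_pdu(data: bytes) -> List[Tuple[str, int]]:
    """Decode one GVRP PDU (bytes starting at the LLC header) into (event, VID) pairs.
    LeaveAll carries no VID and is reported with VID -1."""
    if not data.startswith(LLC_HEADER):
        raise GarpPduError("not a GARP LLC frame")
    pos = len(LLC_HEADER)
    if len(data) < pos + 2 or struct.unpack_from("!H", data, pos)[0] != GARP_PROTOCOL_ID:
        raise GarpPduError("bad GARP protocol ID")
    pos += 2
    decls: List[Tuple[str, int]] = []
    while pos < len(data) and data[pos] != 0x00:         # 0x00 here is the PDU end mark
        if data[pos] != GVRP_ATTR_VID:
            raise GarpPduError(f"unknown attribute type {data[pos]}")
        pos += 1
        while pos < len(data) and data[pos] != 0x00:     # 0x00 here ends the attribute list
            length = data[pos]                           # counts length, event and value bytes
            if length < 2 or pos + length > len(data):
                raise GarpPduError("bad attribute length")
            event = data[pos + 1]
            if event not in EVENTS:
                raise GarpPduError(f"bad attribute event {event}")
            if event == 0:                               # LeaveAll: length 2, no value
                vid = -1
            elif length == 4:
                vid = struct.unpack_from("!H", data, pos + 2)[0]
            else:
                raise GarpPduError("VID attribute must be 4 bytes long")
            decls.append((EVENTS[event], vid))
            pos += length
        if pos >= len(data):
            raise GarpPduError("truncated PDU")
        pos += 1                                         # skip the attribute-list end mark
    return decls


def is_well_formed(data: bytes) -> bool:
    try:
        parse_gvrp_pdu(data)
        return True
    except GarpPduError:
        return False


def check_gvrp_declarations(port: int, data: bytes, allowed: Dict[int, Set[int]]) -> List[str]:
    """Flag Join declarations naming VLANs the receiving port is not permitted to register.
    `allowed` maps a port number to the VIDs it may learn dynamically (a constructed policy)."""
    alerts = []
    for event, vid in parse_gvrp_pdu(data):
        if event in ("JoinIn", "JoinEmpty") and vid not in allowed.get(port, set()):
            alerts.append(f"port {port}: {event} for restricted VID {vid}")
    return alerts


# Constructed sample PDU as it would appear after the Ethernet header of a captured GVRP frame.
SAMPLE_PDU = bytes.fromhex(
    "424203"      # LLC: DSAP 0x42, SSAP 0x42, control 0x03 (UI)
    "0001"        # GARP protocol ID
    "01"          # attribute type: VID
    "0402000a"    # length 4, JoinIn, VID 10
    "04010064"    # length 4, JoinEmpty, VID 100
    "0200"        # length 2, LeaveAll (no value)
    "00"          # end of attribute list
    "00"          # end of PDU
)

# Constructed policy: port 3 is a trunk to another GVRP switch and may learn VLANs 10 and 20;
# every other port (for example an edge port 5) may learn nothing.
ALLOWED: Dict[int, Set[int]] = {3: {10, 20}}

if __name__ == "__main__":
    print(parse_gvrp_pdu(SAMPLE_PDU))
    for port in (3, 5):
        print(check_gvrp_declarations(port, SAMPLE_PDU, ALLOWED))
```

A cheaper control for ports that never need to learn VLANs is the one this chapter recommends, disabling GVRP on them; the check above is for ports where GVRP must stay enabled.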
The GARP application specifies what the attribute represents. GARP defines the architecture, rules of operation, state machines and variables for the registration and deregistration of attribute values. By itself, GARP is not directly used by devices in a bridged LAN. It is the applications of GARP that perform meaningful actions.
GARP architecture is shown in Figure 209.
Figure 209. [GARP architecture: a switch with a GARP participant per port; in each participant the GARP application sits above GID and LLC over the MAC layer of Port 1 and Port 2, GARP PDUs are exchanged at the LLC level, and GIP links the participants]
Figure 210. GID Architecture [per-attribute Applicant State and Registrar State for Attribute A, Attribute B, Attribute C, ...]
GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message.
To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges.
To control the registrar state machine, a registrar administrative control parameter is provided.
Configuring GVRP
Note
The timers in the following menus are in increments of centiseconds, that is, hundredths of a second.
To configure GVRP, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP.
4. Type E to enable GVRP or D to disable GVRP. The default setting is disabled.
5. Type 2 to select GVRP GIP Status. The following prompt is displayed:
Enter your new value (E-Enabled, D-Disabled):
6. Type E to enable GIP or D to disable GIP.
Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.
Caution
The following steps change the three GVRP timers.
Enabling or Disabling GVRP on a Port
This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.
Note
Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This protects against unauthorized access to restricted areas of your network.
The following prompt is displayed:
Enter port-list:
5. Enter a port or a list of ports. The Configure GVRP Port Settings menu is shown in Figure 213.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
Configure GVRP Port Settings
Configuring Port 1-8
1 - Port Mode ............. Normal
R - Return to Previous Menu
Enter your selection?

Figure 213. Configure GVRP Port Settings Menu
6. Type 1 to select Port Mode.
Converting a Dynamic GVRP VLAN
This procedure converts a dynamic GVRP VLAN into a static VLAN. You can perform this procedure to permanently retain the VLANs the switch learned through GVRP.
Note
This procedure cannot convert a dynamic GVRP port in a static VLAN into a static port. For that you must manually modify the static VLAN by specifying the dynamic port as either a tagged or untagged member of the VLAN.
Displaying the GVRP Port Configuration
To display the GVRP port configuration, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP. The GARP-GVRP menu is shown in Figure 211 on page 630.
3. From the GVRP Port Parameters menu, type 2 to select Display GVRP Port Configuration.
Displaying GVRP Counters
To display GVRP counters, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP. The GARP-GVRP menu is shown in Figure 211 on page 630.
3. From the GARP-GVRP menu, type O to select Other GVRP Parameters. The Other GVRP Parameters menu is shown in Figure 215.
The GVRP Counters menu (page 1) is shown in Figure 216.
Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
GVRP Counters

Receive:
-------
GARP Messages:
--------------
LeaveAll          7
JoinEmpty         0
JoinIn            68
LeaveEmpty        0
LeaveIn           0
Empty             5
Bad Message       0
Bad Attribute     0

Transmit:
--------
LeaveAll          77
JoinEmpty         58
JoinIn            285
LeaveEmpty        1
LeaveIn           0
Empty             21

P - Previous Page
U - Update Display
R - Return to Previous Menu
Enter your selection?

Figure 217.
Table 25. GVRP Counters (Continued)
Parameter / Meaning
Receive Discarded: Port Not Listening
    Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port.
Transmit Discarded: Port Not Sending
    Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.
Table 25. GVRP Counters (Continued)
Parameter / Meaning
Transmit GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
Receive GARP Messages: LeaveIn
    Total number of GARP LeaveIn messages received for all attributes in the GARP application.
Transmit GARP Messages: LeaveIn
    Total number of GARP LeaveIn messages transmitted for all attributes in the GARP application.
Displaying the GVRP Database
To display the GVRP database, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP. The GARP-GVRP menu is shown in Figure 211 on page 630.
3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
begin at 0. If the GARP application has no attributes presently registered, “No attributes have been registered” is displayed.
VLAN ID
    The VLAN ID.
Used
    Indicates whether the GID index is currently being used by any port in the GARP application. The definition of “used” is whether the Applicant and Registrar state machines for the GID index are in a non-initialized state, that is, not in the {Vo, Mt} state. The value of this parameter is either “Yes” or “No”.
Displaying the GIP Connected Ports Ring
To display the GIP connected ports ring, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP. The GARP-GVRP menu is shown in Figure 211 on page 630.
3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
STP ID
    Present if the GARP application is GVRP; identifies the spanning tree instance associated with the GIP context.
Connected Ring
    The ring of connected ports. Only ports presently in the spanning tree Forwarding state are eligible for membership in the GIP connected ring. If no ports exist in the GIP connected ring, “No ports are connected” is displayed. If the GARP application has no ports, “No ports have been assigned” is displayed.
Displaying the GVRP State Machine
To display the GVRP state machine, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 6 to select Configure GARPGVRP. The GARP-GVRP menu is shown in Figure 211 on page 630.
3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
The GVRP State Machine menu (page 2) is displayed, as shown in Figure 221.
Table 26. GVRP State Machine Parameters (Continued)
Parameter / Meaning
App
    Applicant state machine for the GID index on that particular port.
Table 26. GVRP State Machine Parameters (Continued)
Parameter / Meaning
Reg
    Registrar state machine for the GID index on that particular port. One of:
    “Mt” Empty
    “Lv3” Leaving substate 3 (final Leaving substate)
    “Lv2” Leaving substate 2
    “Lv1” Leaving substate 1
    “Lv” Leaving substate (initial Leaving substate)
    “In” In
    “Fix” Registration Fixed
    “For” Registration Forbidden
    The initialized state for the Registrar is Mt.
Chapter 26
Multiple VLAN Modes
This chapter describes the multiple VLAN modes and how to select a mode.
Chapter 26: Multiple VLAN Modes
Multiple VLAN Mode Overview
The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port.
A user-designated port on the switch functions as an uplink port, which can be connected to a shared device such as a router for access to a WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port. The uplink port also has its own VLAN, where it is an untagged member. This VLAN is called Uplink_VLAN.
Note
In 802.
Table 27. 802.
Note
When the uplink port receives a packet with a destination MAC address that is not in the MAC address table, the port broadcasts the packet to all switch ports. This can result in ports receiving packets that are not intended for them. Also note that a switch operating in this mode can be remotely managed through any port on the switch, not just the uplink port.
Selecting a VLAN Mode
The following procedure explains how to select a VLAN mode. Available modes are:
- User-configured VLAN mode (port-based, tagged, MAC address-based, and protected ports VLANs)
- IEEE 802.1Q Compliant Multiple VLAN mode
- Non-IEEE 802.1Q Compliant Multiple VLAN mode
Note
All current VLANs on the switch are deleted when the VLAN mode is changed from the user-configured mode to a multiple VLAN mode and, at some point, the switch is reset.
The new VLAN mode is now active on the switch.
5. To permanently save your changes, return to the Main Menu and type S to select Save Configuration Changes.
Displaying VLAN Information
To view the VLANs on the switch while the unit is operating in a multiple VLAN mode, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu (multiple VLAN mode) is shown in Figure 222.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
VLAN Configuration
1 - Ingress Filtering Status ........ Enabled
2 - VLANs Mode ......................
The Show Multiple VLANs menu is shown in Figure 223.
Chapter 27
Protected Ports VLANs
This chapter explains protected ports VLANs.
Chapter 27: Protected Ports VLANs
Protected Ports VLAN Overview
The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it offers several advantages. One is that it provides more flexibility. With the multiple VLAN modes, you can select only one uplink port, which is shared by all the other ports.
To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is that you must assign the ports of the VLAN to their respective groups.
Following is an example of a protected ports VLAN.
Protected Ports VLAN Guidelines
Following are guidelines for implementing protected ports VLANs:
- A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead.
- A protected ports VLAN can contain any number of groups.
- A group can contain any number of ports.
- The ports of a group can be tagged or untagged.
Creating a Protected Ports VLAN
To create a new protected ports VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration.
2. From the VLAN Configuration menu, type 3 to select Configure VLANs.
3. From the Configure VLANs menu, type 1 to select Create VLAN. The Create VLAN menu is shown in Figure 224.
Note
A VLAN must be assigned a name.
6. Type 2 to select VLAN ID (VID). The following prompt is displayed:
Enter new value -> [2 to 4094] ->
7. Type a VID value for the new VLAN. The range for the VID value is 1 to 4094. The AT-S63 management software uses the next available VID number on the switch as the default value.
The prompt displays the ports of the VLAN.
13. Enter the port in the VLAN to function as the uplink port for the groups in the VLAN. You can specify more than one uplink port. The following prompt is displayed:
Enter Group Ports (4 - 11) ->
The prompt includes the ports in the VLAN, minus the uplink port specified in the previous step.
14. Specify the ports of one of the groups of the protected ports VLAN.
Modifying a Protected Ports VLAN
Note the following before performing this procedure:
- To modify a protected ports VLAN, you have to recreate it. You must reselect the uplink port(s) and reassign the ports to the groups.
- To make the process easier, Allied Telesyn recommends displaying the details of the VLAN before performing this procedure, and writing down on paper the current configuration (i.e., uplink port and port to group assignments).
The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 225.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
Modify VLAN
1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - VLAN Type ..............
4 - Tagged Ports ...........
5 - Untagged Ports .........
6 - Protected Ports ........
6 - Protected Ports
    This identifies the VLAN as a protected ports VLAN. This option cannot be changed. To convert a protected ports VLAN into a tagged or port-based VLAN, you must delete it and recreate it as a tagged or port-based VLAN.
7. After making the desired changes, type M to select Modify VLAN. The following prompt is displayed:
Enter Uplink Ports (4 - 12) ->
This prompt lists the ports of the VLAN.
8.
Displaying a Protected Ports VLAN
To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 4 to select Show VLANs. The Show VLANs menu is shown in Figure 226.
An example of the Show VLANs window is shown in Figure 227.
Deleting a Protected Ports VLAN
To delete a protected ports VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration.
2. From the VLAN Configuration menu, type 3 to select Configure VLANs. The Configure VLANs menu is shown in Figure 200 on page 601.
3. From the Configure VLANs menu, type 3 to select Delete VLAN. The Delete VLAN menu is shown in Figure 228.
The Delete VLAN menu expands to contain the relevant information about the VLAN. You can use the information to confirm that you are deleting the correct VLAN. An example is shown in Figure 229.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
Delete VLAN
1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - VLAN Type ..............
4 - Tagged Ports ...........
5 - Untagged Ports .........
6 - Protected Ports ........
Chapter 28
MAC Address-based VLANs
This chapter contains the procedures for creating MAC address-based VLANs.
Chapter 28: MAC Address-based VLANs
MAC Address-based VLAN Overview
Note
MAC address-based VLANs are supported on the AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-9448Ts/XP switches. This feature is not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP switches.
As explained in “VLAN Overview” on page 588, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance and security.
Table 28 illustrates a simple example of the mapping of addresses to egress ports for a MAC address-based VLAN of 6 nodes. The example consists of four workstations, a printer, and a server. For instance, Workstation 1 is connected to port 1 on the switch and is mapped to egress ports 5 for the server and 6 for the printer.
Table 28.
addresses or egress ports from a VLAN. Here is how the example might look.
Table 29.
If the packet’s destination MAC address is in the MAC address table but the port where the address was learned is not one of the VLAN’s egress ports, the switch discards the packet.
VLANs That Span Switches
A MAC address-based VLAN can span switches, but it does require a large degree of management in terms of entering the MAC addresses.
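To show how the discard rule just described combines with the community rule for egress ports (described under “Adding and Deleting Egress Ports” later in this chapter), here is an added example, not code from this guide or from Allied Telesyn, that models forwarding in a MAC address-based VLAN. The MAC addresses, port numbers and the two-VLAN layout (one VLAN carrying workstation traffic to the server and printer, one carrying replies back) are constructed; dropping tagged frames and frames from sources outside any MAC address-based VLAN is an assumption made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class MacVlan:
    name: str
    vid: int
    sources: Set[str] = field(default_factory=set)   # source MAC addresses of the VLAN
    egress: Set[int] = field(default_factory=set)    # the community of egress ports

    def add_egress_port(self, port: int) -> None:
        # Assigning a port to one address makes it an egress port for every address in the VLAN.
        self.egress.add(port)


class MacVlanSwitch:
    def __init__(self, vlans: List[MacVlan]):
        self.vlans = vlans
        self.mac_table: Dict[str, int] = {}   # MAC address -> port where it was learned

    def learn(self, mac: str, port: int) -> None:
        self.mac_table[mac] = port

    def vlan_for_source(self, mac: str) -> Optional[MacVlan]:
        return next((v for v in self.vlans if mac in v.sources), None)

    def forward(self, in_port: int, src: str, dst: str, tagged: bool = False) -> List[int]:
        """Return the ports that egress the frame, or [] when it is discarded."""
        self.learn(src, in_port)
        if tagged:
            return []   # assumption: source nodes must send untagged packets, so tagged ones are dropped
        vlan = self.vlan_for_source(src)
        if vlan is None:
            return []   # assumption: a source in no MAC address-based VLAN gets nothing from this model
        if dst in self.mac_table:
            learned_on = self.mac_table[dst]
            # Known destination: deliver only if its port is one of the VLAN's egress ports.
            return [learned_on] if learned_on in vlan.egress else []
        # Unknown or broadcast destination: flood to the VLAN's egress ports.
        return sorted(p for p in vlan.egress if p != in_port)


# Constructed addresses: workstations on ports 1-4, server on port 5, printer on port 6.
WS = {f"ws{i}": f"00:aa:00:00:00:0{i}" for i in (1, 2, 3, 4)}
SERVER, PRINTER = "00:bb:00:00:00:05", "00:bb:00:00:00:06"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_switch() -> MacVlanSwitch:
    """Constructed configuration: workstations may reach only the server and printer,
    and a second MAC address-based VLAN carries the replies back to ports 1-4."""
    to_servers = MacVlan("Sales_out", 2, sources=set(WS.values()), egress={5, 6})
    replies = MacVlan("Sales_in", 3, sources={SERVER, PRINTER}, egress={1, 2, 3, 4})
    sw = MacVlanSwitch([to_servers, replies])
    for port, mac in enumerate(WS.values(), start=1):
        sw.learn(mac, port)
    sw.learn(SERVER, 5)
    sw.learn(PRINTER, 6)
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print("ws1 -> server :", sw.forward(1, WS["ws1"], SERVER))    # delivered to port 5
    print("ws1 -> ws2    :", sw.forward(1, WS["ws1"], WS["ws2"]))  # port 2 is not an egress port
    print("ws1 -> bcast  :", sw.forward(1, WS["ws1"], BROADCAST))  # flooded to the egress ports
```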
Table 30.
Guidelines
Follow these guidelines when implementing a MAC address-based VLAN:
- MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP switches.
- The switch can support up to a total of 4094 port-based, tagged, protected ports, and MAC address-based VLANs.
- The source nodes of this type of VLAN must send only untagged packets.
- Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
- Ports 49 and 50 on the AT-9448Ts/XP switch cannot be designated as egress ports of a MAC address-based VLAN.
- SFP ports 45 to 48 on the AT-9448T/SP switch cannot be designated as egress ports of a MAC address-based VLAN.
Creating a MAC Address-based VLAN
This is the first stage in creating a MAC address-based VLAN. This procedure assigns the VLAN a name and a VID and sets the VLAN type. After completing this procedure you can add the source MAC addresses to the VLAN, as explained in “Adding and Deleting MAC Addresses” on page 683 and, finally, the egress ports, as explained in “Adding and Deleting Egress Ports” on page 685.
The following prompt is displayed:
Enter new value -> [2 to 4094] ->
7. Type a VID value for the new VLAN. The range for the VID value is 1 to 4094. The AT-S63 management software uses the next available VID number on the switch as the default value. If this VLAN is unique in your network, then its VID should also be unique. If this VLAN is part of a larger VLAN that spans multiple switches, then the VID value for the VLAN should be the same on each switch.
Adding and Deleting MAC Addresses
This procedure explains how to add and delete MAC addresses from a MAC address-based VLAN. If you are creating a new VLAN, you perform this procedure after you initially create the VLAN by giving it a name and a VID and setting the VLAN type, as explained in “Creating a MAC Address-based VLAN” on page 681.
5. To add a MAC address to a MAC address-based VLAN, type 1 to select Add MAC Address. To delete an address, type 2 to select Delete MAC Address. The following prompt is displayed:
Please enter VLAN ID -> [1 to 4094] -> 2
6. Enter the VID of the MAC address-based VLAN where you want to add or delete a MAC address. You can enter only one VID. To display the VIDs, refer to “Displaying MAC Address-based VLANs” on page 689.
Adding and Deleting Egress Ports
This procedure explains how to add and delete egress ports from the MAC addresses in a MAC address-based VLAN. Before adding egress ports to a MAC address, review the following:
- The egress ports of a MAC address-based VLAN are considered as a community. Assigning a port to one address makes it an egress port for all the addresses in the same VLAN.
- A MAC address must have at least one egress port.
6. Enter the VID of the MAC address-based VLAN where you want to add or delete an egress port. You can enter only one VID. To display the VIDs, refer to “Displaying MAC Address-based VLANs” on page 689. The following prompt is displayed:
Please enter MAC address ->
7. Enter the MAC address where you want to add or delete an egress port. You can specify only one address and the address must already exist in the VLAN.
Deleting a MAC Address-based VLAN
Note
To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying MAC Address-based VLANs” on page 689.
To delete a VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 3 to select Configure VLANs.
The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 233. You can use this menu to confirm that you are deleting the correct VLAN.

Allied Telesyn AT-9448T/SP - AT-S63 Marketing
User: Manager                    11:20:02 02-Mar-2005
Delete VLAN
1 - VLAN Name ..............
2 - VLAN ID (VID) ..........
3 - VLAN Type ..............
4 - Tagged Ports ...........
5 - Untagged Ports .........
6 - Protected Ports ........
Displaying MAC Address-based VLANs
To view the details of a MAC address-based VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 199 on page 600.
2. From the VLAN Configuration menu, type 4 to select Show VLANs. The Show VLANs menu is shown in Figure 234.
    Port Based - The VLAN is a port-based or tagged VLAN.
    MAC Based - The VLAN is a MAC address-based VLAN.
    GARP - The VLAN was automatically created by GARP.
Protocol
    The protocol associated with this VLAN. The possible settings are:
    Blank - The VLAN is a port-based, tagged, or MAC address-based VLAN.
    GARP - The VLAN is a dynamic GVRP VLAN or the port is a dynamic GVRP port of a static VLAN.
Member Port(s)
    The untagged and tagged ports of a VLAN.
The Detail Information Display menu is shown in Figure 235.
Section VII
Internet Protocol Routing
The chapter in this section contains the procedures for managing routing interfaces of the Internet Protocol version 4 (IPv4) packet routing feature.
Section VII: Internet Protocol Routing
Chapter 29
Internet Protocol Version 4 Routing Interfaces
This chapter contains the following procedures for managing Internet Protocol Version 4 (IPv4) routing interfaces:
- “Creating a New Routing Interface” on page 696
- “Modifying a Routing Interface” on page 699
- “Deleting a Routing Interface” on page 702
- “Displaying the IP Address of the Local Interface” on page 703
- “Setting the Default Route or Default Gateway” on page 705
- “Setting the Local Interface” on page 706
- “Setting the
Chapter 29: Internet Protocol Version 4 Routing Interfaces
Creating a New Routing Interface
A routing interface is a logical connection to a local network or subnet for routing IPv4 packets. Interfaces route packets between the local networks and subnets directly connected to the switch and also function as anchor points for static routes and RIP.
To create a new routing interface, perform the following procedure:
1. From the Main Menu, type 5 to select System Administration.
2.
If a routing interface has been designated as the local interface of a switch, its name is followed by “eth0”. The local interface is used for enhanced stacking and remote Telnet, SSH, and web browser management.
IPAddress
    The IP address of the interface.
NetMask
    The subnet mask of the interface.
Status
    The status of the interface. The status “UP” means the VLAN of the interface has at least one active port.
The following prompt is displayed:
Enter IP Address [STATIC IP|DHCP|BOOTP]:
8. Enter a static IP address for the new interface or enter “DHCP” or “BOOTP” to activate the DHCP or BOOTP client.
Note
Skip steps 9 and 10 if you selected DHCP or BOOTP in step 8.
9. To change the default subnet mask for a static IP address, type 3 to select Subnet Mask. The following prompt is displayed:
Enter Subnet Mask:
10.
Modifying a Routing Interface
This procedure modifies the IP address and subnet mask of a routing interface. Note the following before performing this procedure:
- Modifying the IP address of a routing interface deletes all static routes assigned to the interface.
- Modifying the IP address of a routing interface that has RIP removes the routing protocol from the interface and deletes all RIP routes learned on the interface from the routing table.
The specifications of the interface are displayed in the Modify Interface menu. An example is shown in Figure 237.

Allied Telesyn AT-9424Ts - AT-S63 Marketing
User: Manager                    11:20:02 02-Jun-2006
Modify Interface
1 - Interface Name .................. VLAN2-0
2 - IP Address ...................... 149.55.22.21
3 - Subnet Mask ..................... 255.255.255.0
M - Modify Interface
R - Return to Previous Menu
Enter your selection?

Figure 238.
10. Type M to select Modify Interface. The following prompt is displayed:
Interface Modified Successfully? Press any key to continue...
11. Press any key. The modifications are immediately implemented on the routing interface.
12. To modify another routing interface, repeat this procedure starting with step 4.
13. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Deleting a Routing Interface
This procedure deletes a routing interface from the switch. Note the following before performing this procedure:
- All IPv4 packet routing to and from the local network or subnet of a deleted interface ceases.
- All static routes assigned to the interface are deleted from the routing table.
- If RIP was assigned to the interface, all dynamic routes learned by the interface are deleted from the routing table.
Displaying the IP Address of the Local Interface
This procedure displays the IP address and subnet mask of the local interface on the switch. The local interface on the master switch of an enhanced stack designates the common VLAN of the switches in the stack, as explained in “Enhanced Stacking Overview” on page 90.
4 - Default Gateway
    This parameter specifies the IP address of the default route or default gateway for the switch. For instructions, refer to “Setting the Default Route or Default Gateway” on page 705.
Setting the Default Route or Default Gateway

If you are configuring an AT-9400 Series switch that supports IPv4 packet routing, such as the AT-9424Ts and AT-9448Ts/XP switches, you can configure the default route from the menus interface. The default route is used by the switch when it receives a network packet for routing but cannot find a route for it.
Setting the Local Interface

This procedure designates the local interface of a switch. The local interface indicates the common VLAN of the switches in an enhanced stack, as explained in “Enhanced Stacking Overview” on page 90. It is also used for remote Telnet, SSH, or web browser management, as explained in “Planning for Remote Management” on page 49. A switch can have only one local interface.
Setting the ARP Cache Timeout

The ARP cache contains mappings of IP addresses to physical addresses for hosts to which the switch has recently routed packets. To have an entry in the ARP cache, a host must have attempted to access another host, and it must have found the physical address by using the ARP protocol. (You must use the command line interface to view the ARP cache.) This procedure sets the ARP cache timeout value.
Section VIII
Port Security

The chapters in this section contain overview information on the port security features of the AT-9400 Series switch. The chapters also explain how to configure these features from the menu interface of the AT-S63 management software. The chapters include:

Chapter 30, “MAC Address-based Port Security” on page 711
Chapter 31, “802.
Chapter 30
MAC Address-based Port Security

This chapter explains how you can use the dynamic and static MAC addresses learned or manually added to the switch’s MAC address table to control which end nodes can forward packets through the device.
Chapter 30: MAC Address-based Port Security

MAC Address Port Security Overview

This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it.
Secured

The Secured security level instructs a port to forward frames using only static MAC addresses. The port does not learn any dynamic MAC addresses and deletes any dynamic addresses that it has already learned. Only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through the port.
But with the Limited security mode you can specify an intrusion action. Here are the options:

- Discard the invalid frame.
- Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.)
- Discard the invalid frame, send an SNMP trap, and disable the port.

MAC Address Port Security Guidelines
Configuring MAC Address Port Security

To set the port security level, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 239.
The menu displays the current security level on the selected port. If you are configuring a range of ports and the ports have different security levels, the menu displays the security level of the lowest-numbered port.

Note
Option D, Select Default Port Security, sets the security mode for the port to the default value of Automatic.

5. From the Configure Port Security menu, type 1 to select Security Mode.
Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                             11:20:02 02-Mar-2005

Configure Port Security

Configuring Port Security 4

1 - Security Mode ..................... Limited
2 - Intruder Action ................... No Action
3 - Port Participating ................ No
4 - Threshold ......................... 100

D - Set Default Port Security
R - Return to Previous Menu

Enter your selection?

Figure 241. Configure Port Security Menu #2

8.
10. If you selected the trap or disable intrusion action, type 4 to toggle the Port Participating option to Yes.

Option 3, Port Participating, only applies when the intrusion action is set to trap or disable. This option does not apply when intrusion action is set to discard. If this option is set to No when intrusion action is set to trap or disable, the port discards invalid packets, but it does not send an SNMP trap or disable the port.
Displaying Port Security Levels

To view the current security levels and intrusion actions for the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 239 on page 715.

3. From the Port Security menu, type 2 to select Display Port Security.
Intruder Action

The action taken by a port if it receives an invalid frame while operating in the Limited security mode. The possible settings are:

Discard - The port discards invalid frames. This is the default.
Trap - The port discards invalid frames and sends a trap.
Trap/Disable - The port discards invalid frames, sends a trap, and disables the port.
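The Limited security level, its three intrusion actions and the Port Participating rule described above, as an added simulation written for this guide (it is not Allied Telesyn code). It assumes that the Limited level learns source addresses up to the Threshold value and treats frames from any further address as an intrusion; the sample MAC addresses are constructed.

```python
"""Simulation of AT-S63 MAC address port security decisions (added example).

Assumptions (the guide shows a Threshold of 100 but not the full Limited
description): Limited learns source MAC addresses until the threshold is
reached and then treats frames from unknown sources as intrusions. Secured
forwards only static addresses. Automatic applies no restriction.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    level: str                          # "Automatic", "Limited" or "Secured"
    intruder_action: str = "Discard"    # "Discard", "Trap" or "Trap/Disable"
    participating: bool = False         # Port Participating option (Yes/No)
    threshold: int = 100                # Limited: maximum learned addresses
    static: set = field(default_factory=set)    # manually entered addresses
    learned: set = field(default_factory=set)   # dynamically learned addresses
    enabled: bool = True                # False once Trap/Disable has fired
    traps: list = field(default_factory=list)   # SNMP traps "sent"

    def __post_init__(self):
        # Secured deletes any dynamic addresses already learned.
        if self.level == "Secured":
            self.learned.clear()

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'discard' for an ingress frame from src_mac."""
        if not self.enabled:
            return "discard"                # a disabled port passes nothing
        if self.level == "Automatic":
            self.learned.add(src_mac)
            return "forward"
        if self.level == "Secured":
            # Only static addresses forward; no dynamic learning at all.
            return "forward" if src_mac in self.static else "discard"
        # Limited: known sources forward, new ones learn until the threshold.
        if src_mac in self.static or src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.threshold:
            self.learned.add(src_mac)
            return "forward"
        return self._intrusion(src_mac)

    def _intrusion(self, src_mac: str) -> str:
        # The frame is always discarded. Trap and disable happen only when the
        # port participates, exactly as the configuration procedure states.
        if self.intruder_action in ("Trap", "Trap/Disable") and self.participating:
            self.traps.append(f"port security intrusion: {src_mac}")
            if self.intruder_action == "Trap/Disable":
                self.enabled = False
        return "discard"


if __name__ == "__main__":
    # Constructed sample: a Limited port that allows two learned addresses.
    port = PortSecurity("Limited", "Trap/Disable", participating=True, threshold=2)
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"):
        print(mac, port.receive(mac))
    print("traps:", port.traps, "enabled:", port.enabled)
```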
Chapter 31
802.1x Port-based Network Access Control

This chapter explains 802.1x Port-based Network Access Control and how this feature can increase network security by restricting access to the network ports on the switch. Sections are as follows:

“IEEE 802.1x Port-based Network Access Control Overview” on page 722
“Setting Port Roles” on page 741
“Enabling or Disabling 802.
Chapter 31: 802.1x Port-based Network Access Control

IEEE 802.1x Port-based Network Access Control Overview

The AT-S63 management software offers you several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 30, “MAC Address-based Port Security” on page 711, explains how you can restrict network access using the MAC addresses that belong to the end nodes of your network. This chapter explains yet another way. This method, referred to as 802.
Authenticator - The authenticator is a port on the switch that prohibits network access by a supplicant until the supplicant has been validated by the RADIUS server.

Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-9400 Series switch does not authenticate any of the supplicants connected to its ports.
Port Roles

Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:

None
Authenticator
Supplicant

None Role

A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without being validated.
authentication is not tied to any specific computer or node. An end user can log on from any system and still be verified by the RADIUS server as a valid user of the switch and network. This authentication method requires 802.1x client software on the supplicant nodes.

MAC address-based authentication

An alternative method is to use the MAC address of a node as the username and password combination for the device.
Force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The port forwards EAPOL frames, but discards all other traffic. This setting is analogous to disabling a port.

As mentioned earlier, the switch itself does not authenticate the user names and passwords from the clients. That function is performed by the authentication server, which contains the RADIUS server software.
Authenticator Ports with Single and Multiple Supplicants

An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all the clients must log on to use the switch port. The operating modes are:

Single
Multiple

Single Operating Mode

The Single operating mode is used in two situations.
[Figure: AT-9400 Series Switch, AT-9424T/SP front panel]
If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Series switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically, eliminating the need for relying on an individual to perform the task. This scenario is illustrated in Figure 246.
[Figure: AT-9400 Series Switch (A), AT-9424T/SP front panel. Port 6: Role: None or Role: Authenticator, Operating Mode: Single, Piggy-back Mode: Enabled]
An example of this authenticator operating mode is illustrated in Figure 248. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on an AT-9400 Series switch. If the authenticator port is set to the 802.1x authentication method, the clients must provide their username and password combinations before they can forward traffic through the AT-9400 Series switch.
not be logged on to the port. Also note that the ports where the clients are connected on switch B are set to the None role. This is because a client can log on only once. If, in this example, you were to make a client’s port an authenticator, the client would have to log on twice when trying to access switch A, once on its port on switch B as well as on the authenticator port on switch A. This is not permitted.
Providing network users with access to their network resources while also maintaining network security is often achieved through the use of VLANs. As explained in “VLAN Overview” on page 588, a VLAN is an independent traffic domain where the traffic generated by the nodes within the VLAN is restricted to nodes of the same VLAN, unless there is a router or Layer 3 interconnection device.
Multiple Operating Mode

The initial authentication on an authenticator port running in the Multiple operating mode is handled in the same fashion as with the Single operating mode. If the switch receives a valid VLAN ID or name from the RADIUS server, it moves the authenticator port to the designated VLAN and changes the port to the authorized state.
Note
The Guest VLAN feature is only supported on an authenticator port in the Single operating mode.

RADIUS Accounting

The AT-S63 management software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information to the RADIUS server about the status of its supplicants. You can view this information on the RADIUS server to monitor network activity and use.
General Steps

Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:

1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesyn. Funk Software SteelBelted Radius and Free Radius have been verified as fully compatible with the AT-S63 management software.
802.1x Port-based Network Access Control Guidelines

The following are general guidelines to using this feature:

- Ports operating under port-based access control do not support dynamic MAC address learning.
- The appropriate port role for a port on an AT-9400 Series switch connected to a RADIUS authentication server is None.
- The authentication method of an authenticator port can be either 802.
- If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout period, assumes that it can send traffic without having to log on.
- GVRP must be disabled on an authenticator port.
- When 802.1x port-based network access control is activated on a switch, the feature polls all RADIUS servers specified in the RADIUS configuration.
Here are guidelines that apply to adding VLAN assignments to supplicant accounts on a RADIUS server:

- The VLAN can be either port-based or tagged.
- The VLAN must already exist on the switch.
- A client can have only one VLAN associated with it on the RADIUS server.
- When a supplicant logs on, the switch port is moved as an untagged port to the designated VLAN.
Setting Port Roles

This procedure sets port roles. For an explanation of port roles, refer to “Port Roles” on page 724. You must set up the port roles before you enable port access control.

To set port roles, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2. From the Security and Services menu, type 2 to select Port Access Control (802.
The Configure Port Access Role menu is shown in Figure 251.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                             11:20:02 02-Mar-2005

Configure Port Access Role

Configuring Port 3

1 - Port Role ......... None

R - Return to Previous Menu

Enter your selection?

Figure 251. Configure Port Access Role Menu

5. Type 1 to select Port Role. The following prompt is displayed:

Enter new Port Role [N-None, A-Authenticator, S-Supplicant] ->

6.
Enabling or Disabling 802.1x Port-based Network Access Control

This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to “Setting Port Roles” on page 741.
Configuring Authenticator Port Parameters

Note
A port must already be set to the authenticator role before you can configure its settings. For instructions on how to change the role of a port, refer to “Setting Port Roles” on page 741.

To configure the parameters of an authenticator port, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2.
The Configure Authenticator Port Access Parameters menu is shown in Figure 253.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                             11:20:02 02-Mar-2005

Configure Authenticator Port Access Parameters

Configuring Port 3

0 - Authentication Mode ......
1 - Supplicant Mode ..........
2 - Port Control .............
3 - Quiet Period .............
4 - TX Period ................
5 - Reauth Enabled ...........
6 - Reauth Period ............
1 - Supplicant Mode

This parameter can take the following values on an authenticator port:

Single: Configures the authenticator port to accept only one authentication. This supplicant mode should be used together with the piggy-back mode. When an authenticator port is set to the Single mode and the piggy-back mode is disabled, only the one client who is authenticated can use the port. Packets from or to other clients on the port are discarded.
5 - Reauth Enabled

Specifies if reauthentication should occur according to the reauthentication period. The options are Enabled or Disabled. If disabled, the supplicant is not required to reauthenticate after the initial authentication.

6 - Reauth Period

Specifies the time period in seconds between reauthentications of the client when the Reauth Enabled option is set to Enabled. The default value is 3600 seconds. The range is 1 to 65,535 seconds.
On: Specifies that only those supplicants with the same VLAN assignment as the initial supplicant are authenticated. Supplicants with a different or no VLAN assignment are denied entry to the port. This is the default setting.

Off: Specifies that all supplicants, regardless of their assigned VLANs, are authenticated.
Note
This parameter is only available when the authenticator’s mode is set to Single. For further information, refer to “Authenticator Ports with Single and Multiple Supplicants” on page 727.

E - Guest VLAN

This parameter specifies the name or VID of a Guest VLAN. The authenticator port is a member of a Guest VLAN when no supplicant is logged on. Clients do not log on to access a Guest VLAN.
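The admission rules this chapter spreads over the Single and Multiple operating modes, the piggy-back mode, the VLAN Assignment option, the Guest VLAN and the RADIUS VLAN guidelines, collected into one added model (written for this guide, not AT-S63 code). The RADIUS accounts and the switch VLAN table are constructed dictionaries, and a VLAN returned by the server that does not exist on the switch is treated as a failed log on, which is an assumption the guide does not state.

```python
"""Model of an AT-S63 authenticator port's admission decisions (added example).

Rules taken from the chapter: Single mode accepts one authentication and, with
piggy-back enabled, lets every client on the port through once that one has
logged on; Multiple mode authenticates each client, and with VLAN Assignment
On denies any supplicant whose VLAN differs from the first supplicant's; a
Guest VLAN (Single mode only) is the port's VLAN while nobody is logged on;
a RADIUS VLAN must exist on the switch and the port joins it untagged.
Assumption: a VLAN unknown to the switch makes the log on fail.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the RADIUS server: username -> (password, VLAN).
# Each client has at most one VLAN, as the guidelines require.
RADIUS_ACCOUNTS = {
    "alice": ("alice-pw", "Sales"),
    "bob":   ("bob-pw", "Sales"),
    "carol": ("carol-pw", "Engineering"),
    "dave":  ("dave-pw", None),          # account with no VLAN assignment
    "erin":  ("erin-pw", "Missing"),     # VLAN not defined on the switch
}
SWITCH_VLANS = {"Default", "Sales", "Engineering", "Guest"}  # constructed


@dataclass
class AuthenticatorPort:
    supplicant_mode: str = "Single"     # "Single" or "Multiple"
    piggy_back: bool = False            # Single mode only
    vlan_assignment: bool = True        # Multiple mode: On (True) / Off
    guest_vlan: Optional[str] = None    # Single mode only
    configured_vlan: str = "Default"    # VLAN the port belongs to normally
    current_vlan: str = "Default"       # VLAN the port is in right now
    authorized: set = field(default_factory=set)  # clients logged on
    initial_vlan: Optional[str] = None  # VLAN of the first supplicant

    def __post_init__(self):
        if self.guest_vlan and self.supplicant_mode != "Single":
            raise ValueError("Guest VLAN is supported only in Single mode")
        if self.guest_vlan:
            self.current_vlan = self.guest_vlan   # nobody is logged on yet

    def log_on(self, client: str, username: str, password: str) -> bool:
        """Return True when the RADIUS server accepts the supplicant and the
        port's mode allows it; the port state is updated on success."""
        account = RADIUS_ACCOUNTS.get(username)   # the switch never checks
        if account is None or account[0] != password:
            return False
        vlan = account[1]
        if vlan is not None and vlan not in SWITCH_VLANS:
            return False                          # assumption: fail closed
        if self.supplicant_mode == "Single":
            if self.authorized and client not in self.authorized:
                return False          # only one authentication is accepted
        elif self.authorized and self.vlan_assignment and vlan != self.initial_vlan:
            return False              # VLAN Assignment On: must match first
        if not self.authorized:
            self.initial_vlan = vlan
            # Port moved as an untagged member of the designated VLAN;
            # with no assignment it leaves the Guest VLAN for its own VLAN.
            self.current_vlan = vlan if vlan is not None else self.configured_vlan
        self.authorized.add(client)
        return True

    def log_off(self, client: str) -> None:
        self.authorized.discard(client)
        if not self.authorized:
            self.initial_vlan = None
            self.current_vlan = self.guest_vlan or self.configured_vlan

    def forwards(self, client: str) -> bool:
        """Does traffic from this client pass through the port?"""
        if self.guest_vlan and not self.authorized:
            return True               # guest access needs no log on
        if client in self.authorized:
            return True
        # Piggy-back: one logged-on client opens the port for the others.
        return self.supplicant_mode == "Single" and self.piggy_back and bool(self.authorized)


if __name__ == "__main__":
    port = AuthenticatorPort("Multiple", vlan_assignment=True)
    for client, user, pw in (("pc1", "alice", "alice-pw"), ("pc2", "carol", "carol-pw")):
        print(client, user, "->", port.log_on(client, user, pw), "VLAN", port.current_vlan)
```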
Configuring Supplicant Port Parameters

Note
A port must already be set to the supplicant role before you can configure its settings. For instructions on how to change the role of a port, refer to “Setting Port Roles” on page 741.

To configure supplicant port parameters, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2.
The Configure Supplicant Port Access Parameters menu is shown in Figure 253.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                             11:20:02 02-Mar-2005

Configure Supplicant Port Access Parameters

Configuring Port 5-8

1 - Auth Period ..........
2 - Held Period ..........
3 - Max Start ............
4 - Start Period .........
5 - User Name: ...........
6 - User Password: .......
characters, such as asterisks or exclamation points. The username is case sensitive.

6 - User Password

This parameter specifies the password for the switch port. The port sends the password to the authentication server for verification when the port logs on to the network. The password can be from 1 to 16 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points.
Displaying the Port Access Parameters

To display the port access parameters for the ports on the switch, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2. From the Security and Services menu, type 2 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 250 on page 741.

3.
Port Role
Port access role configured for the port. The possible settings are None, Authenticator, or Supplicant.

AuthMode
The port’s authentication mode: 802.1x or MAC Based. For further information, refer to “Authentication Modes” on page 724.

State
State of the port. The state field is dependent on whether a port is configured as an authenticator or a supplicant.
Configuring RADIUS Accounting

The AT-S63 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a switch port during a client session. For background information on this feature, refer to “RADIUS Accounting” on page 736.
4. Adjust the following parameters as necessary.

1 - Status
This parameter activates or deactivates RADIUS accounting on the switch. Select Enabled to activate the feature or Disabled to deactivate it. The default is Disabled.

2 - Port
This parameter specifies the UDP port for RADIUS accounting. The default is port 1813.

3 - Type
This parameter specifies the type of RADIUS accounting. The default is Network. This value cannot be changed.
Section IX
Management Security

The chapters in this section contain overview information on the management security features of the AT-9400 Series switch. The chapters also explain how to configure these features from the menu interface of the AT-S63 management software.
Chapter 32
Web Server

The chapter provides an overview of the web server feature and procedures for configuring the server.
Chapter 32: Web Server

Web Server Overview

The AT-S63 management software comes with web server software for remotely managing the switch with a web browser from a management station on your network. (The instructions for managing a switch with a web browser are described in the AT-S63 Network Management Web Browser Interface User’s Guide.) The web server can operate in two modes. The first is referred to as nonsecure HTTP mode.
Configuring the Web Server

This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode.

Before you configure the web server, note the following: You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.
3. Type 1 to select Status to enable or disable the web server. To configure the web server, you must first disable it. Possible settings are:

Enabled - Enables the web server. This is the default setting.
Disabled - Disables the web server. (To change any of the web server settings, you must first disable it.)

4. Type 2 to select Mode to set the mode of the web server. The following prompt is displayed:

Enter Web Server Mode (1 - HTTP, 2 - HTTPS): [1 to 2] -> 1.
The default port number for HTTP is 80. The default port number for HTTPS is 443.

1. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
General Steps for Configuring the Web Server for Encryption

There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section lists the general steps you need to perform and the procedures that carry them out. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.
6. After you have received the appropriate certificates from the CA, download them into the switch’s file system from your management station or a TFTP server, as explained in “Downloading a System File” on page 236.

7. Add the certificates to the certificate database, as explained in “Adding a Certificate to the Database” on page 805.

8.
Chapter 33
Encryption Keys

This chapter describes encryption keys and how you can use keys to improve the security of your switches. Because of the complexity of the feature, this chapter contains several overview sections. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the two Technical Overview sections.
Chapter 33: Encryption Keys

Basic Overview

Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s login username and password, and uses that information to alter a switch’s configuration settings.
Encryption Key Length

To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits. The general rule on key lengths is that the longer the key, the more difficult it is for someone to decipher.
Technical Overview

The encryption feature provides the following data security services:

Data encryption
Data authentication
Key exchange algorithms
Key creation and storage

Data Encryption

Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
algorithm and key. For a given input block of plaintext, ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
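To make the ECB weakness described here visible, this added example (not part of the guide) runs the same plaintext, padded with a run of ASCII blanks, through ECB and CBC and counts the repeated ciphertext blocks. The 64-bit block cipher is a constructed toy substitution so that only the standard library is needed; it stands in for DES and is not secure.

```python
"""ECB versus CBC on 64-bit blocks (added, constructed example).

The toy block cipher below is a key-derived byte substitution plus a byte
rotation. It is NOT DES and NOT secure; it only provides an invertible
64-bit block operation so the two chaining modes can be compared offline.
"""
import random

BLOCK = 8  # 64-bit blocks, as for DES


class ToyBlockCipher:
    def __init__(self, key: bytes):
        table = list(range(256))
        random.Random(key).shuffle(table)      # deterministic for a given key
        self.enc = bytes(table)
        inverse = [0] * 256
        for i, v in enumerate(table):
            inverse[v] = i
        self.dec = bytes(inverse)

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        out = bytes(self.enc[b] for b in block)
        return out[1:] + out[:1]               # substitute, then rotate left

    def decrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        block = block[-1:] + block[:-1]        # rotate right, then unsubstitute
        return bytes(self.dec[b] for b in block)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding: always add 1..BLOCK bytes, each holding the count.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(cipher: ToyBlockCipher, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # always give equal ciphertext blocks.
    return b"".join(cipher.encrypt_block(p) for p in blocks(pad(plaintext)))


def ecb_decrypt(cipher: ToyBlockCipher, ciphertext: bytes) -> bytes:
    return unpad(b"".join(cipher.decrypt_block(c) for c in blocks(ciphertext)))


def cbc_encrypt(cipher: ToyBlockCipher, plaintext: bytes, iv: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first), so repeated plaintext no longer repeats.
    prev, out = iv, []
    for p in blocks(pad(plaintext)):
        prev = cipher.encrypt_block(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher: ToyBlockCipher, ciphertext: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(cipher.decrypt_block(c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))


if __name__ == "__main__":
    cipher = ToyBlockCipher(b"constructed-demo-key")
    # Constructed plaintext: a field, 32 ASCII blanks of padding, a value.
    plaintext = b"Manager " + b" " * 32 + b"secret"
    iv = bytes(range(BLOCK))
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(cipher, plaintext)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(cipher, plaintext, iv)))
```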
secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generates a key pair and then distributes the public key to encrypting stations.
- It is very hard to find another message and key which give the same hash.

The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to be slightly more secure.
A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure. A Diffie-Hellman exchange starts with both parties generating a large random number.
Creating an Encryption Key

This section contains the procedure for creating an encryption key pair.

Caution
Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends creating keys when the switch is not connected to a network or during periods of low network activity.

To create an encryption key, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
The Key Management menu is shown in Figure 261.
6. Enter an identification number for the key. This number can be from 0 to 65,535. This number is used only for identification purposes and not in generating the actual encryption key. The ID for each key on the switch must be unique.

Note
You cannot change the value for option 2, Key Type. This value is always RSA - Private.

7. Type 3 to select Key Length. The following prompt is displayed:

Enter Key Length ->[512 to 1536] -> 512

8.
The new key is added to the list of keys in the Key Management menu. Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software.

To create a self-signed certificate using the new encryption key, go to “Creating a Self-signed Certificate” on page 801. To create an enrollment request, go to “Generating an Enrollment Request” on page 816.
Deleting an Encryption Key

This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure.

- Deleting a key pair from the key management database also deletes the key’s corresponding “.ukf” file from the AT-S63 file system.
- You cannot delete a key pair if it is being used by SSL or SSH.
Modifying an Encryption Key

The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key that you can modify. You cannot change a key’s ID, type, or length.

To change the description of a key, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2.
Exporting an Encryption Key

The following procedure exports the public key of a key pair into the AT-S63 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following:

- The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not download the key automatically when you start an SSH management session.
The Export Key to File menu is shown in Figure 263.

Allied Telesyn AT-9424T/SP - AT-S63 Marketing
User: Manager                             11:20:02 02-Mar-2005

Export Key to File

1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name
5 - Export Key to File

R - Return to Previous Menu

Enter your selection?

Figure 263. Export Key to File Menu

5. From the Export Key to File menu, type 1 to select Key ID.
The following message is displayed:

    Key Export in Progress. Please wait...Done

11. Press any key to return to the Key Management menu. To view the public key in the switch’s file system, refer to “Displaying System Files” on page 212.

Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software.
Importing an Encryption Key

Use the following procedure to import a public key from the AT-S63 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored.

Note
It is unlikely that you will ever need to perform this procedure. A switch can only use those public keys that it has generated itself.

This procedure starts from the Key Management menu.
The Import Key from File menu is shown in Figure 264.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    Import Key from File

    1 - Key ID ............ 0
    2 - Key Type .......... RSA-Public
    3 - Key File Format ... HEX
    4 - Key File Name .....
    5 - Import Key from File

    R - Return to Previous Menu

    Enter your selection?

Figure 264. Import Key from File Menu

5. From the Import Key from File menu, type 1 to select Key ID.
The key file name must include the “.key” extension. If you are unsure of the file name, display the files in the switch’s file system by referring to “Displaying System Files” on page 212.

10. Type 5 to select Import Key From File to import a key to the switch from an external file. The following message is displayed:

    Key Import in Progress. Please wait...Done

After you receive this message, the key is added to the Key Management database.
Displaying the Encryption Keys

To display the encryption keys, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2. From the Security and Services menu, type 7 to select Keys/Certificate Configuration. The Keys/Certificate Configuration menu is shown in Figure 260 on page 775.

3.
Length
The length of the key in bits.

Digest
The CRC32 value of the MD5 digest of the public key.

Description
The key’s description.
Chapter 34
PKI Certificates and SSL

This chapter contains the procedures for creating public key infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information refer to the Technical Overview section.
Basic Overview

This chapter describes the second part of the encryption feature of the AT-S63 management software—PKI certificates. The first part is explained in Chapter 33, “Encryption Keys” on page 767.
If your company is large enough, it might have a private CA and you might want the group to issue the AT-9400 Series switch certificates so that you are in compliance with company policy. The first step to creating a CA certificate is to create a key pair. After that you must generate a digital document called an enrollment request and send the document to the CA.
So what would be a good distinguished name for a certificate for an AT-9400 Series switch? If the switch has an IP address, such as a master switch, you could use its address as the name. The following example is a distinguished name for a certificate for a master switch with the IP address 149.11.11.11:

    cn=149.11.11.
For those networks that consist of enhanced stacking switches where some switches support SSL and others do not, there are two approaches you can take. One is to create different enhanced stacks for the different switches, with one enhanced stack for those switches that support SSL and another stack for those that do not. You create different enhanced stacks by connecting the switches with different common VLANs.
Technical Overview

This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.
SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase.

User Verification

An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server.
To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after checking that a public key belongs to its claimed owner. There are several agencies that are trusted to issue certificates. Individual browsers have approved Root CAs that are built in to the browser.
this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate.

Caution
Although a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached.
Elements of a Public Key Infrastructure

A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:

At least one certification authority (CA), which issues and revokes certificates.

At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
Certificate Validation

To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA that issued the certificate.

CA Hierarchies and Certificate Chains

It may not be practical for every individual certificate in an organization to be signed by one certification authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared to be the root CA.
PKI Implementation

The following sections discuss Allied Telesyn’s implementation of PKI for the AT-9400 Series switches.
Creating a Self-signed Certificate

This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure:

For a general review of all the steps to configuring the switch for a self-signed certificate, refer to “General Steps for a Self-signed Certificate” on page 764.

The switch’s time and date must be set before you create a certificate.
The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 266.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    Public Key Infrastructure (PKI) Configuration

    1 - Maximum Number of Certificates....... 256
    2 - X509 Certificate Management
    3 - Generate Enrollment Request

    R - Return to Previous Menu

    Enter your selection?

Figure 266. Public Key Infrastructure (PKI) Configuration Menu

4.
Note
In the X509 Certificate Management menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch. Both MTrust and Source are read-only fields.

5. Type 1 to select Create Self-Signed Certificate. The Create Self-Signed Certificate menu is shown in Figure 268.
9. Enter the ID number of the encryption key that you want to use to create this certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535.

10. Type 3 to select Format to choose the encoding format for the certificate. The possible options are:

DER - Indicates the certificate contents are in a binary format.
Adding a Certificate to the Database

After creating a certificate or receiving a certificate from a public or private CA, you need to add it to the certificate database. This makes it available to the switch’s web server. A certificate in the certificate database appears in the X509 Certificate Management menu. To add a certificate to the certificate database, perform the following procedure:

1.
6. Type 1 to select Certificate Name. The following prompt is displayed:

    Enter file name (*.key) ->

7. Enter a name for the certificate. This is the name for the certificate as it will appear in the certificate database list. You can enter up to 24 alphanumeric characters. Spaces are allowed. No extension is needed. You might want the name to include the filename of the certificate in the file system.
Note
This parameter has no effect on the operation of a certificate. The parameter is included only for informational purposes when the certificate is displayed in the certificate database.

10. Type 4 to select File Name. The following prompt is displayed:

    Enter file name (*.key) ->

11. Specify the filename of the certificate. This is the filename of the certificate in the AT-S63 file system. The filename has a “.cer” extension.
Modifying a Certificate

The procedure in this section modifies a certificate in the certificate database. Here are the certificate items you can modify:

State - trusted or untrusted
Type - EE, CA, or Self

Note
These parameters have no effect on the operation of a certificate. They are included only for informational purposes when the certificate is displayed in the certificate database.

To modify a certificate, perform the following procedure:

1.
The Modify Certificate menu is shown in Figure 270.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    Modify Certificate

    1 - Certificate Name................. Switch12
    2 - State ........................... Trusted
    3 - Type ............................ Self
    4 - Modify Certificate

    R - Return to Previous Menu

    Enter your selection?

Figure 270. Modify Certificate Menu

Note
You cannot change selection 1, Certificate Name.

7.
10. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Deleting a Certificate

The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure:

Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S63 file system. To completely remove a certificate from the switch, you must also delete it from the file system.
7. To permanently save your change, return to the Main Menu and type S to select Save Configuration Changes.
Viewing a Certificate

This procedure displays information about a certificate, such as its distinguished name and serial number. To view the details of a certificate, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2. From the Security and Services menu, type 7 to select Keys/Certificate Configuration.

3. From the Keys/Certificate Configuration menu, type 3 to select Public Key Infrastructure (PKI) Configuration.
The View Certificate Details menu (page 1) is shown in Figure 271.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    View Certificate Details

    Certificate Details:
    Name ...............
    State ..............
    Manually Trusted ...
    Type ...............
    Source .............
    Version ............
    Serial Number ......
    Signature Alg ......
    Public Key Alg .....
    Not Valid Before ...
    Not Valid After ....
Public Key Alg
The public key algorithm.

Not Valid Before
The date the certificate became active.

Not Valid After
The date the certificate expires. Self-signed certificates are valid for two years.

7. Type N to see the second page of certificate details. The View Certificate Details menu (page 2) is shown in Figure 272.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    View Certificate Details

    Subject ......... CN=149.
Generating an Enrollment Request

To request a certificate from a CA, you must generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S63 file system and must be uploaded onto your management station or TFTP server for submission to the CA.
The Generate Enrollment Request menu is shown in Figure 273.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    Generate Enrollment Request

    1 - Request Name....................
    2 - KeyPair ID ..................... 0
    3 - Format ......................... PEM
    4 - Type ........................... PKCS10
    5 - Generate Enrollment Request

    R - Return to Previous Menu

    Enter your selection?

Figure 273.
12. Type 5 to select Generate Enrollment Request. After the switch has finished generating the request, a message similar to the following is displayed:

    Enrollment request is being generated. Please wait ...Done.
    Enrollment Request available in file [Switch 12.csr].
    Press any key to continue ...

The enrollment request is now stored in the AT-S63 file system. To see the file, refer to “Displaying System Files” on page 212.

13.
Installing CA Certificates onto a Switch

This section lists the procedures to perform for a certificate from a public or private CA. Note that a CA-generated certificate consists of several certificates, a minimum of two. All the certificates from the CA must be installed on the switch and loaded into the certificate database.
Viewing and Configuring the Maximum Number of Certificates

You can specify the maximum number of certificates the certificate database can store. The range is 12 to 256. The default value is 256. You should never need to adjust this value. To view or change the maximum number of certificates the certificate database can store, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2.
Configuring SSL

To configure the SSL protocol, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2. From the Security and Services menu, type 9 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 274.

    Allied Telesyn AT-9424T/SP - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005

    Secure Socket Layer (SSL)

    1 - Maximum Number of Sessions.........
Chapter 35
Secure Shell (SSH)

The chapter contains overview information about the Secure Shell (SSH) protocol as well as a procedure for configuring this protocol on a switch using a local or Telnet management session.
SSH Overview

Secure management is increasingly important in modern networks: the ability to manage switches easily and effectively and the need for security are both universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem: it is protected only by plaintext usernames and passwords, which are vulnerable to wiretapping and password guessing.
Note
Non-encrypted Secure Shell sessions serve no purpose.

SSH Server

When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 management software uses well-known port 22 as the SSH default port.
switch first pass through the master switch before reaching your management station. Enhanced stacking uses a proprietary protocol different from the Telnet and SSH protocols. Consequently, there is no encryption between a master switch and a slave switch. The result is that SSH encryption only occurs between your workstation and the master switch, not between your workstation and a slave switch. This is illustrated in Figure 275.
General Steps to Configuring SSH

You activate and configure SSH on the master switch of an enhanced stack, not on slave switches. The AT-S63 software uses well-known port 22 as the SSH default port. Configuring the SSH server involves several procedures. This section lists the procedures for configuring the SSH feature.

1. Create two encryption key pairs on the master switch of the enhanced stack.
Configuring SSH

This section describes how to configure the switch as an SSH server. For a description of all the steps required to configure an SSH server, see “General Steps to Configuring SSH” on page 827. Before you begin this procedure, you need to configure host and server keys for SSH. See Chapter 33, “Encryption Keys” on page 767. The minimum bit size of the server key is 512 bits. The recommended bit size for a server key is 768 bits.
3. Type 2 to select Host Key ID. The following prompt is displayed:

    Enter Host Key ID [0 to 65535] -> 0

Enter the ID number of the encryption key that will function as the host key. The default is Not Defined. For instructions on creating encryption keys, see Chapter 33, “Encryption Keys” on page 767.

4. Type 3 to select Server Key ID.
Type E to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server. Or, type D to disable SSH while you are configuring the protocol. SSH must be disabled while you are configuring the protocol. This is the default.

Note
When there are active SSH connections, you cannot disable the SSH server. If you attempt to disable the SSH server when it is in this state, you receive a warning message.
Displaying SSH Information

To display SSH server information, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 79 on page 281.

2. From the Security and Services menu, type 8 to select Secure Shell (SSH). The Secure Shell (SSH) menu is shown in Figure 276 on page 828.

3. From the Secure Shell (SSH) menu, type 6 to select Show Server Information.
Host Key ID
The host key ID defined for SSH.

Host Key Bits
Number of bits in the host key.

Server Key ID
Server key ID defined for SSH.

Server Key Expiry
Length of time, in hours, until the server key is regenerated. The default is 0 hours, which means the server key is not regenerated.

Login Timeout
Time, in seconds, until an SSH server is released from an incomplete connection with an SSH client.

Authentication Available
Authentication method available.
Chapter 36
TACACS+ and RADIUS Protocols

This chapter describes how to configure the parameter settings for the two authentication protocols TACACS+ and RADIUS.
TACACS+ and RADIUS Overview

TACACS+ and RADIUS are authentication protocols for enhancing the security of your network. In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server. The AT-S63 software comes with TACACS+ and RADIUS client software. You can use the client software to add two security features to the switch.
switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as authentication. If the combination is valid, the authentication protocol server notifies the switch and the switch completes the login process, allowing the manager to manage the switch.
depending on the server software. TACACS+ controls this through the sixteen (0 to 15) different levels of the Privilege attribute. A privilege level of “0” gives the combination Operator status. Any value from 1 to 15 gives the combination Manager status. For RADIUS, management level is controlled by the Service Type attribute. This attribute has 11 different values; only two apply to the AT-S63 management software.
The local subnet on the switch where the TACACS+ or RADIUS server is a member must have a routing interface. The switch uses the IP address of the routing interface as its source address when communicating with the server. For background information on routing interfaces, refer to the latest version of the AT-S63 Management Software Command Line Interface User’s Guide.
Enabling or Disabling Server-based Management Authentication

This procedure explains how to enable or disable server-based management authentication on the switch. When the feature is enabled, the switch seeks its valid manager accounts from an authentication server. When disabled, the switch uses its standard Manager and Operator accounts, as explained in “Management Access Levels” on page 42.
Note
Selection 5, Passwords Configuration, is described in “Changing the Manager and Operator Passwords” on page 63.

3. To select the active authentication protocol, type 2 to select Authentication Method. The following prompt is displayed:

    Enter T-TACACS+, R-RADIUS ->

4. Type T to select TACACS+ or R for RADIUS. The default is TACACS+. Only one protocol can be active on the switch at a time.

5.
Configuring the TACACS+ Client

To configure the TACACS+ client on the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 278 on page 838.

3.
If you will be specifying more than one TACACS+ server and if all of the servers use the same encryption secret, you can answer No to this prompt and enter the encryption secret using the TAC Global Secret parameter. However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, then respond with Yes to this prompt.
Displaying the TACACS+ Settings

To display the TACACS+ settings, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 278 on page 838.

3. Type 3 to select TACACS+ Configuration.
Configuring the RADIUS Client

To configure the RADIUS client, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 278 on page 838.

3. Type 4 to select RADIUS Configuration.
Manager and Operator accounts. The default is 10 seconds. The range is 1 to 60 seconds.

3 - RADIUS Server 1 Configuration
4 - RADIUS Server 2 Configuration
5 - RADIUS Server 3 Configuration

Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software. Selecting one of the options displays the RADIUS Server Configuration menu, shown in Figure 282.
6. To activate the feature, perform the procedure “Enabling or Disabling Server-based Management Authentication” on page 838.
Displaying RADIUS Status and Settings

To display the RADIUS status and settings, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 278 on page 838.

3.
The Show Status menu displays a table that contains the following columns of information:

Server IP Address
IP address of the RADIUS server.

Auth Port
UDP port of the RADIUS protocol.

Encryption Key
Encryption key for the RADIUS server.

Auth Req
Number of authentication requests the switch has made to the RADIUS server.

Auth Resp
Number of responses that the switch has received back from the server.
Chapter 37
Management Access Control List

This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Management ACL Security Overview

This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser. The switch uses the management ACL to filter the management packets that it receives.
Mask

You need to enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, the mask would depend on the address. For example, to allow all management stations in the subnet 149.11.11.
switch. A management ACL applied to a slave switch filters only those management packets directed to the slave switch.

Examples

Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device:

    IP Address: 149.11.11.11
    Mask: 255.255.255.
    Application Type:
The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0:

    ACE #1
    IP Address: 149.11.11.11
    Mask: 255.255.255.255
    Application Type: All

    ACE #2
    IP Address: 149.22.22.0
    Mask: 255.255.255.0
    Application Type: All

This example allows the management station with the IP address 149.11.11.
Enabling or Disabling the Management ACL

This procedure enables and disables the management ACL. When enabled, only those management stations specified in the ACL are allowed to manage the switch remotely using the Telnet application protocol or a web browser. When the feature is disabled, the management software on the switch can be accessed remotely from any management workstation.
A change to the status of the management ACL is immediately activated on the switch.

Note
If you activate the feature while managing the switch from a Telnet management session, your management session will end and you will not be able to reestablish it if the management ACL does not contain an ACE that specifies your management workstation.

4. After making changes, type R until you return to the Main Menu.
Creating an ACE

To create a new ACE in the management ACL, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL Configuration menu is shown in Figure 284 on page 854.

3. From the Management ACL Configuration menu, type 2 to select Create Management ACL Entry.
Telnet - Permits Telnet management.
Web - Permits web browser management.
Ping - Permits the management workstation to ping the switch.
All - Permits all of the above.

You can specify more than one by separating the selections with a comma (for example, “Telnet,Ping”). The new ACE is added to the ACL.

8. After making your changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
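The following Python is an added example, not code from this guide or from the AT-S63 software. It models the management ACL rules described in the Mask and Examples sections and in this procedure (bitwise mask comparison, the Application Type field with its comma-separated values, and the enabled/disabled behaviour) and adds a check for the lock-out case the Note above warns about; the two ACEs for 149.11.11.11 and 149.22.22.0 are taken from the Examples section, and the third ACE (149.33.33.7) is constructed for illustration.

```python
"""Offline model of the AT-S63 management ACL matching rules.

Constructed example (not the switch's own code). An administrator can use it
to check what an ACL will permit, and whether enabling it would end the
Telnet session it is being configured from, before activating it on a switch.
"""
import ipaddress
from dataclasses import dataclass

# The three application types the Create Management ACL Entry procedure lists.
APPLICATIONS = frozenset({"Telnet", "Web", "Ping"})


def parse_applications(spec):
    """Parse an Application Type value such as "All" or "Telnet,Ping"."""
    selected = set()
    for item in spec.split(","):
        name = item.strip().capitalize()
        if name == "All":
            return APPLICATIONS
        if name not in APPLICATIONS:
            raise ValueError(f"unknown application type: {item!r}")
        selected.add(name)
    if not selected:
        raise ValueError("Application Type must name at least one application")
    return frozenset(selected)


@dataclass(frozen=True)
class ACE:
    """One access control entry: IP Address, Mask and Application Type."""
    ip_address: str
    mask: str
    application_type: str

    def matches(self, source_ip, application):
        """True if source_ip matches under the mask and the application is permitted.

        A mask bit of 1 means the corresponding address bit is compared; a 0
        means it is ignored, so 255.255.255.255 selects exactly one station.
        """
        addr = int(ipaddress.IPv4Address(source_ip))
        ace_addr = int(ipaddress.IPv4Address(self.ip_address))
        mask = int(ipaddress.IPv4Address(self.mask))
        if (addr & mask) != (ace_addr & mask):
            return False
        return application.capitalize() in parse_applications(self.application_type)


class ManagementACL:
    """The switch's management ACL: a list of ACEs plus its enabled/disabled status."""

    def __init__(self, aces=(), enabled=False):
        self.aces = list(aces)
        self.enabled = enabled

    def permits(self, source_ip, application):
        """Decide whether a management packet from source_ip is accepted.

        Disabled: any station may manage the switch. Enabled: only stations
        covered by an ACE that includes the requested application.
        """
        if application.capitalize() not in APPLICATIONS:
            raise ValueError(f"unknown application type: {application!r}")
        if not self.enabled:
            return True
        return any(ace.matches(source_ip, application) for ace in self.aces)

    def would_lock_out(self, my_station_ip):
        """True if enabling the ACL would end a Telnet session from my_station_ip
        with no way to reconnect (the situation the guide's Note warns about)."""
        return not any(ace.matches(my_station_ip, "Telnet") for ace in self.aces)


def example_acl():
    """The two ACEs from the Examples section plus one constructed Telnet/Ping-only entry."""
    return ManagementACL(
        aces=[
            ACE("149.11.11.11", "255.255.255.255", "All"),
            ACE("149.22.22.0", "255.255.255.0", "All"),
            ACE("149.33.33.7", "255.255.255.255", "Telnet,Ping"),  # constructed
        ],
        enabled=True,
    )


if __name__ == "__main__":
    acl = example_acl()
    for ip, app in [("149.11.11.11", "Web"), ("149.22.22.200", "Telnet"),
                    ("149.22.23.1", "Telnet"), ("149.33.33.7", "Web")]:
        verdict = "permit" if acl.permits(ip, app) else "deny"
        print(f"{ip:>15} {app:<6} -> {verdict}")
    print("lock-out risk from 10.0.0.5:", acl.would_lock_out("10.0.0.5"))
```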
Modifying an ACE

To modify an ACE, you need to know its identification number. To view the identification numbers of the ACEs, refer to “Displaying the ACEs” on page 861. To modify an ACE, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60.

2. From the System Administration menu, type 7 to select Management ACL.
5. Make the desired changes to the entry by selecting the corresponding option and entering a new value. You cannot change an entry’s ID number. For information on an entry’s IP address, network mask, and applications, refer to steps 5, 6, and 7 in the procedure “Creating an ACE” on page 856.

6. After entering your changes, type M to select Modify Management ACL Entry. Your changes are immediately implemented on the switch.

7.
Chapter 37: Management Access Control List Deleting an ACE To delete an ACE, you need to know its identification number. To view the identification numbers of the ACEs, refer to “Displaying the ACEs” on page 861. Note If you are managing the switch from a Telnet management session and the management ACL is active, your management session will end and you will be unable to reestablish it if you delete the ACE that specifies your management workstation. To delete an ACE, perform the following procedure: 1.
AT-S63 Management Software Menus Interface User’s Guide Displaying the ACEs To display the ACEs in the management ACL, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 60. 2. From the System Administration menu, type 7 to select Management ACL. The Management ACL Configuration menu is shown in Figure 284 on page 854. 3.
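The ACE semantics this chapter describes (an IP address plus network mask, the Telnet/Web/Ping/All application list, and the Telnet lockout the two Notes warn about) modelled as an added Python example. This is illustrative code, not the AT-S63 software; the addresses and ACE ID numbers in it are constructed.

```python
"""Model of the AT-S63 management ACL: an ACE is an IP address, a network mask and
a set of applications; while the ACL is active, only management traffic matching
some ACE reaches the switch. Illustrative example, not code from the switch."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Application names exactly as the Create Management ACL Entry menu lists them.
APPLICATIONS = frozenset({"Telnet", "Web", "Ping"})


@dataclass(frozen=True)
class ACE:
    """One management ACL entry. The ID is what the Modify and Delete procedures
    ask for and cannot be changed once the entry exists."""
    ace_id: int
    address: str
    mask: str
    applications: frozenset[str]

    def network(self) -> ipaddress.IPv4Network:
        # (address, mask) tuple form; strict=False tolerates host bits in the address.
        return ipaddress.IPv4Network((self.address, self.mask), strict=False)


def parse_applications(spec: str) -> frozenset[str]:
    """Parse the menu's comma-separated selection, e.g. "Telnet,Ping".
    "All" expands to every application; unknown names are rejected."""
    selected = set()
    for item in spec.split(","):
        name = item.strip().capitalize()
        if name == "All":
            selected |= APPLICATIONS
        elif name in APPLICATIONS:
            selected.add(name)
        else:
            raise ValueError(f"unknown management application: {item!r}")
    return frozenset(selected)


def ace_matches(ace: ACE, source_ip: str, application: str) -> bool:
    """True if the workstation address lies inside the ACE's address/mask and the
    requested application is one the ACE permits."""
    return (ipaddress.IPv4Address(source_ip) in ace.network()
            and application in ace.applications)


def permitted(acl_active: bool, aces: Iterable[ACE],
              source_ip: str, application: str) -> bool:
    """Inactive ACL: any workstation may manage the switch.
    Active ACL: only traffic matching at least one ACE is accepted."""
    if not acl_active:
        return True
    return any(ace_matches(ace, source_ip, application) for ace in aces)


def telnet_lockout_risk(aces: Iterable[ACE], workstation_ip: str,
                        pending_delete_id: Optional[int] = None) -> bool:
    """Pre-flight check for the Notes above: activating the ACL, or deleting an ACE
    while it is active, ends a Telnet session whose workstation no longer matches
    any Telnet ACE. Returns True when the operation would lock you out."""
    remaining = [ace for ace in aces if ace.ace_id != pending_delete_id]
    return not permitted(True, remaining, workstation_ip, "Telnet")


if __name__ == "__main__":
    # Constructed sample ACL (documentation addresses, not from the manual).
    acl = [
        ACE(1, "192.0.2.10", "255.255.255.255", parse_applications("Telnet,Ping")),
        ACE(2, "192.0.2.0", "255.255.255.0", parse_applications("Web")),
    ]
    print("Telnet from 192.0.2.10 permitted:", permitted(True, acl, "192.0.2.10", "Telnet"))
    print("Deleting ACE 1 would drop that session:",
          telnet_lockout_risk(acl, "192.0.2.10", pending_delete_id=1))
```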
Appendix A
AT-S63 Management Software Default Settings

This appendix lists the factory default settings for the AT-S63 management software. It contains the following sections in alphabetical order:

“ARP Cache Setting” on page 865
“Boot Configuration File Default Setting” on page 866
“Class of Service” on page 867
“Denial of Service Prevention Default Settings” on page 868
“802.
“Telnet Server Default Settings” on page 893
“VLAN Default Settings” on page 894
“Web Server Default Settings” on page 895

ARP Cache Setting

The following table lists the ARP cache default setting.

Boot Configuration File Default Setting

The following table lists the File menu default setting.

Boot Configuration File Menu Setting    Default
Configuration File                      boot.

Class of Service

The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.

IEEE 802.

Denial of Service Prevention Default Settings

The following table lists the default settings for the Denial of Service prevention feature.

Denial of Service Prevention Setting    Default
IP Address                              0.0.0.0
Subnet Mask                             0.0.0.

802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port-based Network Access Control default settings.

802.1x Port-based Network Access Control Setting    Default
Port Access Control                                 Disabled
Authentication Method                               RADIUS EAP
Port Role                                           None

The following table lists the default settings for RADIUS accounting.

Authenticator Port Setting    Default
VLAN Assignment               Enabled
Secure VLAN                   On
Control Direction             Both
Piggyback Mode                Disabled
Guest VLAN                    None

The following table lists the default settings for a supplicant port.

Enhanced Stacking Default Setting

The following table lists the enhanced stacking default setting.

Event Log Default Settings

The following table lists the default settings for both the permanent and temporary event logs.

GVRP Default Settings

This section provides the default settings for GVRP.

IGMP Snooping Default Settings

The following table lists the IGMP Snooping default settings.

Internet Protocol Version 4 Packet Routing

The following table lists the IPv4 packet routing default settings.

Packet Routing Setting          Default
Equal Cost Multi-path (ECMP)    Enabled
Default Route                   None
Update Timer                    30 seconds
Invalid Timer                   180 seconds

Note
The update and invalid timers are not adjustable. The IPv4 routing holddown and flush timers are not supported by the switch.

MAC Address-based Port Security Default Settings

The following table lists the MAC address-based port security default settings.

MAC Address Table Default Setting

The following table lists the default setting for the MAC address table.

Management Access Control List Default Setting

The following table lists the default setting for the Management Access Control List.

Manager and Operator Account Default Settings

The following table lists the manager and operator account default settings.

Manager Account Setting              Default
Manager Login Name                   manager
Manager Password                     friend
Operator Login Name                  operator
Operator Password                    operator
Console Disconnect Timer Interval    10 minutes
Console Startup Mode                 CLI

Note
Login names and passwords are case sensitive.

MLD Snooping Default Settings

The following table lists the MLD Snooping default settings.

PKI Default Settings

The following table lists the PKI default settings, including the generate enrollment request settings.

Port Configuration Default Settings

The following table lists the port configuration default settings.

RJ-45 Serial Terminal Port Default Settings

The following table lists the RJ-45 serial terminal port default settings.

RJ-45 Serial Terminal Port Setting    Default
Data Bits                             8
Stop Bits                             1
Parity                                None
Flow Control                          None
Baud Rate                             9600 bps

The baud rate is the only adjustable parameter on the port.

RRP Snooping Default Setting

The following table lists the RRP Snooping default setting.

Server-based Authentication (RADIUS and TACACS+) Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-based Authentication Default Settings

The following table describes the server-based authentication default settings.

RADIUS Default Settings

SNMP Default Settings

The following table describes the SNMP default settings.

SNTP Default Settings

The following table lists the SNTP default settings.

SNTP Setting    Default
System Time     00:00:00 on January 1, 1980
SNTP Status     Disabled
SNTP Server     0.0.0.

Spanning Tree (STP, RSTP, and MSTP) Default Settings

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

Spanning Tree Setting      Default
Spanning Tree Status       Disabled
Active Protocol Version    RSTP

STP Default Settings

The following table describes the STP default settings.

MSTP Default Settings

The following table lists the MSTP default settings.

SSH Default Settings

The following table lists the SSH default settings.

SSH Setting               Default
Status                    Disabled
Host Key ID               Not Defined
Server Key ID             Not Defined
Server Key Expiry Time    0 hours
Login Timeout             180 seconds
SSH Port Number           22

The SSH port number is not adjustable.

SSL Default Settings

The following table lists the SSL default settings.

System Name, Administrator, and Comments Settings

The following table describes the IP default settings.

Telnet Server Default Settings

The following table lists the Telnet server default settings.

Telnet Server Setting    Default
Telnet Server            Enabled
Telnet Port Number       23
NULL Character           Off

The Telnet port number is not adjustable.

VLAN Default Settings

This section provides the VLAN default settings.

Web Server Default Settings

The following table lists the web server default settings.
Appendix B
SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.

SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:

Manager
Operator

In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 21, “SNMPv3” on page 409.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.

Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.

Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet

This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table
User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table
Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table
Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
Storage Type

SNMPv3 Target Parameters Table
Target Parameters Name
Use
Security Model
Security Level
Storage Type
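The checks that the Operator example above configures (an Access Table entry with read access to the internet view and no write or notify view), as an added Python example that applies the VACM view-family and access rules of RFC 3415 to the entries shown. It is not AT-S63 code. Assumptions: a blank view name means no view and therefore no access; the level names other than Authentication, the GET/SET operation names and the variant that excludes the management ACL subtree (OID 1.3.6.1.4.1.207.8.17.1.7 from Appendix D) are constructed for this example.

```python
"""View-family matching and access checks for the SNMPv3 View Table and Access
Table entries of the Operator example. Illustrative code following RFC 3415
(VACM); not part of the AT-S63 software."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """"1.3.6.1" -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    view_name: str
    subtree: OID
    mask: str       # one '1'/'0' per subtree sub-identifier; "" (blank, as in the
                    # example above) means every sub-identifier must match
    included: bool  # View Type: Included -> True, Excluded -> False


def subtree_matches(entry: ViewEntry, oid: OID) -> bool:
    """An OID belongs to a family if it is at least as long as the subtree and every
    sub-identifier whose mask bit is 1 is equal; 0 bits are wildcards and a mask
    shorter than the subtree is padded with 1s (RFC 3415)."""
    if len(oid) < len(entry.subtree):
        return False
    for i, sub in enumerate(entry.subtree):
        bit = entry.mask[i] if i < len(entry.mask) else "1"
        if bit == "1" and oid[i] != sub:
            return False
    return True


def oid_in_view(views: Sequence[ViewEntry], view_name: str, oid: OID) -> bool:
    """Of the families of one view that match, the longest subtree (then the
    lexicographically greatest) decides through its Included/Excluded type."""
    best: Optional[ViewEntry] = None
    for entry in views:
        if entry.view_name != view_name or not subtree_matches(entry, oid):
            continue
        if best is None or (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree):
            best = entry
    return best is not None and best.included


# Security levels from weakest to strongest. "Authentication" is the menu's name;
# the other two names are assumed for this example.
SECURITY_LEVELS = ("No Authentication", "Authentication", "Privacy")

# Which Access Table view each operation is checked against (RFC 3415).
OPERATION_VIEW = {"GET": "read_view", "GETNEXT": "read_view", "GETBULK": "read_view",
                  "SET": "write_view", "TRAP": "notify_view", "INFORM": "notify_view"}


@dataclass(frozen=True)
class AccessEntry:
    group_name: str
    security_model: str
    security_level: str
    read_view: str    # "" (blank in the example) means no view, hence no access
    write_view: str
    notify_view: str


def request_allowed(access: Sequence[AccessEntry], views: Sequence[ViewEntry],
                    group_name: str, security_model: str, security_level: str,
                    operation: str, oid: OID) -> bool:
    """An Access Table entry applies when group and model match and the request was
    secured at least as strongly as the entry's level; the operation's view must
    then contain the OID. With one entry per group this is the RFC 3415 selection."""
    rank = SECURITY_LEVELS.index(security_level)
    for entry in access:
        if entry.group_name != group_name or entry.security_model != security_model:
            continue
        if SECURITY_LEVELS.index(entry.security_level) > rank:
            continue
        view_name = getattr(entry, OPERATION_VIEW[operation])
        if view_name and oid_in_view(views, view_name, oid):
            return True
    return False


if __name__ == "__main__":
    views = [ViewEntry("internet", parse_oid("1.3.6.1"), "", True)]
    access = [AccessEntry("Operators", "SNMPv3", "Authentication", "internet", "", "")]
    status = parse_oid("1.3.6.1.4.1.207.8.17.1.7.1")  # atiStkSwSysMgmtACLStatus
    print("Operator GET:", request_allowed(access, views, "Operators", "SNMPv3",
                                           "Authentication", "GET", status))   # True
    print("Operator SET:", request_allowed(access, views, "Operators", "SNMPv3",
                                           "Authentication", "SET", status))   # False
```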
Appendix C
Features and Standards

This appendix lists the features and standards of the AT-9400 Series switches.

10/100/1000Base-T Twisted Pair Ports
IEEE 802.1d Bridging
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
IEEE 802.3u Auto-Negotiation
IEEE 802.3x 10/100 Mbps Flow Control / Backpressure
IEEE 802.

File System
— 8 megabyte storage capacity

DHCP and BOOTP Clients
RFC 2131 DHCP client
RFC 951, 1542 BOOTP client

Internet Protocol Multicasting
RFC 1112 IGMP Snooping (Ver. 1.0)
RFC 2236 IGMP Snooping (Ver. 2.0)
RFC 3376 IGMP Snooping (Ver. 3.0)
RFC 2710 MLD Snooping (Ver. 1.0)
RFC 3810 MLD Snooping (Ver. 2.

MAC Address Table
— Storage capacity of 16K entries

Management Access and Security
RFC 1157 SNMPv1
RFC 1901 SNMPv2
RFC 3411 SNMPv3
RFC 1492 TACACS+ Client
RFC 2865 RADIUS Client
RFC 2068 HTTP
RFC 2616 HTTPS
RFC 1866 HTML
RFC 854 Telnet Server
— Secure Sockets Layer (SSL)
RFC 4325 (X.509) Public Key Infrastructure (PKI)
— Encryption Keys
— Secure Shell (SSH) (Vers. 1.3, 1.5, 2.

Management Interfaces
Menus
Command Line
Web Browser
SNMP v1, v2, & v3

Management MIBs
RFC 1213 MIB-II
RFC 1215 TRAP MIB
RFC 1493 Bridge MIB
RFC 2863 Interface Group MIB
RFC 2933 IGMP
RFC 1643 Ethernet-like MIB
RFC 2674 IEEE 802.1Q MIB
RFC 1757 RMON 4 groups
— Allied Telesyn Private MIBs
IEEE 802.

Port Trunking and Mirroring
IEEE 802.3ad Link Aggregation Control Protocol (LACP)
— Static Port Trunking
— Port Mirroring

Spanning Tree Protocols
IEEE 802.1D Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol
IEEE 802.

— 802.1q Priority to Type of Service Replacement
— Maximum Bandwidth Control
— Burst Size Control
— Support for Ingress and Egress Ports
IEEE 802.1p Class of Service with Strict and Weighted Round Robin Scheduling
— Port Access Control Lists
— Ingress and Egress Control of Broadcast, Multicast, and Unknown Unicast Traffic
— Ingress Packet Rate Limiting
IEEE 802.1Q Tagged VLANs
— Port-based VLANs
— Compliant and Non-compliant 802.
Appendix D
MIB Objects

This appendix lists the SNMP MIB objects in the private Allied Telesyn MIBs that apply to the AT-S63 management software and the AT-9400 Series switches.

Access Control Lists

Table 31. Access Control Lists (AtiStackSwitch MIB)

Object Name                   OID
atiStkSwACLConfigTable        1.3.6.1.4.1.207.8.17.9.1
atiStkSwACLConfigEntry        1.3.6.1.4.1.207.8.17.9.1.1
atiStkSwACLModuleId           1.3.6.1.4.1.207.8.17.9.1.1.1
atiStkSwACLId                 1.3.6.1.4.1.207.8.17.9.1.1.2
atiStkSwACLDescription        1.3.6.1.4.1.207.8.17.9.1.1.3
atiStkSwACLAction             1.3.6.1.4.1.207.8.17.9.1.1.4
atiStkSwACLClassifierList     1.3.6.1.4.1.207.8.17.9.1.1.5
atiStkSwACLPortList           1.3.6.1.4.1.207.

Class of Service

Table 32. CoS Scheduling (AtiStackSwitch MIB)

Object Name                          OID
atiSwQoSGroup                        1.3.6.1.4.1.207.8.17.7
atiStkSwQoSGroupNumberOfQueues       1.3.6.1.4.1.207.8.17.7.1
atiStkSwQoSGroupSchedulingMode       1.3.6.1.4.1.207.8.17.7.2

Table 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwQoSGroupCoSToQueueTable      1.3.6.1.4.1.207.8.17.7.3
atiStkSwQoSGroupCoSToQueueEntry      1.3.6.1.4.1.207.8.17.7.3.

Date, Time, and SNTP Client

Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)

Object Name                        OID
atiStkSysSystemTimeConfig          1.3.6.1.4.1.207.8.17.1.5
atiStkSwSysCurrentTime             1.3.6.1.4.1.207.8.17.1.5.1
atiStkSwSysCurrentDate             1.3.6.1.4.1.207.8.17.1.5.2
atiStkSwSysSNTPStatus              1.3.6.1.4.1.207.8.17.1.5.3
atiStkSwSysSNTPServerIPAddress     1.3.6.1.4.1.207.8.17.1.5.4
atiStkSwSysSNTPUTCOffset           1.3.6.1.4.1.207.8.17.1.5.5
atiStkSwSysSNTPDSTStatus           1.3.6.1.4.1.207.8.17.1.5.

Denial of Service Defenses

Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)

Object Name                      OID
atiStkDOSConfig                  1.3.6.1.4.1.207.8.17.2.6
atiStkDOSConfigLANIpAddress      1.3.6.1.4.1.207.8.17.2.6.1
atiStkDOSConfigLANSubnetMask     1.3.6.1.4.1.207.8.17.2.6.2

Table 38. Denial of Service Defenses (AtiStackSwitch MIB)

Object Name                        OID
atiStkPortDOSAttackConfigTable     1.3.6.1.4.1.207.8.17.2.6.3
atiStkPortDOSAttackConfigEntry     1.3.6.1.4.1.207.8.17.2.6.3.

Enhanced Stacking

Table 39. Switch Mode and Discovery (AtiStackInfo MIB)

Object Name                        OID
atiswitchEnhancedStackingInfo      1.3.6.1.4.1.207.8.16.1
atiswitchEnhStackMode              1.3.6.1.4.1.207.8.16.1.1
atiswitchEnhStackDiscover          1.3.6.1.4.1.207.8.16.1.2
atiswitchEnhStackRemoteNumber      1.3.6.1.4.1.207.8.16.1.3

Table 40. Switches of an Enhanced Stack (AtiStackInfo MIB)

Object Name                 OID
atiswitchEnhStackTable      1.3.6.1.4.1.207.8.16.1.4
atiswitchEnhStackEntry      1.3.6.1.4.1.207.8.16.1.4.

GVRP

Table 41. GVRP Switch Configuration (AtiStackSwitch MIB)

Object Name                   OID
atiStkSwGVRPConfig            1.3.6.1.4.1.207.8.17.3.6
atiStkSwGVRPStatus            1.3.6.1.4.1.207.8.17.3.6.1
atiStkSwGVRPGIPStatus         1.3.6.1.4.1.207.8.17.3.6.2
atiStkSwGVRPJoinTimer         1.3.6.1.4.1.207.8.17.3.6.3
atiStkSwGVRPLeaveTimer        1.3.6.1.4.1.207.8.17.3.6.4
atiStkSwGVRPLeaveAllTimer     1.3.6.1.4.1.207.8.17.3.6.5

Table 42.

Table 43. GVRP Counters (AtiStackSwitch MIB)

Object Name                               OID
atiStkSwGVRPCountersPortNotListening      1.3.6.1.4.1.207.8.17.3.8.1.8
atiStkSwGVRPCountersInvalidPort           1.3.6.1.4.1.207.8.17.3.8.1.9
atiStkSwGVRPCountersInvalidProtocol       1.3.6.1.4.1.207.8.17.3.8.1.10
atiStkSwGVRPCountersInvalidFormat         1.3.6.1.4.1.207.8.17.3.8.1.11
atiStkSwGVRPCountersDatabaseFull          1.3.6.1.4.1.207.8.17.3.8.1.12
atiStkSwGVRPCountersRxMsgLeaveAll         1.3.6.1.4.1.207.8.17.3.8.1.

MAC Address-based Port Security

Table 44. MAC Address-based Port Security (AtiStackSwitch MIB)

Object Name                         OID
atiStkPortSecurityConfigTable       1.3.6.1.4.1.207.8.17.2.5
atiStkPortSecurityConfigEntry       1.3.6.1.4.1.207.8.17.2.5.1
atiStkPortSecurityMode              1.3.6.1.4.1.207.8.17.2.5.1.1
atiStkPortSecurityThreshold         1.3.6.1.4.1.207.8.17.2.5.1.2
atiStkPortIntrusionAction           1.3.6.1.4.1.207.8.17.2.5.1.3
atiStkPortIntrusionActionStatus     1.3.6.1.4.1.207.8.17.2.5.1.

MAC Address Table

Table 45. MAC Address Table (AtiStackSwitch MIB)

Object Name                    OID
atiStkSwMacAddr2VlanTable      1.3.6.1.4.1.207.8.17.3.3
atiStkSwMacAddr2VlanEntry      1.3.6.1.4.1.207.8.17.3.3.1
atiStkSwMacAddress             1.3.6.1.4.1.207.8.17.3.3.1.1
atiStkSwMacAddrVlanId          1.3.6.1.4.1.207.8.17.3.3.1.2
atiStkSwMacAddrVlanName        1.3.6.1.4.1.207.8.17.3.3.1.3
atiStkSwMacAddrModuleId        1.3.6.1.4.1.207.8.17.3.3.1.4
atiStkSwMacAddrPortId          1.3.6.1.4.1.207.8.17.3.3.1.5
atiStkSwMacAddrPortList        1.3.6.

Management Access Control List

Table 47. Management Access Control List Status (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwSysMgmtACLGroup      1.3.6.1.4.1.207.8.17.1.7
atiStkSwSysMgmtACLStatus     1.3.6.1.4.1.207.8.17.1.7.1

Table 48. Management Access Control List Entries (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwSysMgmtACLConfigTable      1.3.6.1.4.1.207.8.17.1.7.2
atiStkSwSysMgmtACLConfigEntry      1.3.6.1.4.1.207.8.17.1.7.2.

Miscellaneous

Table 49. System Reset (AtiStackSwitch MIB)

Object Name           OID
atiStkSwSysGroup      1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig     1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysReset      1.3.6.1.4.1.207.8.17.1.1.1

Table 50. Local Interface (AtiStackSwitch MIB)

Object Name               OID
atiStkSwSysGroup          1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig         1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysIpAddress      1.3.6.1.4.1.207.8.17.1.1.2
atiStkSwSysSubnetMask     1.3.6.1.4.1.207.8.17.1.1.3
atiStkSwSysGateway        1.3.6.1.4.

Port Mirroring

Table 52. Port Mirroring (AtiStackSwitch MIB)

Object Name                                  OID
atiStkSwPortMirroringConfig                  1.3.6.1.4.1.207.8.17.2.2
atiStkSwPortMirroringState                   1.3.6.1.4.1.207.8.17.2.2.1
atiStkSwPortMirroringDestinationModuleId     1.3.6.1.4.1.207.8.17.2.2.4
atiStkSwPortMirroringDestinationPortId       1.3.6.1.4.1.207.8.17.2.2.5
atiStkSwPortMirroringSourceRxList            1.3.6.1.4.1.207.8.17.2.2.6
atiStkSwPortMirroringSourceTxList            1.3.6.1.4.1.207.8.17.2.2.

Quality of Service

Table 53. Flow Groups (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwQosFlowGrpTable            1.3.6.1.4.1.207.8.17.7.5
atiStkSwQosFlowGrpEntry            1.3.6.1.4.1.207.8.17.7.5.1
atiStkSwQosFlowGrpModuleId         1.3.6.1.4.1.207.8.17.7.5.1.1
atiStkSwQosFlowGrpId               1.3.6.1.4.1.207.8.17.7.5.1.2
atiStkSwQosFlowGrpDescription      1.3.6.1.4.1.207.8.17.7.5.1.3
atiStkSwQosFlowGrpDSCPValue        1.3.6.1.4.1.207.8.17.7.5.1.4
atiStkSwQosFlowGrpPriority         1.3.6.1.4.1.207.8.17.7.5.1.

Table 54. Traffic Classes (AtiStackSwitch MIB)

Object Name                                  OID
atiStkSwQosTrafficClassClassPriority         1.3.6.1.4.1.207.8.17.7.6.1.9
atiStkSwQosTrafficClassRemarkPriority        1.3.6.1.4.1.207.8.17.7.6.1.10
atiStkSwQosTrafficClassToS                   1.3.6.1.4.1.207.8.17.7.6.1.11
atiStkSwQosTrafficClassMoveToSToPriority     1.3.6.1.4.1.207.8.17.7.6.1.12
atiStkSwQosTrafficClassMovePriorityToToS     1.3.6.1.4.1.207.8.17.7.6.1.13
atiStkSwQosTrafficClassFlowGroupList         1.3.6.1.

Port Configuration and Status

Table 56. Port Configuration and Status (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwPortConfigTable      1.3.6.1.4.1.207.8.17.2.1
atiStkPortConfigEntry        1.3.6.1.4.1.207.8.17.2.1.1
atiStkSwModuleId             1.3.6.1.4.1.207.8.17.2.1.1.1
atiStkSwPortId               1.3.6.1.4.1.207.8.17.2.1.1.2
atiStkSwPortName             1.3.6.1.4.1.207.8.17.2.1.1.3
atiStkSwPortState            1.3.6.1.4.1.207.8.17.2.1.1.4
atiStkSwPortLinkState        1.3.6.1.4.1.207.8.17.2.1.1.5
atiStkSwPortNegotiation      1.3.6.

Spanning Tree

Table 57. Spanning Tree (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwSysConfig                  1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysSpanningTreeStatus      1.3.6.1.4.1.207.8.17.1.1.9
atiStkSwSysSpanningTreeVersion     1.3.6.1.4.1.207.8.17.1.1.

Static Port Trunk

Table 58. Static Port Trunks (AtiStackSwitch MIB)

Object Name                     OID
atiStkSwStaticTrunkTable        1.3.6.1.4.1.207.8.17.8.1
atiStkSwStaticTrunkEntry        1.3.6.1.4.1.207.8.17.8.1.1
atiStkSwStaticTrunkModuleId     1.3.6.1.4.1.207.8.17.8.1.1.1
atiStkSwStaticTrunkIndex        1.3.6.1.4.1.207.8.17.8.1.1.2
atiStkSwStaticTrunkId           1.3.6.1.4.1.207.8.17.8.1.1.3
atiStkSwStaticTrunkName         1.3.6.1.4.1.207.8.17.8.1.1.4
atiStkSwStaticTrunkMethod       1.3.6.1.4.1.207.8.17.8.1.1.

VLANs

The objects in Table 59 display the specifications of the Default_VLAN.

Table 59. VLAN Table (AtiStackSwitch MIB)

Object Name                              OID
atiStkSwVlanConfigTable                  1.3.6.1.4.1.207.8.17.3.1
atiStkSwVlanConfigEntry                  1.3.6.1.4.1.207.8.17.3.1.1
atiStkSwVlanId                           1.3.6.1.4.1.207.8.17.3.1.1.1
atiStkSwVlanName                         1.3.6.1.4.1.207.8.17.3.1.1.2
atiStkSwVlanTaggedPortListModule1        1.3.6.1.4.1.207.8.17.3.1.1.3
atiStkSwVlanUntaggedPortListModule1      1.3.6.1.4.1.207.8.17.

Table 62. PVID Table (AtiStackSwitch MIB)

Object Name                 OID
atiStkSwPort2VlanTable      1.3.6.1.4.1.207.8.17.3.2
atiStkSwPort2VlanEntry      1.3.6.1.4.1.207.8.17.3.2.1
atiStkSwPortVlanId          1.3.6.1.4.1.207.8.17.3.2.1.1
atiStkSwPortVlanName        1.3.6.1.4.1.207.8.17.3.2.1.