AT-S63 Management Software Menus Interface User’s Guide
AT-9400 Series Layer 2+ Gigabit Ethernet Switches
Version 1.1.0
613-50570-00 Rev.
Copyright © 2005 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Preface

This guide contains instructions on how to configure an AT-9400 Series Layer 2+ Gigabit Ethernet Switch using the AT-S63 management software and contains the following sections:

“How This Guide is Organized” on page 24
“Where to Find Web-based Guides” on page 25
“Contacting Allied Telesyn” on page 26

How This Guide is Organized

This guide is organized into the following sections:

Section I: Basic Operations

The chapters in this section explain how to start a management session and perform basic tasks, including configuring switch and port parameters, setting up SNMPv1 and SNMPv2c, enhanced stacking, trunking and mirroring, and viewing Ethernet statistics.

Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in portable document format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.

Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales and corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base: http://kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Chapter 1: Overview

This chapter describes the AT-S63 software functions, the methods you can use to access the software, and the management access levels.

Management Overview

The AT-S63 management software allows you to monitor and adjust the operating parameters of an AT-9400 Series switch and includes the following features:

Basic operations such as configuring port and switch parameters, enhanced stacking, SNMPv1 and v2c, trunking, and mirroring

Advanced operations including file uploads and downloads, event logging, traffic classifiers, access control lists, denial of service defense, Quality of Service (QoS), Class of Service

The following sections in this chapter briefly describe each type of management session.

Local Connection

You establish a local connection with an AT-9400 Series switch when you use the RJ-45 to RS-232 management cable included with the switch to connect a terminal or a PC with a terminal emulator program to the terminal port on the switch. The terminal port is located on the front panel of the AT-9400 Series switch. This type of connection is referred to as “local” because you must be physically close to the switch, such as in the wiring closet where the switch is located.

Remote Connection

You can use any management station on your network that has the Telnet application to manage an AT-9400 Series switch. This is referred to as a remote connection. To establish a remote connection to a switch, there must be at least one enhanced stacking switch in the subnet to which you assigned an IP address. Only one switch in a subnet needs to have an IP address.

Note
Third-party network management applications such as HP OpenView cannot use the enhanced stacking feature of AT-S63. Therefore, you must assign an IP address to each switch that you want to manage with one of these applications.

Management Access Levels

There are two levels of management access in the AT-S63 management software: manager and operator. When you log in as a manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values.
Section I: Basic Operations

The chapters in this section provide information and procedures for basic switch setup using the AT-S63 management software.
Chapter 2: Starting a Management Session

This chapter contains procedures for starting a management session on the switch using a local or remote connection.

Starting a Local Management Session

To establish a local connection, you use the terminal port on the front panel of the AT-9400 Series switch, as explained in “Local Connection” on page 30. When you make the connection and start the AT-S63 menus interface, you start a local management session. A switch does not need an IP address to be managed through a local management session.

3. Configure the terminal or terminal emulation program as follows:

Baud rate: 9600 to 115200 bps
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

Note
The port settings are for a DEC VT100 or ANSI terminal, or an equivalent terminal emulator program.

4. Press Enter. You are prompted for a user name and password.

5. To configure the switch settings, enter “manager” as the user name.

The Main Menu is shown in Figure 3.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                    User: Manager    11:20:02 02-Mar-2005

Main Menu

1 - Port Configuration
2 - VLAN Configuration
3 - Spanning Tree Configuration
4 - MAC Address Tables
5 - System Administration
6 - Advanced Configuration
7 - Security and Services
8 - Enhanced Stacking

C - Command Line Interface
Q - Quit

Enter your selection?

Figure 3. Main Menu

Starting a Remote Management Session

You can use the Telnet application from any workstation on your network to connect to an AT-9400 Series switch, as described in “Remote Connection” on page 31. When you make the connection and start the AT-S63 menus interface, you start a remote management session. To manage a switch using a remote connection, it must have an IP address or be part of an enhanced stack.

For information about the command line interface, refer to the AT-S63 Management Software Command Line Interface User’s Guide.

4. To use the menus interface, type menu and press Return. The Main Menu is shown in Figure 3 on page 40.

To select a menu item, type the corresponding letter or number. To return to the command line interface, type C. When you press the Esc key or type the letter R in a submenu, the previous menu is redisplayed.
Chapter 3: Basic Switch Parameters

This chapter contains a variety of information and procedures for basic switch setup.

When Does a Switch Need an IP Address?

One of the tasks of building or expanding a network is deciding which managed switches need to be assigned a unique IP address. The rule was that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application. However, if a network contained many managed switches, assigning each one an IP address was often cumbersome and time consuming.

How Do You Assign an IP Address?

There are two ways that a switch can obtain an IP address. The first way is for you to assign the IP configuration information manually. The procedure for this is explained in “Configuring the IP Address, Switch Name, and Other Basic Parameters” on page 46. You can initially assign an IP address to a switch only through a local management session.

Configuring the IP Address, Switch Name, and Other Basic Parameters

The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch from a local or Telnet management session. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure “Activating the BOOTP or DHCP Client Software” on page 49.)

The System Configuration menu is shown in Figure 5.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                    User: Manager    11:20:02 02-Mar-2005

System Configuration

1 - BOOTP/DHCP ............. Disabled
2 - IP Address ............. 0.0.0.0
3 - Subnet Mask ............ 0.0.0.0
4 - Default Gateway ........ 0.0.0.0
5 - System Name ............
6 - Location ...............
7 - Administrator ..........
8 - Configure System Time

address must be entered in the format xxx.xxx.xxx.xxx. The default value is 0.0.0.0.

5 - System Name
This parameter specifies a name for the switch (for example, Sales Ethernet switch). The name is displayed at the top of the AT-S63 management menus and pages. The name can be from 1 to 39 characters. The name can include spaces and special characters, such as exclamation points and asterisks. The default is no name. This parameter is optional.
Activating the BOOTP or DHCP Client Software

The BOOTP and DHCP protocols were developed to simplify network management. They are used to automatically assign IP configuration information to the devices on your network, such as an IP address, subnet mask, and a default gateway address. The AT-9400 Series switch contains the client software for these protocols and can obtain its IP configuration information from a BOOTP or DHCP server on your network.

The following prompt is displayed:

DHCP/BOOTP/DISABLE: (1-DHCP, 2-BOOTP, 3-DISABLE):

4. Type 1 to enable DHCP, 2 to enable BOOTP, or 3 to disable the services and press Return. The default is disabled.

Note
If you activated BOOTP or DHCP, the switch immediately begins to query the network for a BOOTP or DHCP server. The switch continues to query the network for its IP configuration until it receives a response.

Displaying the AT-9400 Series Switch Hardware and Software Information

To display information about the switch hardware and software, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 6.

Model Name
Model name of the AT-9400 Series switch. You cannot change this setting.

Subnet Mask
Subnet mask assigned to the switch. To change the subnet mask, see “Configuring the IP Address, Switch Name, and Other Basic Parameters” on page 46.

Serial Number
Serial number of the switch. You cannot change this setting.

Gateway
Gateway assigned to the switch. To change the gateway, see “Configuring the IP Address, Switch Name, and Other Basic Parameters” on page 46.

Rebooting a Switch

This procedure reboots the switch.

Note
Any configuration changes not saved are lost after the switch reboots. To save your configuration changes, return to the Main Menu and type S to select Save Configuration Changes.

To reboot the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.

3. From the System Utilities menu, type 5 to select Reboot the switch. The following prompt is displayed:

The switch is about to reboot. Do you want to proceed? [Yes/No] ->

4. Type Y to reboot the switch or N to cancel the procedure.

Caution
The switch does not forward traffic while it reloads its operating software, a process that takes approximately 20 seconds to complete. Some packet traffic may be lost.
Working With the Manager and Operator Passwords

There are two levels of management access on an AT-94xx switch: manager and operator. When you log in as manager, you can view and configure all of a switch’s operating parameters. When you log in as an operator, you can only view the operating parameters; you cannot change any values.

The Passwords Configuration menu is shown in Figure 9.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                    User: Manager    11:20:02 02-Mar-2005

Passwords Configuration

1 - Set Manager Password
2 - Set Operator Password

R - Return to Previous Menu

Enter your selection?

Figure 9. Passwords Configuration Menu

4. From the Passwords Configuration menu, type 1 to select Set Manager Password. The following prompt is displayed:

Enter Current Manager Password ->

5.

Resetting the Manager Password

If you change the manager password from the default and lose or forget it, you can reset the password. Note the following about this feature:

This procedure is only available through a local management session. A remote management session always requires a login and password.

Setting the System Time

This procedure explains how to set the switch’s date and time. Setting the system time is important if you configured the switch to send traps to your management stations. Traps from a switch where the time has not been set do not contain the correct date and time. Therefore, it becomes difficult for you to determine when the events represented by the traps occurred.

The Configure System Time menu is shown in Figure 10.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                    User: Manager    11:20:02 02-Mar-2005

Configure System Time

1 - System Time ................... 00:00:00 on 01-Jan-1970
2 - SNTP Status ................... Disabled
3 - SNTP Server ................... 0.0.0.
4 - UTC Offset ....................
5 - Daylight Savings Time (DST) ...
6 - Poll Interval .................
7 - Last Delta ....................

3. From the System Configuration menu, type 8 to select Configure System Time. The Configure System Time menu is shown in Figure 10 on page 59.

4. Type 3 to select SNTP Server to enter the IP address of an SNTP server.

Note
If the switch is obtaining its IP address and subnet mask from a DHCP server, you can configure the DHCP server to provide the switch with an IP address of an NTP or SNTP server.

Note
The switch does not set DST automatically. If the switch is in a locale that uses DST, you must remember to enable this in April when DST begins and disable it in October when DST ends. If the switch is in a locale that does not use DST, this option should be set to disabled all the time.

10. Type 6 to select Poll Interval to specify the time interval between queries to the SNTP server.
Configuring the Console Startup Mode

You can configure the AT-S63 management software to display either the Main Menu or the command line interface prompt whenever you start a local or Telnet management session. The default is the command line interface.

To change the console startup mode, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.

Configuring the Console Timer

The AT-S63 management software uses the console timer, also referred to as the console disconnect interval, to automatically end inactive local and remote management sessions. A management session is automatically ended if the management software does not detect any activity from a local or remote management station after the console timer has expired.

Enabling or Disabling the Telnet Server

This procedure describes how to enable or disable the Telnet server on the switch. You might disable the server to prevent individuals from managing the switch with the Telnet application if you intend to use the Secure Shell (SSH) protocol.

To enable or disable the Telnet server, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration.

Setting the Baud Rate of the Serial Terminal Port

The default baud rate of the RJ-45 type serial terminal port on the switch is 9600 bps. To change the baud rate, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 3 to select Console (Serial/Telnet) Configuration.

Pinging a Remote System

You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device.

Note
To perform this procedure, the switch must have an IP address.

To instruct the switch to ping a network device, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

Returning the AT-S63 Management Software to the Factory Default Values

The procedure in this section returns all AT-S63 management software parameters to the default values. Please note the following before you perform this procedure:

Returning all parameter settings to their default values also deletes any port-based or tagged VLANs you created on the switch.

This procedure does not delete files from the AT-S63 file system.

Do you want to reset static IP, Subnet and Gateway? [Yes/No] ->

5. If you type Y for yes, all switch parameters, including the IP address, subnet mask, and gateway address, are changed to the default values. If you type N for no, all switch parameters except the IP address, subnet mask, and gateway address are changed to the default values. The following prompt is displayed:

The Factory Defaults take effect only after the Switch reboots.
Displaying System Hardware Information

You can view information about the system hardware, including details about the fans and temperature settings. To display the system hardware information, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.

The System Hardware Information menu provides the following information:

System 1.25 V Power
System 1.8 V Power
System 2.5 V Power
System 3.3 V Power
System 5 V Power
System 12 V Power
The current voltage of the six power supplies in the switch.

System Temperature (Celsius)
The overall system temperature.

System Fan Speed
The system fan speed.

Main PSU
RPS
The status of the main power supply unit (PSU) and the redundant power supply (RPS).

Displaying Uplink Port Information

To display the information about the GBIC or SFP transceivers installed in the uplink ports, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 1 to select System Information. The System Information menu is shown in Figure 6 on page 51.

3.

4. Type the number corresponding to the slot where the transceiver is identified as “Present” to view detailed information about that transceiver. The information displayed depends upon the transceiver vendor and whether the slot contains an SFP or a GBIC transceiver.

The GBIC/SFP Information menu (page 1) is displayed. Figure 14 shows some possible fields for an SFP.

The GBIC/SFP Information menu (page 2) is displayed. Figure 15 shows some possible fields of information.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                    User: Manager    11:20:02 02-Mar-2005

GBIC/SFP 2 Information

Vendor Name ............................
Vendor OUI .............................
Vendor Part Number .....................
Vendor Product Revision ................
Vendor Serial Number ...................
Upper Bit Rate Margin ....
Chapter 4 SNMPv1 and SNMPv2c This chapter explains how to activate SNMP management on the switch and how to create, modify, and delete SNMPv1 and SNMPv2c community strings.
Chapter 4: SNMPv1 and SNMPv2c SNMPv1 and SNMPv2c Overview The Simple Network Management Program (SNMP) is another way for you to manage the switch. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. The AT-S63 management software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains how to configure the switch’s software for SNMPv1 and SNMPv2c.
AT-S63 Management Software Menus Interface User’s Guide string with an access mode of Read can only be used to view but not change the MIB objects on a switch. A community string with a Read/Write access can be used to both view the MIB objects and change them. Operating Status A community string can be enabled or disabled. When disabled, no one can use it to access the switch. You might disable a community string if you suspect someone is using it for unauthorized access to the device.
Chapter 4: SNMPv1 and SNMPv2c Default SNMP Community Strings 78 The AT-S63 management software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you activate SNMP management on the switch, you should delete or disable the private community string, which is a standard community string in the industry, or change its status from open to closed to prevent unauthorized changes to the switch.
AT-S63 Management Software Menus Interface User’s Guide Enabling or Disabling SNMP Management To enable or disable SNMP management for the switch, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46. 2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16.
Chapter 4: SNMPv1 and SNMPv2c Setting the Authentication Failure Trap As mentioned in the SNMP Overview section in this chapter, a trap is a message sent by the switch to a management workstation or server to signal an operating event, such as when the device is reset. An authentication failure trap is similar to other the traps. It too signals an operating event on the switch. But this trap is somewhat special because it relates to SNMP management.
Creating an SNMP Community String

To create a new SNMP community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 79.

3.
The following prompt is displayed:

Enter Access Mode [R-Read Only, W-Read/Write]:

6. Specify the access mode for the new SNMP community string. If you specify Read, the community string will only allow you to view the MIB objects on the switch. If you specify Read/Write, the community string will allow you to both view and change the SNMP MIB objects on the switch. The following prompt is displayed:

Enter Open Access Status [Y-Yes, N-No]:

7. Specify the open access status.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying a Community String

To modify a community string, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 79.

3. From the SNMP Configuration menu, type 3 to select Configure SNMPv1 & SNMPv2c Community.
The menu options are described below:

1 - Add Attributes to Community

If a community string has a closed access mode, you can use this selection to add new IP addresses of management workstations that can use the string. You can also use this option to add IP addresses of new trap receivers. To use this option, do the following:

a. From the Modify SNMP Community menu, type 1 to select Add Attributes to Community.
Enter SNMP Manager IP Addr:

c. If you want to remove the IP address of a management workstation from the community string, enter the IP address at the prompt. Otherwise, just press Return. This prompt is displayed:

Enter Trap Receiver IP Addr:

d. If you want to remove the IP address of a trap receiver from the community string, enter the IP address at the prompt. Otherwise, just press Return.

e. After making changes, type R until you return to the Main Menu.
Enter Community Status [E-Enable, D-Disable]:

c. Type E to enable the community string or D to disable it. This confirmation prompt is displayed:

Do you want to change Community Status? (Y/N): [Yes/No] ->

d. Type Y to change the string’s status or N to cancel the change.

e. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying the SNMP Community Strings

To display the attributes of all the SNMP community strings on the switch, use the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 5 to select SNMP Configuration. The SNMP Configuration menu is shown in Figure 16 on page 79.

3.
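The community-string rules this chapter describes (access mode Read or Read/Write, operating status Enabled or Disabled, and open versus closed access with a list of permitted manager IP addresses) are modelled below in Python as an added example. This is not AT-S63 code and the switch's own decision logic is not published in this guide, so the Community class, the order in which the checks are applied, and the two constructed configurations are assumptions; the audit function simply flags the factory public and private strings that the Default SNMP Community Strings section says to delete, disable or close.

```python
"""Teaching model of SNMPv1/v2c community-string authorization as described
in the AT-S63 guide. Added example; not code from Allied Telesyn or AT-S63.
The check order and data model below are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Community:
    name: str
    access: str                  # "Read" or "Read/Write"
    enabled: bool = True         # operating status (Enable/Disable)
    open_access: bool = True     # open: any manager may use the string
    managers: set = field(default_factory=set)        # allowed IPs if closed
    trap_receivers: set = field(default_factory=set)  # where traps are sent


def authorize(communities, name, source_ip, pdu):
    """Decide whether a GET/GETNEXT/SET request carrying community `name`
    from `source_ip` is accepted. Returns (allowed, reason)."""
    comm = communities.get(name)
    if comm is None:
        return False, "unknown community"
    if not comm.enabled:
        return False, "community disabled"
    # Closed access: only listed management workstations may use the string.
    if not comm.open_access and str(ip_address(source_ip)) not in comm.managers:
        return False, "manager IP not in closed community"
    # A Read-only string can view MIB objects but never change them.
    if pdu == "SET" and comm.access != "Read/Write":
        return False, "read-only community"
    if pdu not in ("GET", "GETNEXT", "SET"):
        return False, "unsupported PDU"
    return True, "ok"


def audit_defaults(communities):
    """Flag enabled factory strings that are still Read/Write or still open,
    the two conditions the guide says to remove before enabling SNMP."""
    findings = []
    for comm in communities.values():
        if comm.name in ("public", "private") and comm.enabled:
            if comm.access == "Read/Write":
                findings.append(f"{comm.name}: default Read/Write string still enabled")
            if comm.open_access:
                findings.append(f"{comm.name}: default string has open access")
    return findings


# Constructed configurations (not from the guide): the factory state, and a
# hardened state in which private is disabled, public is closed to one
# management station, and a new closed Read/Write string replaces private.
FACTORY = {
    "public": Community("public", "Read"),
    "private": Community("private", "Read/Write"),
}
HARDENED = {
    "public": Community("public", "Read", open_access=False, managers={"192.0.2.10"}),
    "private": Community("private", "Read/Write", enabled=False),
    "netops-rw": Community("netops-rw", "Read/Write", open_access=False,
                           managers={"192.0.2.10"}),
}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(label, "SET private from 198.51.100.7:",
              authorize(cfg, "private", "198.51.100.7", "SET"))
        print(label, "audit:", audit_defaults(cfg) or "no findings")
```

Running the block shows the difference the chapter is driving at: with the factory strings, any host that guesses the industry-standard private string can change MIB objects, while in the hardened configuration the same request is refused because the string is disabled, and a SET with the Read-only public string is refused even from a permitted manager.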
Chapter 5 Enhanced Stacking

This chapter explains the enhanced stacking feature.
Enhanced Stacking Overview

The enhanced stacking feature can make it easier for you to manage the AT-9400 Series switches in your network. It offers the following benefits:

You can manage up to 24 switches from one local or remote management session. This eliminates the need of having to initiate a separate management session with each switch in your network.

The switches can share the same IP address.

Enhanced Stacking Guidelines
There are three basic tasks to implement this feature on your network:

You must select a switch in each subnet of your network to function as the master switch of the enhanced stack for that subnet. The master switch can be any switch that supports enhanced stacking, such as an AT-8000 Series switch, an AT-8400 Series switch, or an AT-9400 Series switch.
This is explained in “Setting a Switch’s Enhanced Stacking Status” on page 93.

Figure 20 is an example of the enhanced stacking feature.

(Figure 20 labels: Master 1, IP Address 149.32.11.)
Setting a Switch’s Enhanced Stacking Status

The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:

Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. After you establish a local or remote management session with the master switch, you can access and manage all the switches in the subnet.
The Enhanced Stacking menu is shown in Figure 21.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Enhanced Stacking

1 - Switch State-(M)aster/(S)lave/(U)navailable.... Master
2 - Stacking Services

R - Return to Previous Menu

Enter your selection?

Figure 21. Enhanced Stacking Menu

The menu displays the current status of the switch at the end of selection “1 - Switch State.
Selecting a Switch in an Enhanced Stack

Before you perform a procedure on a switch in an enhanced stack, you should first check to be sure that you are performing it on the correct switch. If you assigned system names to your switches, this should be easy. The name of the switch being managed is always displayed at the top of every management menu.
3. From the Stacking Services menu, type 1 to select Get/Refresh List of Switches. The master switch polls the subnet for all slave and master switches that are a part of the enhanced stack and displays a list of the switches in the Stacking Services menu, as shown in the example in Figure 23.
5. Type the number of the switch in the list you want to manage. A prompt is displayed if the switch has been assigned a password.

6. Enter the appropriate username and password for the switch. The Main Menu of the selected switch is displayed. You can now manage the switch. Any management tasks you perform affect only the selected switch.
Returning to the Master Switch

When you have finished managing a slave switch, return to the Main Menu of the slave switch and type Q for Quit. This returns you to the Stacking Services menu. After you see that menu, you are again addressing the master switch from which you started the management session. You can either select another switch in the list to manage or, if you want to manage the master switch, type R twice to return to the master switch’s Main Menu.
Displaying the Enhanced Stacking Status

To view the stacking status of a switch in a stack, perform the following procedure:

1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 24.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Enhanced Stacking

1 - Switch State-(M)aster/(S)lave/(U)navailable....
Chapter 6 Port Parameters

This chapter contains the procedures for viewing and changing the parameter settings for the individual ports on a switch, and contains the following procedures:

“Configuring Port Parameters” on page 102
“Configuring Head of Line Blocking” on page 107
“Configuring Flow Control and Back Pressure” on page 109
“Configuring Filtering” on page 112
“Setting Up Rate Limiting” on page 114
“Resetting a Port” on page 116
“Forcing Por
Configuring Port Parameters

To configure the most basic parameter settings for a port, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25.
The Port Configuration menu is shown in Figure 26.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Port Configuration

Configuring Port 11

0 - Description ........................
1 - Status .............................
2 - HOL Blocking Prevention Threshold ..
3 - Flow Control
4 - Filtering
5 - Rate Limiting
6 - Negotiation ........................
X -
F -
D -
You might also want to disable a port that is not being used to secure it from unauthorized connections. Possible settings for this parameter are:

Enabled - The port receives and forwards packets. This is the default setting.

Disabled - The port does not receive or forward packets.

Note
The procedures for implementing item 2, HOL Blocking Prevention, are described in “Configuring Head of Line Blocking” on page 107.
autonegotiation on the port and set the port’s speed and duplex mode manually.

When the port is set to autonegotiate, the MDI/MDI-X setting is locked at auto-MDI/MDI-X. The switch automatically determines the correct MDI/MDI-X setting. You cannot set MDI/MDI-X manually. When autonegotiation is disabled on a port, the auto-MDI/MDI-X feature on the port is also disabled, and the port defaults to the MDIX configuration.
Disabling autonegotiation may require that you manually configure a port’s MDI/MDI-X setting using this option or that you use a crossover cable.

Note
When a transceiver is inserted into an uplink slot and a link is established, that slot becomes a primary uplink port and the corresponding backup port, 23R or 24R, automatically transitions to redundant uplink status.
Configuring Head of Line Blocking

Head of line (HOL) blocking is a problem that occurs when a port on a switch becomes oversubscribed. An oversubscribed port is receiving more packets from other switch ports than it can transmit in a timely manner. An oversubscribed port can prevent other ports from forwarding packets to each other because ingress packets on a port are buffered in a First In, First Out (FIFO) manner.
other ports to discard packets destined for port D. Port A drops the D packets, enabling it to once again forward packets to port C.

The number that you enter for this value represents cells. A cell is 128 bytes. The range is 0 to 8191 cells. The default is 682.

To set up head of line blocking, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2.
Configuring Flow Control and Back Pressure

A switch port uses flow control to control the flow of ingress packets from its end node. Flow control applies only to ports operating in full-duplex mode. A port using flow control issues a special frame, referred to as a PAUSE frame, as specified in the IEEE 802.3x standard, to stop the transmission of data from an end node. When a port needs to stop an end node from transmitting data, it issues this frame.
The Port Configuration menu is shown in Figure 26 on page 103.

4. From the Port Configuration menu, type 3 to select Flow Control. The Flow Control menu is shown in Figure 28.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Flow Control

Configuring Port 11

1 - Flow Control (Full-Duplex) Status .... Disabled
2 - Flow Control Threshold ............... 7935 cells
3 - Back Pressure (Half-Duplex) Status ...
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring Filtering

If the performance of your network is affected by heavy traffic, you can use this parameter to limit the number of unknown unicast ingress and egress packets, unknown multicast ingress and egress packets, or broadcast ingress and egress packets a port receives. When you activate this feature on a port, the port discards all ingress or egress packets of the type you specify. The default setting for each type of packet filter is disabled.
5. From the Filtering menu, type 1 to toggle Unknown Unicast Ingress Filtering between Disabled and Enabled.

6. Type 2 to toggle Unknown Unicast Egress Filtering between Disabled and Enabled.

7. Type 3 to toggle Unknown Multicast Ingress Filtering between Disabled and Enabled.

8. Type 4 to toggle Unknown Multicast Egress Filtering between Disabled and Enabled.

9. Type 5 to toggle Broadcast Ingress Filtering between Disabled and Enabled.

10.
Setting Up Rate Limiting

The rate limiting feature allows you to set the maximum number of ingress packets the port accepts each second. Packets exceeding the threshold are discarded. You can enable rate limiting and set a rate independently for unknown unicast, multicast, and broadcast packets.

To set rate limiting, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2.
The following prompt is displayed:

Enter the Rate Limit (packets/second):[0 to 262143]->

7. Enter a number for the rate limit.

8. Type 3 to toggle Multicast Rate Limiting Status between Enabled and Disabled.

9. Type 2 to select Multicast Rate. The following prompt is displayed:

Enter the Rate Limit (packets/second):[0 to 262143]->

10. Enter a number for the rate limit.

11. Type 3 to toggle Multicast Rate Limiting Status between Enabled and Disabled.
Resetting a Port

Resetting a port is useful in situations where a port is having problems establishing a valid connection to its end node. To reset a port, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:

Enter port-list ->

3.
Forcing Port Renegotiation

Port renegotiation prompts the port to autonegotiate with the end node. This option is useful if you believe that a port and end node are not operating at the same speed and duplex mode. To force port renegotiation, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2.
Resetting the Port Configuration to the Defaults

You can return port settings to the default values. To reset ports to the default settings, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 1 to select Port Configuration. The following prompt is displayed:

Enter port-list ->

3. Enter the number of the port you want to reset.
Displaying Port Statistics

To display Ethernet port statistics, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 31.
The Display Port Statistics menu is shown in Figure 32.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Display Port Statistics

Port 6

Bytes Rx ......... 983409801
Frames Rx ........ 815423
Bcast Frames Rx... 107774
Mcast Frames Rx .. 11429
Frames 64 ........ 110509
Frames 128-255 ... 1928
Frames 512-1023 .. 157796
CRC Error ........ 0
No. of Rx Errors . 0
UnderSize Frames . 0
Fragments ........ 0
Frames 1519-1522 . 0
Bytes Tx ....
Frames 64, Frames 65-127, Frames 128-255, Frames 256-511, Frames 512-1023, Frames 1024-1518, Frames 1519-1522 - Number of frames transmitted from the port, grouped by size.

CRC Error - Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.

Jabber - Number of occurrences of corrupted data or useless signals appearing on the port.

No. of Rx Errors - Number of receive errors.

No.
Clearing Port Statistics

To clear the Ethernet port statistics and reset them to “0”, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 31 on page 119.

3. Type 2 to select Clear Statistics.
Displaying Port Status

To display the current status of the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 2 to select Port Status. An example of the Port Status menu is shown in Figure 33.
Up - Indicates that a valid link exists between the port and the end node.

Down - Indicates that the port and the end node have not established a valid link.

Neg
The status of autonegotiation on the port. Possible values are:

Auto - Indicates that the port is using autonegotiation to set operating speed and duplex mode.

Manual - Indicates that the operating speed and duplex mode have been set manually.

MDIO
The operating configuration of the port.
Chapter 7 Static and LACP Port Trunks

This chapter contains the procedures for creating, modifying, and deleting static and LACP port trunks.
Port Trunk Overview

A port trunk is an economical way for you to increase the bandwidth between the Ethernet switch and another networking device, such as a network server, router, workstation, or another Ethernet switch. A port trunk is a group of ports that have been grouped together to function as one logical path.
manufacturer. For this reason static trunks are typically employed only between devices from the same vendor. That is not to say that an Allied Telesyn layer 2 managed switch cannot form a static trunk with a device from another manufacturer; but there is the possibility that the implementations of static trunking on the two devices might not be compatible.

Also note that a static trunk does not provide for redundancy or link backup.
The ports of a static trunk must be untagged members of the same VLAN. A trunk cannot consist of untagged ports from different VLANs.

The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown destination. For example, a trunk of ports 11 to 15 would use port 11 for broadcast packets.

LACP Trunk Overview

An LACP (Link Aggregation Control Protocol) trunk is another type of port trunk.
However, it does continue to send LACPDU packets. If it begins to receive LACPDU packets, it automatically transitions to an active or standby mode as part of an aggregate trunk.

If a switch is to support more than one aggregate trunk, it may be necessary to place each trunk in a separate aggregator, while in other cases you may be able to create just one aggregator and let the switch discern the individual aggregate trunks for you, automatically.
Aggregator      Description     Aggregator Ports     Aggregate Trunk Ports
Aggregator 2                    12-14                12-14

Caution
The example cited here illustrates a loop in a network. Avoid network loops to prevent broadcast storms.

If the aggregate trunks go to different devices, you can create one aggregator and let the AT-9400 Series switch form the trunks for you automatically. This is illustrated in Figure 36.
aggregate trunks in the example above. But letting the switch make the determination for you whenever possible saves time later if you physically reassign ports to a different trunk connected to another device.

LACP System Priority

It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form a trunk.
ports. This parameter can be adjusted on each port and is a hexadecimal value in a range of 1 to FFFF. The lower the number, the higher the priority. Ports with the highest priorities are designated as the active ports in an aggregate trunk. For example, if both 802.
LACP Trunk Guidelines

Following are the guidelines for creating aggregators:

LACP must be activated on both the switch and the other device.

The other device must be 802.3ad-compliant.

An aggregator can consist of any number of ports.

The AT-9400 Series switch supports up to eight active ports in an aggregate trunk at a time.

The switch supports a maximum of three aggregate trunks.
determine the maximum number of active ports the device can support in a trunk. If the number is less than eight, the maximum number for the AT-9400 Series switch, you should probably assign it a higher system LACP priority than the AT-9400 Series switch. If it is more than eight, assign the AT-9400 Series switch the higher priority. This can avoid a possible conflict between the devices if some ports are placed in the standby mode when the devices create the trunk.
Assume you selected source MAC address as the load distribution method and that the switch needed to transmit over the trunk a packet with a source MAC address that ended in 9. The binary equivalent of 9 is 1001, making the last three bits of the address 001. An examination of the table above indicates that the switch would use Port 8 to transmit the frame because that port is mapped to the matching bits.
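Two LACP behaviours described in this chapter are modelled below in Python as an added example (not AT-S63 code): which ports of an aggregator become active when more than eight are eligible, using the per-port priority (a hexadecimal value from 1 to FFFF where the lower number is the higher priority, with at most eight active ports on an AT-9400 Series switch), and source-MAC load distribution, where the last three bits of the source address select a trunk port. The guide's bit-to-port table is not reproduced on this page, so ASSUMED_TABLE is a constructed eight-port trunk chosen so that bits 001 map to Port 8 as in the worked example above; the tie-break on equal priorities (lower port number first) is also an assumption.

```python
"""Added example, not code from Allied Telesyn or AT-S63: LACP active-port
selection by port priority and source-MAC load distribution, as described
in the AT-S63 guide. Table contents and tie-break rule are assumptions."""

MAX_ACTIVE_PORTS = 8          # AT-9400 Series limit stated in the guidelines

# Constructed mapping of the low three source-MAC bits to trunk ports. The
# guide's own table is not on this page; this one reproduces its example
# (bits 001 -> Port 8) and is otherwise hypothetical.
ASSUMED_TABLE = {0b000: 7, 0b001: 8, 0b010: 9, 0b011: 10,
                 0b100: 11, 0b101: 12, 0b110: 13, 0b111: 14}


def parse_priority(value):
    """Accept the menu's hexadecimal form ("0x80" or "80") or an int and
    return it as an int in the valid range 1..0xFFFF."""
    number = int(value, 16) if isinstance(value, str) else int(value)
    if not 1 <= number <= 0xFFFF:
        raise ValueError(f"priority {number:#x} outside 1..FFFF")
    return number


def select_active_ports(port_priorities, max_active=MAX_ACTIVE_PORTS):
    """port_priorities maps port number -> LACP port priority. Ports with
    the highest priority (lowest numeric value) become active, up to
    max_active; the rest are standby. Ties go to the lower port number
    (assumption; the guide does not state the tie-break)."""
    ranked = sorted((parse_priority(p), port) for port, p in port_priorities.items())
    ordered = [port for _, port in ranked]
    return ordered[:max_active], ordered[max_active:]


def mac_low_bits(mac, nbits=3):
    """Return the last `nbits` bits of a MAC address written with colons or
    hyphens, e.g. 00:11:22:33:44:09 -> 0b001."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(octets[-1], 16) & ((1 << nbits) - 1)


def select_trunk_port(src_mac, table=ASSUMED_TABLE):
    """Source-MAC distribution: the low three bits of the source address
    index the trunk-port table, so one station always uses one link."""
    return table[mac_low_bits(src_mac)]


if __name__ == "__main__":
    # Nine ports at the default-looking priority 0x80 plus one at 0x10:
    # the 0x10 port is always active, and two of the others go to standby.
    prios = {p: "0x80" for p in range(1, 10)}
    prios[10] = "0x10"
    print("active/standby:", select_active_ports(prios))
    for mac in ("00:11:22:33:44:09", "00:11:22:33:44:10", "00-11-22-33-44-ff"):
        print(mac, "->", f"bits {mac_low_bits(mac):03b}", "-> Port", select_trunk_port(mac))
```

The distribution function makes the guide's point concrete: a source address ending in 9 (binary 1001) has low bits 001 and is pinned to one link, so a single busy station never gains more than one port's bandwidth, which is why the load-distribution method should be chosen to match the traffic mix rather than assumed to spread evenly.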
Managing Static Port Trunks

The following procedures explain how to create, modify, and delete static port trunks:

“Creating a Static Port Trunk,” next
“Modifying a Static Port Trunk” on page 139
“Deleting a Static Port Trunk” on page 141

For background information, refer to “Static Port Trunk Overview” on page 126.

Creating a Static Port Trunk

This section contains the procedure for creating a static port trunk on a switch.
The Port Trunking and LACP menu is shown in Figure 37.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Port Trunking and LACP

1 - Static Port Trunking
2 - LACP Configuration

R - Return to Previous Menu

Enter your selection?

Figure 37. Port Trunking and LACP Menu

3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 38.
The Create Trunk menu is shown in Figure 39.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Create Trunk

1 - Trunk ID ......... 1
2 - Trunk Name .......
3 - Trunk Method ..... SRC/DST MAC
4 - Trunk Ports ......

C - Create Trunk
R - Return to Previous Menu

Enter your selection?

Figure 39. Create Trunk Menu

5. Configure the following parameters as necessary:

1 - Trunk ID
Specifies the trunk ID.
6. Type C to select Create Trunk. The port trunk is now active on the switch.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

8. Configure the ports on the remote switch for port trunking.

9. Connect the cables to the ports of the trunk on the switch. The port trunk is ready for network operations.
3. From the Port Trunking and LACP menu, type 1 to select Static Port Trunking. The Static Port Trunking menu is shown in Figure 38 on page 137.

4. Type M to select Modify Trunk. The following prompt is displayed:

Enter Trunk ID: [1 to 6] ->

5. Enter the ID number of the trunk you want to modify. The Modify Trunk menu is displayed. The menu displays the operating specifications of the selected trunk. An example is shown in Figure 40.
SRC/DST MAC - Source/destination MAC address
SRC IP - Source IP address trunking
DST IP - Destination IP address trunking
SRC/DST IP - Source/destination IP address

The default is SRC/DST MAC. For background information, refer to “Load Distribution Methods” on page 134.

4 - Port Range
Specifies the ports of the trunk. A trunk can contain up to eight ports.
Enter Trunk ID: [1 to 6] ->

5. Enter the ID number of the trunk to be deleted. The following prompt is displayed:

Are you sure you want to delete this trunk (Y/N) [Yes/No] ->

6. Type Y for yes to delete the port trunk or N for no to cancel this procedure. The port trunk is deleted from the switch.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Managing LACP Trunks

The following procedures explain how to create and manage LACP trunks:

“Enabling or Disabling LACP,” next
“Setting a LACP System Priority” on page 144
“Creating an Aggregator” on page 145
“Modifying an Aggregator” on page 147
“Deleting an Aggregator” on page 149
“Configuring LACP Port Parameters” on page 150
“Displaying LACP Port or Aggregator Status” on page 151

For background information, refer to “LA
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

LACP (IEEE 802.3ad) Configuration

1 - LACP Status ................ Disabled
2 - Priority
3 - Create Aggregator
4 - Modify Aggregator
5 - Configure Port
6 - Delete Aggregator
7 - Show LACP Port Status
8 - Show LACP Aggregator Status

R - Return to Previous Menu

Enter your selection?

Figure 41.
4. Type 2 to select Priority. The following prompt is displayed:

Enter Priority [0x1 - 0xFFFF]: [0x1 to 0xffff] -> 0x

5. Enter the new value in hexadecimal. The range is 1 to FFFF. The lower the value, the higher the priority. The prefix “0x” indicates that the number is hexadecimal. The new priority value takes effect immediately on the switch.

6. After making changes, type R until you return to the Main Menu.
The Create LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 42.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

Create LACP (IEEE 802.3ad) Aggregator

1 - Aggregator ..................
2 - Adminkey .................... 0x0000
3 - Distribution Mode ........... SRC/DST MAC
4 - Port Range ..................

C - Create Aggregator
R - Return to Previous Menu

Enter your selection?

Figure 42.
example, 3,7,10), as a range (for example, 5-11), or both (for example, 2,4,11-14).

6. After you configure the parameters, type C to select Create Aggregator. The aggregator is created on the switch.

7. If LACP is not enabled on the switch, perform the procedure “Enabling or Disabling LACP” on page 143 and activate the protocol.

8. Configure LACP on the other network device.

9.
The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 37 on page 137.

3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 144.

4. Type 4 to select Modify Aggregator. The Modify LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 43.
2 - Adminkey
Specifies a unique adminkey value for the aggregator. The value is entered in hexadecimal. The range is 1 to FFFF. For background information, refer to “Adminkey Parameter” on page 131.

3 - Distribution Mode
Sets the load distribution method.
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 37 on page 137.

3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 144.

4. Type 6 to select Delete Aggregator. The following prompt is displayed:

Enter Aggregator Name [Max up to 20 alphanumeric characters]:

5. Enter the name of the aggregator you want to delete.
The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 144.

4. Type 4 to select Modify Aggregator. The Modify LACP (IEEE 802.3ad) Aggregator menu is shown in Figure 44.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

LACP (IEEE 802.3ad) Port Configuration

1 - Port Number ................. 0
2 - Adminkey .................... 0x0000
3 - Priority ....................
4 -
M -
2. From the Port Configuration menu, type 4 to select Port Trunking and LACP. The Port Trunking and LACP menu is shown in Figure 37 on page 137.

3. Type 2 to select LACP Configuration. The LACP (IEEE 802.3ad) Configuration menu is shown in Figure 41 on page 144.

4. To view port status, type 7 to select Show LACP Port Status. To view aggregator status, type 8 to select Show LACP Aggregator Status. Figure 45 is an example of the LACP (IEEE 802.3ad) Port Status menu.
aggregator appears in the menu only if there is at least one active aggregate trunk between the switch and another network device.

Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
Marketing
User: Manager                                   11:20:02 02-Mar-2005

LACP (IEEE 802.3ad) Aggregator Status

Aggregator #1 .................
Adminkey ......................
Oper Key.......................
Speed .........................
Ports in LAGID ................
Aggregated Port ........
Chapter 8 Port Mirroring

This chapter contains the procedures for creating and deleting a port mirror.
Port Mirroring Overview

The port mirroring feature allows you to unobtrusively monitor the traffic being received and transmitted on one or more ports on a switch by having the traffic copied to another switch port. You can connect a network analyzer to the port where the traffic is being copied and monitor the traffic on the other ports without impacting network performance or speed.

The port(s) whose traffic you want to mirror is called the source port(s).
Creating a Port Mirror

To create a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 47.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    Port Mirroring
    1 - Enable/Disable .....
5. Type 2 to select Mirror-To (Destination) Port. The following prompt is displayed:

    Mirror-To Port (0-24):

6. Enter the number of the port that functions as the destination port. This is the port where the traffic from the source ports will be copied to and where the network analyzer will be located. You can specify only one destination port.

7. If you want to mirror the ingress (received) traffic on one or more ports, type 3 to select Ingress(Rx) Mirror (Source Ports.
Disabling a Port Mirror

To delete a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 48 on page 157.

3. From the Port Mirroring Menu, type 1 to select Enable/Disable. The following prompt is displayed.
Modifying a Port Mirror

To modify the port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 48 on page 157.

3. Type 2 to select Mirror-To (Destination) Port. The following prompt is displayed:

    Mirror-To Port (0-24):

4.
Displaying the Port Mirror

To display the port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 6 to select Port Mirroring. The Port Mirroring menu is shown in Figure 49.
Chapter 9
Networking Stack

The AT-S63 management software allows you to perform a few basic functions on the switch’s TCP/IP stack. The functions include viewing the switch’s Address Resolution Protocol (ARP) table and routing table. The switch uses these tables when you instruct it to perform a management function that requires interaction with another network device.
Managing the Address Resolution Protocol (ARP) Table

The switch has an Address Resolution Protocol (ARP) table for storing IP addresses of network devices and their corresponding MAC addresses. The switch uses the table whenever you issue a management command that requires the switch’s AT-S63 management software to interact with another device on the network.
Note
The switch does not use the ARP table to move packets through its switching matrix. The switch refers to the table only when performing a management function that involves interaction with another network node.

Displaying the ARP Table

To display the ARP table, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.
The Display ARP Table menu is shown in Figure 51.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    Display ARP Table
    Interface  IP Address      MAC Address         Type
    --------------------------------------------------------
    loopback   127.0.0.1       00:00:00:00:00:00   PERMANENT
    eth0       149.22.22.22    00:30:84:32:8A:5B   TEMPORARY
    eth0       149.22.22.1     00:30:84:32:12:42   TEMPORARY
    eth0       149.22.22.101   00:30:84:32:8A:1B   TEMPORARY
    eth0       149.22.22.
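The following Python script is an added example and is not part of the AT-S63 management software or this guide. It parses the text of the Display ARP Table menu as captured from a management session, and then performs two checks a network manager might want before relying on the table: it lists any MAC address the switch has learned under more than one IP address, and it reports IP addresses whose MAC changed between two captures of the table. The first four table rows are the ones shown in Figure 51; the fifth row, the column layout of the capture, and the two-snapshot comparison are assumptions made for the example.

```python
import re
from collections import defaultdict

# Rows of the Display ARP Table menu. The first four rows are taken from the
# guide's Figure 51; the fifth row is constructed for this example so that one
# MAC address appears under two IP addresses.
SAMPLE_ARP_TABLE = """\
Display ARP Table
Interface  IP Address      MAC Address         Type
--------------------------------------------------------
loopback   127.0.0.1       00:00:00:00:00:00   PERMANENT
eth0       149.22.22.22    00:30:84:32:8A:5B   TEMPORARY
eth0       149.22.22.1     00:30:84:32:12:42   TEMPORARY
eth0       149.22.22.101   00:30:84:32:8A:1B   TEMPORARY
eth0       149.22.22.150   00:30:84:32:12:42   TEMPORARY
"""

# One table row: interface, dotted IPv4 address, colon-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<type>PERMANENT|TEMPORARY)\s*$"
)


def parse_arp_table(text):
    """Return the table rows as dicts; the menu title, column header and
    separator line do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            rows.append({"iface": m["iface"], "ip": m["ip"],
                         "mac": m["mac"].upper(), "type": m["type"]})
    return rows


def shared_macs(rows):
    """MAC addresses that the switch has learned under more than one IP address.
    Only TEMPORARY entries are considered, so the permanent loopback row is ignored."""
    ips_by_mac = defaultdict(list)
    for r in rows:
        if r["type"] == "TEMPORARY":
            ips_by_mac[r["mac"]].append(r["ip"])
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def changed_mappings(before, after):
    """IP addresses whose MAC address differs between two captures of the table,
    as {ip: (old_mac, new_mac)}."""
    old = {r["ip"]: r["mac"] for r in before}
    return {r["ip"]: (old[r["ip"]], r["mac"]) for r in after
            if r["ip"] in old and old[r["ip"]] != r["mac"]}


if __name__ == "__main__":
    rows = parse_arp_table(SAMPLE_ARP_TABLE)
    print(f"{len(rows)} ARP entries")
    for mac, ips in shared_macs(rows).items():
        print(f"{mac} is mapped to more than one address: {', '.join(ips)}")
```

An entry that looks wrong after either check is a candidate for the Delete ARP Entry selection described later in this chapter; the switch re-learns the mapping the next time it needs to contact that node.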
2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3. From the System Utilities menu, type 6 to select Networking Stack. The Networking Stack menu is shown in Figure 50 on page 165.

4. From the Networking Stack menu, type 2 to select Delete ARP Entry. The following prompt is displayed:

    Enter IP address of ARP entry to delete:

5.
5. Return to the Main Menu.

Setting the ARP Cache Timeout

Inactive temporary entries in the ARP table are timed out according to the ARP cache timeout value. This parameter prevents the table from becoming full with inactive entries. The default setting is 400 seconds. To set this value, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.
Displaying the Route Table

The routing table is used by the switch when a remote node specified in a management command is not on the same physical network as the switch. The table contains the IP address of the next hop for reaching the remote network or device. For example, the switch might refer to the table if you instructed it to download a new AT-S63 image file from a network server that was on a different physical network.
The information in this menu is for viewing purposes only. The Display Route Table menu contains the following columns of information.

Destination
The IP address of a destination network, subnetwork, or end node.

Mask
A filter used to designate the active part of the destination IP address. A binary 1 in the mask indicates an active bit in the address while a binary 0 indicates that the corresponding bit in the address is not.
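The following Python script is an added example and is not part of the AT-S63 management software or this guide. It shows how the Destination and Mask columns are used together: a route matches a remote node when the bits of the node's address that the mask marks active equal the same bits of the route's destination, and when several routes match, the one with the most active bits is preferred. The route table, the next-hop convention (0.0.0.0 meaning a directly connected network) and the longest-match rule are assumptions for the example; the guide itself only describes the columns.

```python
def ip_to_int(dotted):
    """Convert a dotted-decimal IPv4 address or mask to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def active_bits(mask):
    """Number of binary 1s in the mask, i.e. how many bits of the destination
    address the route actually compares."""
    return bin(ip_to_int(mask)).count("1")


def route_matches(route, dest):
    """True when the active bits of dest equal the active bits of the route's
    destination; the bits the mask marks with 0 are ignored on both sides."""
    m = ip_to_int(route["mask"])
    return ip_to_int(dest) & m == ip_to_int(route["destination"]) & m


def lookup_route(routes, dest):
    """Return the matching route with the most active mask bits, or None when
    no route (not even a default route) matches."""
    best = None
    for r in routes:
        if route_matches(r, dest) and (
                best is None or active_bits(r["mask"]) > active_bits(best["mask"])):
            best = r
    return best


# Constructed route table in the column layout the guide describes. The
# addresses reuse the 149.22.22.0 network of the guide's ARP example; the
# routes themselves are made up for this example.
ROUTES = [
    # directly connected network: next hop 0.0.0.0 (assumed convention)
    {"destination": "149.22.22.0", "mask": "255.255.255.0",
     "next_hop": "0.0.0.0", "interface": "eth0"},
    # the rest of the 149.22.0.0 network is reached through the router at .1
    {"destination": "149.22.0.0", "mask": "255.255.0.0",
     "next_hop": "149.22.22.1", "interface": "eth0"},
    # default route: mask 0.0.0.0 has no active bits, so it matches everything
    {"destination": "0.0.0.0", "mask": "0.0.0.0",
     "next_hop": "149.22.22.254", "interface": "eth0"},
]

if __name__ == "__main__":
    for node in ("149.22.22.101", "149.22.7.9", "10.1.2.3"):
        r = lookup_route(ROUTES, node)
        print(f"{node}: via {r['next_hop']} ({active_bits(r['mask'])} active mask bits)")
```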
Displaying the TCP Connections

The TCP connections table lists the active Telnet, SSH, and web browser management sessions on a switch and includes the IP addresses of the management stations. You can use the table to determine the number of remote, active management sessions open on a switch, as well as identify the management stations. To display the TCP connections table, perform the following procedure:

1.
This menu is for viewing purposes only. The Display TCP Connections menu contains the following information:

Total Number of TCP Listening sockets
The number of active listening sockets. There can be a maximum of three listening sockets. One is for the Telnet server, another for SSH, and the last for the web browser server. If a server is disabled, its listening socket does not appear in the table.
the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN-WAIT-2 - Waiting for a connection termination request from the remote TCP.

CLOSE-WAIT - Waiting for a connection termination request from the local user.

CLOSING - Waiting for a connection termination request acknowledgment from the remote TCP.
Deleting a TCP Connection

This procedure explains how you can use the TCP connections table to end a Telnet, SSH, or web browser management session on a switch. This procedure is useful if a manager forgot to log out after ending a session or if you suspect that an unauthorized person is accessing the switch’s management software.
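The following Python script is an added example and is not part of the AT-S63 management software or this guide. It turns a capture of the TCP connections table into the list of open management sessions and their stations, and flags sessions that come from outside the networks your management stations normally use, which is the review a manager would do before deleting a connection. The column layout of the capture, the sample rows and the allowed networks are constructed for the example; the guide's own figure for this menu is not reproduced here. The port-to-service mapping uses the standard well-known ports for Telnet (23), SSH (22) and HTTP (80), which the guide does not state.

```python
import ipaddress
import re

# Well-known ports of the three management servers the guide names.
# These are the standard values, not something the guide states.
SERVICE_BY_PORT = {22: "SSH", 23: "Telnet", 80: "web"}

# Constructed capture in an assumed column layout: local port, remote IP,
# remote port, TCP state. A '*' marks the unbound side of a listening socket.
SAMPLE_TCP_TABLE = """\
Local Port  Remote IP       Remote Port  State
--------------------------------------------------
23          *               *            LISTEN
22          *               *            LISTEN
23          149.22.22.101   1041         ESTABLISHED
22          149.22.22.22    51522        ESTABLISHED
80          10.8.0.77       40211        ESTABLISHED
80          149.22.22.22    51600        CLOSE-WAIT
"""

TCP_ROW = re.compile(
    r"^(?P<lport>\d+)\s+(?P<rip>[\d.]+|\*)\s+(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z][A-Z0-9_-]*)\s*$"
)


def parse_tcp_table(text):
    """Return the table rows as dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line.strip())
        if m:
            rows.append({"lport": int(m["lport"]), "rip": m["rip"],
                         "rport": m["rport"], "state": m["state"]})
    return rows


def management_sessions(rows):
    """Open remote management sessions: ESTABLISHED connections to one of the
    management server ports. Listening sockets and connections that are
    closing (e.g. CLOSE-WAIT) are not counted as sessions."""
    return [dict(r, service=SERVICE_BY_PORT[r["lport"]]) for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] in SERVICE_BY_PORT]


def unexpected_sessions(rows, allowed_networks):
    """Sessions whose management station lies outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [s for s in management_sessions(rows)
            if not any(ipaddress.ip_address(s["rip"]) in n for n in nets)]


if __name__ == "__main__":
    rows = parse_tcp_table(SAMPLE_TCP_TABLE)
    for s in management_sessions(rows):
        print(f"{s['service']:6} session from {s['rip']}:{s['rport']}")
    for s in unexpected_sessions(rows, ["149.22.22.0/24"]):  # constructed management subnet
        print(f"review: {s['service']} session from {s['rip']} is outside the management network")
```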
Displaying the TCP Global Information

The TCP Global Information table displays TCP status and statistics. To view the table, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3.
Max connections
The maximum number of TCP connections allowed.

Active Opens
The number of active TCP opens. Active opens initiate connections.

Passive Opens
The number of TCP passive opens. Passive opens are issued to wait for a connection from another host.

Attempt Fails
The number of failed connection attempts.

Established Resets
The number of connections that have been established but have not been reset.

Current Established
The number of current connections.
Section II
Advanced Operations

The chapters in this section provide information and procedures for advanced switch setup using the AT-S63 management software.
Chapter 10
File System

This chapter describes the AT-S63 file system, and how you can use the file system to copy, rename, and delete system files in flash memory or on a compact flash card. This chapter also explains how you can use the file system to select which boot configuration file you want the switch to use the next time the device is reset or power cycled.
File System Overview

The AT-S63 management software has a file system for storing system files in flash memory on the switch or on a compact flash card. You can view a list of files as well as copy, rename, and delete files.
following format:

    filename.ext

where:

filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }. Invalid characters are: ! * + = " | \ [ ] ; : ? / , < >.

ext is a file name extension of three characters in length, preceded by a period (.).
selections on the File Operations menu (see Figure 56 on page 184) to work with files in flash memory or on a compact flash card by specifying the file location. To specify the file location as flash memory, precede the file name with “flash:”. For example:

    flash:boot.cfg

To specify a file located on a compact flash card, precede the name with “cflash:”, for example:

    cflash:switch12.cfg

If you do not specify a location, the default is flash memory.
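The following Python function is an added example and is not part of the AT-S63 management software or this guide. It applies the file naming conventions above before a name is typed at a File Operations prompt: it splits off the optional “flash:” or “cflash:” location (defaulting to flash memory), checks that the name part is one to sixteen characters drawn from the valid character set, and checks that the extension is exactly three characters. The character set for the extension (letters and digits) is an assumption, since the guide only gives its length.

```python
import re

# Valid filename characters from the File Naming Conventions section:
# a-z, A-Z, 0-9 and  ~ ' @ # $ % ^ & ( ) _ - { }
FILENAME_CHARS = r"A-Za-z0-9~'@#$%^&()_{}\-"
# filename: 1 to 16 valid characters; ext: exactly three characters after a period.
# Restricting the extension to letters and digits is an assumption of this example.
_NAME_RE = re.compile(rf"^(?P<name>[{FILENAME_CHARS}]{{1,16}})\.(?P<ext>[A-Za-z0-9]{{3}})$")
DEVICES = ("flash", "cflash")


def parse_file_spec(spec):
    """Split 'cflash:switch12.cfg' into its device, name and extension.

    A spec without a 'flash:' or 'cflash:' prefix defaults to flash memory, as
    the guide states. Raises ValueError for an unknown location or a name that
    breaks the filename.ext convention."""
    device = "flash"
    if ":" in spec:
        prefix, _, rest = spec.partition(":")
        if prefix not in DEVICES:
            raise ValueError(f"unknown file location {prefix!r} (expected flash: or cflash:)")
        device, spec = prefix, rest
    m = _NAME_RE.match(spec)
    if not m:
        raise ValueError(f"{spec!r} does not follow the filename.ext convention")
    return {"device": device, "name": m["name"], "ext": m["ext"].lower()}


def is_valid_file_spec(spec):
    """True when parse_file_spec accepts the spec."""
    try:
        parse_file_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("flash:boot.cfg", "cflash:switch12.cfg", "mydefault.cfg", "bad*name.cfg"):
        print(spec, "->", parse_file_spec(spec) if is_valid_file_spec(spec) else "invalid")
```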
Working with Boot Configuration Files

A boot configuration file contains a series of commands that configure the switch’s parameter settings when you power cycle or reset the device. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so forth on the switch. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.
“Selecting the Active Boot Configuration File for the Switch” on page 186

Creating a Boot Configuration File

To create a boot configuration file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3.
4. From the File Operations menu, type 3 to select Create Configuration File. The following prompt is displayed:

    Enter the file name:

5. Enter a file name for the new boot configuration file. The file name can be up to 16 alphanumeric characters. Spaces are allowed. The filename must include the extension “.cfg”. See “File Naming Conventions” on page 180.
Note
Only the active boot configuration file is changed when you select the Save Configuration Changes option in the Main Menu. No other boot configuration files that are stored on the switch are altered.

Selecting the Active Boot Configuration File for the Switch

You have now created the boot configuration file, made the necessary changes to the switch’s parameter settings, and saved the changes.
5. Enter the file name of the boot configuration file that you want the switch to use the next time it is reset or power cycled. The file name is displayed following selection 1 in the File Operations menu. The file name should be followed by “Exist”, which means that the file exists in the switch’s file system.
The contents of the boot configuration file are displayed in the View File menu. An example is shown in Figure 57.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    View File
    Viewing file “mydefault.
The text editor must be able to store the file as ASCII text. Do not insert special formatting codes, such as boldface or italics, into a boot configuration file. The boot configuration file must contain AT-S63 command line commands. You enter the commands you want the switch to perform when reset or power cycled.
Copying a System File

To copy a system file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 56 on page 184.

4.
    Please wait...
    Press any key ...

7. Press any key to return to the File Operations menu.
Renaming a System File

To rename a system file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 56 on page 184.

4.
    Please wait...
    Press any key ...

Press any key to return to the File Operations menu.
Deleting a System File

To delete a system file, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3. From the System Utilities menu, type 1 to select File Operations. The File Operations menu is shown in Figure 56 on page 184.

4.
Displaying System Files

Use this procedure to display a list of the system files currently stored either in the flash memory of the switch or on a compact flash card. For information about shortcuts for specifying file names, see “File Naming Conventions” on page 180.
An example of this display is shown in Figure 58.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    List Files
    File Name         Device  Size (Bytes)  Last Modified
    ------------------------------------------------------------
    default.cfg       flash   805           01/10/2002 12:01:16
    boot.cfg          flash   1249          10/24/2003 16:50:40
    newcfg.cg         flash   1082          07/12/2003 16:59:06
    serverkey150.key  flash   768           11/30/2003 19:17:35
    ProdSw.cer        flash   1024          11/30/2003 20:38:20
    ProdSw2.
Device
The device type, either “flash” for flash memory or “cflash” for compact flash card.

Size
Size of the file, in bytes.

Last Modified
The time the file was created or last modified, in the following date and time format: month/day/year hours:minutes:seconds.

Listing Files on the Compact Flash Card

To view the files on the compact flash card, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration.
The system displays files on the compact flash card, as shown in Figure 59.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    List Files
    File Name         Device  Size (Bytes)  Last Modified
    ------------------------------------------------------------
    dcim\             cflash                01/10/2005 12:01:16
    boot.cfg          cflash  1249          10/24/2005 16:50:40
    newcfg.cg         cflash  1082          07/12/2005 16:59:06
    serverkey150.key  cflash  768           11/30/2005 19:17:35
    ProdSw.

Working with Flash Memory

An AT-9400 Series switch contains flash memory where the file system (which contains files such as the configuration file) and the event log are stored.

Displaying Information about the Flash Memory

To display information about the flash memory, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.
Caution
When you format the flash memory, ALL files including the default configuration and boot files are lost. This includes encryption keys, certificates, configuration files, and all other special files. To remove selected files, use the procedure in “Deleting a System File” on page 194.

To format the flash memory, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.
Working with the Compact Flash Card

Some AT-9400 Series switches contain a compact flash card slot, into which you can put a compact flash card. You can then copy files such as configuration files onto the compact flash card, take the card to other switches that have compact flash card slots, and copy files from the compact flash card to that switch through a local connection.
    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    Display Compact Flash Information
    Compact Flash:
    -----------------------------------------------------
    Current Directory: \
    Number of files ......... 0
    Number of directories ... 1
    Bytes used .............. 0
    Card Information:
    Hardware detected .......
    Serial Number ...........
    Size ....................
    Used ....................
    Free ....................
Used
The amount of space that is currently used.

Free
The amount of space that is free.

Changing the Directory

To change from one directory to another on the compact flash card, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities.
Chapter 11
File Downloads and Uploads

This chapter contains the procedures for downloading a new AT-S63 image file onto the switch. This chapter also contains the procedures for uploading and downloading system files, such as a boot configuration file, from the file system in the switch.
Downloading the AT-S63 Image File onto a Switch

This section contains two procedures for downloading a new AT-S63 image file onto the switch.
Downloading the AT-S63 Image from a Local Management Session

To download a new software image onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:

1. Establish a local management session on the switch where you intend to download the new management software.

2. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

3.
a. Type T. The following prompt is displayed:

    TFTP Server IP address:

b. Enter the IP address of the TFTP server. The following prompt is displayed:

    Remote File Name:

c. Enter the directory path and file name of the AT-S63 image file stored on the TFTP server. The following message is displayed:

    Getting the file from Remote TFTP Server - Please wait ...

d. If you have not already done so, start the TFTP server software.
9. Begin the file transfer. Steps 10 through 13 illustrate how you download a file using the Hilgraeve HyperTerminal program.

10. From the HyperTerminal main window, select Send File from the Transfer menu, as shown in Figure 64.

    Figure 64. HyperTerminal Window

The Send File window is shown in Figure 65.

    Figure 65. Send File Window

11. Click Browse and specify the location and file to be downloaded onto the switch.

12.
the software download. The download process takes several minutes to complete.

    Figure 66. XModem File Send Window

Note
After the switch has downloaded the new image, it begins to initialize the software, a process that takes approximately one minute to complete. The switch does not forward any network traffic during the initialization process. After the management software is initialized, the switch automatically resets.
The Downloads and Uploads menu is shown in Figure 63 on page 207.

5. From the Downloads and Uploads menu, type 1 to select Download Application Image/Bootloader. The following prompt is displayed:

    Only TFTP downloads are available for a Telnet access
    TFTP Server IP address:

6. Enter the IP address of the TFTP server. The following prompt is displayed:

    Remote File Name:

7.
Downloading an AT-S63 Image File Switch to Switch

The previous section contained procedures for downloading an AT-S63 software image onto a switch from a local or Telnet management session. The procedure in this section explains how to download an AT-S63 software image from one AT-9400 Series switch to another AT-9400 Series switch. This procedure is useful in networks that contain a large number of AT-9400 Series switches.
Note
You cannot download AT-S63 software onto any type of enhanced stacking switch other than AT-9400 Series switches.

The following prompt is displayed:

    Do you want to show remote switch burning flash -> [Yes/No]

6. You can respond with Yes or No to this prompt. It does not affect the download. The following prompt is displayed:

    Do you want confirmation before downloading each switch > [Yes/No]

7.
Downloading an AT-S63 Configuration File Switch to Switch

This procedure explains how to download the active boot configuration file on the master AT-9400 Series switch to another AT-9400 Series switch in an enhanced stack. For an explanation of the boot configuration file, refer to “Working with Boot Configuration Files” on page 183.

Note
You can perform this procedure from a local or Telnet management session.
6. Enter the number (Num column in the menu) of the AT-9400 Series switch to which you want to download the configuration file. You can specify more than one switch at a time (for example, 2,4,5).

Note
You can download an AT-9400 Series configuration file only onto other AT-9400 Series switches. Do not attempt to download the file onto any other type of enhanced stacking switch.
Downloading a System File

This section contains the procedures for downloading a system file from a workstation or TFTP server into the switch’s file system. You can download any of the following files:

- Boot configuration file
- Public encryption key
- CA certificate

Note
The CA certificate and key file are supported only on the version of AT-S63 management software that features SSL, PKI, and SSH security.
Downloading a System File from a Local Management Session

To download a system file onto a switch from a local management session using Xmodem or TFTP, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

3.
e. If you have not already done so, start the TFTP server software. After the switch has downloaded the system file, the following message is displayed:

    File received successfully!

6. To download a file using Xmodem, type X at the prompt displayed in Step 5. The following prompt is displayed:

    Local File Name:

7. Enter a name for the system file. This is the name that the switch will store the file as in its file system.
    Figure 67. HyperTerminal Window

The Send File window is shown in Figure 65.

    Figure 68. Send File Window

11. Click Browse and specify the location and system file to be downloaded onto the switch.

12. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.

13. Click Send. The file immediately begins downloading onto the switch.
The download is complete when the Downloads and Uploads menu is redisplayed.

Downloading a System File from a Telnet Management Session

To download a system file onto a switch from a Telnet management session using TFTP, perform the following procedure:

1. Establish a Telnet management session on the switch where you intend to download the new file.

2. From the Main Menu, type 5 to select System Administration.
After the switch has downloaded the system file, the following message is displayed:

    File received successfully!
Uploading a System File

You use the procedures in this section to upload a system file from a switch to a computer or TFTP server. A system file can be any of the following:

- Boot configuration file
- Public key
- PKI certificate
- Certificate enrollment request

Note
The certificate file, certificate enrollment request file, and key file are supported only on the version of AT-S63 management software that features SSL and PKI security.
The System Administration menu is shown in Figure 4 on page 46.

3. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 63 on page 207.

5. From the Downloads and Uploads menu, type 4 to select Upload a File.
The file is now stored on the TFTP server. You can now download the file onto another AT-9400 Series switch in your network.

7. To upload a file using Xmodem, type X at the prompt displayed in Step 5. The following message is displayed:

    Local File Name:

8. Enter the name of the system file on the switch that you want to upload to your computer. You can specify only one file. You cannot use wildcards in the file name.
11. From the HyperTerminal main window, select Receive File from the Transfer menu, as shown in Figure 70.

    Figure 70. HyperTerminal Window

The Receive File window is shown in Figure 71.

    Figure 71. Receive File Window

12. Click Browse and specify the location on your computer where you want the system file stored.

13. Click in the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.

14. Click Receive.
3. From the System Administration menu, type 9 to select System Utilities. The System Utilities menu is shown in Figure 7 on page 53.

4. From the System Utilities menu, type 2 to select Downloads and Uploads. The Downloads and Uploads menu is shown in Figure 63 on page 207.

5. From the Downloads and Uploads menu, type 4 to select Upload a File. The following prompt is displayed:

    Only TFTP uploads are available for a Telnet access
    TFTP Server IP address:

6.
Chapter 12
Event Log

This chapter describes the event log that allows you to view information about switch activity, and how to configure the switch to send the events to a syslog server.
Event Log Overview

A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when the problem occurred.
Note
The event logs, even when disabled, log all AT-S63 initialization events that occur when the switch is reset or power cycled. Any switch events that occur after AT-S63 initialization are entered into the logs only if you enable the event log feature. The default setting for the event log feature is enabled.
Working with the Event Log

This section contains the following procedures:

- “Enabling or Disabling the Event Logs,” next
- “Displaying an Event Log” on page 232
- “Modifying the Event Log Full Action” on page 237
- “Clearing an Event Log” on page 238
- “Saving an Event Log to a File” on page 238

Enabling or Disabling the Event Logs

This procedure explains how to enable or disable the event logs on the switch.
The Event Log menu is shown in Figure 72.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                           11:20:02 02-Mar-2005
    Event Log
    1 - Event Logging ..........
    2 - Display Output .........
    3 - Display Order ..........
    4 - Display Mode ...........
    5 - Display Severity .......
    6 - Display Module .........
Displaying an Event Log

Each time that you want to view the event log, you must choose how and what you want displayed. The event log settings are not saved. To specify the type of events you want to display in the event log, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 8 to select Event Log.
6. To display events of a selected severity, type 5 to select Display Severity. The following prompt is displayed:

    Enter Severity levels to display (ALL, E - Error, W - Warning, I - Information, D - Debug) ->

The possible options are:

ALL
All messages of the following types are displayed. This is the default.

E - Error
Only error messages are displayed. Error messages indicate that the switch operation is severely impaired.
Table 2. AT-S63 Modules (Continued)

    Module Name   Description
    CLI           Command line interface commands
    DOS           Denial of service defense
    ENCO          Encryption keys
    ESTACK        Enhanced stacking
    EVTLOG        Event log
    FILE          File system
    GARP          GARP GVRP
    HTTP          Web server
    IGMPSNOOP     IGMP snooping
    IP            System IP configuration, DHCP, and BOOTP
    LACP          Link Aggregation Control Protocol
    MAC           MAC address table
    MGMTACL       Management access control list
    PACCESS       802.
Table 2. AT-S63 Modules (Continued)

    Module Name   Description
    SYSTEM        Hardware status; Manager and Operator log in and log off events.
    TACACS        TACACS+ authentication protocol
    Telnet        Telnet
    TFTP          TFTP
    Time          System time and SNTP
    VLAN          Port-based and tagged VLANs, and multiple VLAN modes
    WATCHDOG      Watchdog timer

To select specific modules, type the names separated by commas. The module names are not case sensitive. For example:

    stp, psec

9.
S (Severity) The event’s severity. The severity codes and their corresponding severity level and description are shown in Table 3.
Table 3. Event Severity Levels
Severity Code - Severity Level - Description
E - Error - Switch operation is severely impaired.
W - Warning - An issue that may require network manager attention.
I - Information - Useful information that can be ignored during normal operation.
D - Debug - Messages intended for technical support and software development.
In addition to the information displayed in Normal mode, the Full mode also displays additional columns in the table, as described below: Event ID A unique, random number assigned to each event. Source File:Line Number The AT-S63 software source file name and the line number in that source file that produced the event. 10.
1 - Wrap on Full When the event log reaches its maximum capacity, old entries are deleted when new entries are added. This is the default. 2 - Halt on Full When the event log reaches its maximum capacity, the log stops adding new entries. 6. Return to the Main Menu.
Clearing an Event Log
You can clear the event log to remove old events and start fresh. To clear the event log, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration.
If you type Y, the following prompt is displayed: Enter file name (*.log) -> 6. Type a name for the file with a .log file name extension. The following message is displayed: Saving log to file. When the save process is complete, the word “Complete” is displayed, followed by another prompt: Press any key to continue. 7. Press any key. The log file is saved in the switch’s file system as an ASCII file. 8.
A sample log file saved in full mode is shown in Figure 75.
Figure 75. Sample Event Log File (Full mode), as displayed by View File:
Viewing file “second.log”
I 02/24/04 12:31:02 323003 atissh.c:518 ssh: SSH server disabled
I 02/24/04 12:31:02 073001 garpmain.c:259 garp: GARP initialized
I 02/24/04 12:31:02 103001 trunkapp.
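The Full-mode lines in Figure 75 have a fixed layout (severity, date, time, event ID, source file:line, module, description), so a collector can parse a saved .log file and apply the same severity and module selections that the Display Severity and Display Module options offer, then compute the RFC 3164 PRI value used when events are forwarded to a syslog server. This is an added example, not code from the guide or from Allied Telesyn: the sample lines after the two shown in Figure 75 are constructed, and the syslog severity numbers (Error=3, Warning=4, Information=6, Debug=7) are an assumption taken from RFC 3164, since the guide does not state how AT-S63 maps its severity codes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Table 3 severity codes. The syslog numeric severities are an assumption
# taken from RFC 3164; the guide does not state how AT-S63 maps them.
SEVERITY_NAMES = {"E": "Error", "W": "Warning", "I": "Information", "D": "Debug"}
SYSLOG_SEVERITY = {"E": 3, "W": 4, "I": 6, "D": 7}   # assumption

# Table 5: facility level setting -> RFC 3164 numerical code (LOCAL0=16 ... LOCAL7=23).
FACILITY_CODES = {"LOCAL%d" % n: 16 + n for n in range(8)}

# Full-mode line layout as shown in Figure 75:
# <sev> <mm/dd/yy> <hh:mm:ss> <event id> <source file:line> <module>: <description>
FULL_LINE = re.compile(
    r"^(?P<sev>[EWID]) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<event_id>\d+) (?P<source>\S+:\d+) (?P<module>\w+): (?P<desc>.*)$"
)


@dataclass
class Event:
    severity: str
    date: str
    time: str
    event_id: int
    source: str
    module: str
    description: str


def parse_full_line(line: str) -> Optional[Event]:
    """Parse one Full-mode log line; return None for lines that do not match."""
    m = FULL_LINE.match(line.strip())
    if not m:
        return None
    return Event(m["sev"], m["date"], m["time"], int(m["event_id"]),
                 m["source"], m["module"], m["desc"])


def parse_log(text: str) -> List[Event]:
    """Parse a saved .log file, skipping the View File banner and separator lines."""
    return [ev for ev in map(parse_full_line, text.splitlines()) if ev is not None]


def _selection(spec: str) -> Optional[Set[str]]:
    """'ALL' means no restriction; otherwise a comma-separated, case-insensitive list."""
    if spec.strip().upper() == "ALL":
        return None
    return {item.strip().upper() for item in spec.split(",") if item.strip()}


def filter_events(events: List[Event], severities: str = "ALL",
                  modules: str = "ALL") -> List[Event]:
    """Apply the Display Severity and Display Module selections to parsed events."""
    sev = _selection(severities)
    mod = _selection(modules)
    return [ev for ev in events
            if (sev is None or ev.severity in sev)
            and (mod is None or ev.module.upper() in mod)]


def syslog_pri(event: Event, facility_level: str) -> int:
    """RFC 3164 PRI value = facility code * 8 + severity, with the facility from Table 5."""
    return FACILITY_CODES[facility_level.upper()] * 8 + SYSLOG_SEVERITY[event.severity]


# Constructed sample file: the first two event lines are those shown in Figure 75,
# the remaining two are made up for this example.
SAMPLE_LOG = """\
Viewing file "second.log"
-------------------------------------------------------------
I 02/24/04 12:31:02 323003 atissh.c:518 ssh: SSH server disabled
I 02/24/04 12:31:02 073001 garpmain.c:259 garp: GARP initialized
W 02/24/04 12:31:07 101002 stpmain.c:310 stp: Topology change on port 4
E 02/24/04 12:32:10 040005 sysmain.c:77 system: Manager login failed (telnet)
"""

if __name__ == "__main__":
    for ev in filter_events(parse_log(SAMPLE_LOG), severities="E,W"):
        print(ev.severity, ev.module, ev.description, "PRI", syslog_pri(ev, "LOCAL2"))
```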
Configuring Log Outputs
As explained in “Event Log Overview” on page 228, there are two methods you can use to view the events generated by the switch. One method is to view one of the switch’s event logs. The drawback to this method is that you must establish a management session with the switch before you can view the logs and you can view the log of only one switch at a time.
2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 72 on page 231. 3. From the Event Log menu, type L to select Configure Log Outputs. The Configure Log Outputs menu, with a list of any log outputs that have already been created, is shown in Figure 76.
The Syslog Output Configuration menu is displayed, as shown in Figure 77.
Figure 77. Syslog Output Configuration Menu. Options: 1 - Output ID, 2 - Server IP Address, 3 - Message Generation, 4 - Message Format, 5 - Facility Level, 6 - Event Severity, 7 - Event Module.
11. Type 4 to toggle Message Format between the following options: Normal Sends the severity, module, and description for each event. Extended Sends the same information as Normal along with the date, time, and switch’s IP address. This is the default. 12. Type 5 to select Facility Level.
Table 4. Applicable RFC 3164 Numerical Code and AT-S63 Module Mappings (Continued)
Numerical Code - RFC 3164 Facility - AT-S63 Module
9 - Clock daemon - Time-based modules: TIME (system time and SNTP), RTC
22 - Local use 6 - Physical interface and data link modules: PCFG, PMIRR, PTRUNK, STP, VLAN
23 - Local use 7 - SYSTEM events related to major exceptions.
16 - Local use 0 - All other modules and events.
Table 5. Numerical Code and Facility Level Mappings (Continued)
Numerical Code - Facility Level Setting
20 - LOCAL4
21 - LOCAL5
22 - LOCAL6
23 - LOCAL7
For example, selecting LOCAL2 as the facility level assigns the numerical code of 18 to all events sent by the switch to the syslog server. 13. To include events of a selected severity, type 6 to select Event Severity.
15. Enter a list of modules separated by commas, for example, “system, stp, ptrunk.” 16. Type C to create the log output you defined. The switch immediately begins to send events to the server, if you enabled the definition when you created it, and adds the new syslog server definition to the Configure Log Outputs menu.
Enter output ID to modify [0 to 20] -> 5. Enter the number of the log output that you want to modify. The Syslog Output Configuration menu is displayed, as shown in Figure 77 on page 243. 6. Refer to “Creating a Log Output Definition” on page 241 for information about the output selections. 7. When you complete the modifications, type M to select Modify Log Output. The Configure Log Outputs menu as shown in Figure 76 on page 242 is redisplayed. 8. Return to the Main Menu.
Displaying the Log Output Definition Details
To view the settings of a log output definition you have already created, perform the following procedure: 1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46. 2. From the System Administration menu, type 8 to select Event Log. The Event Log menu is shown in Figure 72 on page 231. 3.
Chapter 13: Classifiers
This chapter explains classifiers and how you can create classifiers to define traffic flows.
Classifier Overview
A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter could be packets with specific source and destination MAC addresses. A classifier contains a set of criteria you configure to match the traffic flow you want the classifier to define.
apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
Classifier Criteria
The components of a classifier are defined in the following subsections. Destination MAC Address (Layer 2) Source MAC Address (Layer 2) You can identify a traffic flow by specifying the source and/or destination MAC address.
within an Ethernet frame.
Figure 80. User Priority and VLAN Fields within an Ethernet Frame: Preamble (64 bits), Destination Address (48 bits), Source Address (48 bits), Tag Protocol Identifier (16 bits), User Priority (3 bits), CFI (1 bit), VLAN Identifier (12 bits), Type/Length (16 bits), Frame Data (368 to 12000 bits), CRC (32 bits).
You can identify a traffic flow of tagged packets using the user priority value.
When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP. If you choose to specify a protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose the latter, precede the number with the prefix “0x”. IP ToS (Type of Service) (Layer 3) Type of Service (ToS) is a standard field in IP packets. It is used by applications to indicate the priority and Quality of Service for a frame.
You cannot specify both an IP ToS value and an IP DSCP value in the same classifier. IP Protocol (Layer 3) You can define a traffic flow by the following Layer 3 protocols: TCP, UDP, ICMP, IGMP, or IP protocol number. If you choose to specify a Layer 3 protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose the latter, precede the number with the prefix “0x”.
The Protocol variable must be left blank or set to IP. TCP Source Ports (Layer 4) TCP Destination Ports (Layer 4) Traffic flows can be identified by source and/or destination TCP port numbers, which are contained within the header of an IP frame. Observe the following guidelines when using these criteria: The Protocol variable must be left blank or set to IP. The IP Protocol variable must be left blank or set to TCP.
Classifier Guidelines
Follow these guidelines when creating a classifier: Each classifier represents a separate traffic flow. The variables within a classifier are linked by AND. The more variables specified within a classifier, the more specific it becomes in terms of the flow you are defining.
Creating a Classifier
This section contains the procedure for creating a classifier. As explained in “Classifier Overview” on page 252, a classifier contains a series of variables for defining a traffic flow. This same procedure is used whether the classifier is intended for an ACL or a QoS policy. To create a classifier, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services.
The Classifier Configuration menu is shown in Figure 83.
Figure 83. Classifier Configuration Menu. Options: 1 - Create Classifier, 2 - Modify Classifier, 3 - Destroy Classifier, 4 - Show Classifiers; P - Purge Classifiers; R - Return to Previous Menu.
3. From the Classifier Configuration menu, type 1 to select Create Classifier.
This is the first page of the classifier variables. To view the remaining variables, type N to select Next Page. The Create Classifier menu (page 2) is shown in Figure 85.
Figure 85. Create Classifier Menu (page 2). Options: 11 - IP Protocol, 12 - Src IP Addr, 13 - Src IP Mask, 14 - Dst IP Addr, 15 - Dst IP Mask, 16 - TCP Src Port, 17 - TCP Dst Port, ...
Refer to “Classifier Overview” on page 252 for definitions of the variables. 7. Repeat steps 5 and 6 to adjust any other variables necessary to define the traffic flow for this classifier. 8. After configuring the necessary variables, type C to select Create Classifier. The switch creates the classifier. If any of the settings are incompatible, the system displays an error message.
Modifying a Classifier
In order to modify a classifier, you need to know its ID number. If you are unsure of the ID number of the classifier you want to modify, refer to “Displaying Classifiers” on page 266. You cannot modify a classifier if it belongs to an ACL or QoS policy that has already been assigned to a port. You must first remove the port assignments from the ACL or policy before you can modify the classifier.
7. To modify other classifiers, repeat this process starting with step 3. 8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. 9. To add the modified classifier to an ACL, refer to “Creating an ACL” on page 277 or “Modifying an ACL” on page 280. To add it to a QoS policy, refer to “Managing Flow Groups” on page 313.
Deleting a Classifier
This procedure deletes a classifier from the switch. To delete a classifier, you need to know its ID number. If you are unsure of the ID number of the classifier you want to delete, refer to “Displaying Classifiers” on page 266. Note You cannot delete a classifier if it belongs to an ACL or QoS policy. You must first remove the port assignments from its ACL or policy assignments before you can delete the classifier.
Displaying Classifiers
To display the classifiers on a switch, do the following: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259. 2. From the Security and Services menu, type 1 to select Classifier Configuration. The Classifier Configuration menu is shown in Figure 83 on page 260. 3. From the Classifier Configuration menu, type 4 to select Show Classifiers.
for the classifier. An active ACL or QoS policy has been assigned to a switch port while an inactive ACL or policy has not been assigned to a port. If this number is 0 (zero), the classifier has not been assigned to any ACLs or policies. Number of Active Associations The number of active ACLs and QoS policy assignments for the classifier. An active ACL or policy has been assigned to a switch port.
The second page of the Display Classifier menu is shown in Figure 88.
Figure 88. Display Classifier Menu (page 2). Options: 11 - Src IP Addr, 12 - Src IP Mask, 13 - Dst IP Addr, 14 - Dst IP Mask, 15 - TCP Src Port, 16 - TCP Dst Port, 17 - UDP Src Port, 18 - UDP Dst Port, 19 - TCP Flags; P - Previous Page; U - Update Display; R - Return to Previous Menu.
Chapter 14: Access Control Lists
This chapter explains access control lists (ACL) and how you can use this feature to improve network security and performance.
Access Control List (ACL) Overview
An ACL is a tool for managing network traffic. You can use this feature to control which ingress packets a port will accept and which it will reject. One of the benefits of this feature is that it can add to network security. An ACL can protect parts of a network from unauthorized access by allowing only permitted traffic to enter the port.
Here is an overview of how the process works. 1. When an ingress packet arrives on a port, it is checked against the criteria in the classifiers of all the ACLs, both permit and deny, assigned to the port. 2. If the packet matches the criteria of a permit ACL, the port immediately accepts it, even if the packet also matches a deny ACL assigned to the same port, because a permit ACL always overrides a deny ACL. 3.
A classifier can be assigned to multiple ACLs. However, a classifier cannot be assigned more than once to a port. Put another way, ACLs that have the same classifier cannot be assigned to the same port. The switch can store up to 64 ACLs.
Examples
This section contains several examples of ACLs. In this example, port 4 has been assigned one ACL, a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet.
To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL. This example denies traffic on port 4 from three subnets using three classifiers, one for each subnet, assigned to the same ACL.
Create Classifier: 01 - Classifier ID: 22; 02 - Description: 149.11.11 flow; 12 - Src IP Addr: 149.11.11.0; 13 - Src IP Mask: 255.255.255.
You can achieve the same result by assigning each classifier to a different ACL and assigning the ACLs to the same port, as in this example, again for port 4.
Create Access Control Lists (ACL): 1 - ACL ID: 4; 2 - Description: 149.11.11-deny; 3 - Action: Deny; 4 - Classifier List: 22; 5 - Port List: 4
Create Access Control Lists (ACL): 1 - ACL ID: 22; 2 - Description: 149.22.22.
In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ID 17 specifies all IP traffic and is assigned to an ACL whose action is deny. Since a permit ACL overrides a deny ACL, the port will accept the traffic from the 149.44.44.
The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 and a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic, including ARP packets, is prohibited.
Create Classifier
Create Access Control Lists (ACL): 1 - ACL ID: 4; 2 - Description: ToS 6 traffic - permit; 3 - Action: Permit; 4 - Classifier List: 6; 5 - Port List: ...
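The evaluation rules above (classifier variables linked by AND, a classifier assigned at most once per port, permit overriding deny) can be checked against the examples by modelling them in Python. This is an added example, not code from the guide or from Allied Telesyn; it assumes that a packet matching no ACL on a port is accepted, which the deny-all-IP ACL in the 149.44.44.0 example implies, and the ACL IDs 5, 7 and 8 are chosen here because the page does not show them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    """The fields of an ingress IP packet that the classifiers below inspect."""
    src_ip: str
    dst_ip: str
    tos: Optional[int] = None

def in_subnet(ip: str, network: str, mask: str) -> bool:
    """True when ip lies inside network/mask, e.g. 149.11.11.0 / 255.255.255.0."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{network}/{mask}", strict=False)

@dataclass
class Classifier:
    """A subset of the classifier variables; a variable left unset matches anything."""
    cid: int
    description: str = ""
    src_ip: Optional[str] = None
    src_mask: str = "255.255.255.255"
    dst_ip: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    tos: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = []   # every configured variable must hold: the variables are linked by AND
        if self.src_ip is not None:
            checks.append(in_subnet(pkt.src_ip, self.src_ip, self.src_mask))
        if self.dst_ip is not None:
            checks.append(in_subnet(pkt.dst_ip, self.dst_ip, self.dst_mask))
        if self.tos is not None:
            checks.append(pkt.tos == self.tos)
        return all(checks)

@dataclass
class ACL:
    acl_id: int
    action: str          # "Permit" or "Deny"
    classifiers: List[int]
    ports: List[int]
    description: str = ""

class AclTable:
    MAX_ACLS = 64        # the switch stores up to 64 ACLs

    def __init__(self) -> None:
        self.classifiers: Dict[int, Classifier] = {}
        self.acls: Dict[int, ACL] = {}

    def add_classifier(self, c: Classifier) -> None:
        self.classifiers[c.cid] = c

    def add_acl(self, acl: ACL) -> None:
        if len(self.acls) >= self.MAX_ACLS:
            raise ValueError("ACL table full")
        if acl.action not in ("Permit", "Deny"):
            raise ValueError("action must be Permit or Deny")
        for port in acl.ports:   # a classifier cannot be assigned more than once to a port
            in_use = {cid for a in self.acls.values() if port in a.ports for cid in a.classifiers}
            clash = in_use & set(acl.classifiers)
            if clash:
                raise ValueError(f"classifier(s) {sorted(clash)} already assigned to port {port}")
        self.acls[acl.acl_id] = acl

    def evaluate(self, port: int, pkt: Packet) -> str:
        """Return 'accept' or 'reject' for an ingress packet on the given port."""
        permit_hit = deny_hit = False
        for acl in self.acls.values():
            if port in acl.ports and any(self.classifiers[c].matches(pkt) for c in acl.classifiers):
                if acl.action == "Permit":
                    permit_hit = True
                else:
                    deny_hit = True
        if permit_hit:       # a permit ACL always overrides a deny ACL on the same port
            return "accept"
        if deny_hit:
            return "reject"
        return "accept"      # assumption: a packet that matches no ACL is accepted

def build_example_table() -> AclTable:
    """The ACL layouts from the examples above as data; ACL IDs 5, 7 and 8 are chosen here."""
    t = AclTable()
    t.add_classifier(Classifier(22, "149.11.11 flow", src_ip="149.11.11.0", src_mask="255.255.255.0"))
    t.add_classifier(Classifier(11, "149.44.44 flow", src_ip="149.44.44.0", src_mask="255.255.255.0"))
    t.add_classifier(Classifier(17, "all IP traffic"))
    t.add_classifier(Classifier(6, "ToS 6 traffic", src_ip="149.22.11.0", src_mask="255.255.255.0",
                                dst_ip="149.22.22.22", tos=6))
    t.add_acl(ACL(4, "Deny", [22], [4], "149.11.11-deny"))
    t.add_acl(ACL(5, "Permit", [11], [14, 15], "149.44.44-permit"))
    t.add_acl(ACL(7, "Deny", [17], [14, 15, 17], "all other IP - deny"))
    t.add_acl(ACL(8, "Permit", [6], [17], "ToS 6 traffic - permit"))
    return t
```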
Creating an ACL
This procedure explains how to create an ACL. In order to perform this procedure, you need to know the ID numbers of the classifiers that you want to assign to the ACL. To view classifier ID numbers, refer to “Displaying Classifiers” on page 266. To create an ACL, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259. 2.
The Create ACL menu is shown in Figure 96.
Figure 96. Create ACL Menu. Options: 1 - ACL ID (0), 2 - Description, 3 - Action (Deny), 4 - Classifier List, 5 - Port List; C - Create ACL; R - Return to Previous Menu.
4. Type 1 to select ACL ID and, when prompted, enter an ID number for the ACL.
9. Type 5 to select Port List and, when prompted, enter the ports where you want to assign the ACL. You can assign an ACL to just one port or to more than one port. When entering multiple ports, the ports can be listed individually (e.g., 2,5,7), as a range (e.g., 8-12) or both (e.g., 14,6,8). 10. Type C to select Create ACL. The ACL is created on the switch and immediately activated on the specified ports. 11.
Modifying an ACL
This procedure explains how to modify an ACL. In order to perform this procedure, you need to know the ID number of the ACL. To display ACL ID numbers, refer to “Displaying ACLs” on page 285. If you plan to add classifiers to the ACL, you also need to know the ID numbers of the classifiers. To view classifier ID numbers, refer to “Displaying Classifiers” on page 266. To modify an ACL, perform the following procedure: 1.
You cannot change an ACL’s ID number. 5. To change the description of the ACL, type 2 to select Description and enter a new description for the ACL. The description can be up to 31 alphanumeric characters. Spaces are allowed. This parameter is optional, though recommended. Assigning each ACL a name will make it easier for you to identify them. 6. To change the ACL’s action, type 3 to select Action.
Deleting an ACL
This procedure deletes an ACL from the switch. To perform this procedure, you need to know the ID number of the ACL. To display ACL ID numbers, refer to “Displaying ACLs” on page 285. To delete an ACL, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259. 2. From the Security and Services menu, type 4 to select Access Control Lists.
5. To delete the ACL, type D to select Destroy ACL. To cancel the procedure, type R to select Return to Previous Menu. A deleted ACL is immediately removed from the switch. 6. To delete additional ACLs, repeat this procedure starting with step 3. 7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting All ACLs
This procedure deletes all ACLs from the switch. To delete all ACLs, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. 2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 95 on page 277. 3. From the Access Control Lists (ACL) menu, type P to select Purge ACLs. Caution No confirmation prompt is displayed.
Displaying ACLs
To display the ACLs on a switch, perform this procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259. 2. From the Security and Services menu, type 4 to select Access Control Lists. The Access Control Lists (ACL) menu is shown in Figure 95 on page 277. 3. From the Access Control Lists (ACL) menu, type 4 to select Show ACLs.
Chapter 15: Denial of Service Defense
This chapter contains procedures for configuring the switch to protect against denial of service (DoS) attacks.
Denial of Service Overview
The AT-S63 management software can help protect your switch against the following types of denial of service attacks: SYN Flood Attack, SMURF Attack, Land Attack, Teardrop Attack, Ping of Death Attack, IP Options Attack. The following subsections briefly describe each type of attack and the mechanism employed by the AT-S63 management software to protect your network.
This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes. A switch port defends against this form of attack by examining the destination addresses of ingress ICMP Echo (Ping) request packets and discarding those that contain a broadcast address as a destination address. Implementing this defense requires that you provide an IP address of a node on your network and a subnet mask.
happens when an ingress IP packet arrives on port 4: 1. When port 4 receives an ingress IP packet with a destination MAC address learned on uplink port 1, it examines the packet’s destination IP addresses before forwarding the packet. 2. If the destination IP address is local to the network, port 4 does not forward the packet to uplink port 1 because the port assumes that there is no reason for the packet to leave the network. Instead, it discards the packet. 3.
The switch port discards the fragment with the invalid offset and, for a one minute period, discards all ingress fragmented IP traffic. Because the CPU only samples the ingress IP traffic, this defense mechanism may catch some, though not necessarily all, of this form of attack. Caution This defense is extremely CPU intensive; use with caution. Unrestricted use can cause a switch to halt operations if the CPU becomes overwhelmed with IP traffic.
containing IP options received on a port. If the number exceeds 20 packets per second, the switch considers this a possible IP options attack and does the following: It sends an SNMP trap to the management stations. The switch port discards all ingress packets containing IP options for one minute. This defense mechanism does not involve the switch’s CPU. You can activate it on as many ports as you want without it impacting switch performance.
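The SMURF, Land and IP options defenses described above are per-port checks driven by the LAN IP subnet, the uplink port and a packet-rate threshold, and they can be modelled as such to see which packets each one discards. This is an added example, not Allied Telesyn code: it uses the 20 packets-per-second threshold and the one-minute discard period from the text, a recorded trap list standing in for the SNMP trap, and it includes the limited broadcast address 255.255.255.255 in the SMURF check as an assumption.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IP_OPTIONS_THRESHOLD = 20   # packets per second before an IP options attack is assumed
DISCARD_SECONDS = 60        # ingress packets with IP options are then discarded for one minute


@dataclass
class IPPacket:
    src_ip: str
    dst_ip: str
    dst_mac_on_uplink: bool = False   # destination MAC address was learned on the uplink port
    icmp_echo_request: bool = False
    has_ip_options: bool = False


class DosDefense:
    """Per-port SMURF, Land and IP options defenses for one LAN IP subnet."""

    def __init__(self, lan_ip: str, lan_mask: str, uplink_port: int, enabled_ports: Set[int]):
        self.lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
        self.uplink_port = uplink_port
        self.enabled_ports = enabled_ports
        self._options_per_second: Dict[Tuple[int, int], int] = defaultdict(int)
        self._blocked_until: Dict[int, int] = {}
        self.traps: List[str] = []    # stands in for SNMP traps sent to the management stations

    def is_smurf(self, pkt: IPPacket) -> bool:
        """ICMP Echo request addressed to the subnet's broadcast address."""
        dst = ipaddress.ip_address(pkt.dst_ip)
        # The limited broadcast 255.255.255.255 is included here as an assumption.
        return pkt.icmp_echo_request and dst in (self.lan.broadcast_address,
                                                 ipaddress.ip_address("255.255.255.255"))

    def is_land(self, port: int, pkt: IPPacket) -> bool:
        """Packet bound for the uplink port whose destination IP is local to the LAN subnet."""
        if port == self.uplink_port or not pkt.dst_mac_on_uplink:
            return False
        return ipaddress.ip_address(pkt.dst_ip) in self.lan

    def exceeds_options_rate(self, port: int, pkt: IPPacket, now: int) -> bool:
        """Count IP-options packets per second; above the threshold, discard them for a minute."""
        if port in self._blocked_until and now < self._blocked_until[port]:
            return pkt.has_ip_options     # only packets carrying IP options are discarded
        if not pkt.has_ip_options:
            return False
        self._options_per_second[(port, now)] += 1
        if self._options_per_second[(port, now)] > IP_OPTIONS_THRESHOLD:
            self._blocked_until[port] = now + DISCARD_SECONDS
            self.traps.append(f"port {port}: possible IP options attack")
            return True
        return False

    def process(self, port: int, pkt: IPPacket, now: int) -> str:
        """Return 'forward' or 'discard:<reason>' for an ingress packet; now is in seconds."""
        if port not in self.enabled_ports:
            return "forward"
        if self.is_smurf(pkt):
            return "discard:smurf"
        if self.is_land(port, pkt):
            return "discard:land"
        if self.exceeds_options_rate(port, pkt, now):
            return "discard:ip-options"
        return "forward"


if __name__ == "__main__":
    # Constructed setup: LAN 149.11.11.0/24 behind uplink port 26, defenses on ports 1 and 4.
    d = DosDefense("149.11.11.1", "255.255.255.0", uplink_port=26, enabled_ports={1, 4})
    print(d.process(4, IPPacket("149.11.11.7", "149.11.11.255", icmp_echo_request=True), 0))
    for _ in range(21):   # the 21st IP-options packet within one second trips the defense
        verdict = d.process(1, IPPacket("149.11.11.7", "10.1.1.9", has_ip_options=True), 100)
    print(verdict, d.traps)
```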
Configuring Denial of Service Defense
To configure DoS defense, perform the following procedure: 1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259. 2. From the Security Configuration menu, type 2 to select Denial of Service (DoS). The Denial of Service (DoS) menu is shown in Figure 100.
The LAN IP Subnet menu is shown in Figure 101.
Figure 101. LAN IP Subnet Menu. Options: 1 - IP Address (0.0.0.0), 2 - Subnet Mask (0.0.0.0), 3 - Uplink Port (26); R - Return to Previous Menu.
b. Type 1 to select IP Address.
The following prompt is displayed: Enter port-list: 5. Enter the port(s) where you want to activate the defense. Note If you plan to use the Teardrop defense, Allied Telesyn recommends activating it on only the uplink port and one other port. The defense is CPU intensive and can overwhelm the switch’s CPU. A menu is displayed containing either one or two options, depending on the DoS defense you selected.
Chapter 16: Quality of Service
This chapter describes Quality of Service (QoS).
Quality of Service Overview
Quality of Service enables you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN in the same manner. Without QoS, every traffic type is equally likely to be dropped if a link becomes oversubscribed.
flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. A policy contains traffic classes, flow groups, and classifiers. Therefore, to configure QoS, you: Create classifiers to sort packets into traffic flows. Create flow groups and add classifiers to them.
groups. Traffic is matched in the order of the flow groups. For example, if a traffic class has flow groups 1, 3, 2 and 5, this is the order in which the packets are matched. QoS controls at the flow group level provide a QoS hierarchy. Non-default flow group settings are always used, but if no setting is specified for a flow group, the flow group uses the settings for the traffic class to which it belongs.
Packet Processing / Bandwidth Allocation / Packet Prioritization
A policy may have many traffic classes. A policy may be assigned to many ports. A port may only have one policy. You can create a policy without assigning it to a port, but the policy will be inactive. A policy must have at least one action defined in the flow group, traffic class, or the policy itself. A policy without an action is invalid.
in the appropriate CoS queue for its VLAN tag User Priority field. If neither the traffic class / flow group priority nor the VLAN tag User Priority is set, the packet is sent to the default queue, queue 1. Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 6 on page 339.
DiffServ Domains
Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network or subnet that is managed as a single QoS unit.
classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain. Give each traffic class the priority and/or bandwidth limiting controls that are required for that type of packet within this part of the domain. Assign a DSCP value to each traffic class, to be written into the TOS field of the packet header. 2.
Examples
The following examples demonstrate how to implement QoS in three situations: “Voice Applications,” next; “Video Applications” on page 308; “Critical Database” on page 310.
Voice Applications
Voice applications typically require a small but consistent bandwidth. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority.
application. The components of the policies are shown in Figure 104.
Figure 104. Voice application policies:
Policy 6 - Create Classifier: 01 - Classifier ID: 22; 02 - Description: VoIP flow; 12 - Src IP Addr: 149.44.44.44; 13 - Src IP Mask: ...
Policy 11 - Create Classifier: 01 - Classifier ID: 23; 02 - Description: VoIP flow; 14 - Dst IP Addr: 149.44.44.44; 15 - Dst IP Mask: ...
Create Flow Group: 1 - Flow Group ID: 14; 2 -Description: ...
The parts of the policies are:
Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address because this classifier is part of a policy for packets coming from the application.
Video Applications
Video applications typically require a larger bandwidth than voice applications. Video applications can be set up to have a high priority and buffering, depending on the application. This example creates policies with low latency and jitter for video streams (for example, net conference calls). The policies in Figure 105 assign the packets a priority level of 4 and limit the bandwidth to 5 Mbps. The node containing the application has the IP address 149.44.
Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning packets coming from the application. The classifier for Policy 32 specifies the address as a destination address because this classifier is part of a policy concerning packets going to the application.
Critical Database
Critical databases typically require a high bandwidth. They also typically require less priority than either voice or video. The policies in Figure 106 assign 50 Mbps bandwidth, with no change to priority, to traffic going to and from a database. The database is located on a node with the IP address 149.44.44.44 on port 1 of the switch.
Figure 106. Critical database policies (Policy 15 and Policy 17): Create Classifier: 01 - Classifier ID: 42; 02 - Description: ...
Policy Component Hierarchy
The purpose of this example is to illustrate the hierarchy that exists among the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels: flow group, traffic class and policy.
Create Classifier
  01 - Classifier ID ..... 1
  14 - Dst IP Addr ....... 149.11.11.0
  15 - Dst IP Mask ....... 255.255.255.0

Create Classifier
  01 - Classifier ID ..... 2
  14 - Dst IP Addr ....... 149.22.22.0
  15 - Dst IP Mask ....... 255.255.255.0

Create Flow Group
  1 - Flow Group ID ...... 1
  3 - DSCP Value ......... 10
  6 - Classifier List .... 1,2

Create Traffic Class
  1 - Traffic Class ID ... 1
  5 - DSCP value ......... 30
  A - Flow Group List ....
Managing Flow Groups

This section contains the following procedures:

“Creating a Flow Group,” next
“Modifying a Flow Group” on page 315
“Deleting a Flow Group” on page 317
“Displaying Flow Groups” on page 318

Creating a Flow Group

To create a flow group, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2.
The Flow Group Configuration menu is shown in Figure 109.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Flow Group Configuration

1 - Create Flow Group
2 - Modify Flow Group
3 - Destroy Flow Group
4 - Show Flow Groups

R - Return to Previous Menu

Enter your selection?

Figure 109. Flow Group Configuration Menu

4. From the Flow Group Configuration menu, type 1 to select Create Flow Group.
optional, but recommended. Names can help you identify the groups on the switch.

3 - DSCP value
Specifies a replacement value to write into the DSCP (TOS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy. A DSCP value specified in a flow group overrides a DSCP value specified at the traffic class or policy level.
The Flow Group Configuration menu is shown in Figure 109 on page 314.

4. From the Flow Group Configuration menu, type 2 to select Modify Flow Group. The following prompt is displayed:

Available Flow Group(s): 0-10
Enter Flow Group ID : [0 to 1023] -> 0

5. Enter the ID number of the flow group you want to modify. You can modify only one flow group at a time. The Modify Flow Group menu is shown in Figure 111.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting a Flow Group

To delete a flow group, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 6 to select Quality of Service.
6. Type D to delete the flow group. The flow group is deleted from the switch. The group is removed from any traffic classes to which it is assigned.

7. To delete another flow group, repeat this procedure starting with step 4.

8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying Flow Groups

To display flow groups, perform the following procedure:

1.
5. To display the specifics of a flow group, type D to select Display Flow Group Details. The following prompt is displayed:

Available Flow Group(s): 0-10
Enter Flow Group ID : [0 to 1023] -> 0

6. Enter the ID number of the flow group you want to view. You can display only one flow group at a time. The Display Flow Group Details menu is shown in Figure 114.
Managing Traffic Classes

This section contains the following procedures:

“Creating a Traffic Class,” next
“Modifying a Traffic Class” on page 324
“Deleting a Traffic Class” on page 325
“Displaying Traffic Classes” on page 327

Creating a Traffic Class

To create a traffic class, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2.
The Create Traffic Class menu is shown in Figure 116.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Create Traffic Class

1 - Traffic Class ID ..........
2 - Description ...............
3 - Exceed Action .............
4 - Exceed Remark Value .......
5 - DSCP value ................
6 - Max bandwidth .............
7 - Burst Size ................
8 - Priority ..................
9 - Remark Priority ...........
5 - DSCP value
Specifies a replacement value to write into the DSCP (TOS) field of the packets. The range is 0 to 63. A new DSCP value can be set at all three levels: flow group, traffic class, and policy. A DSCP value specified in a flow group overrides a DSCP value specified at the traffic class or policy level. A DSCP value specified at the traffic class level is used only if no value has been specified at the flow group level.
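The precedence stated in “Policy Component Hierarchy” and in this parameter description, worked through in code. This is an added example and not AT-S63 code: the class and function names are the example's own, the objects are constructed from the hierarchy figure (classifiers 1 and 2 in flow group 1 with DSCP 10, inside traffic class 1 with DSCP 30), and the extra flow group, priorities and policy-level DSCP are constructed to show the fallback.

```python
# Added example, not AT-S63 code. Resolves the DSCP and 802.1p priority a
# matched packet ends up with under the precedence the guide states:
# DSCP is taken from the flow group, then the traffic class, then the
# policy; priority from the flow group, then the traffic class (it cannot
# be set at the policy level). None means "no value set at this level".
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _check_range(name: str, value: Optional[int], upper: int) -> None:
    # Reject values the switch would not accept (DSCP 0-63, priority 0-7).
    if value is not None and not 0 <= value <= upper:
        raise ValueError(f"{name} must be between 0 and {upper}, got {value}")


@dataclass
class FlowGroup:
    group_id: int
    classifiers: List[int]          # Classifier List: IDs of the classifiers
    dscp: Optional[int] = None      # 3 - DSCP value
    priority: Optional[int] = None  # flow-group level priority

    def __post_init__(self) -> None:
        _check_range("DSCP", self.dscp, 63)
        _check_range("priority", self.priority, 7)


@dataclass
class TrafficClass:
    class_id: int
    flow_groups: List[FlowGroup]    # Flow Group List
    dscp: Optional[int] = None      # 5 - DSCP value
    priority: Optional[int] = None  # 8 - Priority

    def __post_init__(self) -> None:
        _check_range("DSCP", self.dscp, 63)
        _check_range("priority", self.priority, 7)


@dataclass
class Policy:
    policy_id: int
    traffic_classes: List[TrafficClass]  # Traffic Class List
    dscp: Optional[int] = None           # 4 - DSCP value; no priority here

    def __post_init__(self) -> None:
        _check_range("DSCP", self.dscp, 63)


def _first_set(*values: Optional[int]) -> Optional[int]:
    # The highest-precedence level that actually carries a value wins.
    for value in values:
        if value is not None:
            return value
    return None


def effective_markings(policy: Policy, classifier_id: int) -> Tuple[Optional[int], Optional[int]]:
    """Return (dscp, priority) written into a packet matched by classifier_id.

    (None, None) means no flow group in the policy lists that classifier, so
    the policy does not touch the packet. None inside the tuple means the
    packet keeps the value it arrived with in that field."""
    for traffic_class in policy.traffic_classes:
        for flow_group in traffic_class.flow_groups:
            if classifier_id in flow_group.classifiers:
                dscp = _first_set(flow_group.dscp, traffic_class.dscp, policy.dscp)
                priority = _first_set(flow_group.priority, traffic_class.priority)
                return dscp, priority
    return None, None


# Constructed from the guide's hierarchy figure: classifiers 1 and 2 belong
# to flow group 1 (DSCP 10) inside traffic class 1 (DSCP 30). Flow group 2,
# the priorities and the policy-level DSCP are constructed to show fallback.
FLOW_GROUP_1 = FlowGroup(1, classifiers=[1, 2], dscp=10)
FLOW_GROUP_2 = FlowGroup(2, classifiers=[3], priority=5)
TRAFFIC_CLASS_1 = TrafficClass(1, [FLOW_GROUP_1, FLOW_GROUP_2], dscp=30, priority=2)
POLICY_1 = Policy(1, [TRAFFIC_CLASS_1], dscp=46)

# Constructed: a policy that sets DSCP only at the policy level.
POLICY_2 = Policy(2, [TrafficClass(2, [FlowGroup(3, classifiers=[4])])], dscp=8)

if __name__ == "__main__":
    for policy, classifier in ((POLICY_1, 1), (POLICY_1, 3), (POLICY_2, 4), (POLICY_1, 9)):
        print(f"policy {policy.policy_id}, classifier {classifier}:",
              effective_markings(policy, classifier))
```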
matches the number being used by the traffic. However, no unused tokens will accumulate in the bucket. If the traffic increases, the excess traffic will be discarded since no tokens are available for handling the increase. If the traffic is below the maximum bandwidth, unused tokens will accumulate in the bucket since the actual bandwidth falls below the specified maximum.
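The token-bucket behaviour described for Max bandwidth and Burst Size, simulated so the three cases (traffic at, above and below the rate) can be seen. This is an added example and not AT-S63 code; the units (rate in bits per second, burst and packet sizes in bytes, time in milliseconds), the 5 Mbps rate taken from the video example, the 2500-byte burst and the packet traces are all assumptions constructed for the example.

```python
# Added example, not AT-S63 code. A token-bucket meter that behaves the way
# the guide describes Max bandwidth and Burst Size: tokens arrive at the
# configured rate, unused tokens accumulate only while traffic is below that
# rate and never beyond the burst size, and a packet that finds too few
# tokens is discarded (Exceed Action of Drop). Units are an assumption:
# rate in bits per second, burst and packet sizes in bytes, time in whole
# milliseconds so the arithmetic stays exact.
from typing import List, Tuple


class TokenBucket:
    def __init__(self, max_bandwidth_bps: int, burst_size_bytes: int) -> None:
        if max_bandwidth_bps < 8000 or burst_size_bytes <= 0:
            raise ValueError("rate must be at least 8 kbps and burst positive")
        self.tokens_per_ms = max_bandwidth_bps // 8000   # bytes credited per ms
        self.capacity = burst_size_bytes                  # Burst Size
        self.tokens = burst_size_bytes                    # bucket starts full
        self.last_ms = 0
        self.forwarded = 0
        self.dropped = 0

    def _refill(self, now_ms: int) -> None:
        if now_ms < self.last_ms:
            raise ValueError("packet timestamps must not go backwards")
        # Credit tokens for the elapsed time, capped at the burst size: this is
        # the accumulation that only happens while traffic is below the rate.
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.tokens_per_ms)
        self.last_ms = now_ms

    def offer(self, now_ms: int, packet_bytes: int) -> bool:
        """True if the packet conforms and is forwarded, False if it is dropped."""
        self._refill(now_ms)
        if packet_bytes <= self.tokens:
            self.tokens -= packet_bytes
            self.forwarded += 1
            return True
        self.dropped += 1   # no tokens are available for the excess traffic
        return False


def meter_trace(max_bandwidth_bps: int, burst_size_bytes: int,
                trace: List[Tuple[int, int]]) -> List[bool]:
    """Run a list of (arrival_ms, packet_bytes) through a fresh bucket."""
    bucket = TokenBucket(max_bandwidth_bps, burst_size_bytes)
    return [bucket.offer(at_ms, size) for at_ms, size in trace]


# Constructed traces against the guide's 5 Mbps video rate (625 bytes/ms)
# with a 2500-byte burst; 1250-byte packets every 2 ms equal the rate.
AT_RATE = [(t, 1250) for t in (0, 2, 4, 6)]
ABOVE_RATE = [(t, 1250) for t in (0, 1, 2, 3, 4, 5)]
BELOW_THEN_BURST = [(0, 1250), (4, 1250), (8, 1250), (20, 1250), (20, 1250), (20, 1250)]

if __name__ == "__main__":
    for name, trace in (("at rate", AT_RATE), ("above rate", ABOVE_RATE),
                        ("below then burst", BELOW_THEN_BURST)):
        print(name, meter_trace(5_000_000, 2500, trace))
```

In the third trace the idle gap lets the bucket fill to the burst size, so two back-to-back packets pass and the third is dropped; that is the bound Burst Size places on how much accumulated credit can be spent at once.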
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying a Traffic Class

To modify a traffic class, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 313.
The Modify Traffic Class menu is shown in Figure 117.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Modify Traffic Class

1 - Traffic Class ID ..........
2 - Description ...............
3 - Exceed Action .............
4 - Exceed Remark Value .......
5 - DSCP value ................
6 - Max bandwidth .............
7 - Burst Size ................
8 - Priority ..................
9 - Remark Priority ...........
A - ...
B - ...
2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 313.

3. From the Quality of Service (QoS) menu, type 2 to select Traffic Class Configuration. The Traffic Class Configuration menu is shown in Figure 115 on page 320.

4. From the Traffic Class Configuration menu, type 3 to select Destroy Traffic Class.
7. To delete another traffic class, repeat this procedure starting with step 4.

8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Displaying Traffic Classes

To display the traffic classes, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.

2. From the Security and Services menu, type 6 to select Quality of Service.
6. When prompted, enter the ID number of the traffic class you want to view. You can display only one traffic class at a time. The Display Traffic Class Details menu is shown in Figure 120.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Display Traffic Class Details

1 - Traffic Class ID .......... 0
2 - Description ............... Video2
3 - Exceed Action ............. Drop
4 - Exceed Remark Value ....... 0
5 - DSCP value ......
Priority
The priority value in the IEEE 802.1p tag control field that traffic belonging to this traffic class is assigned.

Remark Priority
Replaces the user priority value in the packets with the Priority value.

Flow Group List
The flow groups to be assigned to the traffic class.
Managing Policies

This section contains the following procedures:

“Creating a Policy,” next
“Modifying a Policy” on page 332
“Deleting a Policy” on page 333
“Displaying Policies” on page 334

Creating a Policy

To create a policy, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2.
The Create Policy menu is shown in Figure 122.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Create Policy

1 - Policy ID ............
2 - Description ..........
3 - Remark DSCP ..........
4 - DSCP value ...........
5 - Traffic Class List ...
6 - Redirect Port ........
7 - Ingress Port List ....
8 - Egress Port ..........

C - Create Policy
R - Return to Previous Menu

Enter your selection?

Figure 122.
traffic classes must already exist. Separate multiple IDs with commas (e.g., 4,11,13).

6 - Redirect Port
Specifies the port to which the classified traffic from the ingress ports is redirected.

7 - Ingress Port List
Specifies the ingress ports to which the policy is to be assigned. Ports can be identified individually (for example, 5,7,22), as a range (for example, 18-23), or both (for example, 1,5,14-22). A port can be an ingress port of only one policy at a time.
Available Policy(ies): 0-4
Enter Policy ID : [0 to 255] -> 0

5. Enter the ID number of the policy you want to modify. You can modify only one policy at a time. The Modify Policy menu is shown in Figure 123.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Modify Policy

1 - Policy ID ............
2 - Description ..........
3 - Remark DSCP ..........
4 - DSCP value ...........
5 - Traffic Class List ...
The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 6 to select Quality of Service. The Quality of Service (QoS) menu is shown in Figure 108 on page 313.

3. From the Quality of Service (QoS) menu, type 3 to select Policy Configuration. The Policy Configuration menu is shown in Figure 121 on page 330.

4. From the Policy Configuration menu, type 3 to select Destroy Policy.
The Show Policies menu is shown in Figure 124.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Show Policies

Number of Policies: 4

ID  Description
-----------------------------------------------
0   P1-4 database
1   Main video
2   Dev eng
3   Alt video

D - Display Policy Details
U - Update Display
R - Return to Previous Menu

Enter your selection?

Figure 124. Show Policies Menu

5.
The Display Policy Details menu is shown in Figure 125.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Display Policy Details

1 - Policy ID ............
2 - Description ..........
3 - Remark DSCP ..........
4 - DSCP value ...........
5 - Traffic Class List ...
6 - Redirect Port ........
7 - Ingress Port List ....
8 - Egress Port ..........
Chapter 17
Class of Service

This chapter contains the procedures for configuring Class of Service (CoS).
Chapter 17: Class of Service

Class of Service Overview

When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations.
four egress queues of a switch port.

Table 6. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.1p Priority Level    Port Priority Queue
0                             Q1
1                             Q0
2                             Q0
3                             Q1
4                             Q2
5                             Q2
6                             Q3
7                             Q3

For example, if a tagged packet with a priority level of 3 entered a port on the switch, the switch would store the packet in the Q1 queue on the egress port.
Table 7. Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.1p Priority Level    Port Priority Queue
5                             Q3
6                             Q3
7                             Q3

The procedure for changing the default mappings is found in “Mapping CoS Priorities to Egress Queues” on page 346. Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.
Note
Scheduling is set at the switch level. You cannot set this on a per-port basis.

Strict Priority Scheduling

With this type of scheduling, a port transmits all packets out of higher priority queues before transmitting any from the lower priority queues. For instance, as long as there are packets in Q3 it does not handle any packets in Q2.
Q3 before moving to Q2, from which it transmits up to 10 packets, and so forth.
Configuring CoS

As explained in “Class of Service Overview” on page 338, a tagged packet received on a port is placed into one of four priority queues on the egress port according to the switch’s mapping of 802.1p priority levels to egress priority queues. The default mappings are shown in Table 6 on page 339.
The Class of Service (CoS) menu is shown in Figure 126.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Class of Service (CoS)

Number of CoS Queues: 4

1 - Configure Port CoS Priorities
2 - Map CoS Priority to Egress Queue
3 - Configure Egress Scheduling
4 - Show Port CoS Priorities

R - Return to Previous Menu

Enter your selection?

Figure 126.
5. Type 2 to select Priority (0 - 7). The following prompt is displayed:

Enter new value -> [0 to 7]

6. Enter a value from 1 to 7 that corresponds to the egress queue where you want all untagged frames received on the port to be stored. For example, if you want all ingress untagged packets received on the port stored in egress queue Q2, enter 4 or 5. The default is 0, which corresponds to Q0.
Mapping CoS Priorities to Egress Queues

This procedure explains how to change the default mappings of CoS priorities to egress priority queues, shown in Table 8 on page 341. This is set at the switch level. You cannot set this at the per-port level. To change the mappings, perform the following procedure.

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring Egress Scheduling

This procedure explains how to select and configure a scheduling method for Class of Service. Scheduling determines the order in which the ports handle packets in their egress queues. For an explanation of the two scheduling methods, refer to “Scheduling” on page 340. Scheduling is set at the switch level. You cannot set this on a per-port basis.

1. From the Main Menu, type 7 to select Security and Services.
5. If you select Weighted Round Robin Priority as the scheduling method, select menu options 2 through 5 and specify the maximum number of packets you want a port to transmit from each queue before it moves to the next queue. The range is 0 to 255. For an example, refer to Table 8 on page 341. The default value of 1 for each queue gives all egress queues the same weight.

6. Return to the Main Menu and type S to select Save Configuration Changes.
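The queueing and scheduling behaviour described in the overview (Table 6 mapping, strict priority, weighted round robin) and configured by the procedures above, modelled for one port. This is an added example and not AT-S63 code; the frame arrivals, the weights, the function names and the assumption that an untagged frame's port priority is looked up in the same mapping table as a tagged frame's priority are all the example's own.

```python
# Added example, not AT-S63 code. Models a switch port's four egress queues:
# tagged frames are queued by the guide's default 802.1p-to-queue mapping
# (Table 6), untagged frames by the port's configured priority (assumed
# here to go through the same table), and the queues are drained with either
# strict-priority or weighted round-robin scheduling. Frames, weights and
# function names are constructed for this example.
from collections import deque
from typing import Deque, Dict, List, Optional, Sequence, Tuple

NUM_QUEUES = 4
# Table 6: IEEE 802.1p priority level -> port priority queue number (Qn).
DEFAULT_PRIORITY_TO_QUEUE: Dict[int, int] = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def queue_for_frame(priority: Optional[int], untagged_port_priority: int = 0,
                    mapping: Dict[int, int] = DEFAULT_PRIORITY_TO_QUEUE) -> int:
    """Queue for one frame: priority is its 802.1p level, or None when the
    frame is untagged and therefore takes the port's configured priority."""
    level = untagged_port_priority if priority is None else priority
    if not 0 <= level <= 7:
        raise ValueError(f"802.1p priority must be 0-7, got {level}")
    return mapping[level]


def enqueue(frames: Sequence[Tuple[str, Optional[int]]], untagged_port_priority: int = 0,
            mapping: Dict[int, int] = DEFAULT_PRIORITY_TO_QUEUE) -> List[Deque[str]]:
    """Place (name, priority) frames into Q0..Q3 in arrival order."""
    queues: List[Deque[str]] = [deque() for _ in range(NUM_QUEUES)]
    for name, priority in frames:
        queues[queue_for_frame(priority, untagged_port_priority, mapping)].append(name)
    return queues


def strict_priority(queues: List[Deque[str]]) -> List[str]:
    """Empty Q3 completely before touching Q2, and so on down to Q0."""
    order: List[str] = []
    for q in range(NUM_QUEUES - 1, -1, -1):
        while queues[q]:
            order.append(queues[q].popleft())
    return order


def weighted_round_robin(queues: List[Deque[str]], weights: Sequence[int]) -> List[str]:
    """weights[q] is the most frames sent from Qq per pass (0-255, default 1).
    Each pass visits Q3 down to Q0; a queue with weight 0 is never served,
    so its frames are left in place rather than looping forever."""
    if len(weights) != NUM_QUEUES or any(not 0 <= w <= 255 for w in weights):
        raise ValueError("need one weight per queue, each 0-255")
    order: List[str] = []
    while any(queues):
        sent_this_pass = 0
        for q in range(NUM_QUEUES - 1, -1, -1):
            sent = 0
            while queues[q] and sent < weights[q]:
                order.append(queues[q].popleft())
                sent += 1
            sent_this_pass += sent
        if sent_this_pass == 0:
            break
    return order


# Constructed arrivals: (frame name, 802.1p priority or None for untagged).
FRAMES: List[Tuple[str, Optional[int]]] = [
    ("a", 7), ("b", 3), ("c", 0), ("d", 5), ("e", 1), ("f", 6), ("g", None)]

if __name__ == "__main__":
    # Port priority 4 for untagged frames, so "g" lands in Q2 under Table 6.
    print("strict     :", strict_priority(enqueue(FRAMES, untagged_port_priority=4)))
    print("wrr 1/1/1/1:", weighted_round_robin(enqueue(FRAMES, 4), [1, 1, 1, 1]))
    print("wrr Q3=2   :", weighted_round_robin(enqueue(FRAMES, 4), [1, 1, 1, 2]))
```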
Displaying Port CoS Priorities

The following procedure displays a menu that lists the current egress priority queue settings for each port.

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 5 to select Class of Service (CoS). The Class of Service (CoS) menu is shown in Figure 126 on page 344.

3.
Chapter 18
IGMP Snooping

This chapter explains how to activate and configure the Internet Group Management Protocol (IGMP) snooping feature on the switch.
Chapter 18: IGMP Snooping

IGMP Snooping Overview

The IGMP protocol enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a multicast group responds to a query by sending a report.
ports connected to host nodes. Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact switch and network performance.
Configuring IGMP Snooping

To configure IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 131.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Advanced Configuration

1 - IGMP Snooping Configuration
2 - RRP Snooping Configuration

R - Return to Previous Menu

Enter your selection?

Figure 131.
3. Adjust the following parameters as necessary:

1 - IGMP Snooping Status
Enables or disables IGMP snooping on the switch. After you choose this selection, type E to enable or D to disable this feature.

2 - Multicast Host Topology
Defines whether there is only one host node per switch port or multiple host nodes per port.
range within which a timeout can occur. Consequently, an actual timeout may occur earlier or later than the value that you enter. The range is from 0.7 to 1.4 times your value. For example, if you leave this parameter set to the default 260 seconds, a timeout can occur from 182 seconds to 364 seconds. Also, the last 10 seconds are not aged out regardless of the interval you set. You may need to take this information into account when setting this parameter.
Enabling or Disabling IGMP Snooping

To configure IGMP snooping on the switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 131 on page 354.

2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration. The IGMP Snooping Configuration menu is shown in Figure 132 on page 354.

3.
Displaying a List of Host Nodes

You can use the AT-S63 management software to display a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 131 on page 354.

2. From the Advanced Configuration menu, type 1 to select IGMP Snooping Configuration.
VLAN
The VID of the VLAN where the port is an untagged member.

Port/Trunk
The port on the switch where the host node is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.

HostIP
The IP address of the host node connected to the port.

IGMP Ver.
The version of IGMP used by the host.

Exp.
Displaying a List of Multicast Routers

A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S63 management software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration.
switch learned the router on a port trunk, the trunk ID number, not the port number, is displayed.

Router IP
The IP address of the multicast router.
Chapter 19
RRP Snooping

This chapter explains RRP snooping and contains the following sections:

“RRP Snooping Overview” on page 364
“Enabling or Disabling RRP Snooping” on page 366
Chapter 19: RRP Snooping

RRP Snooping Overview

The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one as the master router. This router functions as the provider of the primary path between LAN segments. Slave routers function as backup paths in the event that the master router or primary path fails.
The following guidelines apply to the RRP snooping feature:

The default setting for this feature is disabled.

Activating the feature flushes all dynamic MAC addresses from the MAC address table.

RRP snooping is supported on ports operating in the MAC security level of automatic. This feature is not supported on ports operating with a security level of limited, secured, or locked.
Enabling or Disabling RRP Snooping

To enable or disable RRP snooping on a switch, perform the following procedure:

1. From the Main Menu, type 6 to select Advanced Configuration. The Advanced Configuration menu is shown in Figure 131 on page 354.

2. From the Advanced Configuration menu, type 2 to select RRP Snooping Configuration. The RRP Snooping Configuration menu is shown in Figure 135.
Section III
SNMPv3

The chapter in this section provides information and procedures for SNMPv3.
Section III: SNMPv3
Chapter 20
SNMPv3

This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. In addition, the chapter contains procedures that allow you to create and modify SNMPv3 entities.
Chapter 20: SNMPv3

SNMPv3 Overview

The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation, which is described in Chapter 4, “SNMPv1 and SNMPv2c” on page 75. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. In addition, SNMP terminology changes in the SNMPv3 protocol. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used.
“SNMPv3 Configuration Example” on page 378

SNMPv3 Authentication Protocols

The SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protocols use keys to perform authentication.
SNMPv3 MIB Views

The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 136.
MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address. In a similar way, the subtree mask further refines the subtree view and enables you to restrict a MIB view to a specific row of the OID MIB table.
Level, Privacy Protocol and Group—with the type of message and the host IP address.

SNMPv3 Tables

The SNMPv3 configuration is divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol.
Configure SNMPv3 Notify Table
Configure SNMPv3 Target Address Table
Configure SNMPv3 Target Parameters Table

You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address that is used for notification in the Configure SNMPv3 Target Address Table. This is the IP address of the SNMPv3 host.
“SNMPv3 Target Parameters Table” on page 377
“SNMPv3 Community Table” on page 377

SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 SecurityToGroup Table

The Configure SNMPv3 SecurityToGroup Table menu allows you to associate a User Name with a security group called a Group Name. The User Name is previously configured with the Configure SNMPv3 User Table menu. The security group is previously configured with the Configure SNMPv3 Access Table menu. Lastly, you can configure a storage type for this table entry which allows you to save the entry to flash memory.
Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table. See “Configuring the SNMPv3 Community Table” on page 455.

Note
Allied Telesyn recommends that you use the procedures described in Chapter 4, “SNMPv1 and SNMPv2c” on page 75 to configure the SNMPv1 and SNMPv2c protocols.

SNMPv3 Configuration Example

You may want to have two classes of SNMPv3 users—Managers and Operators.
Configuring SNMPv3 Entities

This section describes how to configure SNMPv3 entities using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see “SNMPv3 Overview” on page 370.
Configuring the SNMPv3 User Table

This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in an SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table menu is shown in Figure 139.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Configure SNMPv3 Table

1 - SNMP Engine...............
5. To create a new user table, type 1 to select Create SNMPv3 Table Entry. The following prompt is displayed:

Enter User (Security) Name:

6. Enter a descriptive name of the user. You can enter a name that consists of up to 32 alphanumeric characters. The following prompt is displayed:

Enter Authentication Protocol [M-MD5, S-SHA, N-None]:

7. Enter one of the following:

M-MD5
This value represents the MD5 authentication protocol.
You are prompted to re-enter the password. The following prompt is displayed:

Enter Privacy Protocol [D-DES, N-None]:

Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.

9. Select one of the following options:

D - DES
Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry.
allowing you to save your changes. Allied Telesyn recommends this storage type.

Note
The Row Status parameter is a read-only field. The Active value indicates the SNMPv3 User Table entry takes effect immediately.

12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 User Table Entry

You may want to delete an entry from the SNMPv3 User Table.
“Modifying the Privacy Protocol and Password” on page 387
“Modifying the Storage Type” on page 388

Modifying the Authentication Protocol and Password

To modify the Authentication Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.

7. Follow steps 1 through 5 in the procedure described in “Configuring the SNMPv3 User Table” on page 380. Or, from the Main Menu type 5->1->1->8->5.
11. Enter the User Name of the User Table you want to modify. The following prompt is displayed:

Enter Authentication Protocol [M-MD5, S-SHA, N-None]:

12. Enter one of the following:

M-MD5
This value represents the MD5 authentication protocol. With this selection, users (SNMP entities) are authenticated with the MD5 authentication protocol after a message is received. This algorithm generates the message digest.
Re-enter Privacy password:

16. Re-enter the password.

17. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Privacy Protocol and Password

To modify the Privacy Protocol and Password in an SNMPv3 User Table entry, perform the following procedure.

Note
You can only configure the Privacy Protocol if you have configured the Authentication Protocol with the MD5 or SHA values.
messages transmitted between the host and the switch are encrypted with the DES protocol.

N - None
Select this value if you do not want a privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are not encrypted.

If you select None, proceed to step 9. If you select DES, the following prompt is displayed:

Enter Privacy Password:

7. Enter a privacy password of up to 32 alphanumeric characters.
5. Enter the User Name. The following prompt is displayed:

Enter Storage Type [V-Volatile, N-NonVolatile]:

6. Select one of the following storage types for this table entry:

V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory.
Configuring the SNMPv3 View Table

This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters:

Subtree OID
Subtree Mask
MIB OID Table View

To configure the SNMPv3 View Table, you need to be very familiar with the OID table. You can be very specific about the view a user can or cannot access—down to a column or row of the table.
The Configure SNMPv3 View Table menu is shown in Figure 142.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63
Marketing                               User: Manager   11:20:02 02-Mar-2005

Configure SNMPv3 View Table

View Name ................. internet
Subtree OID ............... 1.3.6.
Subtree Mask ..............
View Type .................
Storage Type ..............
Row Status ................
tcp
The following prompt is displayed:
Enter Subtree Mask (Hex format):
6. Enter a subtree mask in hexadecimal format. This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The relationship between a subtree mask and a subtree is similar to the relationship between an IP address and a subnet mask. The subnet mask further refines the IP address.
N-NonVolatile
Select this storage type if you want the ability to save an entry in the SNMPv3 View Table to the configuration file. After making changes to an SNMPv3 View Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.
Note
The Row Status parameter is a read-only field.
6. Enter Y to delete the view or N to save the view.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 View Table Entry
This section describes how to modify parameters in an SNMPv3 View Table entry.
The Modify SNMPv3 View Table menu is shown in Figure 143.
[Figure 143: Modify SNMPv3 View Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status. Sample entry: tcp, 1.3.6.1.2.1.]
This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. A subtree mask and a subtree have a similar relationship as an IP address and a subnet mask. The subnet mask further refines the IP address. In the same way, the OID table entry defines a MIB View and the subtree mask further restricts a user’s view to a specific column and row of the MIB View.
The following prompt is displayed:
Enter View Subtree (OID format/Text Name):
6. Enter the View Subtree value for this View Name. You can enter either a numeric value in hex format or the equivalent text name. For example, the OID hex format for TCP/IP is:
1.3.6.1.2.1.6
The text format for TCP/IP is:
tcp
The following prompt is displayed:
Enter View Type [I-Included, E-Excluded]:
7.
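The subtree and subtree mask relationship described above, worked through in Python as an added example that is not part of this guide, assuming the switch applies the standard VACM mask rules of RFC 3415: a 1 bit pins a sub-identifier, a 0 bit wildcards it, and the most specific matching family decides whether an OID is Included or Excluded. The view names, the ifTable row restriction and the mask value FFA0 are constructed for the example; "internet" and "tcp" are the two text names the guide itself shows.

```python
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]

# Text names accepted in place of numeric OIDs (constructed lookup for the example).
OID_NAMES = {
    "internet": "1.3.6.1",
    "tcp": "1.3.6.1.2.1.6",
}


def parse_oid(value: str) -> OID:
    """Accept either the numeric form (1.3.6.1.2.1.6) or a text name (tcp)."""
    value = OID_NAMES.get(value.strip(), value.strip())
    return tuple(int(part) for part in value.strip(".").split("."))


def parse_mask(hex_mask: str) -> Tuple[int, ...]:
    """Turn the value typed at 'Enter Subtree Mask (Hex format)' into bits, MSB first."""
    hex_mask = hex_mask.strip().replace(":", "")
    if not hex_mask:
        return ()
    return tuple((byte >> (7 - i)) & 1 for byte in bytes.fromhex(hex_mask) for i in range(8))


@dataclass(frozen=True)
class ViewEntry:
    """One row of the SNMPv3 View Table."""
    view_name: str
    subtree: OID
    mask: Tuple[int, ...]   # empty mask: every sub-identifier of the subtree must match
    included: bool          # View Type: True for I-Included, False for E-Excluded


def family_matches(entry: ViewEntry, oid: OID) -> bool:
    """RFC 3415 family test: a 1 bit means the sub-identifier must match exactly,
    a 0 bit is a wildcard, and bits beyond the end of the mask count as 1."""
    if len(oid) < len(entry.subtree):
        return False
    for i, sub_id in enumerate(entry.subtree):
        bit = entry.mask[i] if i < len(entry.mask) else 1
        if bit and oid[i] != sub_id:
            return False
    return True


def oid_in_view(entries: List[ViewEntry], view_name: str, oid: OID) -> bool:
    """Is the OID visible through the named view? The most specific matching
    family (longest subtree, then lexicographically greatest) decides."""
    candidates = [e for e in entries if e.view_name == view_name and family_matches(e, oid)]
    if not candidates:
        return False
    best = max(candidates, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed View Table: "mgmt-view" exposes the internet subtree but hides the
# tcp group; "port5-view" exposes only row 5 of the standard ifTable (ifEntry is
# 1.3.6.1.2.1.2.2.1) whatever the column: the 0 placeholder in the subtree is
# wildcarded by the 0 bit of mask FFA0, while the row index 5 must still match.
VIEW_TABLE = [
    ViewEntry("mgmt-view", parse_oid("internet"), (), True),
    ViewEntry("mgmt-view", parse_oid("tcp"), (), False),
    ViewEntry("port5-view", parse_oid("1.3.6.1.2.1.2.2.1.0.5"), parse_mask("FFA0"), True),
]


def visibility_report(entries: List[ViewEntry]) -> dict:
    """Evaluate a few constructed OIDs against the table; keys are 'view:oid'."""
    checks = [
        ("mgmt-view", "1.3.6.1.2.1.1.1.0"),        # sysDescr.0: under internet, not under tcp
        ("mgmt-view", "1.3.6.1.2.1.6.13.1.3"),     # a tcpConnTable object: tcp family wins, excluded
        ("port5-view", "1.3.6.1.2.1.2.2.1.10.5"),  # ifInOctets.5: column wildcarded, row matches
        ("port5-view", "1.3.6.1.2.1.2.2.1.10.6"),  # ifInOctets.6: wrong row
        ("port5-view", "1.3.6.1.2.1.2.2.1.10"),    # no row index at all: shorter than the subtree
    ]
    return {f"{v}:{o}": oid_in_view(entries, v, parse_oid(o)) for v, o in checks}


if __name__ == "__main__":
    for key, visible in visibility_report(VIEW_TABLE).items():
        print(f"{key:45} {'included' if visible else 'excluded'}")
```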
The Modify SNMPv3 Table menu is shown in Figure 143 on page 395.
4. To modify the storage type, type 3 to select Set Storage Type. The following prompt is displayed:
Enter View Name:
5. Enter the View Name you want to modify. The following prompt is displayed:
Enter View Subtree (OID format/Text Name):
6. Enter the View Subtree for this View Name. The following prompt is displayed:
Enter Storage Type [V-Volatile, N-Nonvolatile]:
7.
Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See “Creating an SNMPv3 SecurityToGroup Table Entry” on page 414.
The Configure SNMPv3 Access Table menu is shown in Figure 144.
[Figure 144: Configure SNMPv3 Access Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status. Sample entry: Group Name softwareengineering, Read View internet, Write View tcp, Notify View tcp.]
Note
The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Select one of the following SNMP protocols as the Security Model for this Group Name.
1-v1
Select this value to associate the Group Name with the SNMPv1 protocol.
P-AuthPriv
This option represents authentication and the privacy protocol. Select this security level to encrypt messages using a privacy protocol and authenticate SNMP entities. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Enter Read View Name:
7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table.
N-NonVolatile
Select this storage type if you want the ability to save an entry in the SNMPv3 Access Table to the configuration file. After making changes to an SNMPv3 Access Table entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.
Note
The Row Status parameter is a read-only field.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Enter the Security Model of this Group Name. Select one of the following security models:
1-v1
Select this value to associate the Group Name with the SNMPv1 protocol.
2-v2c
Select this value to associate the Group Name with the SNMPv2c protocol.
3-v3
Select this value to associate the Group Name with the SNMPv3 protocol.
Do you want to delete this table entry?(Y/N):[Yes/No]->
7. Enter Y to delete the entry or N to save the entry.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an SNMPv3 Access Table Entry
This section describes how to modify parameters in an SNMPv3 Access Table entry.
3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Access Table is shown in Figure 145.
[Figure 145: Modify SNMPv3 Access Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type; menu options 1 to 4 (Set ...). Sample values: sales, systemmanagers, salespeople, salespeople.]
3-v3
Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol.
To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table. The Configure SNMPv3 Access Table is shown in Figure 144 on page 400.
3.
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table. The Configure SNMPv3 Access Table is shown in Figure 144 on page 400.
3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 4 to select Configure SNMPv3 Access Table. The Configure SNMPv3 Access Table is shown in Figure 144 on page 400.
3. From the Configure SNMPv3 Access Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Table menu is shown in Figure 145 on page 406.
4. To modify the Storage Type parameter, type 4 to select Set Storage Type.
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Note
If you have selected SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only security level you can select.
A-AuthNoPriv
This option represents authentication, but no privacy protocol.
Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table menu while the Group Name is configured in the Configure SNMPv3 Access Table menu.
The Configure SNMPv3 SecurityToGroup Table menu is shown in Figure 146.
[Figure 146: Configure SNMPv3 SecurityToGroup Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Security Model, Security Name, Group Name, Storage Type, Row Status.]
3-v3
Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
6. Enter a Group Name that you configured in the SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 399. There are four default values for this field:
defaultV1GroupReadOnly
defaultV1GroupReadWrite
defaultV2cGroupReadOnly
defaultV2cGroupReadWrite
These values are reserved for SNMPv1 and SNMPv2c implementations.
Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, the entry. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure:
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380.
3-v3
Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N):[Yes/No]->
6. Enter Y to delete this SecurityToGroup entry or N to save the entry.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The Modify SecurityToGroup Table is displayed as shown in Figure 146.
[Figure 146: Modify SNMPv3 SecurityToGroup Table menu (Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63, Marketing, User: Manager, 11:20:02 02-Oct-2004). Fields: Security Model, Security Name, Group Name, Storage Type, Row Status.]
3-v3
Select this value to associate the User Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See “Creating an SNMPv3 Access Table Entry” on page 399.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the Security Model configured for this User Name. You cannot change the value of the Security Model parameter. Select one of the following SNMP protocols:
1-v1
Select this value if this User Name is configured with the SNMPv1 protocol.
2-v2c
Select this value if this User Name is configured with the SNMPv2c protocol.
3-v3
Select this value if this User Name is configured with the SNMPv3 protocol.
Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table menu allows you to define a name for sending traps. For each Notify Name, you define whether a trap or inform message is sent. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table menu is shown in Figure 148.
[Figure 148: Configure SNMPv3 Notify Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status.]
I-Inform
Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the host.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
The Configure SNMPv3 Notify Table menu is shown in Figure 148 on page 423.
Note
To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Notify Name:
4. Enter a Notify Name.
3. From the Configure SNMPv3 Notify Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Notify Table menu is shown in Figure 149.
[Figure 149: Modify SNMPv3 Notify Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status.]
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 6 to select Configure SNMPv3 Notify Table.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 6 to select Configure SNMPv3 Notify Table. The Configure SNMPv3 Notify Table menu is shown in Figure 148 on page 423.
3. From the Configure SNMPv3 Notify Table menu, type 3 to select Modify SNMPv3 Table Entry.
Configuring the SNMPv3 Target Address Table
This section contains a description of the SNMPv3 Target Address Table menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.
The Configure SNMPv3 Target Address Table menu is shown in Figure 150.
[Figure 150: Configure SNMPv3 Target Address Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Sample entry:
Target Addr Name ... host451
Target Parameters .. SNMPmanagerPC
IP Address ......... 198.35.11.1
Storage Type ....... NonVolatile
Tag List ...........
Timeout ..... 1500
Retries ..... 3
UDP Port# ... 162
Row Status ..]
The following prompt is displayed:
Enter Timeout (10mS): [0 to 2147483647]-> 1500
7. Enter a timeout value in milliseconds. When an Inform message is generated, a response from the switch is required. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file. After making changes to an SNMPv3 Target Address Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
N-NonVolatile
Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file.
3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry. The following prompt is displayed:
Enter Target Address Name:
4. Enter a Target Address Name. The following prompt is displayed:
Do you want to delete this table entry?(Y/N):[Yes/No]->
5. Enter Y to delete the SNMPv3 Target Address Table entry or N to save the entry.
6. After making changes, type R until you return to the Main Menu.
The Configure SNMPv3 Target Address Table menu is shown in Figure 150 on page 430.
3. From the Configure SNMPv3 Target Address Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Address Table menu is shown in Figure 151.
[Figure 151: Modify SNMPv3 Target Address Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Target Addr Name, Target Parameters, IP Address, Storage Type, Tag List.]
Use the following format for an IP address:
XXX.XXX.XXX.XXX
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address UDP Port
To modify the Target Address UDP Port parameter in an SNMPv3 Target Address Table entry, perform the following procedure:
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Timeout
The Target Address Timeout parameter only applies when the message type is an Inform message. To modify the Target Address Timeout parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380.
Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Retries
The Target Address Retries parameter only applies when the message type is an Inform message.
The range is 0 to 255 retries. The default is 3 retries.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Address Tag List
To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Target Parameters Field
To modify the Target Parameters field in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2.
N-NonVolatile
Select this storage type if you want the ability to save an entry in the SNMPv3 Target Address Table to the configuration file. After making changes to an SNMPv3 Target Address entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes. Allied Telesyn recommends this storage type.
7. After making changes, type R until you return to the Main Menu.
Configuring the SNMPv3 Target Parameters Table
This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table menu and Configure SNMPv3 Target Address Table menu.
Creating an SNMPv3 Target Parameters Table Entry
“Deleting an SNMPv3 Target Parameters Table Entry” on page 446
“Modifying an SNMPv3 Target Parameters Table Entry” on page 447
To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5.
Note
You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model. If you select the SNMPv3 protocol as the Security Model, then the Message Processing Model is automatically assigned to SNMPv3.
The following prompt is displayed:
Enter User (Security) Name:
5. Enter a User Name. The value of this parameter is previously configured with the Configure SNMPv3 User Table.
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP entities and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Note
If you have selected SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only security level you can select.
A-AuthNoPriv
This option represents authentication, but no privacy protocol.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Target Parameters Table Entry
You may want to delete an entry from the SNMPv3 Target Parameters Table. When you delete an SNMPv3 Target Parameters Table entry, there is no way to undelete, or recover, the entry. To delete an entry in the SNMPv3 Target Parameters Table, perform the following procedure:
1.
Modifying an SNMPv3 Target Parameters Table Entry
This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables. For a more detailed explanation, see “Creating an SNMPv3 Target Parameters Table Entry” on page 443.
When you modify the Security Name parameter, you must use a value that you configured with the User Name parameter in the Configure SNMPv3 User Table menu. If you do not use a value configured with the User Name parameter, messages are not sent on behalf of this User Name. See “Creating an SNMPv3 User Table Entry” on page 380.
To modify the Security Name parameter in an SNMPv3 Target Parameter Table entry, perform the following procedure.
1.
4. To change the Security Name parameter, type 1 to select Set Security Name. The following prompt is displayed:
Enter Target Parameters Name:
5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:
Enter User (Security) Name:
6. Enter a User Name. Enter a value that you previously configured with the Configure SNMPv3 User Table menu.
The Configure SNMPv3 Target Parameters Table menu is shown in Figure 152.
3. From the Configure SNMPv3 Target Parameters Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table menu is shown in Figure 153 on page 448.
4. To change the Security Model, type 2 to select Security Model. The following prompt is displayed:
Enter Target Parameters Name:
5. Enter a previously configured Target Parameters Name.
5->1->1->8->5. The Configure SNMPv3 Table menu is shown in Figure 139 on page 381.
2. From the Configure SNMPv3 Table menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table menu is shown in Figure 152.
3. From the Configure SNMPv3 Target Parameters Table menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table menu is shown in Figure 153 on page 448.
4.
A-AuthNoPriv
This option represents authentication, but no privacy protocol. Select this security level if you want to authenticate SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
P-AuthPriv
This option represents authentication and the privacy protocol. Select this security level to encrypt messages using a privacy protocol and authenticate SNMP entities.
5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:
Enter Message Processing Model[1-v1,2-v2c,3-v3]:
6. Select the SNMP protocol that is used to process, or send, messages:
1-v1
Select this value to process messages with the SNMPv1 protocol.
5. Enter a previously configured Target Parameters Name. Enter a value of up to 32 alphanumeric characters. The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
6. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 Target Parameters Table to the configuration file.
Configuring the SNMPv3 Community Table
This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables. Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities.
Security Name
Transport Tag
Storage Type
In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community menu in the Configure SNMPv3 Community Table menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table menu. There are three functions you can perform with the Configure SNMPv3 Community Table menu.
The Configure SNMPv3 Community Table menu is shown in Figure 154.
[Figure 154: Configure SNMPv3 Community Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status.]
The following prompt is displayed:
Enter Security Name:
6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters.
Note
Do not use a value configured with the User Name parameter in the SNMPv3 User Table.
The following prompt is displayed:
Enter Transport Tag:
7. Enter a name of up to 32 alphanumeric characters for the Transport Tag.
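The dependencies between the SNMPv3 tables that this chapter spells out one prompt at a time (a Privacy Protocol needs an MD5 or SHA Authentication Protocol, an SNMPv1 or SNMPv2c group may only be NoAuthNoPriv, Access Table views must exist in the View Table, SecurityToGroup and Target Parameters entries must name configured users and groups, Target Address entries must name configured Target Parameters, and a Community Table Security Name must not reuse a User Name) can be checked before they are typed into the menus. The following Python checker is an added example, not part of this guide or of AT-S63: the table layouts and the sample configuration are constructed, and the one check of a user's own auth/priv settings against its group's Security Level follows from VACM rather than from a rule in this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The four Group Names the guide reserves for SNMPv1/SNMPv2c use.
DEFAULT_GROUPS = {"defaultV1GroupReadOnly", "defaultV1GroupReadWrite",
                  "defaultV2cGroupReadOnly", "defaultV2cGroupReadWrite"}
LEVEL_RANK = {"NoAuthNoPriv": 0, "AuthNoPriv": 1, "AuthPriv": 2}  # VACM ordering


@dataclass(frozen=True)
class User:                  # SNMPv3 User Table entry
    name: str
    auth: Optional[str]      # "MD5", "SHA", or None for N-None
    priv: Optional[str]      # "DES", or None for N-None


@dataclass(frozen=True)
class Group:                 # SNMPv3 Access Table entry; "" means no view assigned
    name: str
    model: str               # "v1", "v2c" or "v3"
    level: str               # "NoAuthNoPriv", "AuthNoPriv" or "AuthPriv"
    read_view: str
    write_view: str
    notify_view: str


@dataclass(frozen=True)
class Config:
    users: List[User]
    views: Set[str]                # View Names present in the View Table
    groups: List[Group]
    sec_to_group: Dict[str, str]   # SecurityToGroup: User Name -> Group Name
    target_params: Dict[str, str]  # Target Parameters Name -> User (Security) Name
    target_addrs: Dict[str, str]   # Target Address Name -> Target Parameters Name
    communities: Dict[str, str]    # Community Index -> Security Name


def user_level(u: User) -> int:
    """Highest Security Level a User Table entry can actually operate at."""
    if u.auth is None:
        return 0
    return 2 if u.priv is not None else 1


def check_config(cfg: Config) -> List[str]:
    """Return one message per cross-table inconsistency (an empty list means consistent)."""
    problems: List[str] = []
    users = {u.name: u for u in cfg.users}
    for u in cfg.users:
        # Privacy Protocol may only be set once an MD5 or SHA Authentication Protocol exists.
        if u.priv is not None and u.auth not in ("MD5", "SHA"):
            problems.append(f"user {u.name}: privacy {u.priv} set without MD5/SHA authentication")
    groups = {g.name: g for g in cfg.groups}
    for g in cfg.groups:
        # With SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only level you can select.
        if g.model in ("v1", "v2c") and g.level != "NoAuthNoPriv":
            problems.append(f"group {g.name}: level {g.level} is not allowed with {g.model}")
        for role, view in (("read", g.read_view), ("write", g.write_view), ("notify", g.notify_view)):
            if view and view not in cfg.views:   # views must come from the View Table
                problems.append(f"group {g.name}: {role} view {view!r} is not in the View Table")
    for user_name, group_name in cfg.sec_to_group.items():
        if user_name not in users:
            problems.append(f"SecurityToGroup {user_name}: no such User Table entry")
        elif group_name not in groups and group_name not in DEFAULT_GROUPS:
            problems.append(f"SecurityToGroup {user_name}: group {group_name!r} is not in the Access Table")
        elif group_name in groups and user_level(users[user_name]) < LEVEL_RANK[groups[group_name].level]:
            # VACM consequence rather than a rule the guide states: a user whose own
            # auth/priv settings fall below the group's Security Level can never use it.
            problems.append(f"SecurityToGroup {user_name}: user cannot reach level "
                            f"{groups[group_name].level} of group {group_name}")
    for tp_name, sec_name in cfg.target_params.items():
        # A Target Parameters Security Name that is not a User Name sends no messages.
        if sec_name not in users:
            problems.append(f"target parameters {tp_name}: security name {sec_name!r} is not a User Table entry")
    for ta_name, tp_name in cfg.target_addrs.items():
        if tp_name not in cfg.target_params:
            problems.append(f"target address {ta_name}: target parameters {tp_name!r} do not exist")
    for index, sec_name in cfg.communities.items():
        # A Community Table Security Name must not reuse an SNMPv3 User Name.
        if sec_name in users:
            problems.append(f"community {index}: security name {sec_name!r} collides with a User Table entry")
    return problems


# Constructed sample configuration containing nine deliberate mistakes.
SAMPLE = Config(
    users=[User("manager", "SHA", "DES"), User("monitor", "MD5", None), User("legacy", None, "DES")],
    views={"internet", "tcp"},
    groups=[Group("systemmanagers", "v3", "AuthPriv", "internet", "internet", "internet"),
            Group("salespeople", "v3", "AuthNoPriv", "tcp", "", "tcp"),
            Group("oldreaders", "v2c", "AuthNoPriv", "internet", "", ""),
            Group("badview", "v3", "AuthPriv", "mib2", "", "")],
    sec_to_group={"manager": "systemmanagers", "monitor": "systemmanagers",
                  "ghost": "salespeople", "legacy": "nosuchgroup"},
    target_params={"SNMPmanagerPC": "manager", "orphanParams": "nobody"},
    target_addrs={"host451": "SNMPmanagerPC", "host452": "missingParams"},
    communities={"public-ro": "publicuser", "bad-comm": "manager"},
)

if __name__ == "__main__":
    for problem in check_config(SAMPLE):
        print("PROBLEM:", problem)
```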
Note
The Row Status parameter is a read-only field. The Active value indicates the SNMPv3 Community Table entry takes effect immediately.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting an SNMPv3 Community Table Entry
You may want to delete an entry from the SNMPv3 Community Table.
Modifying an SNMPv3 Community Table Entry
For each entry in the SNMPv3 Community Table, you can modify the following parameters:
Community Name
Security Name
Transport Tag
Storage Type
However, you cannot modify the Community Index parameter. Although you can display the SNMPv1 and SNMPv2c configuration created with the procedures described in “Creating an SNMP Community String” on page 81, you cannot modify these Community Table entries with the SNMPv3 Tables.
The Modify SNMPv3 Community Table menu is shown in Figure 155.
[Figure 155: Modify SNMPv3 Community Table menu (Allied Telesyn Ethernet Switch AT-94xx - AT-S63, Marketing, User: Manager, 11:20:02 02-Mar-2005). Fields: Community Index, Community Name, Security Name, Transport Tag, Storage Type, Row Status.]
Modifying the Security Name

To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:

1. Follow steps 1 through 5 in the procedure described in “Creating an SNMPv3 User Table Entry” on page 380. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table menu is displayed as shown in Figure 139 on page 381.

2. From the Configure SNMPv3 Table menu, type 9 to select Configure SNMPv3 Community Table.
The Configure SNMPv3 Table menu is displayed as shown in Figure 139 on page 381.

2. From the Configure SNMPv3 Table menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table menu is shown in Figure 154 on page 457.

3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table menu is shown in Figure 155 on page 461.

4.
3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 155 on page 461.

4. To change the Storage Type, type 4 to select Set Storage Type. The following prompt is displayed:

    Enter Community Index:

5. Enter the Community Index of the Storage Type you want to change. The following prompt is displayed:

    Enter Storage type [V-volatile, N-NonVolatile]:

6.
Displaying SNMPv3 Table Menus

The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table menu is shown in Figure 156.
Display SNMPv3 User Table Menu” on page 465. Or, from the Main menu type 5->1->1->8->6.

2. From the Display SNMPv3 Table menu, type 2 to select Display SNMPv3 View Table. The Display SNMPv3 View Table menu is shown in Figure 158.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Display SNMPv3 View Table

    View Name ...................
    Subtree OID .................
    Subtree Mask ................
    View Type ....
The Display SNMPv3 Access Table menu is shown in Figure 159.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Display SNMPv3 Access Table

    Group Name .... technicalsales
    Context Prefix.
    Read View...... internet
    Write View ....
    Notify View ...
    Security Model .
    Security Level .
    Context Match ..
    Storage Type ...
    Row Status .....
The Display SNMPv3 SecurityToGroup Table menu is shown in Figure 160.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Display SNMPv3 SecurityToGroup Table

    Security Model.................
    Security Name .................
    Group Name ....................
    Storage Type ..................
    Row Status ....................
Displaying the Display SNMPv3 Target Address Table Menu

This section describes how to display the Display SNMPv3 Target Address Table menu. For information about the SNMPv3 Target Address Table parameters, see “Creating an SNMPv3 Target Address Table Entry” on page 429.

To display the Display SNMPv3 Target Address Table menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in “Displaying the Display SNMPv3 User Table Menu” on page 465.
The Display SNMPv3 Target Parameters Table menu is shown in Figure 160.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Display SNMPv3 Target Parameters Table

    Target Parameters Name ...
    Message Processing Model .
    Security Model ...........
    Security Name ............
    Security Level ...........
    Storage Type .............
    Row Status ...............
The Display SNMPv3 Community Table menu is shown in Figure 160.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Display SNMPv3 Community Table

    Community Index ........ atiindex14
    Community Name ......... sunnyvale
    Security Name .......... hoa
    Transport Tag........... sampletag14
    Storage Type ........... NonVolatile
    Row Status ............. Active

    U - Update Display
    R - Return to Previous Menu

    Enter your selection?

Figure 164.
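The chain of lookups that these tables implement, as an added example (not code from the AT-S63 guide): the Community Table maps an SNMPv1/v2c community name to a Security Name, the SecurityToGroup Table maps the (security model, Security Name) pair to a Group Name, the Access Table maps the group to its read, write and notify views, and the View Table lists the OID subtrees (with masks) each view covers. The rows reuse names shown in Figures 159 and 164 (atiindex14, sunnyvale, hoa, sampletag14, technicalsales, internet); the subtree covered by the "internet" view, the Excluded row, the v2c model in the group mapping and the SNMPv3 user name Manager are assumptions. The add_community check enforces the Note at step 6 above: a Security Name must be unique and must not reuse an SNMPv3 User Table name, because the User Table name is what selects USM authentication and the community row would otherwise map unauthenticated v1/v2c requests onto it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """Turn dotted notation such as '1.3.6.1.2.1' into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class CommunityEntry:
    """One row of the SNMPv3 Community Table, with the fields shown in Figure 154."""
    index: str
    name: str
    security_name: str
    transport_tag: str = ""
    storage_type: str = "NonVolatile"
    row_status: str = "Active"


@dataclass
class ViewSubtree:
    """One row of the View Table: a subtree OID plus a mask (missing mask bits count as 1)."""
    name: str
    subtree: OID
    mask: Tuple[int, ...] = ()
    view_type: str = "Included"  # Included or Excluded


def subtree_covers(oid: OID, st: ViewSubtree) -> bool:
    """The OID belongs to the subtree family when every masked-in sub-identifier matches."""
    if len(oid) < len(st.subtree):
        return False
    for i, sub_id in enumerate(st.subtree):
        bit = st.mask[i] if i < len(st.mask) else 1
        if bit and oid[i] != sub_id:
            return False
    return True


@dataclass
class Snmpv3Tables:
    communities: Dict[str, CommunityEntry] = field(default_factory=dict)        # community name -> row
    security_to_group: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (model, security name) -> group
    access: Dict[str, Dict[str, str]] = field(default_factory=dict)             # group -> {read/write/notify: view}
    views: List[ViewSubtree] = field(default_factory=list)
    user_names: Set[str] = field(default_factory=set)                           # SNMPv3 User Table names

    def add_community(self, entry: CommunityEntry) -> None:
        """Enforce the rules the guide states for the Security Name field."""
        sec = entry.security_name
        if not (0 < len(sec) <= 32 and sec.isalnum()):
            raise ValueError("Security Name must be 1 to 32 alphanumeric characters")
        if sec in self.user_names:
            raise ValueError("Security Name must not reuse an SNMPv3 User Table name")
        if any(row.security_name == sec for row in self.communities.values()):
            raise ValueError("Security Name must be unique in the Community Table")
        self.communities[entry.name] = entry

    def resolve_views(self, community: str, model: str = "v2c") -> Optional[Dict[str, str]]:
        """Community Table -> SecurityToGroup Table -> Access Table; None when any hop fails."""
        row = self.communities.get(community)
        if row is None or row.row_status != "Active":
            return None
        group = self.security_to_group.get((model, row.security_name))
        return self.access.get(group) if group else None

    def oid_in_view(self, view: str, oid: OID) -> bool:
        """The longest matching subtree of the view decides; Excluded rows cut holes in it."""
        best: Optional[ViewSubtree] = None
        for st in self.views:
            if st.name == view and subtree_covers(oid, st):
                if best is None or len(st.subtree) > len(best.subtree):
                    best = st
        return best is not None and best.view_type == "Included"

    def permits(self, community: str, oid_text: str, op: str = "read", model: str = "v2c") -> bool:
        """True when a v1/v2c request carrying this community may perform op on the OID."""
        views = self.resolve_views(community, model)
        view = (views or {}).get(op, "")
        return bool(view) and self.oid_in_view(view, parse_oid(oid_text))


def sample_tables() -> Snmpv3Tables:
    """Constructed rows that reuse the names shown in this chapter's figures."""
    t = Snmpv3Tables(user_names={"Manager"})  # assumed SNMPv3 User Table entry
    t.add_community(CommunityEntry("atiindex14", "sunnyvale", "hoa", "sampletag14"))
    t.security_to_group[("v2c", "hoa")] = "technicalsales"
    t.access["technicalsales"] = {"read": "internet", "write": "", "notify": ""}
    # The "internet" view is assumed to cover 1.3.6.1; the Excluded row is
    # constructed to show how a hole is cut out of an otherwise Included view.
    t.views.append(ViewSubtree("internet", parse_oid("1.3.6.1")))
    t.views.append(ViewSubtree("internet", parse_oid("1.3.6.1.6.3.15"), view_type="Excluded"))
    return t
```

With the sample rows, a v2c request with community sunnyvale may read 1.3.6.1.2.1.1.1.0 but not anything under the excluded 1.3.6.1.6.3.15 subtree, may not write at all (the group's Write View is blank, as in Figure 159), and a v1 request with the same community is refused because only the v2c mapping exists in the SecurityToGroup Table. A zero mask bit wildcards one sub-identifier, which is how a Subtree Mask lets a view cover one column of a table for every row.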
Section IV
Spanning Tree Protocols

The chapters in this section provide information and procedures for the spanning tree protocols.
Chapter 21
STP and RSTP

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust the STP and RSTP bridge and port parameters.
STP and RSTP Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that data loops pose is that data packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and can significantly reduce network performance.
Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network.
Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.

If redundant paths exist, the bridges that are a part of the paths must determine which path will be the primary, active path, and which path(s) will be placed in the standby, blocking mode. This is accomplished by a determination of path costs.
Table 11. STP Auto-Detect Port Trunk Costs

    Port Speed    Port Cost
    1000 Mbps     2

Table 12 lists the RSTP port costs with Auto-Detect.

Table 12. RSTP Auto-Detect Port Costs

    Port Speed    Port Cost
    10 Mbps       2,000,000
    100 Mbps      200,000
    1000 Mbps     20,000

Table 13 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.

Table 13.
Table 14. Port Priority Value Increments

    Increment    Bridge Priority    Increment    Bridge Priority
    2            32                 10           160
    3            48                 11           176
    4            64                 12           192
    5            80                 13           208
    6            96                 14           224
    7            112                15           240

Forwarding Delay and Topology Changes

If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports.
The bridges that are part of a spanning tree domain communicate with each other using a bridge broadcast frame that contains a special section devoted to carrying STP or RSTP information. This portion of the frame is referred to as the bridge protocol data unit (BPDU).
[Figure: two AT-9424T/SP Gigabit Ethernet Switches, front-panel port labels only. Caption: Point-to-Point Ports (Full-duplex Mode)]

[Figure: two AT-9424T/SP Gigabit Ethernet Switches, front-panel port labels only. Caption: Point-to-Point and Edge Ports]

[Figure: two AT-9424T/SP Gigabit Ethernet Switches carrying a Sales VLAN and a Production VLAN; one link is marked Blocked Port]
Enabling or Disabling a Spanning Tree Protocol

The AT-S63 management software supports STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. Before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. After you have selected it as the active protocol, you can then configure it and enable or disable it.
4. If you selected STP as the active spanning tree protocol, go to “Configuring STP” on page 487 for further instructions. If you selected RSTP, go to “Configuring RSTP” on page 493. Multiple Spanning Tree Protocol (MSTP) is described in Chapter 22, “MSTP” on page 501.

Note
After you have configured the spanning tree parameters, perform steps 5 through 7 to enable spanning tree.

5. To enable or disable spanning tree, type 1 to select Spanning Tree Status.
Configuring STP

This section contains the following procedures:

    “Configuring STP Bridge Settings”, next
    “Configuring STP Port Settings” on page 489

Configuring STP Bridge Settings

This section contains the procedure for configuring a bridge’s STP settings.

Caution
The default STP parameters are adequate for most networks.
3. Adjust the following parameters as needed.

1 - Bridge Priority
The priority number for the bridge. This number is used to determine the root bridge for RSTP. The bridge with the lowest priority number is selected as the root bridge. If two or more bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge. When a root bridge goes offline, the bridge with the next priority number automatically takes over as the root bridge.
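A worked root election and port-role computation, added here as an example and not taken from the AT-S63 guide. Bridges are compared as (priority, MAC address) exactly as the Bridge Priority description above states; root path costs add up the RSTP Auto-Detect port costs from Table 12; and on every segment the bridge with the lower (root path cost, bridge id) becomes the designated bridge, while its peer's port ends up either as that bridge's root port or as an alternate port, which is the one the protocol places in the blocking state. The four-switch topology, its MAC addresses and port numbers are constructed; bridge_priority applies the multiply-by-4096 rule the menu prompt describes. Backup ports (two ports of one bridge on the same segment) are not modelled.

```python
from typing import Dict, List, Optional, Tuple

# RSTP Auto-Detect port costs from Table 12 of this chapter, keyed by port speed in Mbps.
AUTO_DETECT_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000}

BridgeId = Tuple[int, str]             # (bridge priority, MAC address); the lower tuple wins
Link = Tuple[str, int, str, int, int]  # (bridge, port, bridge, port, speed in Mbps)
PathInfo = Tuple[float, Optional[BridgeId], Optional[int]]  # (root path cost, parent id, root port)


def bridge_priority(increment: int) -> int:
    """The menu prompt multiplies the increment you enter (0 to 15) by 4096."""
    if not 0 <= increment <= 15:
        raise ValueError("priority increment must be 0 to 15")
    return increment * 4096


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Lowest priority wins; the numerically lowest MAC address breaks a priority tie."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(bridges: Dict[str, BridgeId], links: List[Link], root: str) -> Dict[str, PathInfo]:
    """Relax every link until nothing changes: a bridge's root path cost is its
    neighbour's cost plus the cost of the port on which it hears that neighbour.
    Ties are broken by the neighbour's bridge id and then by the local port number."""
    best: Dict[str, PathInfo] = {name: (float("inf"), None, None) for name in bridges}
    best[root] = (0, None, None)
    changed = True
    while changed:
        changed = False
        for a, pa, b, pb, speed in links:
            cost = AUTO_DETECT_COST[speed]
            for me, my_port, nb in ((a, pa, b), (b, pb, a)):
                if me == root or best[nb][0] == float("inf"):
                    continue
                cand: PathInfo = (best[nb][0] + cost, bridges[nb], my_port)
                if cand < best[me]:
                    best[me] = cand
                    changed = True
    return best


def port_roles(bridges: Dict[str, BridgeId], links: List[Link]) -> Tuple[str, Dict[Tuple[str, int], str]]:
    """Return the root bridge and a role for every port: designated, root or alternate."""
    root = elect_root(bridges)
    best = root_path_costs(bridges, links, root)
    roles: Dict[Tuple[str, int], str] = {}
    for a, pa, b, pb, _ in links:
        # The bridge with the lower (root path cost, bridge id) is designated for this segment.
        if (best[a][0], bridges[a]) <= (best[b][0], bridges[b]):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if best[other][2] == other_port else "alternate"
    return root, roles


def sample_topology() -> Tuple[Dict[str, BridgeId], List[Link]]:
    """Constructed four-switch topology: B is made root by priority; A and C tie on
    priority and on cost to the root, so the lower MAC decides their shared segment;
    D has a fast and a slow uplink and the slow one is blocked."""
    bridges = {
        "A": (bridge_priority(8), "00:00:00:00:00:0a"),
        "B": (bridge_priority(1), "00:00:00:00:00:0b"),
        "C": (bridge_priority(8), "00:00:00:00:00:0c"),
        "D": (bridge_priority(8), "00:00:00:00:00:0d"),
    }
    links: List[Link] = [
        ("A", 1, "B", 1, 1000),
        ("B", 2, "C", 1, 1000),
        ("A", 2, "C", 2, 1000),
        ("A", 3, "D", 1, 100),   # 200,000 cost: loses to D's path through C (20,000 + 20,000)
        ("C", 3, "D", 2, 1000),
    ]
    return bridges, links
```

Running port_roles on the sample topology elects B (priority 4096 beats 32768 regardless of MAC), gives A and C a root path cost of 20,000 through their direct links to B, and blocks C's port 2 on the A-C segment because A's MAC is numerically lower; D reaches the root for 40,000 through C and blocks its 100 Mbps port toward A. This is the same computation the switch performs when it reports a port as Root, Alternate or Designated in the Display RSTP Port State menu.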
Configuring STP Port Settings

To adjust STP port parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The STP menu is shown in Figure 170 on page 487.

3. From the STP menu, type P to select STP Port Parameters.
The Configure STP Port Settings menu is shown in Figure 172.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Configure STP Port Settings
    Configuring Ports 4-6

    1 - Port Priority ..... 128
    2 - Port Cost ......... Automatic-Update

    R - Return to Previous Menu

    Enter your selection?

Figure 172. Configure STP Port Settings Menu

7. Adjust the following parameters as needed.
Displaying STP Port Settings

To display STP port settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The STP menu is shown in Figure 170 on page 487.

3. From the STP menu, type P to select STP Port Parameters.
Cost
Port cost of the port. The default is Auto-Update.

Priority
The number used as a tie breaker when two or more ports have equal costs to the root bridge.

Resetting STP to the Default Settings

To reset STP to the default settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2.
Configuring RSTP

This section contains the following procedures:

    “Configuring RSTP Bridge Settings”, next
    “Configuring RSTP Port Settings” on page 495

Configuring RSTP Bridge Settings

This section contains the procedure for configuring a bridge’s RSTP settings.

Caution
The default RSTP parameters are adequate for most networks.
3. Adjust the following parameters as necessary.

1 - Force Version
This selection determines whether the bridge operates with RSTP or in an STP-compatible mode. If you select RSTP, the bridge operates all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge operates in RSTP, using the RSTP parameter settings, but it sends only STP BPDU packets out the ports.

2 - Bridge Priority
The priority number for the bridge.
breaker in the selection of the root bridge when two or more bridges have the same bridge priority value. This value cannot be changed.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Configuring RSTP Port Settings

To adjust RSTP port parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration.
    Ending Port to Configure [1 to 24] ->

7. To configure just one port, enter the same port number here as you entered in the previous step. To configure a range of ports, enter the last port of the range.

The Configure RSTP Port Settings menu is shown in Figure 176.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Configure RSTP Port Settings
    Configuring Ports 4-4

    1 - Port Priority ......
    2 - Port Cost ..........
    3 - Point-to-Point .....
    4 -
The possible settings are Yes and No. For an explanation of this parameter, refer to “Point-to-Point and Edge Ports” on page 481.

C - Check Migration To RSTP on Selected Ports (MCHECK)
The MCHECK parameter is displayed only when RSTP is enabled. This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs.
The Display RSTP Port Configuration menu is shown in Figure 177.
2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The RSTP menu is shown in Figure 170 on page 487.

3. From the RSTP menu, type P to select RSTP Port Parameters. The RSTP Port Parameters menu is shown in Figure 175 on page 495.

4. From the RSTP Port Parameters menu, type 3 to select Display RSTP Port State. The Display RSTP Port State menu is shown in Figure 178.
Disabled - The port has not established a link with its end node.

Role
The RSTP role of the port. Possible roles are:

Root - The port that is connected to the root switch, directly or through other switches, with the least path cost.

Alternate - The port offers an alternate path in the direction of the root switch.

Backup - The port on a designated switch that provides a backup for the path provided by the designated port.
Chapter 22
MSTP

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP) and contains procedures on how to adjust spanning tree bridge and port parameters.
MSTP Overview

As mentioned in Chapter 21, “STP and RSTP” on page 475, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Series switches, and an AT-9400 Series switch can support up to 16 MSTIs at a time.

To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default MSTI with an MSTI ID of 0.
the Production VLAN.
Figure 180 illustrates the same two AT-9400 Series switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 181 where there are two AT-9400 Series switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines

Following are several guidelines to keep in mind about MSTIs:

    An AT-9400 Series switch can support up to 16 spanning tree instances, including the CIST, at a time.
    An MSTI can contain any number of VLANs.
    A VLAN can belong to only one MSTI at a time.
    A switch port can belong to more than one spanning tree instance at a time.
Multiple Spanning Tree Regions

Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are:

    Configuration name
    Revision number
    VLANs
    VLAN to MSTI ID associations

A configuration name is a name you assign to a region to help you identify it. You must assign each bridge in a region exactly the same name; even the same upper and lowercase lettering.
Figure 182 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Series switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region.

Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must have a root bridge to locate physical loops within the spanning tree instance. An MSTI’s root bridge is called a regional root. The MSTIs within a region may share the same regional root or they can have different regional roots.
Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. First, you cannot delete this instance and you cannot change its MSTI ID.
An MSTP region can be considered as a virtual bridge. The implication is that other MSTP regions and STP and RSTP single-instance spanning trees cannot discern the topology or constitution of an MSTP region. The only bridge they are aware of is the regional root of the CIST instance.

Summary of Guidelines

Careful planning is essential for the successful implementation of MSTP.
Note
The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.

Associating VLANs to MSTIs

Allied Telesyn recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN.
belongs only to CIST with its MSTI ID 0.
determine that a loop exists between the regions, and Switch B would block a port.
Selecting MSTP as the Spanning Tree Protocol

To select and activate MSTP as the spanning tree protocol, or to disable spanning tree, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. To change the active version of spanning tree on the switch, type 2 to select Active Protocol Version. The following prompt is displayed:

    Enter new value (S-STP, R-RSTP, M-MSTP):

3.
Configuring MSTP Bridge Settings

To configure a bridge’s MSTP settings, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186.
seconds. The default is 2 seconds. This value is active only if the bridge is selected as the root bridge of the network.

3 - Forwarding Delay
The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, possibly resulting in a network loop. The range is 4 to 30 seconds. The default is 15 seconds.
9 - Root Identifier
If this MAC address is the same as the bridge’s MAC address, then the switch is also functioning as a root bridge. If the two MAC addresses are different, then a different switch is functioning as the root bridge. You cannot change this parameter. This parameter is only displayed when MSTP is enabled.

Note
Selection C, CIST menu, is described in “Configuring the CIST Priority,” next.
Configuring the CIST Priority

This procedure explains how to adjust the bridge’s CIST priority. To change the CIST priority, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type C to select CIST menu.
    Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->

5. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 14, “Port Priority Value Increments” on page 479.

6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying the CIST Priority

To change the CIST priority, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type M to select MSTI menu. The MSTI menu is shown in Figure 188.
Path Cost
Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.

Associated VLANs
Specifies the VIDs of the VLANs that have been associated with the MSTI ID. The table does not include the CIST. The table is empty if no MSTI IDs have been created.
Creating, Deleting, and Modifying MSTI IDs

The following sections contain procedures for working with MSTI IDs:

    “Creating an MSTI ID”, next
    “Deleting an MSTI ID” on page 525
    “Modifying an MSTI ID” on page 525

Creating an MSTI ID

To create an MSTI ID, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an MSTI ID

To delete an MSTI ID, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol.
    Enter the MSTI ID to be modified: [1 to 15] ->

5. Enter the MSTI ID that you want to modify. The range is 1 to 15. You can specify only one MSTI ID at a time. The following prompt is displayed:

    Enter new priority [the value will be multiplied by 4096] [0 to 15] -> 8

6. Enter a new MSTI priority number for this MSTI on the bridge. This parameter is used in selecting a regional root for the MSTI. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority.
Adding, Removing, or Modifying VLAN Associations to MSTI IDs

When you create a new MSTI ID, you are given the opportunity of associating VLANs to it. But after an MSTI ID is created, you may want to add more VLANs to it, or perhaps remove VLANs. This procedure explains how to associ VLANs on the switch to an existing MSTI ID and also how to remove VLANs.
The VLAN-MSTI Association menu is shown in Figure 189.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    VLAN-MSTI Association Menu

    MSTI/CIST    Associated VLANs
    -------------------------------------------------------
    0
    4            1,2
    5            6
    7            7,22

    1 - Add VLANs to MSTI
    2 - Delete VLANs from MSTI
    3 - Set VLAN to MSTI Association
    4 - Clear VLAN to MSTI Association

    U - Update Display
    R - Return to Previous Menu

    Enter your selection?

Figure 189.
4. From the MSTP menu, type V to select VLAN-MSTI Association menu. The VLAN-MSTI Association menu is shown in Figure 189 on page 528.

5. From the VLAN-MSTI Association menu, type 1 to select Add VLANs to MSTI. The following prompt is displayed:

    Enter the MSTI ID [0 to 15] ->

6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:

    Enter the list of VLANs:

7.
    Enter the MSTI ID [0 to 15] ->

6. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:

    Enter the list of VLANs:

7. Enter the VLAN ID of the virtual LAN that you want to remove from the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to “Displaying VLANs” on page 571. A removed VLAN is returned to CIST.

8. After making changes, type R until you return to the Main Menu.
8. Enter the VLAN ID of the virtual LAN that you want to associate with the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). (To view VIDs, refer to “Displaying VLANs” on page 571.) The VLANs already associated with the MSTI ID are removed when the new VLANs are added. The removed VLANs are returned to CIST.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
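The association rules from “MSTI Guidelines”, the region definition from “Multiple Spanning Tree Regions” and the menu operations above (Add VLANs to MSTI, Delete VLANs from MSTI, Set VLAN to MSTI Association), modelled as an added example that is not part of the guide: a VLAN belongs to one instance at a time, a VLAN removed from an MSTI returns to the CIST, Set replaces the MSTI's VLAN list, and two bridges are in the same region only when the configuration name (compared case-sensitively), the revision number and the VLAN-to-MSTI table all agree. The sample bridge reuses the associations shown in Figure 189; the plain MD5 digest of the table stands in for the HMAC-MD5 configuration digest that IEEE 802.1s bridges actually carry in their BPDUs, and the configuration name "Sales" and revision 1 are constructed.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

CIST = 0           # MSTI ID 0: always present, cannot be deleted or renumbered
MAX_MSTI_ID = 15   # user-created MSTI IDs run from 1 to 15, so 16 instances at most


class MstpBridge:
    """The VLAN-to-MSTI association table of one bridge, plus its region identity."""

    def __init__(self, config_name: str, revision: int) -> None:
        self.config_name = config_name   # compared case-sensitively, as the guide requires
        self.revision = revision
        self.mstis: Set[int] = {CIST}
        self.vlans: Dict[int, int] = {}  # VID -> MSTI ID of the instance it currently belongs to

    def create_vlan(self, vid: int) -> None:
        """A new VLAN starts in the CIST until it is associated with an MSTI."""
        self.vlans.setdefault(vid, CIST)

    def create_msti(self, msti_id: int) -> None:
        if not 1 <= msti_id <= MAX_MSTI_ID:
            raise ValueError("MSTI ID must be 1 to 15")
        self.mstis.add(msti_id)

    def _check(self, msti_id: int, vids: List[int]) -> List[int]:
        """Reject instances that do not exist and VIDs the switch does not have."""
        if msti_id not in self.mstis:
            raise ValueError(f"MSTI {msti_id} has not been created")
        missing = [v for v in vids if v not in self.vlans]
        if missing:
            raise ValueError(f"unknown VLAN IDs {missing}")
        return vids

    def add_vlans(self, msti_id: int, vids: Iterable[int]) -> None:
        """'Add VLANs to MSTI': a VLAN belongs to one MSTI only, so it moves from wherever it was."""
        for vid in self._check(msti_id, list(vids)):
            self.vlans[vid] = msti_id

    def delete_vlans(self, msti_id: int, vids: Iterable[int]) -> None:
        """'Delete VLANs from MSTI': each removed VLAN is returned to the CIST."""
        for vid in self._check(msti_id, list(vids)):
            if self.vlans[vid] == msti_id:
                self.vlans[vid] = CIST

    def set_vlans(self, msti_id: int, vids: Iterable[int]) -> None:
        """'Set VLAN to MSTI Association': the new list replaces the old one, and the
        VLANs dropped from the MSTI go back to the CIST."""
        new = set(self._check(msti_id, list(vids)))
        for vid in self.associated(msti_id):
            if vid not in new:
                self.vlans[vid] = CIST
        for vid in new:
            self.vlans[vid] = msti_id

    def associated(self, msti_id: int) -> List[int]:
        """VIDs currently in the instance, as one row of the VLAN-MSTI Association menu."""
        return sorted(vid for vid, inst in self.vlans.items() if inst == msti_id)

    def region_identity(self) -> Tuple[str, int, str]:
        """Name, revision and a digest of the VLAN-to-MSTI table. 802.1s exchanges an
        HMAC-MD5 digest of the full table; a plain MD5 of a canonical listing stands in here."""
        table = ",".join(f"{vid}:{inst}" for vid, inst in sorted(self.vlans.items()))
        return (self.config_name, self.revision, hashlib.md5(table.encode()).hexdigest())

    def same_region(self, other: "MstpBridge") -> bool:
        """Bridges that differ in any of the three values are in different regions."""
        return self.region_identity() == other.region_identity()


def sample_bridge(config_name: str = "Sales") -> MstpBridge:
    """Constructed bridge with the associations shown in Figure 189 (MSTI 4: 1,2; 5: 6; 7: 7,22)."""
    b = MstpBridge(config_name, 1)
    for vid in (1, 2, 6, 7, 22):
        b.create_vlan(vid)
    for msti in (4, 5, 7):
        b.create_msti(msti)
    b.add_vlans(4, [1, 2])
    b.add_vlans(5, [6])
    b.add_vlans(7, [7, 22])
    return b
```

Two bridges built by sample_bridge are in one region. Changing the VLAN list of one of them, or giving it the name "sales" instead of "Sales", puts it in a region of its own, which is exactly the situation the guide warns about: the link between the two then becomes a regional boundary, and the CIST treats the far side as a single virtual bridge, blocking a port where it sees a loop between the regions.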
Configuring MSTP Port Settings

As explained in “Ports in Multiple MSTIs” on page 507, MSTP port settings are divided into two groups. The parameters in the first group are set just once on a port, regardless of the number of MSTIs in which a port is a member. These settings are:

    External path cost
    Point-to-point designation
    Edge port designation

The procedure for setting these parameters is in “Configuring Generic MSTP Port Settings” on page 532.
The MSTP Port Parameters menu is shown in Figure 190.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    MSTP Port Parameters

    1 - Configure Generic Port Settings
    2 - Configure Per Spanning Tree Port Settings
    3 - Display MSTP Port Configuration
    4 - Display MSTP Port State

    R - Return to Previous Menu

    Enter your selection?

Figure 190. MSTP Port Parameters Menu

4.
7. Adjust the following parameters as necessary:

1 - Port External Path Cost
The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP. The range is 0 to 200,000,000. The default setting is Auto, which sets port cost depending on the speed of the port. Table 15 lists the MSTP port costs with the Auto setting when the port is not a member of a trunk.
The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type P to select MSTP Port Parameters. The MSTP Port Parameters menu is shown in Figure 190 on page 533.

4. Type 2 to select Configure Per Spanning Tree Port Settings.
The Configure Per Spanning Tree Port Settings Menu is shown in Figure 192.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
    User: Manager                          11:20:02 02-Mar-2005

    Configure Per Spanning Tree Port Settings
    Spanning Tree List: 4
    Configuring Ports: 7-7

    1 - Port Priority ............... 128
    2 - Port Internal Path Cost ..... Auto Update

    R - Return to Previous Menu

    Enter your selection?

Figure 192.
Table 18 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.

Table 18. RSTP Auto-Detect Port Trunk Costs

    Port Speed    Port Cost
    10 Mbps       20,000
    100 Mbps      20,000
    1000 Mbps     2,000

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying the MSTP Port Configuration

To display the MSTP port configuration, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type P to select MSTP Port Parameters.
Port
The port number.

Edge-Port
Whether or not the port is functioning as an edge port. The possible settings are Yes and No.

Point-to-Point
Whether or not the port is functioning as a point-to-point port. The possible settings are Yes, No, and Auto-Detect.

External or Internal Port Cost

External Port Cost
The port cost of the port if the port is connected to a bridge which is a member of another MSTP region or is running STP or RSTP.
Displaying the MSTP Port State

To display the MSTP port state, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration. The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol. The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type P to select MSTP Port Parameters.
The Display MSTP Port State menu is shown in Figure 194.
Backup - The port on a designated switch that provides a backup for the path provided by the designated port.

Designated - The port on the designated switch for a LAN that has the least cost path to the root switch. This port connects the LAN to the root switch.

Master - Similar to the root port. When the port is a boundary port, the MSTI port roles follow the CIST port roles. The MSTI port role is called “master” when the CIST role is “root.”
Resetting MSTP to the Defaults

To reset MSTP to the defaults, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Configuration.

   The Spanning Tree Configuration menu is shown in Figure 169 on page 485.

2. From the Spanning Tree Configuration menu, type 3 to select Configure Active Protocol.

   The MSTP menu is shown in Figure 186 on page 517.

3. From the MSTP menu, type D to select Reset MSTP to Defaults.
Section IV: Spanning Tree Protocols
Section V
Virtual LANs

The chapters in this section provide information and procedures for configuring virtual LANs on the switch using the AT-S63 management software.
Section V: VLANs
Chapter 23
Port-based and Tagged VLANs

This chapter contains basic information about virtual LANs (VLANs) and procedures for creating, modifying, and deleting VLANs from a local or Telnet management session.
Chapter 23: Port-based and Tagged VLANs

VLAN Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain in which the traffic generated by the nodes of the VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 management software and group nodes with related functions into their own separate, logical LAN segments.
management software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview

As explained in “VLAN Overview” on page 548, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
For example, if you had a port-based VLAN titled Marketing that spanned three AT-9400 Series switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 management software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
- Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
- A port can be an untagged member of only one port-based VLAN at a time.
- Each port must be assigned a PVID. This value must be the same for all ports in a port-based VLAN and it must match the VLAN’s VID.

Drawbacks of Port-based VLANs

Port-based Example 1
examples, the Default_VLAN is not shown.
Port-based Example 2

Figure 196 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT-9400 Series Gigabit Ethernet switches.
Production VLANs on the switches:

    Switch                        Sales VLAN (VID 2)           Engineering VLAN (VID 3)          Production VLAN (VID 4)
    AT-9424T/SP Switch (top)      Ports 1-2, 4, 6, 8 (PVID 2)  Ports 11-14, 19 (PVID 3)          Ports 19, 21-23 (PVID 4)
    AT-9424T/GB Switch (bottom)   Ports 1-4, 7 (PVID 2)        Ports 14, 16, 18-19, 22 (PVID 3)  none

Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview

The second type of VLAN supported by the AT-S63 management software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
Note
For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 550 and “VLAN Identifier” on page 550.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.

Port VLAN Identifier
General Rules for Creating a Tagged VLAN

Below is a summary of the rules to observe when you create a tagged VLAN.

- Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches must be assigned the same VID.
- A tagged port can be a member of multiple VLANs.
- An untagged port can be an untagged member of only one VLAN at a time.
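The tag header described in “Tagged VLAN Overview” is the IEEE 802.1Q tag: a 2-byte Tag Protocol Identifier (0x8100) followed by 2 bytes of Tag Control Information carrying a 3-bit priority, a 1-bit drop-eligible flag and the 12-bit VID. The following Python script is an added example, not code from the AT-S63 guide or software. It parses that header out of a raw frame, inserts and strips a tag the way a tagged and an untagged egress port would, rejects the reserved VID 4095 and restricts inserted tags to 1-4094, and flags a frame that carries a second tag behind the first (the double-tagging case that VLAN-hopping attacks rely on). The frame bytes and MAC addresses are constructed for the demonstration.

```python
"""Parse, add and strip IEEE 802.1Q tags on raw Ethernet frames.

Added example, not code from the AT-S63 guide.  The frame bytes below are
constructed for the demonstration; the field layout is the standard 802.1Q
tag: a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding a 3-bit
priority (PCP), a 1-bit drop-eligible flag (DEI) and a 12-bit VID.
"""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None if untagged), pcp, dei, ethertype, payload
    and whether a second 802.1Q tag sits directly behind the first.

    Raises ValueError for frames that are too short or carry VID 4095.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame shorter than a tagged header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # bits 15..13: priority
        dei = (tci >> 12) & 0x1    # bit 12: drop eligible
        vid = tci & 0x0FFF         # bits 11..0: VLAN identifier
        if vid == 4095:
            raise ValueError("VID 4095 is reserved")
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vid": vid, "pcp": pcp, "dei": dei,
        "ethertype": ethertype,
        "double_tagged": ethertype == TPID_8021Q,   # inner tag follows
        "payload": frame[offset:],
    }


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged frame (what a tagged egress port does)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag (what an untagged egress port does)."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: an untagged IPv4 frame from 02:00:00:00:00:01 to 02:00:00:00:00:02
# with a 20-byte dummy payload.
UNTAGGED = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x45" + b"\x00" * 19
# The same frame as a tagged port in VLAN 3 would emit it, priority 5.
TAGGED_VID3 = add_tag(UNTAGGED, vid=3, pcp=5)
# A double-tagged frame: outer VID 100 wrapped around the VID 3 frame.
DOUBLE_TAGGED = TAGGED_VID3[:12] + struct.pack("!HH", TPID_8021Q, 100) + TAGGED_VID3[12:]

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("vid 3", TAGGED_VID3), ("double", DOUBLE_TAGGED)):
        info = parse_frame(frame)
        print(f"{name:9s} vid={info['vid']} pcp={info['pcp']} "
              f"ethertype=0x{info['ethertype']:04x} double_tagged={info['double_tagged']}")
```

A switch applying the rules above would treat the double-tagged frame as belonging to VID 100 and, on an untagged egress port, strip only the outer tag, leaving the inner VID 3 tag for the next switch to act on; `parse_frame` reports `double_tagged` so a monitor can count such frames arriving on access ports.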
Tagged VLAN Example

Figure 197 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

[Figure 197 - labels: Engineering VLAN (VID 3)]
The port assignments for the VLANs are as follows:

                                 Sales VLAN (VID 2)            Engineering VLAN (VID 3)              Production VLAN (VID 4)
    Switch                       Untagged Ports  Tagged Ports  Untagged Ports            Tagged Ports  Untagged Ports      Tagged Ports
    AT-9424T/SP Switch (top)     1-2, 4 (PVID 2) 5, 8          7-10 (PVID 3)             5, 6          19, 21-23 (PVID 4)  5
    AT-9424T/GB Switch (bottom)  1-4 (PVID 2)    7             114, 16, 18, 22 (PVID 3)  7             none                none

This example is nearly identical to the “Port-based Example 2” on page 554.
Creating a New Port-based or Tagged VLAN

To create a new port-based or tagged VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    VLAN Configuration

    1 - Ingress Filtering Status ........ Enabled
    2 - VLANs Mode ......................
The Configure VLANs menu is shown in Figure 199.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    Configure VLANs

    1 - Create VLAN
    2 - Modify VLAN
    3 - Delete VLAN
    4 - Reset to Default VLAN

    R - Return to Previous Menu

    Enter your selection?

Figure 199. Configure VLANs Menu

3. From the Configure VLANs menu, type 1 to select Create VLAN.

   The Create VLAN menu is shown in Figure 200.
The name can be from one to fifteen alphanumeric characters in length. The name should reflect the function of the nodes that will be a part of the VLAN (for example, Sales or Accounting). The name cannot contain spaces or special characters, such as asterisks (*) or exclamation points (!). If the VLAN will be unique in your network, then the name should be unique as well.
You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9).

9. Type 4 to select Untagged Ports and specify the ports on the switch to function as untagged ports in the VLAN. If this VLAN will not contain any untagged ports, leave this field empty.

   You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9).

10. Type C to select Create VLAN.
Example of Creating a Port-based VLAN

The following procedure creates the Sales VLAN illustrated in “Port-based Example 1” on page 552. This VLAN will be assigned a VID of 2 and will consist of four untagged ports, ports 1, 2, 4, and 6. The VLAN will not contain any tagged ports.

To create the Sales VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.
Example of Creating a Tagged VLAN

The following procedure creates the Engineering VLAN in the top switch illustrated in “Tagged VLAN Example” on page 559. This VLAN will be assigned a VID of 3. It will consist of four untagged ports, ports 7 to 10, and two tagged ports, ports 5 and 6.

To create the example Engineering VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.
Modifying a VLAN

Note
To modify a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 571.

To modify a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 4 to select Configure VLANs.

   The Configure VLANs menu is shown in Figure 199 on page 562.
    Enter new value -> [1 to 4096] ->

5. Enter the VID of the VLAN you want to modify.

   The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 202.

    Allied Telesyn Ethernet Switch AT-9400 Series - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    Modify VLAN

    1 - VLAN Name ..............
    2 - VLAN ID (VID) ..........
    3 - Tagged Ports ...........
    4 - Untagged Ports .........
When you add or remove tagged ports, observe the following guidelines:

- The new list of tagged ports will replace the existing tagged ports.
- If the VLAN contains tagged ports and you want to remove them all, enter 0 (zero) for this value.

4 - Untagged Ports
    Use this selection to add or remove untagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9).
9. Repeat this procedure starting with Step 4 to modify other VLANs, or return to the Main Menu and type S to select Save Configuration Changes.
Displaying VLANs

To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 5 to select Show VLANs.

   The Show VLANs menu is shown in Figure 203.
Protocol
    The protocol associated with this VLAN. The possible settings are:
    Blank - The VLAN is a port-based or tagged VLAN.
    GARP - The VLAN is a dynamic GVRP VLAN or the port is a dynamic GVRP port of a static VLAN.

Untagged (U) / Tagged (T)
    The untagged and tagged ports that are part of the VLAN.
Deleting a VLAN

Note
To delete a VLAN, you need to know its VID. To view VLAN VIDs, refer to “Displaying VLANs” on page 571.

To delete a VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 4 to select Configure VLANs.

   The Configure VLANs menu is shown in Figure 199 on page 562.
Note
You cannot delete the Default_VLAN, which has a VID of 1.

The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 205.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    Delete VLAN

    1 - VLAN Name ..............
    2 - VLAN ID (VID) ..........
    3 - Tagged Ports ...........
    4 - Untagged Ports .........
9. Repeat this procedure starting with Step 4 to delete other VLANs.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Resetting to the Default VLAN

The following procedure deletes all VLANs, except the Default_VLAN, on a switch. To delete selected VLANs, perform the procedure in “Deleting a VLAN” on page 573.

To return all ports to the default VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 4 to select Configure VLANs.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying PVIDs

The following procedure displays a menu that lists the PVIDs for all the ports on the switch.

To display the PVID settings on the switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 6 to select Show PVIDs.

   The Show PVIDs menu is shown in Figure 206.
Enabling or Disabling Ingress Filtering

There are rules a switch follows when it receives and forwards an Ethernet frame. There are rules for frames as they enter a port (called ingress rules) and rules for when a frame is transmitted out a port (called egress rules). A switch does not accept and forward a frame unless the frame passes the ingress and egress rules. There are many ingress and egress rules for Gigabit Ethernet switches.
In most cases, you will probably want to leave ingress filtering activated on the switch, which is the default. You can enable or disable ingress filtering on a per switch basis. You cannot set this per port.

To enable or disable ingress filtering, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2.
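The ingress and egress rules above can be made concrete with a small model of one switch. The following Python script is an added example, not AT-S63 code: each port has a PVID, each VLAN has tagged and untagged members, an untagged frame is assigned to the PVID of the port it arrives on, a tagged frame is assigned to the VID in its tag, and with ingress filtering enabled a tagged frame arriving on a port that is not a member of that VLAN is discarded. That last rule is the standard IEEE 802.1Q definition of ingress filtering and is assumed here, since the page does not spell it out. The port layout is the top switch of the “Tagged VLAN Example” on page 559. Running it with ingress filtering disabled shows why the default should stay enabled: a host on Sales port 1 that sends frames tagged VID 3 gets them flooded into the Engineering VLAN.

```python
"""Model of 802.1Q ingress classification and egress tagging on one switch.

Added example, not AT-S63 code.  Rules modelled:
  * an untagged frame is assigned the PVID of the port it arrives on;
  * a tagged frame is assigned the VID carried in its tag;
  * with ingress filtering enabled, a tagged frame arriving on a port that is
    not a member of that VLAN is discarded (standard IEEE 802.1Q behaviour,
    assumed here);
  * a flooded frame leaves every other member port, tagged on tagged member
    ports and untagged on untagged member ports.
The VLAN layout is the guide's Tagged VLAN Example, top switch (Sales VID 2,
Engineering VID 3).
"""
from dataclasses import dataclass, field


@dataclass
class Vlan:
    name: str
    vid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def members(self) -> set:
        return self.untagged | self.tagged


@dataclass
class Switch:
    vlans: dict                      # vid -> Vlan
    ingress_filtering: bool = True   # switch-wide, as on the AT-S63

    def pvid(self, port: int) -> int:
        """A port's PVID is the VID of the VLAN it is an untagged member of."""
        for v in self.vlans.values():
            if port in v.untagged:
                return v.vid
        raise KeyError(f"port {port} has no untagged VLAN, so no PVID")

    def classify(self, in_port: int, tag_vid):
        """Apply the ingress rules.  Returns the VID the frame is assigned to,
        or None if the frame is discarded."""
        if tag_vid is None:
            return self.pvid(in_port)                 # untagged -> PVID
        vlan = self.vlans.get(tag_vid)
        if vlan is None:
            return None                               # VLAN unknown: discard
        if self.ingress_filtering and in_port not in vlan.members():
            return None                               # ingress filtering drops it
        return tag_vid

    def forward(self, in_port: int, tag_vid) -> dict:
        """Apply the egress rules for a flooded frame: returns
        {out_port: 'tagged' | 'untagged'} for every other member port."""
        vid = self.classify(in_port, tag_vid)
        if vid is None:
            return {}
        vlan = self.vlans[vid]
        return {p: ("tagged" if p in vlan.tagged else "untagged")
                for p in vlan.members() if p != in_port}


def build_top_switch(ingress_filtering: bool = True) -> Switch:
    """Port layout of the guide's top switch in the Tagged VLAN Example."""
    sales = Vlan("Sales", 2, untagged={1, 2, 4}, tagged={5, 8})
    engineering = Vlan("Engineering", 3, untagged={7, 8, 9, 10}, tagged={5, 6})
    return Switch({2: sales, 3: engineering}, ingress_filtering)


if __name__ == "__main__":
    for filtering in (True, False):
        sw = build_top_switch(filtering)
        # A host on Sales port 1 sends a frame tagged with the Engineering VID.
        print(f"ingress filtering {'on ' if filtering else 'off'}: "
              f"tagged VID 3 from port 1 -> {sw.forward(1, 3) or 'discarded'}")
```

With filtering on, the forged frame is discarded because port 1 is not a member of VLAN 3; with filtering off it reaches ports 7 to 10 untagged and ports 5 and 6 tagged, so a Sales host has injected traffic into Engineering without any change to the switch configuration.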
Specifying a Management VLAN

The management VLAN is the VLAN on which an AT-9400 Series switch expects to receive management packets. This VLAN is important if you will be managing a switch remotely or using the enhanced stacking feature of the switch.

Management packets are packets generated by a management station when you manage a switch using the Telnet application protocol or a web browser.
connecting the switches together are either tagged or untagged members of the NMS VLAN. You also need to specify the NMS VLAN as the management VLAN on each switch using the AT-S63 management software. Finally, you must be sure to connect your management station to a port on a switch that is a tagged or untagged member of the management VLAN.

Note
You cannot specify a management VLAN when the switch is operating in a multiple VLAN mode.
Chapter 24
GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections:

“GARP VLAN Registration Protocol (GVRP) Overview” on page 584
“Configuring GVRP” on page 592
“Enabling or Disabling GVRP on a Port” on page 594
“Displaying the GVRP Port Configuration” on page 596
“Displaying GVRP Counters” on page 597
“Displaying the GVRP Database” on page 602
“Displaying the GIP Connected Ports Ring” on page 604
Chapter 24: GARP VLAN Registration Protocol

GARP VLAN Registration Protocol (GVRP) Overview

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Figure 207 provides an example of how GVRP works.
port that received the PDU, in this case port 4, is a member of the VLAN. If it is not a member, it automatically adds the port to the VLAN as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.

5. Switch #3 sends a PDU out port 4 to switch #2.

6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN.
disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning devices that do not support GVRP.

GVRP and Network Security

PDUs are transmitted only to those switch ports where GVRP is enabled. Use GVRP with caution because it can expose your network to unauthorized access.
To use GARP, a GARP application must be defined. The Layer 2 switch has one GARP application presently implemented, GVRP. The GARP application specifies what the attribute represents. GARP defines the architecture, rules of operation, state machines and variables for the registration and deregistration of attribute values. By itself, GARP is not directly used by devices in a bridged LAN. It is the applications of GARP that perform meaningful actions.
GARP architecture is shown in Figure 208.

[Figure 208. GARP architecture: within the switch, one GARP participant per port (Port 1, Port 2), each consisting of a GARP Application and a GID; the participants are joined by GIP, and each exchanges GARP PDUs with its port through the LLC and MAC layers.]
[Figure 209. GID Architecture: one Applicant State and one Registrar State per attribute (Attribute A, Attribute B, Attribute C, ...)]

GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message.
To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges.

To control the registrar state machine, a registrar administrative control parameter is provided.
Configuring GVRP

Note
The timers in the following menus are in increments of centiseconds, which is one hundredth of a second.

To configure GVRP, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.
4. Type E to enable GVRP or D to disable GVRP. The default setting is disabled.

5. Type 2 to select GVRP GIP Status.

   The following prompt is displayed:

    Enter your new value (E-Enabled, D-Disabled):

6. Type E to enable GIP or D to disable GIP.

Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.

Caution
The following steps change the three GVRP timers.
Enabling or Disabling GVRP on a Port

This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.

Note
Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This protects against unauthorized access to restricted areas of your network.
    Enter port-list:

5. Enter a port or a list of ports.

   The Configure GVRP Port Settings menu is shown in Figure 212.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    Configure GVRP Port Settings

    Configuring Port 1-8

    1 - Port Mode ............. Normal

    R - Return to Previous Menu

    Enter your selection?

Figure 212. Configure GVRP Port Settings Menu

6. Type 1 to select Port Mode.
Displaying the GVRP Port Configuration

To display the GVRP port configuration, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.

   The GARP-GVRP menu is shown in Figure 210 on page 592.

3. From the GVRP Port Parameters menu, type 2 to select Display GVRP Port Configuration.
Displaying GVRP Counters

To display GVRP counters, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.

   The GARP-GVRP menu is shown in Figure 210 on page 592.

3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
The GVRP Counters menu (page 1) is shown in Figure 215.
    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    GVRP Counters

    Receive:                             Transmit:
    --------                             ---------
    GARP Messages:
    --------------
    LeaveAll ............. 7             LeaveAll ............. 77
    JoinEmpty ............ 0             JoinEmpty ............ 58
    JoinIn ............... 68            JoinIn ............... 285
    LeaveEmpty ........... 0             LeaveEmpty ........... 1
    LeaveIn .............. 0             LeaveIn .............. 0
    Empty ................ 5             Empty ................ 21
    Bad Message .......... 0
    Bad Attribute ........ 0

    P - Previous Page
    U - Update Display
    R - Return to Previous Menu

    Enter your selection?

Figure 216. GVRP Counters Menu (page 2)
Table 19. GVRP Counters (Continued)

Receive Discarded: Port Not Listening
    Number of GARP PDUs discarded because the port that received the PDUs was not listening, that is, MODE=NONE was set on the port.

Transmit Discarded: Port Not Sending
    Number of GARP PDUs discarded because the port that the PDUs were to be transmitted on was not sending, that is, MODE=NONE was set on the port.
Table 19. GVRP Counters (Continued)

Transmit GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.

Receive GARP Messages: LeaveIn
    Total number of GARP LeaveIn messages received for all attributes in the GARP application.
Displaying the GVRP Database

To display the GVRP database, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.

   The GARP-GVRP menu is shown in Figure 210 on page 592.

3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
begin at 0. If the GARP application has no attributes presently registered, “No attributes have been registered” is displayed.

VLAN ID
    The VLAN ID.

Used
    Indicates whether the GID index is currently being used by any port in the GARP application. The definition of “used” is whether the Applicant and Registrar state machines for the GID index are in a non-initialized state, that is, not in the {Vo, Mt} state.
Displaying the GIP Connected Ports Ring

To display the GIP connected ports ring, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.

   The GARP-GVRP menu is shown in Figure 210 on page 592.

3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
STP ID
    Present if the GARP application is GVRP; identifies the spanning tree instance associated with the GIP context.

Connected Ring
    The ring of connected ports. Only ports presently in the spanning tree Forwarding state are eligible for membership in the GIP connected ring. If no ports exist in the GIP connected ring, “No ports are connected” is displayed. If the GARP application has no ports, “No ports have been assigned” is displayed.
Displaying the GVRP State Machine

To display the GVRP state machine, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu is shown in Figure 198 on page 561.

2. From the VLAN Configuration menu, type 7 to select Configure GARP-GVRP.

   The GARP-GVRP menu is shown in Figure 210 on page 592.

3. From the GARP-GVRP menu, type O to select Other GVRP Parameters.
The GVRP State Machine menu (page 2) is displayed, as shown in Figure 220.
Table 20. GVRP State Machine Parameters (Continued)

App
    Applicant state machine for the GID index on that particular port.
Table 20. GVRP State Machine Parameters (Continued)

Reg
    Registrar state machine for the GID index on that particular port. One of:

    “Mt”   Empty
    “Lv3”  Leaving substate 3 (final Leaving substate)
    “Lv2”  Leaving substate 2
    “Lv1”  Leaving substate 1
    “Lv”   Leaving substate (initial Leaving substate)
    “In”   In
    “Fix”  Registration Fixed
    “For”  Registration Forbidden

    The initialized state for the Registrar is Mt.
Chapter 25
Multiple VLANs

This chapter describes the multiple VLAN modes and how to select a mode.
Chapter 25: Multiple VLANs

Multiple VLAN Mode Overview

The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing access to the uplink port.
A user-designated port on the switch functions as an uplink port, which can be connected to a shared device such as a router for access to a WAN. This port is placed as a tagged port in each VLAN. Thus, while the switch ports are separated from each other in their individual VLANs, they all have access to the uplink port. The uplink port also has its own VLAN, where it is an untagged member. This VLAN is called Uplink_VLAN.

Note
In 802.
Table 21. 802.
Note
When the uplink port receives a packet with a destination MAC address that is not in the MAC address table, the port broadcasts the packet to all switch ports. This can result in ports receiving packets that are not intended for them. Also note that a switch operating in this mode can be remotely managed through any port on the switch, not just the uplink port.
Selecting a VLAN Mode

The following procedure explains how to select a VLAN mode. Available modes are:

- User-configured VLAN mode (port-based and tagged VLANs)
- IEEE 802.1Q Compliant Multiple VLAN mode
- Non-IEEE 802.1Q Compliant Multiple VLAN mode

Note
Any port-based or tagged VLANs you created are not retained when you change the VLAN mode from the user-configured mode to a multiple VLAN mode and, at some point, reset the switch.
Displaying VLAN Information

To view the VLANs on the switch while the unit is operating in Multiple VLAN mode, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

   The VLAN Configuration menu (multiple VLAN mode) is shown in Figure 221.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    VLAN Configuration

    1 - Ingress Filtering Status ........
The Show Multiple VLANs menu is shown in Figure 222.

    Allied Telesyn Ethernet Switch AT-94xx - AT-S63
    Marketing                          User: Manager    11:20:02 02-Mar-2005

    Show Multiple VLANs

    Name        Untagged Port    Uplink Port    VLAN ID
    ----------------------------------------------------
    Client_1    1                24             1
    Client_2    1                24             1
    Client_3    1                24             1
    Client_4    1                24             1
    Client_5    1                24             1
    Client_6    1                24             1
    Client_7    1                24             1
    Client_8    1                24             1

    N - Next Page
    U - Update Display
    R - Return to Previous Menu

    Enter your selection?

Figure 222. Show Multiple VLANs Menu
Chapter 26
Protected Ports VLANs

This chapter explains protected ports VLANs.
Chapter 26: Protected Ports VLANs

Protected Ports VLAN Overview

The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter. In a protected ports VLAN, each port is considered a separate LAN segment that can only communicate with an uplink port.
Note
For explanations of VIDs and tagged and untagged ports, refer to Chapter 23, “Port-based and Tagged VLANs” on page 547.

To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged.
- A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group has little value. Create a port-based or tagged VLAN instead.
- A protected ports VLAN can contain any number of groups.
- A group can contain any number of ports.
- The ports of a group can be tagged or untagged.
- Each group must be assigned a unique group number on the switch. The number can be from 1 to 256.
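The rules above can be checked mechanically before a configuration is typed into the Create VLAN menu. The following Python script is an added example, not AT-S63 code. It validates a proposed layout against the rules listed (at least two groups, group numbers in 1-256, each client port in exactly one group) and models the forwarding behaviour described in the overview: any port may exchange traffic with an uplink port, ports in the same group may reach each other, and ports in different groups never can. That two ports in one group can reach each other is assumed here from the grouping the guide describes rather than stated on this page. The group and port numbers are constructed for the demonstration; a real layout copied from the Show VLANs display can be substituted to confirm that no two client groups can reach one another.

```python
"""Validation and reachability check for a protected ports VLAN layout.

Added example, not AT-S63 code.  Rules encoded from the guide:
  * at least two groups; group numbers unique and in 1..256;
  * every client port of the VLAN belongs to exactly one group;
  * traffic flows between any port and an uplink port, and (assumed here,
    from the grouping described) between ports of the same group, but never
    between two different groups.
The port numbers and groups below are constructed for the demonstration.
"""
from itertools import combinations


def validate(groups: dict, uplinks: set, all_ports: set) -> list:
    """Return a list of rule violations; an empty list means the layout is valid."""
    problems = []
    if len(groups) < 2:
        problems.append("a protected ports VLAN should contain at least two groups")
    for gnum in groups:
        if not 1 <= gnum <= 256:
            problems.append(f"group number {gnum} outside 1-256")
    seen = {}                                   # port -> group it was first seen in
    for gnum, ports in groups.items():
        for p in ports:
            if p in seen:
                problems.append(f"port {p} is in groups {seen[p]} and {gnum}")
            seen[p] = gnum
    for p in sorted(all_ports - set(uplinks) - set(seen)):
        problems.append(f"port {p} is in the VLAN but in no group")
    return problems


def can_forward(src: int, dst: int, groups: dict, uplinks: set) -> bool:
    """True if a frame received on src may be forwarded out dst."""
    if src == dst:
        return False
    if src in uplinks or dst in uplinks:
        return True                             # every port reaches the uplink, and back
    group_of = {p: g for g, ports in groups.items() for p in ports}
    return src in group_of and group_of[src] == group_of.get(dst)


def reachability(groups: dict, uplinks: set) -> set:
    """All unordered pairs of ports that may exchange traffic."""
    ports = set(uplinks) | {p for ps in groups.values() for p in ps}
    return {(a, b) for a, b in combinations(sorted(ports), 2)
            if can_forward(a, b, groups, uplinks)}


def cross_group_leaks(groups: dict, uplinks: set) -> set:
    """Pairs of ports in different groups that can still reach each other.
    Must be empty for a correctly isolated protected ports VLAN."""
    group_of = {p: g for g, ports in groups.items() for p in ports}
    return {(a, b) for a, b in reachability(groups, uplinks)
            if a in group_of and b in group_of and group_of[a] != group_of[b]}


# Constructed layout: eight client ports in four groups, port 24 as the uplink.
GROUPS = {1: {1, 2}, 2: {3, 4}, 3: {5, 6}, 4: {7, 8}}
UPLINKS = {24}
ALL_PORTS = set(range(1, 9)) | UPLINKS

if __name__ == "__main__":
    print("violations:", validate(GROUPS, UPLINKS, ALL_PORTS) or "none")
    print("1 -> 2 (same group):", can_forward(1, 2, GROUPS, UPLINKS))
    print("1 -> 3 (other group):", can_forward(1, 3, GROUPS, UPLINKS))
    print("1 -> 24 (uplink):", can_forward(1, 24, GROUPS, UPLINKS))
    print("reachable pairs:", sorted(reachability(GROUPS, UPLINKS)))
    print("cross-group leaks:", cross_group_leaks(GROUPS, UPLINKS) or "none")
```

The `cross_group_leaks` result is the check to keep: after any change to a protected ports VLAN (which, as the next procedure notes, means recreating it), re-run it on the new layout to confirm the groups are still isolated from one another.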
Creating a Protected Ports VLAN

To create a new protected ports VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Configuration.

2. From the VLAN Configuration menu, type 4 to select Configure VLANs.

Note
If the menu does not include selection 4, Configure VLANs, the switch is running a multiple VLAN mode. To change the switch’s VLAN mode, refer to “Selecting a VLAN Mode” on page 616.

3.
Note
A VLAN must be assigned a name.

6. Type 2 to select VLAN ID (VID).

   The following prompt is displayed:

    Enter new value -> [2 to 4094] ->

7. Type a VID value for the new VLAN. The range for the VID value is 2 to 4094 (VID 1 is the Default_VLAN). The AT-S63 management software uses the next available VID number on the switch as the default value.
AT-S63 Management Software Menus Interface User’s Guide 12. Type C to select Create VLAN. The following prompt is displayed: Enter Uplink Ports (4 - 12) -> The prompt will shown the ports that you specified as belonging to the VLAN. 13. Enter the port in the VLAN that will function as the uplink port for the different VLAN groups. You can select more than one uplink port.
Chapter 26: Protected Ports VLANs Modifying a Protected Ports VLAN Please note the following before you perform this procedure: To modify this type of VLAN, you must recreate it by reselecting the uplink port(s) and reassigning the ports to the groups. For this reason Allied Telesyn recommends that before you perform this procedure you first display the details of the protected ports VLAN you want to modify and write down on paper the VLAN’s current configuration (i.e.
AT-S63 Management Software Menus Interface User’s Guide The Modify VLAN menu is shown in Figure 201 on page 567. 4. Type 1 to select VLAN ID (VID). The following prompt is displayed: Enter new value -> [1 to 4096] -> 5. Enter the VID of the VLAN you want to modify. The Modify VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 224. Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 Modify VLAN 1 2 3 4 5 - VLAN Name ........
Chapter 26: Protected Ports VLANs 3 - Tagged Ports Use this selection to add or remove tagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 7-9), or both (e.g., 2,5,7-9). The new list of tagged ports will replace the existing tagged ports. 4 - Untagged Ports Use this selection to add or remove untagged ports from the VLAN. You can specify the ports individually (e.g., 2,3,5), as a range (e.g., 79), or both (e.g., 2,5,7-9).
AT-S63 Management Software Menus Interface User’s Guide After you have created all of the groups, this prompt is displayed: SUCCESS - Press any key to continue. Press any key to continue. The modified protected ports VLAN and its groups are now active on the switch. 12. Press any key to return to the Configure VLANs menu. 13. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 26: Protected Ports VLANs Displaying a Protected Ports VLAN To view the name, VID number, and member ports of all the VLANs on a switch, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 198 on page 561. 2. From the VLAN Configuration menu, type 6 to select Show VLANs. The Show VLANs menu is shown in Figure 225.
AT-S63 Management Software Menus Interface User’s Guide An example of the Show VLANs window is shown in Figure 226.
Chapter 26: Protected Ports VLANs Deleting a Protected Ports VLAN All untagged ports in a deleted protected ports VLAN are automatically returned to the Default_VLAN. To delete a protected ports VLAN, perform the following procedure: 1. From the Main Menu, type 2 to select VLAN Configuration. The VLAN Configuration menu is shown in Figure 198 on page 561. 2. From the VLAN Configuration menu, type 4 to select Configure VLANs. The Configure VLANs menu is shown in Figure 199 on page 562.
AT-S63 Management Software Menus Interface User’s Guide Note You cannot delete the Default_VLAN, which has a VID of 1. The Delete VLAN menu expands to contain all relevant information about the VLAN, as shown in Figure 228. Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing User: Manager 11:20:02 02-Mar-2005 Delete VLAN 1 2 3 4 - VLAN Name .............. VLAN ID (VID) .......... Tagged Ports ........... Untagged Ports .........
Chapter 26: Protected Ports VLANs 9. Repeat this procedure starting with Step 4 to delete other VLANs. 10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Section VI Port Security

The chapters in this section provide information and procedures for basic switch setup using the AT-S63 management software. The chapters include:

Chapter 27, “Port Security” on page 637
Chapter 28, “802.
Chapter 27 Port Security

This chapter explains how you can use the dynamic and static MAC addresses learned on the ports of the switch to control which end nodes can forward packets through the device. The sections in this chapter include:

“MAC Address Security Overview” on page 638
“Configuring MAC Address Port Security” on page 641
“Displaying Port Security Levels” on page 644

Note
This type of port security does not apply to ports located on optional GBIC and SFP modules.

MAC Address Security Overview

This feature can enhance the security of your network. You can use it to control which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network or particular parts of the network. This type of network security uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it. The source address is the MAC address of the end node that sent the frame.

port has already learned its maximum number of dynamic MAC addresses. A switch port can have up to 255 dynamic and static MAC addresses.

Secured
The Secured security level instructs a port to forward frames using only static MAC addresses. The port does not learn any dynamic MAC addresses and deletes any dynamic addresses that it has already learned.

Intrusion action defines what a port does when it receives an invalid frame. For a port operating under either the Secured or Locked security mode, the intrusion action is always the same: the port discards the frame. But with the Limited security mode you can specify an intrusion action. Here are the options:

Discard the invalid frame.
Discard the invalid frame and send an SNMP trap.

MAC Address Security Guidelines

Configuring MAC Address Port Security

To set the port security level, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 229.

5. From the Configure Port Security menu, type 1 to select Security Mode. The following prompt is displayed:

   Enter new mode (A-Automatic, L-Limited, S-Secured, K-locKed):

6. Select the desired security level. For definitions of the security levels, refer to “MAC Address Security Overview” on page 638. If you select Automatic, which disables port security on the port, return to the Main Menu to save your change.

N - No Action (Discard): The port discards invalid frames. This is the default.
T - Trap: The port discards invalid frames and sends an SNMP trap.
D - Disable: The port discards invalid frames, sends an SNMP trap, and disables the port.

8. If you selected the trap or disable intrusion action, type 3 to toggle the Port Participating option to Yes. Option 3, Port Participating, applies only when the intrusion action is set to trap or disable.

Displaying Port Security Levels

To view the current security levels for the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Configuration. The Port Configuration menu is shown in Figure 25 on page 102.

2. From the Port Configuration menu, type 5 to select Port Security. The Port Security menu is shown in Figure 229 on page 641.

3. From the Port Security menu, type 2 to select Display Port Security.

Threshold
The maximum number of dynamic MAC addresses the port learns. It only applies when a port is operating in the Limited security mode.

Intruder Action
The action taken by the switch if a port receives an invalid frame. The possible settings are:

No Action (Discard) - The port discards invalid frames. This is the default.
Trap - The port discards invalid frames and sends a trap. This applies only to the Limited security mode.
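The security modes and intrusion actions described in this chapter can be exercised in a small simulation, which makes the difference between the three Limited-mode actions easy to see before applying them to a production port. The following is an added example and not AT-S63 code; the class, the constructed MAC addresses and the treatment of Locked mode (kept here as "retain what was learned, learn nothing new", an assumption, since this chapter only states that Locked discards invalid frames) are this example's own.

```python
"""MAC address port security simulation.

Added example, not AT-S63 code.  It reproduces the behaviour described in
this chapter: a port in Limited mode learns dynamic addresses up to its
threshold and then applies its intrusion action (discard, trap, or
disable); a port in Secured mode forwards only frames from static
addresses and drops any dynamic addresses it had learned.  Assumption
(labelled): Locked mode keeps the addresses already learned and learns
no new ones.
"""
from dataclasses import dataclass, field

MAX_ADDRESSES = 255      # per port, dynamic plus static, as stated in the overview


@dataclass
class SecurePort:
    number: int
    mode: str = "Automatic"            # Automatic, Limited, Secured, Locked
    threshold: int = MAX_ADDRESSES     # Limited mode only
    intrusion_action: str = "discard"  # discard, trap, disable (Limited mode only)
    static: set = field(default_factory=set)
    dynamic: set = field(default_factory=set)
    enabled: bool = True
    traps: list = field(default_factory=list)   # SNMP traps the switch would send

    def set_mode(self, mode, threshold=None, action="discard"):
        if mode not in ("Automatic", "Limited", "Secured", "Locked"):
            raise ValueError(f"unknown security mode {mode!r}")
        self.mode = mode
        if mode == "Limited":
            self.threshold = MAX_ADDRESSES if threshold is None else threshold
            self.intrusion_action = action
        if mode == "Secured":
            self.dynamic.clear()    # Secured deletes already-learned dynamic addresses

    def _room(self) -> bool:
        return len(self.static) + len(self.dynamic) < MAX_ADDRESSES

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward' or 'discard'."""
        if not self.enabled:
            return "discard"
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if self.mode == "Automatic":        # port security off: ordinary learning
            if self._room():
                self.dynamic.add(src_mac)
            return "forward"
        if self.mode == "Limited":
            if len(self.dynamic) < self.threshold and self._room():
                self.dynamic.add(src_mac)
                return "forward"
            return self._intrusion(src_mac)
        # Secured: static addresses only.  Locked (assumption): no new learning.
        return "discard"

    def _intrusion(self, src_mac: str) -> str:
        """Apply the Limited-mode intrusion action to an invalid frame."""
        if self.intrusion_action in ("trap", "disable"):
            self.traps.append(f"port {self.number}: invalid frame from {src_mac}")
        if self.intrusion_action == "disable":
            self.enabled = False
        return "discard"


def run_scenario(action: str) -> dict:
    """Constructed traffic on a Limited port (threshold 2) with the given action."""
    port = SecurePort(number=3)
    port.set_mode("Limited", threshold=2, action=action)
    frames = ("00:00:5e:00:53:01", "00:00:5e:00:53:02",
              "00:00:5e:00:53:03", "00:00:5e:00:53:01")   # third source is one too many
    results = [port.receive(m) for m in frames]
    return {"results": results, "traps": len(port.traps), "enabled": port.enabled}


if __name__ == "__main__":
    for act in ("discard", "trap", "disable"):
        print(act, run_scenario(act))
```

The scenario shows the operational consequence of each choice: with "discard" or "trap" the two legitimate addresses keep working after the intruder is dropped, whereas "disable" takes the whole port down, so the fourth frame, from a previously learned address, is also discarded until an administrator re-enables the port.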
Chapter 28 802.1x Port-based Network Access Control

This chapter explains 802.1x Port-based Network Access Control and how you can use this feature to restrict access to the network ports on the switch. Sections are as follows:

“IEEE 802.1x Port-based Network Access Control Overview” on page 648
“Setting Port Roles” on page 657
“Enabling or Disabling 802.

IEEE 802.1x Port-based Network Access Control Overview

The AT-S63 management software offers you several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 27, “Port Security” on page 637, explains how you can restrict network access using the MAC addresses that belong to the end nodes of your network. This chapter explains yet another way.

Authenticator - The authenticator is a port on the switch that prohibits network access by a supplicant until the network user has entered a valid username and password.

Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the usernames and passwords from the supplicants.

Port Roles

Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:

None
Authenticator
Supplicant

None Role
A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without providing a username and password.

Figure: AT-9424T/SP Gigabit Ethernet Switch front panel, Port 22 in None Role

The number of packets transmitted and received by the switch port during a supplicant’s session. (This information is sent only when the client logs off.)

You can also configure the accounting feature to send interim updates so you can monitor which clients are still active. Here are a few guidelines to using the accounting feature:

The AT-S63 management software supports the Network level of accounting, but not the System or Exec.

The instructions for this step are in “Configuring TACACS+” on page 767.

4. Next, you must configure the port access control settings on the switch. This involves the following:

Specifying the port roles.
Configuring 802.1x port parameters.
Enabling 802.1x Port-based Network Access Control.

The instructions for this step are found in this chapter.

5.

the network. Only then is the address removed. The address is not timed out, even if the end node becomes inactive.

Note
End users of port-based access control should be instructed to always log off when they are finished with a work session. This prevents unauthorized individuals from accessing the network through unattended network workstations.

When 802.1x Port-based Network Access Control is activated on a switch, the feature polls all RADIUS servers specified in the RADIUS configuration. If three servers have been configured, the switch polls all three. If server 1 responds, all future requests go only to that server. If server 1 stops responding, the switch again polls all RADIUS servers. If server 2 responds, but not server 1, then all future requests go to servers 1 and 2.
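The server selection rule in the paragraph above matters operationally: when the preferred server fails, every configured server is polled again, and the set of servers that then receives requests depends on which one answers. The following is an added example and not AT-S63 code; it models that rule with a constructed outage sequence. The generalisation it makes (requests go to every server up to and including the lowest-numbered one that answered, which gives "servers 1 and 2" for the case in the text) is this example's assumption.

```python
"""RADIUS server selection as described above.

Added example, not AT-S63 code.  It models the failover rule from the
paragraph above: with no working server the switch polls every configured
server; if server 1 answers, later requests go only to server 1; if the
servers in use stop answering, all servers are polled again; if server 2
answers but server 1 does not, later requests go to servers 1 and 2.
Generalisation (assumption): requests go to every server up to and
including the lowest-numbered one that answered.
"""


class RadiusSelector:
    def __init__(self, servers):
        self.servers = list(servers)   # configured order: server 1, 2, 3 ...
        self.targets = list(servers)   # servers the next request is sent to

    def send(self, responders) -> dict:
        """Send one request.

        `responders` is the constructed set of servers that answer this time.
        Returns which servers were tried and which answered, and updates the
        target list used for the next request.
        """
        tried = list(self.targets)
        answered = [s for s in tried if s in responders]
        if not answered:
            # Nothing answered: fall back to polling all configured servers.
            self.targets = list(self.servers)
        else:
            lowest = min(self.servers.index(s) for s in answered)
            self.targets = self.servers[:lowest + 1]
        return {"tried": tried, "answered": answered}


def demo() -> list:
    """Constructed outage sequence against three configured servers."""
    sel = RadiusSelector(["radius1", "radius2", "radius3"])
    up = {"radius1", "radius2", "radius3"}
    without_1 = {"radius2", "radius3"}
    return [
        sel.send(up),          # first request: all three polled, server 1 answers
        sel.send(up),          # only server 1 is tried from now on
        sel.send(without_1),   # server 1 has failed: the request gets no answer
        sel.send(without_1),   # all three polled again; servers 2 and 3 answer
        sel.send(without_1),   # requests now go to servers 1 and 2
    ]


if __name__ == "__main__":
    for i, step in enumerate(demo(), 1):
        print(f"request {i}: tried {step['tried']}, answered {step['answered']}")
```

A point worth noting from the trace is the third request: it goes only to the failed server and receives no answer, so one authentication attempt is lost before the switch falls back to polling every server.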
Setting Port Roles

This procedure sets port roles. For an explanation of port roles, refer to “Port Roles” on page 650. You must set up the port roles before you enable port access control.

To set port roles, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security Configuration menu, type 1 to select Port Access Control (802.

The Configure Port Access Role menu is shown in Figure 237.

   Allied Telesyn Ethernet Switch AT-94xx - AT-S63
   Marketing
   User: Manager                    11:20:02 02-Mar-2005

   Configure Port Access Role
   Configuring Port 3

   1 - Port Role ......... None

   R - Return to Previous Menu

   Enter your selection?

Figure 237. Configure Port Access Role Menu

5. Type 1 to select Port Role. The following prompt is displayed:

   Enter new Port Role [N-None, A-Authenticator, S-Supplicant] ->

6.

Enabling or Disabling 802.1x Port-based Network Access Control

This procedure explains how to enable and disable port-based access control on the switch. If you have not assigned port roles and configured the parameter settings, you should skip this procedure and go first to “Setting Port Roles” on page 657.

To enable or disable 802.1x Port-based Network Access Control, perform the following procedure:

1.

Configuring Authenticator Port Parameters

To configure authenticator port parameters, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 236 on page 657.

3.

The Configure Authenticator Port Access Parameters menu is shown in Figure 239.

   Allied Telesyn Ethernet Switch AT-94xx - AT-S63
   Marketing
   User: Manager                    11:20:02 02-Mar-2005

   Configure Authenticator Port Access Parameters
   Configuring Port 3

   0 - Port Control .............
   1 - Quiet Period .............
   2 - TX Period ................
   3 - Reauth Enabled ...........
   4 - Reauth Period ............
   5 - Supplicant Timeout .......
   6 - Server Timeout ...........
   7 -
   8 -
   9 - Piggyback Mode ..........

1 - Quiet Period
The quiet period is the number of seconds that the port remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.

2 - TX Period
This parameter sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The default value is 30 seconds.

Both - A port, when in the unauthorized state, does not forward ingress or egress broadcast and multicast packets from or to the same client until the client logs in. This is the default.

9 - Piggyback Mode
This parameter opens up the port after authentication to all other unauthenticated devices and closes the port when reauthentication takes place. The options are Enabled or Disabled.

7.

Configuring Supplicant Port Parameters

To configure supplicant port parameters, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 236 on page 657.

3.

The Configure Supplicant Port Access Parameters menu is shown in Figure 239.

   Allied Telesyn Ethernet Switch AT-94xx - AT-S63
   Marketing
   User: Manager                    11:20:02 02-Mar-2005

   Configure Supplicant Port Access Parameters
   Configuring Port 5-8

   1 - Auth Period ...........
   2 - Held Period ...........
   3 - Max Start .............
   4 - Start Period ..........
   5 - User Name: ............
   6 - User Password: ........

characters, such as asterisks or exclamation points. The username is case sensitive.

6 - User Password
This parameter specifies the password for the switch port. The port sends the password to the authentication server for verification when the port logs on to the network. The password can be from 1 to 16 alphanumeric characters (A to Z, a to z, 1 to 9). Do not use spaces or special characters, such as asterisks or exclamation points.

Displaying the Port Access Parameters

To display the port access parameters for the ports on the switch, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security Configuration menu, type 1 to select Port Access Control (802.1X). The Port Access Control (802.1X) menu is shown in Figure 236 on page 657.

3.

Port Role
Port access role configured for the port. The possible settings are None, Authenticator, or Supplicant.

State
State of the port. The state field is dependent on whether a port is configured as an authenticator or a supplicant.

Configuring RADIUS Accounting

The AT-S63 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a switch port during a client session. For background information on this feature, refer to “RADIUS Accounting” on page 652.

1 - Status
This parameter activates or deactivates RADIUS accounting on the switch. Select Enabled to activate the feature or Disabled to deactivate it. The default is Disabled.

2 - Port
This parameter specifies the UDP port for RADIUS accounting. The default is port 1813.

3 - Type
This parameter specifies the type of RADIUS accounting. The default is Network. This value cannot be changed.
Chapter 29 MAC Address Table

This chapter contains the procedures for viewing the static and dynamic MAC address table.

MAC Address Overview

Each hardware device that you connect to your Ethernet network has a unique MAC address assigned to it by the device’s manufacturer. For example, every network interface card (NIC) that you use to connect your computers to your network has a MAC address assigned to it by the adapter’s manufacturer. The AT-9400 Series switch contains a MAC address table with a storage capacity of 16,000 entries.

Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node after a specified period of time. The switch assumes that the node with that MAC address is no longer active and that its MAC address can be purged from the table. This prevents the MAC address table from becoming filled with addresses of nodes that are no longer active.

Displaying the MAC Address Tables

The AT-S63 management software has two menu selections for displaying the MAC addresses of a switch. One selection displays the static and dynamic unicast MAC addresses while the other displays the static and dynamic multicast addresses.

To display the MAC address tables, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 244.

The Display Unicast MAC Addresses menu is shown in Figure 245. The Display Multicast MAC Addresses menu contains the same selections.

Note
The first address in the unicast MAC address table is the address of the switch.

A unicast MAC address table contains the following columns of information:

MAC
The static or dynamic MAC address.

Port
The port where the address was learned or assigned. The MAC address with port 0 is the address of the switch.

VLAN ID
The ID number of the VLAN where the port is an untagged member.

Type
The type of the address: static or dynamic.

Port Maps
The tagged and untagged ports on the switch that are members of a multicast group. This column is useful in determining which ports belong to different groups.

The other selections on the menu are:

2 - Display Static
This selection displays only the static addresses assigned to the ports on the switch.

3 - Display Dynamic
This selection displays only the dynamic addresses learned on the ports on the switch.

Adding Static Unicast and Multicast MAC Addresses

This section contains the procedure for adding static unicast and multicast MAC addresses to the switch. You can assign up to 255 static addresses per port on an AT-9400 Series switch.

To add a static MAC address, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 244 on page 674.

2.

5. Enter the number of the port on the switch where you want to assign the static address. If you are adding a static unicast address, you can specify only one port. If you are entering a static multicast address, you must specify the port where the multicast application is located as well as the ports where the host nodes are connected.

Deleting Unicast and Multicast MAC Addresses

To delete a dynamic or static unicast or multicast address from the MAC address table, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 244 on page 674.

2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 248 on page 678.

3.

Deleting All Dynamic MAC Addresses

To delete all dynamic unicast and multicast MAC addresses from the MAC address table, perform the following procedure:

1. From the Main Menu, type 4 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 244 on page 674.

2. From the MAC Address Tables menu, type 2 to select MAC Addresses Configuration. The MAC Addresses Configuration menu is shown in Figure 248 on page 678.

3.

Changing the Aging Time

The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
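The behaviour this chapter describes (static entries that persist, dynamic entries that are refreshed by traffic and purged after the aging time, port 0 for the switch's own address, a 16,000-entry capacity) can be modelled directly, which helps when reasoning about how long a stale or spoofed address stays in the table. The following is an added example and not AT-S63 code; the class names, the constructed MAC addresses and the choice to let a refreshed dynamic entry follow the address to a new port are this example's own.

```python
"""MAC address table with aging.

Added example, not AT-S63 code.  It models the table described in this
chapter: dynamic entries learned from frame source addresses, static
entries assigned by the administrator, a 16,000-entry capacity, port 0
for the switch's own address, and an aging time (default 300 seconds)
after which a dynamic address that has sent no frames is purged.
"""
from dataclasses import dataclass

CAPACITY = 16000
DEFAULT_AGING_TIME = 300   # seconds (5 minutes), the default stated above


@dataclass
class Entry:
    mac: str
    port: int
    vlan_id: int
    kind: str          # "static" or "dynamic"
    last_seen: float   # seconds; not used for static entries


class MacTable:
    def __init__(self, switch_mac: str, aging_time: int = DEFAULT_AGING_TIME):
        if aging_time <= 0:
            raise ValueError("aging time must be positive")
        self.aging_time = aging_time
        self.entries = {}
        # The switch's own address is the first entry and is shown on port 0.
        self.entries[switch_mac] = Entry(switch_mac, 0, 1, "static", 0.0)

    def add_static(self, mac: str, port: int, vlan_id: int) -> None:
        if mac not in self.entries and len(self.entries) >= CAPACITY:
            raise ValueError("MAC address table is full")
        self.entries[mac] = Entry(mac, port, vlan_id, "static", 0.0)

    def learn(self, mac: str, port: int, vlan_id: int, now: float) -> bool:
        """Record a frame's source address at time `now` (seconds).

        Static entries are never overwritten by learning.  Returns True when
        a dynamic entry was created or refreshed (assumption: a refreshed
        entry follows the address if it now appears on another port).
        """
        entry = self.entries.get(mac)
        if entry is not None and entry.kind == "static":
            return False
        if entry is None:
            if len(self.entries) >= CAPACITY:
                return False            # table full: address cannot be learned
            self.entries[mac] = Entry(mac, port, vlan_id, "dynamic", now)
        else:
            entry.port, entry.vlan_id, entry.last_seen = port, vlan_id, now
        return True

    def age(self, now: float) -> list:
        """Purge dynamic entries idle for at least the aging time; return their MACs."""
        expired = [mac for mac, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen >= self.aging_time]
        for mac in expired:
            del self.entries[mac]
        return expired

    def lookup(self, mac: str):
        """Return the port an address is associated with, or None if unknown."""
        entry = self.entries.get(mac)
        return None if entry is None else entry.port

    def display(self, kind=None) -> list:
        """Rows like the Display Unicast MAC Addresses menu: MAC, Port, VLAN ID, Type."""
        return [(e.mac, e.port, e.vlan_id, e.kind) for e in self.entries.values()
                if kind is None or e.kind == kind]


if __name__ == "__main__":
    table = MacTable("00:00:5e:00:53:00")             # constructed switch address
    table.add_static("00:00:5e:00:53:10", 5, 1)
    table.learn("00:00:5e:00:53:20", 7, 1, now=0)
    print("before aging:", table.display())
    print("expired at t=300:", table.age(now=300))
    print("after aging:", table.display())
```

The `age` method is what the aging-time setting controls: lowering the aging time shrinks the window in which a departed node's address still maps to a port, at the cost of more flooding for unknown destinations.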
Section VII Management Security The chapters in this section provide information and procedures for basic switch setup using the AT-S63 management software.
Chapter 30 Web Server

This chapter provides an overview of the web server feature and procedures to configure the server.

Web Server Overview

The AT-S63 management software is shipped with web server software. The software is available so that you can remotely manage the switch with a web browser from any management station on your network. (The instructions for managing a switch with a web browser are described in the AT-S63 Network Management Web Browser Interface User’s Guide.)

The web server can operate in two modes. The first is referred to as non-secure HTTP mode.

Configuring the Web Server

This procedure explains how to enable and disable the web server and how to configure the HTTP and HTTPS settings from a local or Telnet management session. The default setting for the web server is enabled, with the non-secure HTTP mode as the active web server mode.

Before you configure the web server, please note the following:

You cannot make any changes to the HTTP or HTTPS settings while the web server is enabled.

The Web Server Configuration menu is shown in Figure 249.

   Allied Telesyn Ethernet Switch AT-94xx - AT-S63
   Marketing
   User: Manager                    11:20:02 02-Mar-2005

   Web Server Configuration

   1 - Status ............................ Disabled
   2 - Mode .............................. HTTP
   3 - Port Number ....................... 80

   R - Return to Previous Menu

   Enter your selection?

Figure 249. Web Server Configuration Menu

3. Type 1 to select Status to enable or disable the web server.

3. To enable the web server, type 1 to toggle Status to Enabled. The Web Server Configuration menu is redisplayed. Figure 250 shows an example of the menu configured for HTTPS that contains the SSL Key ID.

   Allied Telesyn Ethernet Switch AT-94xx - AT-S63
   Marketing
   User: Manager                    11:20:02 02-Mar-2005

   Web Server Configuration

   1 - Status ............................
   2 - Mode ..............................
   3 - Port Number .......................
   4 -

General Steps for Configuring the Web Server for Encryption

There are several procedures you need to perform in order to implement HTTPS and web browser encryption on the switch. This section provides the general steps that you need to perform and the procedures for performing them. There is a section for configuring the web server with a self-signed certificate and another for a public or private CA certificate.

6. After you have received the appropriate certificates back from the CA, download them into the AT-S63 file system from your management station or a TFTP server, as explained in “Downloading a System File” on page 216.

7. Add the certificates to the certificate database, as explained in “Adding a Certificate to the Database” on page 733.

8.
Chapter 31 Encryption Keys

This chapter describes encryption keys and how you can use keys to improve the security of your switches. Because of the complexity of the feature, this chapter contains several overview sections. The Basic Overview section offers a general review of the purpose of this feature along with relevant guidelines. For additional information, refer to the two Technical Overview sections.

Basic Overview

Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s login username and password, and uses that information to alter a switch’s configuration settings.

Encryption Key Length

To create a key pair, you must specify its length. The length is given in bits. The range is 512 to 1,536 bits, in increments of 256 bits. The default is 512 bits. The general rule on key lengths is that the longer the key, the more difficult it is for someone to break (decipher).

The management session assumes that the web server mode that the master switch is using is the same for all the switches in the stack. As an example, if the master switch is using HTTPS, a web browser management session assumes that all the other switches in the stack are also using HTTPS, and it does not allow you to manage any switches running HTTP.

Technical Overview of Secure Sockets Layer

This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP).

MAC. SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase.

User Verification

An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server. During the handshake, the following occurs:

The client and server establish the SSL version they are to use.

To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after checking that a public key belongs to its claimed owner. There are several agencies that are trusted to issue certificates.

Technical Overview of Encryption

The encryption feature provides the following data security services:

Data encryption
Data authentication
Key exchange algorithms
Key creation and storage

Data Encryption

Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure.

algorithm and key. For a given input block of plaintext, ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
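The difference between ECB and CBC described above is easiest to see on exactly the kind of input the text names, a run of ASCII blanks. The following is an added example and not AT-S63 code. It does not implement DES; the block cipher here is a deliberately simple, invertible 64-bit toy (XOR with the key, then multiplication by an odd constant modulo 2**64) that exists only so that the two modes can be compared side by side, and the sample plaintext, key and IV are constructed.

```python
"""ECB versus CBC on repetitive plaintext.

Added example, not AT-S63 code.  The block cipher is a deliberately simple
invertible 64-bit toy (XOR with the key, then multiply by an odd constant
modulo 2**64), not DES; it exists only so the two modes can be compared.
The point demonstrated is the one in the text: ECB maps identical
plaintext blocks (runs of ASCII blanks) to identical ciphertext blocks,
while CBC's chaining does not.
"""
import secrets

BLOCK = 8                            # 64-bit blocks, as with DES
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15            # odd, so it has an inverse modulo 2**64
MULT_INV = pow(MULT, -1, 1 << 64)


def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    return ((x * MULT) & MASK).to_bytes(BLOCK, "big")


def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    x = (int.from_bytes(block, "big") * MULT_INV) & MASK
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # Each block is encrypted on its own: equal inputs give equal outputs.
    return b"".join(toy_encrypt_block(b, key) for b in _blocks(data))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Feedback step: each plaintext block is XORed with the previous ciphertext block.
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(toy_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    return len(set(_blocks(ciphertext)))


def compare_modes(plaintext: bytes, key: bytes, iv: bytes) -> dict:
    """Count how many distinct ciphertext blocks each mode produces."""
    ecb = ecb_encrypt(plaintext, key)
    cbc = cbc_encrypt(plaintext, key, iv)
    if cbc_decrypt(cbc, key, iv) != plaintext:
        raise AssertionError("CBC round trip failed")
    return {"blocks": len(_blocks(plaintext)),
            "ecb_distinct": distinct_blocks(ecb),
            "cbc_distinct": distinct_blocks(cbc)}


# Constructed sample: three blocks of ASCII blanks followed by one block of data.
SAMPLE = b" " * 24 + b"secret!!"


if __name__ == "__main__":
    key, iv = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    print(compare_modes(SAMPLE, key, iv))
```

With four plaintext blocks, three of them identical, ECB yields only two distinct ciphertext blocks, so an observer learns where the plaintext repeats; CBC yields four distinct blocks. Note that CBC needs a fresh IV per message for that property to hold across messages, not only within one.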
secret. Only the decryption, or private, key needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generates a key pair and then distributes the public key to encrypting stations.

It is very hard to find another message and key which give the same hash.

The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to be slightly more secure.

A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure. A Diffie-Hellman exchange starts with both parties generating a large random number.
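The exchange the paragraph above begins to describe can be carried through end to end in a few lines. The following is an added example and not AT-S63 code: the two parties, the prime and generator, and the session-key derivation (a SHA-256 hash of the agreed number, an assumption made here only to turn it into a fixed-length key) are this example's own. The prime is a small constructed toy value chosen so the arithmetic is easy to follow; by the text's own rule, real deployments must use public values of at least 768 bits.

```python
"""Diffie-Hellman key agreement, step by step.

Added example, not AT-S63 code.  It carries out the exchange described
above: both parties use published public values (a prime p and generator
g), each generates a large random secret, exchanges only the derived
public value, and computes the same shared secret without either secret
ever being sent.  The prime used here is a small, constructed toy value;
the text's rule applies to real use, where public values shorter than
768 bits are considered insecure.
"""
import hashlib
import secrets

# Toy public values (constructed for this example; far too small for real use).
P = 2305843009213693951      # the Mersenne prime 2**61 - 1
G = 3


class Party:
    def __init__(self, name: str, p: int = P, g: int = G):
        self.name, self.p, self.g = name, p, g
        self.secret = secrets.randbelow(p - 2) + 1   # large random number, kept private
        self.public = pow(g, self.secret, p)         # the only value sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        # Reject the degenerate values 0, 1 and p-1, which would force a trivial result.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.secret, self.p)


def derive_session_key(shared: int) -> bytes:
    """Hash the agreed number into a fixed-length key (assumption: SHA-256 as the KDF)."""
    length = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()


def run_exchange() -> dict:
    """Perform one exchange and report what each side computed and what went on the wire."""
    alice, bob = Party("alice"), Party("bob")
    k_alice = alice.shared_secret(bob.public)   # g^(b*a) mod p
    k_bob = bob.shared_secret(alice.public)     # g^(a*b) mod p, the same number
    return {"match": k_alice == k_bob,
            "key_alice": derive_session_key(k_alice),
            "key_bob": derive_session_key(k_bob),
            "exposed": (alice.public, bob.public)}


if __name__ == "__main__":
    result = run_exchange()
    print("shared secrets match:", result["match"])
    print("session key:", result["key_alice"].hex())
    print("values visible on the wire:", result["exposed"])
```

The range check in `shared_secret` is the practical caveat: a peer (or an attacker in the path) that sends 0, 1 or p-1 as its public value forces the shared secret into a tiny set, so an implementation must reject those before exponentiating.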
Creating an Encryption Key

This section contains the procedure for creating an encryption key pair.

Caution
Key generation is a CPU-intensive process. Because this process may affect switch behavior, Allied Telesyn recommends creating keys when the switch is not connected to a network or during periods of low network activity.

To create an encryption key, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
The Key Management menu is shown in Figure 252.
6. Enter an identification number for the key. This number can be from 0 to 65,535. This number is used only for identification purposes and not in generating the actual encryption key. The ID for each key on the switch must be unique.

Note
You cannot change the value for option 2, Key Type. This value is always RSA - Private.

7. Type 3 to select Key Length. The following prompt is displayed:

Enter Key Length ->[512 to 1536] -> 512

8.
The new key is added to the list of keys in the Key Management menu. Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software. To create a self-signed certificate using the new encryption key, go to “Creating a Self-signed Certificate” on page 729. To create an enrollment request, go to “Generating an Enrollment Request” on page 744.
Deleting an Encryption Key

This section contains the procedure for deleting an encryption key pair from the switch. Note the following before performing this procedure:

Deleting a key pair from the key management database also deletes the key’s corresponding “.ukf” file from the AT-S63 file system.

You cannot delete a key pair if it is being used by SSL or SSH.
Modifying an Encryption Key

The Key Management menu has a selection for modifying the description of an encryption key. This is the only item of a key that you can modify. You cannot change a key’s ID, type, or length.

To change the description of a key, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2.
Exporting an Encryption Key

The following procedure exports the public key of a key pair into the AT-S62 file system. (The management software does not allow you to export a private key.) Before performing this procedure, please note the following:

The only circumstance in which you are likely to perform this procedure is if you are using an SSH client that does not download the key automatically when you start an SSH management session.
The Export Key to File menu is shown in Figure 254.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Export Key to File

1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name
5 - Export Key to File

R - Return to Previous Menu

Enter your selection?

Figure 254. Export Key to File Menu

5. From the Export Key to File menu, type 1 to select Key ID.
The following message is displayed:

Key Export in Progress. Please wait...Done

11. Press any key to return to the Key Management menu.

To view the public key in the switch’s file system, refer to “Displaying System Files” on page 195.

Returning to the Main Menu to save your changes is not necessary with this procedure. This type of change is automatically saved by the management software.
Importing an Encryption Key

Use the following procedure to import a public key from the AT-S62 file system into the key management database. If a file contains both public and private keys, only the public key is imported. The private key is ignored.

Note
It is unlikely that you will ever need to perform this procedure for an SSL public key. A switch can only use those SSL public keys that it has generated itself.

This procedure starts from the Key Management menu.
The Import Key from File menu is shown in Figure 255.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Import Key from File

1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name .....
5 - Import Key from File

R - Return to Previous Menu

Enter your selection?

Figure 255. Import Key from File Menu

5. From the Import Key from File menu, type 1 to select Key ID.
The key file name must include the “.key” extension. If you are unsure of the file name, display the files in the switch’s file system by referring to “Displaying System Files” on page 195.

10. Type 5 to select Import Key From File to import a key to the switch from an external file. The following message is displayed:

Key Import in Progress. Please wait...Done

After you receive this message, the key is added to the Key Management database.
Displaying the Encryption Keys

To display the encryption keys, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 7 to select Keys/Certificate Configuration. The Keys/Certificate Configuration menu is shown in Figure 251 on page 705.

3.
Length - The length of the key in bits.
Digest - The CRC32 value of the MD5 digest of the public key.
Description - The key’s description.
Chapter 32
PKI Certificates and SSL

This chapter contains the procedures for creating public key infrastructure (PKI) certificates for web server security. Because of the complexity of this feature, two overview sections are provided. The Basic Overview section offers a general review of the purpose of certificates along with relevant guidelines. For additional information refer to the Technical Overview section.
Basic Overview

This chapter describes the second part of the encryption feature of the AT-S63 management software—PKI certificates. The first part is explained in Chapter 31, “Encryption Keys” on page 693. Encryption keys and certificates allow you to encrypt the communications between your management station and a switch when you manage the device with a web browser.
devices. If your company is large enough, it might have a private CA and you might want that group to issue any AT-9400 Series switch certificates, if for no other reason than to follow company policy. What is required to create a certificate by a public or private CA? First, you must create a key pair. After you have done that, you need to generate a digital document called an enrollment request.
This distinguished name omits the common name, but includes everything else:

ou=Network Support,o=XYZ Inc.,st=CA,c=US

So what would be a good distinguished name for a certificate for an AT-8524M switch? If the switch has an IP address, such as a master switch, you could use its address as the name. The following example is a distinguished name for a certificate for a master switch with the IP address 149.11.11.11:

cn=149.11.11.
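A parser and builder for distinguished names in the string form used above (RFC 1779, one of the standards the chapter lists), as an added example that is not the switch's own code. It goes slightly beyond the guide's examples by handling values that themselves contain a comma, which must be quoted; `switch_dn` is a hypothetical helper that composes the IP-address-as-common-name form the guide recommends.

```python
SPECIAL = set(',+="\\<>;#')

def parse_dn(dn: str) -> list:
    # Split an RFC 1779 string into (attribute, value) pairs. Commas inside a
    # quoted value or escaped with a backslash are part of the value.
    rdns = []
    key, buf, in_quotes, i = None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and key is None and not in_quotes:
            key, buf = "".join(buf).strip().lower(), []
        elif ch in ",;" and not in_quotes:
            if key is None:
                raise ValueError("attribute without '=' before separator")
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    if key is None:
        raise ValueError("attribute without '=' at end of name")
    rdns.append((key, "".join(buf).strip()))
    return rdns

def _quote(value: str) -> str:
    # Quote a value that contains separator or other special characters, or
    # leading/trailing spaces, so that parse_dn reads it back unchanged.
    if any(c in SPECIAL for c in value) or value != value.strip():
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return value

def build_dn(rdns: list) -> str:
    return ",".join(f"{attr}={_quote(value)}" for attr, value in rdns)

def switch_dn(ip_address: str, ou: str, o: str, st: str, c: str) -> str:
    # Hypothetical helper: a distinguished name of the form the guide suggests for a
    # master switch, with its IP address as the common name.
    return build_dn([("cn", ip_address), ("ou", ou), ("o", o), ("st", st), ("c", c)])

if __name__ == "__main__":
    print(switch_dn("149.11.11.11", "Network Support", "XYZ, Inc.", "CA", "US"))
```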
Guidelines

The guidelines for creating certificates are:

A certificate can have only one key.

A switch can use only those certificates that contain a key that was generated on the switch.

You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server.
Technical Overview

The public key infrastructure (PKI) feature is part of the switch’s suite of security modules, and consists of a set of tools for managing and using certificates. The tools that make up the PKI allow the switch to securely exchange public keys, while being sure of the identity of the key holder. The switch acts as an End Entity (EE) in a certificate-based PKI.
Caution
Although a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached. A secure system is dependent upon private keys being kept secret, by protecting them from malicious physical and virtual access.

Certificates

A certificate is an electronic identity document.
Elements of a Public Key Infrastructure

A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:

At least one certification authority (CA), which issues and revokes certificates.

At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
Certificate Validation

To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate.

CA Hierarchies and Certificate Chains

It may not be practical for every individual certificate in an organization to be signed by one certification authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared to be the root CA.
PKI Standards
Certificate Retrieval and Storage
Certificate Validation
Root CA Certificates

PKI Standards

The following standards are supported by the switch:

draft-ietf-pkix-roadmap-05 — PKIX Roadmap
RFC 1779 — A String Representation of Distinguished Names
RFC 2459 — PKIX Certificate and CRL Profile
RFC 2511 — PKIX Certificate Request Message Format
PKCS #10 v1.
Creating a Self-signed Certificate

This section contains the procedure for creating a self-signed certificate. Please review the following before you perform the procedure:

The switch’s time and date must be set before you create a certificate. You can set this manually or you can configure the switch to obtain the date and time from an SNTP server on your network. For instructions, refer to “Setting the System Time” on page 58.
The Public Key Infrastructure (PKI) Configuration menu is shown in Figure 257.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Public Key Infrastructure (PKI) Configuration

1 - Maximum Number of Certificates....... 256
2 - X509 Certificate Management
3 - Generate Enrollment Request

R - Return to Previous Menu

Enter your selection?

Figure 257. Public Key Infrastructure (PKI) Configuration Menu

4.
Note
In the X509 Certificate Management menu, MTrust means manually trusted. This field indicates that you verified the certificate. The Source field indicates the certificate was generated on the switch. Both MTrust and Source are read-only fields.

5. Type 1 to select Create Self-Signed Certificate. The Create Self-Signed Certificate menu is shown in Figure 259.
9. Enter the ID number of the encryption key that you want to use to create this certificate. The encryption key must already exist on the switch. (If you have forgotten the key ID number, return to the Key Management menu to view the keys on the switch.) The value can be from 0 to 65,535.

10. Type 3 to select Format to choose the encoding format for the certificate. The possible options are:

DER - Indicates the certificate contents are in a binary format.
Adding a Certificate to the Database

After you have created a certificate or received a certificate from a public or private CA, you need to add it into the certificate database to make it available for use by the switch’s web server. After you add a certificate to the certificate database, it appears in the X509 Certificate Management menu.

To add a certificate to the certificate database, perform the following procedure:

1.
The Add Certificate menu is shown in Figure 260.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Add Certificate

1 - Certificate Name .............
2 - State ........................ Trusted
3 - Type ......................... EE
4 - File Name ....................
5 - Add Certificate

R - Return to Previous Menu

Enter your selection?

Figure 260. Add Certificate Menu

6. Type 1 to select Certificate Name.
Note
This parameter has no effect on the operation of a certificate. The parameter is included only for informational purposes when the certificate is displayed in the certificate database.

9. Type 3 to select Type (of certificate). The possible settings are:

EE - The certificate was issued by a CA, such as VeriSign. This is the default.
CA - The certificate belongs to a CA.
Self - This certificate is a self-signed certificate.
Modifying a Certificate

The procedure in this section modifies a certificate. (The certificate to be modified must be in the certificate database.) Here are the certificate items you can modify:

State - trusted or untrusted
Type - EE, CA, or Self

Note
These parameters have no effect on the operation of a certificate. They are included only for informational purposes when the certificate is displayed in the certificate database.
6. Enter the name of the certificate you want to modify. (This field is case sensitive.) The Modify Certificate menu is shown in Figure 261.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Modify Certificate

1 - Certificate Name................. Switch12
2 - State ........................... Trusted
3 - Type ............................
4 -
The following message is displayed:

Please wait while certificate is updated...Done.

10. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting a Certificate

The procedure in this section deletes a certificate from the certificate database. Please note the following before performing this procedure:

Deleting a certificate from the database does not delete it from the switch. It continues to reside in the AT-S63 file system. To completely remove a certificate from the switch, you must also delete it from the file system.
Enter certificate name (ALL - delete all) ->

6. Enter the name of the certificate you want to delete. (This field is case sensitive.) To delete all the certificates, enter ALL.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Viewing a Certificate

This procedure displays information about a certificate, such as its distinguished name and serial number. This procedure starts from the X509 Certificate Management menu. If you are unsure how to access the menu, perform steps 1 to 4 in the procedure “Adding a Certificate to the Database” on page 733.

To view the details of a certificate, perform the following procedure:

1.
The View Certificate Details menu (page 1) is shown in Figure 262.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

View Certificate Details

Certificate Details:
Name ...............
State ..............
Manually Trusted ...
Type ...............
Source .............
Version ............
Serial Number ......
Signature Alg ......
Public Key Alg .....
Not Valid Before ...
Not Valid After ....
Not Valid Before - The date the certificate became active.
Not Valid After - The date the certificate expires. Self-signed certificates are valid for two years.

7. Type N to see the second page of certificate details. The View Certificate Details menu (page 2) is shown in Figure 263.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

View Certificate Details

Subject ......... CN=149.44.44.44
Issuer ..........
Generating an Enrollment Request

To request a certificate from a CA, you need to generate an enrollment request. The request contains the public key for the certificate, a distinguished name, and other information. The request is stored as a file with a “.csr” extension in the AT-S63 file system, from where you can upload it onto your management station or FTP server for submission to the CA.
The Generate Enrollment Request menu is shown in Figure 264.

Allied Telesyn Ethernet Switch AT-94xx - AT-S63 Marketing
User: Manager                                   11:20:02 02-Mar-2005

Generate Enrollment Request

1 - Request Name....................
2 - KeyPair ID ..................... 0
3 - Format ......................... PEM
4 - Type ........................... PKCS10
5 - Generate Enrollment Request

R - Return to Previous Menu

Enter your selection?

Figure 264.
12. Type 5 to select Generate Enrollment Request. After the switch has finished generating the request, a message similar to the following is displayed:

Enrollment request is being generated. Please wait ...Done.
Enrollment Request available in file [Switch 12.csr].
Press any key to continue ...

The enrollment request is now stored in the AT-S63 file system. To see the file, refer to “Displaying System Files” on page 195.

13.
Installing CA Certificates onto a Switch

This section lists the procedures that you will need to perform if the switch’s certificate was created by a public or private CA. Note that a CA-generated certificate actually consists of several certificates; there is a minimum of two. All the certificates from the CA must be installed on the switch.
Viewing or Configuring the Number of Certificates in the Database

The maximum number of certificates that the certificate database can hold is configurable from 12 to 256. The default value is 256. There should be little cause or need for you to adjust this value.

To view or change the number of certificates in the certificate database, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services.
Configuring SSL

To configure the SSL protocol, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 9 to select Secure Socket Layer (SSL). The Secure Socket Layer (SSL) menu is shown in Figure 265.
Chapter 33
Secure Shell (SSH)

This chapter contains overview information about the Secure Shell (SSH) protocol as well as a procedure for configuring this protocol on a switch using a local or Telnet management session.
SSH Overview

Secure management is increasingly important in modern networks, because the ability to manage switches easily and effectively and the need for security are both universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem—it is only protected by plaintext usernames and passwords, which are vulnerable to wiretapping and password guessing.
Note
Non-encrypted Secure Shell sessions serve no purpose.

SSH Server

When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 management software uses well-known port 22 as the SSH default port.
enhanced stacking feature. Management packets from your workstation are first directed to the master switch before being forwarded to the slave switch. The reverse is true as well. Management packets from a slave switch first pass through the master switch before reaching your management station. Enhanced stacking uses a proprietary protocol different from Telnet and SSH protocols. Consequently, there is no encryption between a master switch and a slave switch.
General Steps for Configuring SSH

SSH requires two encryption key pairs. One key pair functions as the host key and the other as the server key. For instructions on creating keys, refer to “Creating an Encryption Key” on page 705. The two encryption key pairs must be of different lengths, at least one increment (256 bits) apart. The recommended bit size for a server key is 768 bits. The recommended size for the host key is 1024 bits.
Configuring SSH

This section describes how to configure the switch as an SSH server. For a description of all the steps required to configure an SSH server, see “General Steps for Configuring SSH” on page 755. Before you begin this procedure, you need to create the host and server keys for SSH. See Chapter 31, “Encryption Keys” on page 693. The minimum bit size of the server key is 512 bits. The recommended bit size for a server key is 768 bits.
3. Type 2 to select Host Key ID. The following prompt is displayed:

Enter Host Key ID [0 to 65535] -> 0

Enter a host key ID. The default is Not Defined. Enter a value that you configured in the encryption menus. See Chapter 31, “Encryption Keys” on page 693.

4. Type 3 to select Server Key ID. The following prompt is displayed:

Enter Server Key ID [0 to 65535] -> 0

Enter a server key ID. The default is Not Defined.
Type E to enable the SSH server. Select this value after you have finished configuring SSH and want to log on to the server. Or, type D to disable SSH while you are configuring the protocol. SSH must be disabled while you are configuring the protocol. This is the default.

Note
When there are active SSH connections, you cannot disable the SSH server. If you attempt to disable the SSH server when it is in this state, you receive a warning message.
Displaying SSH Information

To display SSH server information, perform the following procedure:

1. From the Main Menu, type 7 to select Security and Services. The Security and Services menu is shown in Figure 82 on page 259.

2. From the Security and Services menu, type 8 to select Secure Shell (SSH). The Secure Shell (SSH) menu is shown in Figure 267 on page 756.

3. From the Secure Shell (SSH) menu, type 6 to select Show Server Information.
Host Key ID - The host key ID defined for SSH.
Host Key Bits - Number of bits in the host key.
Server Key ID - Server key ID defined for SSH.
Server Key Expiry - Length of time, in hours, until the server key is regenerated. The default is 0 hours, which means the server key is not regenerated.
Login Timeout - Time, in seconds, until an SSH server is released from an incomplete connection with an SSH client.
Authentication Available - Authentication method available.
Chapter 34
TACACS+ and RADIUS Protocols

This chapter describes how you can use two authentication protocols, TACACS+ and RADIUS, to control who can log onto a switch to manage it.
TACACS+ and RADIUS Overview

The AT-S63 management software has two standard manager login accounts: manager and operator. The manager account lets you change a switch’s parameter settings while the operator account lets you view the settings, but not change them. Each account has its own password. The manager account has a default password of “friend” and the operator account has a default password “operator.
The final function of an authentication protocol is accounting, which keeps track of user activity on network devices. The AT-S63 management software does not support RADIUS or TACACS+ accounting as part of manager accounts. However, it does support RADIUS accounting with the 802.1x Port-based Network Access Control feature, as explained in Chapter 28, “802.1x Port-based Network Access Control” on page 647.
Note
This manual does not explain how to configure TACACS+ or RADIUS server software. For that you need to refer to the documentation that came with the software.

You must activate the TACACS+ or RADIUS client software on the switch using the AT-S63 management software and configure the settings, which include the IP addresses of up to three authentication servers. The procedure for this step is found in this chapter.
Enabling or Disabling TACACS+ or RADIUS

To enable or disable the server-based authentication feature on the switch and to configure the RADIUS or TACACS+ settings, perform one of the following procedures.

Enabling TACACS+ or RADIUS

To enable TACACS+ or RADIUS, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2.
Note
Before enabling server-based authentication on the switch, you should first configure the TACACS+ or RADIUS settings. If you selected TACACS+, go to “Configuring TACACS+” on page 767. If you selected RADIUS, go to “Configuring RADIUS” on page 771.

Disabling TACACS+ or RADIUS

To disable the authentication feature on the switch, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration.
Configuring TACACS+

To configure the TACACS+ client software, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 269 on page 765.

3.
prompt and enter the encryption secret using the TAC Global Secret parameter. However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, then respond with Yes to this prompt. You will see:

Enter per-server secret [max 40 characters] ->

Use this prompt to enter the encryption secret for the TACACS+ server whose IP address you are specifying.
Displaying the TACACS+ Settings

To display the TACACS+ settings, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 269 on page 765.

3. Type 3 to select TACACS+ Configuration.
TAC Timeout - The maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server is not responding.
Configuring RADIUS

To configure the RADIUS protocol, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 269 on page 765.

3. Type 4 to select RADIUS Configuration.
Manager and Operator accounts. The default is 10 seconds. The range is 1 to 60 seconds.

3 - RADIUS Server 1 Configuration
4 - RADIUS Server 2 Configuration
5 - RADIUS Server 3 Configuration

Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software. Selecting one of the options displays the RADIUS Server Configuration menu, shown in Figure 273.
Displaying RADIUS Status and Settings

To display the RADIUS status and settings, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 6 to select Authentication Configuration. The Authentication Configuration menu is shown in Figure 269 on page 765.

3.
Server IP Address - IP address of the RADIUS server.
Auth Port - UDP port of the RADIUS protocol.
Encryption Key - Encryption key for the RADIUS server.
Auth Req - Number of authentication requests the switch has made to the RADIUS server.
Auth Resp - Number of responses that the switch has received back from the server.
Chapter 35
Management Access Control Lists

This chapter explains how to create an access control list (ACL) to restrict Telnet and web browser management access to the switch.
Management ACL Security Overview

This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser. The switch uses the management ACL to filter the management packets that it receives.
Mask

You need to enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, enter the appropriate mask. For example, to allow all management stations in the subnet 149.11.11.
Examples

Activating this feature without specifying any ACEs prohibits you from managing the switch remotely using a Telnet application or web browser, because the switch discards all Telnet and web browser management packets. You can apply management ACLs to both master and slave switches in an enhanced stack.
ACE #1
IP Address: 149.11.11.0
Subnet Mask: 255.255.255.0
Protocol: TCP
Interface: Telnet

ACE #2
IP Address: 149.22.22.0
Subnet Mask: 255.255.255.0
Protocol: TCP
Interface: Telnet

The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0:

ACE #1
IP Address: 149.11.11.11
Mask: 255.255.255.
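The mask rule and the two example ACLs above, evaluated in code, as an added example that is not the switch's own implementation. It models the guide's semantics (a 1 bit in the mask is compared, a 0 bit is ignored; an active ACL with no ACEs discards all management packets); the host entry in the second example uses the 255.255.255.255 mask the guide prescribes for a single address, and its interfaces are assumed to be Telnet.

```python
from dataclasses import dataclass

def ip_to_int(address: str) -> int:
    # Dotted-quad IPv4 address to a 32-bit integer, rejecting malformed input.
    parts = address.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad dotted-quad address: {address!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

@dataclass(frozen=True)
class ACE:
    ip_address: str
    mask: str                # 1 bits are compared, 0 bits are ignored (the guide's mask rule)
    protocol: str = "TCP"    # Telnet and web management are both TCP; kept for display only
    interface: str = "All"   # Telnet, Web or All

    def matches(self, source_ip: str, interface: str) -> bool:
        mask = ip_to_int(self.mask)
        if (ip_to_int(source_ip) & mask) != (ip_to_int(self.ip_address) & mask):
            return False
        return self.interface == "All" or self.interface == interface

def management_allowed(acl_enabled: bool, aces: list, source_ip: str, interface: str) -> bool:
    # When the ACL is active, a management packet is accepted only if some ACE
    # matches it; an active ACL with no ACEs therefore discards everything.
    if not acl_enabled:
        return True
    return any(ace.matches(source_ip, interface) for ace in aces)

# The guide's first example: Telnet management from two /24 subnets.
SUBNET_ACL = [
    ACE("149.11.11.0", "255.255.255.0", "TCP", "Telnet"),
    ACE("149.22.22.0", "255.255.255.0", "TCP", "Telnet"),
]

# The guide's second example: one host plus one subnet. The host mask follows the
# guide's rule for a specific address; the interfaces are assumed to be Telnet.
HOST_AND_SUBNET_ACL = [
    ACE("149.11.11.11", "255.255.255.255", "TCP", "Telnet"),
    ACE("149.22.22.0", "255.255.255.0", "TCP", "Telnet"),
]

if __name__ == "__main__":
    for src, iface in (("149.11.11.11", "Telnet"), ("149.11.11.12", "Telnet"), ("149.22.22.7", "Web")):
        print(src, iface, "->", "accept" if management_allowed(True, HOST_AND_SUBNET_ACL, src, iface) else "discard")
```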
Creating the Management ACL

To create a management ACL, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 275.
5. Enter a mask that indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not. If you are filtering on a specific IP address, use the mask 255.255.255.255. If you are filtering on a subnet, enter the appropriate mask. For example, to allow all management stations in the subnet 149.11.11.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Adding an ACE

To add an ACE, repeat the procedure in “Creating the Management ACL” on page 780. The new ACEs that you enter are added to the ACEs that are already in the management ACL.
Deleting an ACE

To delete an ACE, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 275 on page 780.

3. From the Management ACL menu, type 3 to select Delete Management ACL Entry.
Displaying the ACEs

To display the ACEs, perform the following procedure:

1. From the Main Menu, type 5 to select System Administration. The System Administration menu is shown in Figure 4 on page 46.

2. From the System Administration menu, type 7 to select Management ACL. The Management ACL menu is shown in Figure 275 on page 780.

3. From the Management ACL menu, type 4 to select Display All Management ACL Entries.
Interface

The interface that the management station uses to manage the switch. The options are Telnet, Web, and All (both Telnet and Web).
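The filtering rule this chapter describes (compare only the address bits where the mask has a 1; require the protocol and the Telnet/Web/All interface to match; with the feature active and no ACEs, discard every management packet) can be checked against the chapter’s second example. The following is an added example, not AT-S63 code, and the class and function names are hypothetical. It takes the ACE #1 mask of that example to be 255.255.255.255, the host mask the chapter prescribes for a single station, and the session attempts it evaluates are constructed for the example.

```python
"""Model of the management ACL filtering described in Chapter 35.

Added example, not AT-S63 code. Assumed matching rule: a management packet is
accepted when some ACE's address equals the packet's source address on every
bit where the mask is 1, the protocol matches, and the ACE's interface is the
one the packet arrived on (All covers Telnet and Web). With the feature active
and no ACEs, every Telnet and web management packet is discarded; with the
feature inactive, nothing is filtered. All names here are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ACE:
    """One management access control entry, as entered in the Management ACL menu."""
    address: str
    mask: str
    protocol: str = "TCP"     # Telnet and web management both run over TCP
    interface: str = "All"    # Telnet, Web or All

    def matches(self, src_ip: str, protocol: str, interface: str) -> bool:
        ace_bits = int(IPv4Address(self.address))
        mask_bits = int(IPv4Address(self.mask))
        src_bits = int(IPv4Address(src_ip))
        # A 1 bit in the mask means that address bit is compared; a 0 bit means
        # the corresponding bit of the source address is ignored.
        if (src_bits & mask_bits) != (ace_bits & mask_bits):
            return False
        if self.protocol.upper() != protocol.upper():
            return False
        iface = self.interface.lower()
        return iface == "all" or iface == interface.lower()


class ManagementACL:
    """The switch's management ACL: its ACEs plus the feature's active flag."""

    def __init__(self, active: bool, aces: Iterable[ACE] = ()):
        self.active = active
        self.aces: List[ACE] = list(aces)

    def permits(self, src_ip: str, protocol: str = "TCP", interface: str = "Telnet") -> bool:
        if not self.active:
            return True          # feature off: management packets are not filtered
        # Feature on: the packet must match at least one ACE, so an empty list denies all.
        return any(ace.matches(src_ip, protocol, interface) for ace in self.aces)


def chapter_example_acl() -> ManagementACL:
    """The chapter's second example: one station (host mask) plus one /24 subnet."""
    return ManagementACL(active=True, aces=[
        ACE("149.11.11.11", "255.255.255.255", "TCP", "Telnet"),  # single station
        ACE("149.22.22.0", "255.255.255.0", "TCP", "Telnet"),     # whole subnet
    ])


def filter_sessions(acl: ManagementACL,
                    sessions: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (source, protocol, interface, decision) for each session attempt."""
    return [(src, proto, iface, "permit" if acl.permits(src, proto, iface) else "discard")
            for src, proto, iface in sessions]


# Constructed session attempts (not from the manual) used to exercise the model.
SAMPLE_SESSIONS = [
    ("149.11.11.11", "TCP", "Telnet"),   # the permitted station
    ("149.11.11.12", "TCP", "Telnet"),   # its neighbour: the host mask rejects it
    ("149.22.22.200", "TCP", "Telnet"),  # inside the permitted subnet
    ("149.22.22.200", "TCP", "Web"),     # same subnet, but the ACE is Telnet-only
    ("10.0.0.5", "TCP", "Telnet"),       # matches nothing
]

if __name__ == "__main__":
    for row in filter_sessions(chapter_example_acl(), SAMPLE_SESSIONS):
        print("%-14s %-4s %-7s %s" % row)
    # An active ACL with no ACEs locks out every remote management station.
    print("empty active ACL permits anyone?", ManagementACL(active=True).permits("149.11.11.11"))
```

Running the block prints one decision per constructed session; the last line shows the lock-out case the chapter warns about, where an active management ACL with no ACEs discards everything.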
Appendix A
AT-S63 Default Settings

This appendix lists the AT-S63 factory default settings.
Appendix A: AT-S63 Default Settings

Basic Switch Default Settings

This section lists the default settings for basic switch parameters.
AT-S63 Management Software Web Browser Interface User’s Guide

Note: Login names and passwords are case sensitive.

RJ-45 Serial Terminal Port Default Settings

The following table lists the RJ-45 serial terminal port default settings.

RJ-45 Serial Terminal Port Setting   Default
Data Bits                            8
Stop Bits                            1
Parity                               None
Flow Control                         None
Baud Rate                            9600 bps

SNTP Default Settings

The following table lists the SNTP default settings.
Switch Administration Default Settings

The following table describes the switch administration default settings.

Administration Setting    Default
IP Address                0.0.0.0
Subnet Mask               0.0.0.0
Gateway Address           0.0.0.0
System Name               None
Administrator             None
Comments                  None
BOOTP/DHCP                Disabled
MAC Address Aging Time    300 seconds

System Software Default Settings

The following table lists the system software default settings.
Enhanced Stacking Default Setting

The following table lists the enhanced stacking default setting.
SNMP Default Settings

The following table describes the SNMP default settings.
Port Configuration Default Settings

The following table lists the port configuration default settings.
Event Log Default Settings

The following table lists the event log default settings.
Quality of Service

The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.

IEEE 802.
IGMP Snooping Default Settings

The following table lists the IGMP Snooping default settings.
Denial of Service Prevention Default Settings

The following table lists the default settings for the Denial of Service prevention feature.

Denial of Service Prevention Setting   Default
IP Address                             0.0.0.0
Subnet Mask                            0.0.0.
STP, RSTP, and MSTP Default Settings

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting        Default
Spanning Tree Status      Disabled
Active Protocol Version   RSTP

STP Default Settings

The following table describes the STP default settings.
MSTP Default Settings

The following table lists the MSTP default settings.
VLAN Default Settings

This section provides the VLAN default settings.
GVRP Default Settings

This section provides the default settings for GVRP.
Port Security Default Settings

The following table lists the port security default settings.
802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port-based Network Access Control default settings.

802.1x Port-based Network Access Control Setting   Default
Port Access Control                                Disabled
Authentication Method                              RADIUS EAP
Port Role                                          None

The following table lists the default settings for RADIUS accounting.
Web Server Default Settings

The following table lists the web server default settings.
SSL Default Settings

The following table lists the SSL default settings.
PKI Default Settings

The following table lists the PKI default settings, including the generate enrollment request settings.
SSH Default Settings

The following table lists the SSH default settings.
Server-Based Authentication Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-Based Authentication Default Settings

The following table describes the server-based authentication default settings.

RADIUS Default Settings
Management Access Control List Default Setting

The following table lists the default setting for the Management Access Control List.
Index

Numerics

802.
  selecting 186
  selecting active 186
Boot Protocol (BootP)
  activating 49
  deactivating 49
  default setting 790
  defined 49
BPDU.
  default setting 789
  setting 60
default values, AT-S63 software 787
default VLAN name 550
  defined 253
Denial of Service (DoS) defense
  configuring 293
  default settings 797
  mirror port 295
  overview 288
DER certificate format 732, 745
DES privacy protocol 371
DES.
G H

GARP Information Declaration (GID), diagram 590
GARP Information Propagation (GIP)
  connected ports ring, displaying 604
  defined 588
GARP VLAN Registration Protocol (GVRP)
  configuring 592
  counters, displaying 597
  database, displaying 602
  default settings 801
  diagram 585
  disabling on a port 594
  displaying
    GVRP state machine 606
    parameters 597, 602, 604, 606
    statistics 597, 602, 604, 606
  enabling on a port 594
  GIP connected ports ring, displaying 604
  guidelines 586
  GVRP state machine, displaying 6
L

LACP port priority
  described 131
LACP system priority
  configuring 144
  described 131
LACP trunk
  configuring ports 150
  creating aggregator 145
  deleting aggregator 149
  described 128
  displaying status 151
  enabling or disabling protocol 143
  guidelines 133
  modifying aggregator 147
Land attack 289
limited port security mode, described 638
Link Aggregation Control Protocol.
MSTP.
  default configuration 118
  disabling 103
  enabling 103
  resetting 116, 118
  speed 105
  status
    default setting 793
    displaying 123
port cost
  description 478
  Rapid Spanning Tree Protocol (RSTP) 496
  Spanning Tree Protocol (STP) 490
port cost default setting 798, 799
port external path cost parameter, Multiple Spanning Tree Protocol (MSTP) 534
port internal path cost, Multiple Spanning Tree Protocol (MSTP) 536
port mirror
  creating 157
  deleting 159
  destination p
  configuring 346
  described 340
  See also traffic class, flow group, and policy

R

RADIUS
  configuring 771
  default settings 808
  disabling 766
  displaying settings 773
  enabling 765
  guidelines 763
  overview 762
  settings, displaying 773
  status, displaying 773
RADIUS accounting, configuring 669
RADIUS server
  encryption key 772
  IP address, configuring 772
Rapid Spanning Tree Protocol (RSTP)
  bridge forwarding delay 494
  bridge hello time 494
  bridge max age 494
  bridge parameters, configuring 493
  bridge priority 49
SHA authentication protocol 371
Simple Network Management Protocol.
SNMPv3 Target Parameters Table, described 377
SNMPv3 trap 373
SNMPv3 User Table entry
  creating 380
  deleting 384
  displaying 465
  modifying
    authentication protocol 385
    authentication protocol password 385
    privacy protocol 387
    privacy protocol password 387
SNMPv3 User Table, described 376
SNMPv3 View Table entry 396
  creating 390
  deleting 393
  displaying 466
  storage type, modifying 397
  subtree mask, modifying 394
SNMPv3 View Table, described 376
SNTP server, default setting 789
SNTP.
  enabling 765
  guidelines 763
  overview 762
  server IP address 767
  server order
    configuring 768
    displaying 769
  server timeout
    configuring 768
    default setting 808
    displaying 770
tagged VLAN
  creating 561
  defined 556
  deleting 573
  diagram 559
  displaying 571, 617
  example 566
  modifying 567
  overview 556
  rules 558
target IP address 422
TCP connections table 171
TCP destination ports 257
TCP flags 257
TCP Global Information table 175
TCP source ports 257
Teardrop